Cisco Systems 3.3 Server User Manual


 
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-18
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
The following list contrasts the ways in which an end-user client can
receive PACs:

• PAC provisioning—Required when an end-user client has no PAC or has a
  PAC that is based on an expired master key. For more information about how
  master key and PAC states determine whether PAC provisioning is required,
  see Master Key and PAC TTLs, page 10-21.
  Two means of PAC provisioning are supported:
  – Automatic provisioning—Sends a PAC to the client over a secured network
    connection. For more information, see Automatic PAC Provisioning,
    page 10-18.
  – Manual provisioning—Requires that you use Cisco Secure ACS to
    generate a PAC file for the user, copy the PAC file to the computer
    running the end-user client, and import the PAC file into the end-user
    client. For more information, see Manual PAC Provisioning, page 10-20.
• PAC refresh—Occurs automatically when EAP-FAST phase two
  authentication has succeeded and the master key and PAC TTLs dictate that
  the PAC must be refreshed. For more information about how master key and
  PAC states determine whether a PAC is refreshed, see Master Key and PAC
  TTLs, page 10-21.
PACs have the following two states, determined by the PAC TTL setting:

• Active—A PAC younger than the PAC TTL is considered active and can be
  used to complete EAP-FAST phase one, provided that the master key used to
  generate it has not expired. Regardless of whether a PAC is active, if it is
  based on an expired master key, PAC provisioning must occur before
  EAP-FAST phase one can succeed.
• Expired—A PAC older than the PAC TTL is considered expired. Provided
  that the master key used to generate the PAC has not expired, an expired PAC
  can still be used to complete EAP-FAST phase one and, at the end of EAP-FAST
  phase two, Cisco Secure ACS generates a new PAC for the user and
  provides it to the end-user client.
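The decision rules above (provision, use, or use-then-refresh) are easy to get wrong in one direction: a PAC that is still within its own TTL must nevertheless be rejected when the master key it was generated from has expired. The following is an added worked example, not code from the user guide or from Cisco Secure ACS, that models only what this page states: a PAC records which master key it came from, the server knows each master key's generation time and TTL, and the evaluation returns which of the three outcomes applies. The names `MasterKey`, `Pac`, `pac_action`, `refresh_pac`, the key identifiers such as `mk-cur`, and the sample times and TTLs are all constructed for illustration; the "retired" master key state discussed on page 10-21 is not modeled here, and the choice of the newest unexpired master key for a refreshed PAC is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, Optional


class PacAction(Enum):
    PROVISION = "provision"              # no usable PAC: provisioning must precede phase one
    USE = "use"                          # active PAC: completes phase one, no refresh needed
    USE_AND_REFRESH = "use_and_refresh"  # expired PAC: completes phase one, refreshed after phase two


@dataclass(frozen=True)
class MasterKey:
    key_id: str          # hypothetical identifier; ACS's real key encoding is not shown on the page
    generated: datetime
    ttl: timedelta

    def is_expired(self, now: datetime) -> bool:
        # A master key older than its TTL is expired (age == TTL treated as expired; assumption).
        return now - self.generated >= self.ttl


@dataclass(frozen=True)
class Pac:
    master_key_id: str   # the master key this PAC was generated from
    generated: datetime


def pac_action(pac: Optional[Pac], master_keys: Dict[str, MasterKey],
               pac_ttl: timedelta, now: datetime) -> PacAction:
    """Decide what EAP-FAST must do with the PAC (if any) that a client presents."""
    if pac is None:
        return PacAction.PROVISION
    key = master_keys.get(pac.master_key_id)
    # A PAC whose master key is expired (or unknown to this server, which is treated
    # the same way here as an assumption) cannot be used, even if the PAC itself is
    # still younger than the PAC TTL: provisioning is required before phase one.
    if key is None or key.is_expired(now):
        return PacAction.PROVISION
    if now - pac.generated < pac_ttl:
        return PacAction.USE              # active PAC (younger than the PAC TTL)
    return PacAction.USE_AND_REFRESH      # expired PAC, but its master key is still valid


def refresh_pac(master_keys: Dict[str, MasterKey], now: datetime) -> Pac:
    """Issue the replacement PAC handed out at the end of phase two (assumes newest unexpired key)."""
    live = [k for k in master_keys.values() if not k.is_expired(now)]
    if not live:
        raise RuntimeError("no unexpired master key available; cannot issue a PAC")
    newest = max(live, key=lambda k: k.generated)
    return Pac(newest.key_id, now)


# Constructed sample data: one expired and one current master key, 7-day PAC TTL.
NOW = datetime(2024, 1, 1, 12, 0, 0)
PAC_TTL = timedelta(days=7)
MASTER_KEYS = {
    "mk-old": MasterKey("mk-old", NOW - timedelta(days=100), timedelta(days=30)),  # expired
    "mk-cur": MasterKey("mk-cur", NOW - timedelta(days=10), timedelta(days=30)),   # current
}


def scenarios() -> Dict[str, PacAction]:
    """Evaluate the cases the page describes against the constructed keys."""
    cases = {
        "no_pac": None,
        "young_pac_expired_key": Pac("mk-old", NOW - timedelta(days=1)),   # 1 day old, key expired
        "active_pac": Pac("mk-cur", NOW - timedelta(days=2)),              # 2 days old, key valid
        "expired_pac_valid_key": Pac("mk-cur", NOW - timedelta(days=9)),   # 9 days old, key valid
        "unknown_key": Pac("mk-unknown", NOW - timedelta(days=1)),
    }
    return {name: pac_action(pac, MASTER_KEYS, PAC_TTL, NOW) for name, pac in cases.items()}


if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name:24s} -> {action.value}")
    print("refreshed PAC bound to", refresh_pac(MASTER_KEYS, NOW).master_key_id)
```

The case worth checking in any real deployment is `young_pac_expired_key`: a client can hold a PAC that is only a day old and still be forced through provisioning, because the PAC's age is judged against the PAC TTL while its usability is judged against the master key TTL. Conversely, `expired_pac_valid_key` shows that an expired PAC is not a hard failure; it authenticates and is replaced.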
Automatic PAC Provisioning
Automatic PAC provisioning sends a new PAC to an end-user client over a secured
network connection. It requires no intervention by the network user or by a
Cisco Secure ACS administrator, provided that both Cisco Secure ACS and the
end-user client are configured to support automatic provisioning.