Cisco Systems CSACS3415K9 Computer Accessories User Manual


 
10-17
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 10 Managing Access Policies
Configuring Access Services
Table 10-7 Access Service Properties—Allowed Protocols Page (continued)

Option: Allow EAP-TLS
Description:
  Enables the EAP-TLS authentication protocol and configures EAP-TLS settings. You can specify how ACS verifies the user identity presented in the EAP Identity response from the end-user client. The identity is verified against information in the certificate that the end-user client presents. This comparison occurs after an EAP-TLS tunnel is established between ACS and the end-user client. If you choose Allow EAP-TLS, you can configure the following:
    - Enable Stateless Session Resume—Check this check box to enable the Stateless Session Resume feature for the access service. This feature enables you to configure the following options:
        - Proactive Session Ticket update—Enter a percentage to indicate how much of the Time to Live must elapse before the session ticket is updated. For example, if you enter the value 10, the session ticket update occurs after 10 percent of the Time to Live has expired.
        - Session ticket Time to Live—Enter the maximum lifetime of the session ticket as a positive integer, in days, weeks, months, or years.
  EAP-TLS is a certificate-based authentication protocol. EAP-TLS authentication can occur only after you have completed the required steps to configure certificates. See Configuring Local Server Certificates, page 18-14 for more information.

Option: Allow LEAP
Description:
  Enables LEAP authentication.

Option: Allow PEAP
Description:
  Enables the PEAP authentication protocol and PEAP settings. The default inner method is MSCHAPv2.
  When you check Allow PEAP, you can configure the following PEAP inner methods:
    - Allow EAP-TLS—Check to use EAP-TLS as the inner method.
    - Allow EAP-MSCHAPv2—Check to use EAP-MSCHAPv2 as the inner method.
        - Allow Password Change—Check for ACS to support password changes.
        - Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    - Allow EAP-GTC—Check to use EAP-GTC as the inner method.
        - Allow Password Change—Check for ACS to support password changes.
        - Retry Attempts—Specifies how many times ACS requests user credentials before returning a login failure. Valid values are 1 to 3.
    - Allow PEAP Cryptobinding TLV—Check to use the PEAP cryptobinding TLV support.
    - Allow PEAPv0 only for legacy clients—Check this option to allow PEAP supplicants to negotiate PEAPv0 only.
      Note: A few legacy clients do not conform to the PEAPv1 protocol standard. As a result, the EAP conversations are dropped with an Invalid EAP payload error message.
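The Proactive Session Ticket update and Session ticket Time to Live settings under Allow EAP-TLS are easiest to reason about as a timeline: a ticket is issued, it stays resumable until its TTL runs out, and once the configured percentage of the TTL has elapsed the next resumption also rotates the ticket. The Python model below is an added illustration, not Cisco ACS code or behaviour documented on this page. It assumes that a ticket issued at time t0 is resumable until t0 + TTL, that a resumption arriving after the update threshold succeeds and issues a fresh ticket, that a client with no valid ticket performs a full EAP-TLS handshake, and that weeks, months and years are 7, 30 and 365 days respectively; the connection times in the demo are constructed.

```python
"""Model of the EAP-TLS Stateless Session Resume ticket lifecycle.

Added illustration, not Cisco ACS code. Assumptions (not stated on the page):
a ticket issued at time t0 is usable for stateless resumption until t0 + TTL;
a resumption that arrives once `update_percent` percent of the TTL has elapsed
succeeds and also causes a fresh ticket to be issued (the Proactive Session
Ticket update); a client with no valid ticket performs a full EAP-TLS handshake.
The day counts used for weeks, months and years are also assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed unit lengths; the UI only says the TTL is entered in days, weeks,
# months, or years.
_SECONDS_PER_UNIT = {
    "days": 86400,
    "weeks": 7 * 86400,
    "months": 30 * 86400,   # assumption: 30-day month
    "years": 365 * 86400,   # assumption: 365-day year
}


def ticket_ttl_seconds(value: int, unit: str) -> int:
    """Convert the 'Session ticket Time to Live' setting to seconds.

    The UI requires a positive integer; anything else is rejected here too.
    """
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError("Session ticket Time to Live must be a positive integer")
    if unit not in _SECONDS_PER_UNIT:
        raise ValueError(f"unit must be one of {sorted(_SECONDS_PER_UNIT)}")
    return value * _SECONDS_PER_UNIT[unit]


def update_threshold_seconds(ttl_seconds: int, update_percent: int) -> int:
    """Seconds of the TTL that must elapse before a resumption refreshes the ticket.

    With TTL = 10 days and update_percent = 10, the refresh point is 1 day in,
    matching the worked example in the table.
    """
    if not 0 <= update_percent <= 100:
        raise ValueError("Proactive Session Ticket update must be a percentage (0-100)")
    return ttl_seconds * update_percent // 100


@dataclass
class TicketState:
    """Server-side view of one client's session ticket."""
    ttl: int
    update_after: int
    issued_at: Optional[int] = None          # None until a full handshake issues one
    log: List[str] = field(default_factory=list)

    def handle(self, now: int) -> str:
        """Classify one client connection at time `now` (seconds) and update state."""
        if self.issued_at is None or now >= self.issued_at + self.ttl:
            # No ticket, or an expired one: full EAP-TLS handshake, new ticket issued.
            self.issued_at = now
            outcome = "full-handshake"
        elif now >= self.issued_at + self.update_after:
            # Resume succeeds, and the ticket is proactively replaced so the
            # client does not run into the hard TTL expiry on a later attempt.
            self.issued_at = now
            outcome = "resumed-ticket-updated"
        else:
            outcome = "resumed"
        self.log.append(f"t={now}s: {outcome}")
        return outcome


def simulate(attempt_times: List[int], ttl_value: int, ttl_unit: str,
             update_percent: int) -> List[str]:
    """Run a sequence of connection attempts through one TicketState."""
    ttl = ticket_ttl_seconds(ttl_value, ttl_unit)
    state = TicketState(ttl=ttl,
                        update_after=update_threshold_seconds(ttl, update_percent))
    return [state.handle(t) for t in attempt_times]


if __name__ == "__main__":
    DAY = 86400
    # Constructed connection times (seconds after the first handshake).
    attempts = [0, 3600, DAY + 3600, DAY + 7200, 12 * DAY]
    for t, outcome in zip(attempts, simulate(attempts, 10, "days", 10)):
        print(f"t={t:>8}s  {outcome}")
```

Running the demo with a 10-day TTL and a 10 percent update threshold shows the first connection doing a full handshake, a resumption one hour later reusing the ticket unchanged, a resumption just past the one-day mark resuming and rotating the ticket, and a connection twelve days in falling back to a full handshake because the rotated ticket has itself expired. The percentage therefore controls how early ACS starts handing out replacement tickets, while the TTL bounds how long a ticket that is never refreshed remains usable.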