B-14
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
Note: All communication between the host and ACS goes through the network device.
EAP-TLS authentication fails if the:
• Server fails to verify the client's certificate, and rejects EAP-TLS authentication.
• Client fails to verify the server's certificate, and rejects EAP-TLS authentication.
Certificate validation fails if the:
– Certificate has expired.
– Server or client cannot find the certificate issuer.
– Signature check failed.
• Client dropped the exchange, resulting in malformed EAP packets.
EAP-TLS also supports the Session Resume feature. ACS supports EAP-TLS session resume for fast
reauthentication of a user who has already passed full EAP-TLS authentication. If the EAP-TLS
configuration includes a session timeout period, ACS caches each TLS session for the duration of
that timeout period.
When a user reconnects within the configured EAP-TLS session timeout period, ACS resumes the cached
EAP-TLS session, and the user reauthenticates by a TLS handshake only, without a certificate
comparison. Because the certificate checks are skipped on a resumed session, a client certificate
that has expired or otherwise stopped validating since the full authentication is not rechecked until
the cached session times out; choose the session timeout with that window in mind.
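The following Go program is an added illustration of the two preceding passages and is not code from this guide or from ACS. It applies the three certificate checks the guide lists (expiry, issuer lookup, signature) to a client certificate using Go's standard crypto/x509 package, then models the session cache: a reconnect inside the timeout is resumed without re-examining the certificate, so a certificate that has gone bad in the meantime is still accepted until the entry expires. The test PKI (a CA named "Example Lab CA" and a client certificate for "alice"), the session IDs, the 30-minute timeout and the fixed clock are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Reason is the outcome of the server-side EAP-TLS certificate checks the guide lists.
type Reason string

const (
	Valid          Reason = "valid"
	Expired        Reason = "certificate has expired"
	IssuerNotFound Reason = "cannot find the certificate issuer"
	BadSignature   Reason = "signature check failed"
	ChainInvalid   Reason = "chain validation failed"
)

// ValidateClientCert applies the guide's three checks in order, then lets crypto/x509
// finish the chain (CA basic constraints, CA validity, client-auth extended key usage).
func ValidateClientCert(leaf *x509.Certificate, issuers []*x509.Certificate, now time.Time) Reason {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return Expired
	}
	var issuer *x509.Certificate
	for _, ca := range issuers { // the DER issuer name must equal a trusted CA's subject
		if bytes.Equal(leaf.RawIssuer, ca.RawSubject) {
			issuer = ca
		}
	}
	if issuer == nil {
		return IssuerNotFound
	}
	if leaf.CheckSignatureFrom(issuer) != nil {
		return BadSignature
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return ChainInvalid
	}
	return Valid
}

// SessionCache models ACS caching each TLS session for the configured session timeout. A
// reconnect inside the timeout is resumed by TLS handshake alone; the certificate is not
// looked at again, so one that stopped validating is still accepted until the entry expires.
type SessionCache struct {
	Timeout time.Duration
	entries map[string]time.Time // session ID -> time of the last full authentication
}

// Authenticate returns the result and whether the session was resumed.
func (c *SessionCache) Authenticate(id string, leaf *x509.Certificate,
	issuers []*x509.Certificate, now time.Time) (Reason, bool) {
	if t, ok := c.entries[id]; ok && now.Sub(t) < c.Timeout {
		return Valid, true
	}
	if c.entries == nil {
		c.entries = map[string]time.Time{}
	}
	delete(c.entries, id)
	r := ValidateClientCert(leaf, issuers, now)
	if r == Valid {
		c.entries[id] = now
	}
	return r, false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestPKI builds a throwaway CA (10-year validity) and a client certificate it signed
// (1-year validity). Constructed test data, not any real deployment's PKI.
func NewTestPKI(notBefore time.Time) (ca, client *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Lab CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey))))
	return ca, client
}

// Tamper flips the last byte of the DER encoding (the tail of the signature) and re-parses
// it: the certificate still parses, but its signature no longer verifies.
func Tamper(cert *x509.Certificate) *x509.Certificate {
	raw := append([]byte(nil), cert.Raw...)
	raw[len(raw)-1] ^= 0x01
	return must(x509.ParseCertificate(raw))
}
```

With a fresh certificate ValidateClientCert returns Valid; moving the clock past NotAfter yields Expired, passing no trusted CAs yields IssuerNotFound, and the tampered copy yields BadSignature. Authenticate performs the full checks once, resumes the same session ID inside the timeout without examining the certificate at all (the tampered copy is accepted there), and only re-runs the checks after the entry has aged out. Go's Verify does not consult CRLs or OCSP; if revocation matters, check it before caching the session, because the cached session will not look at the certificate again until the timeout expires.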
Related Topics
• Types of PACs, page B-22
• User Certificate Authentication, page B-6
PEAPv0/1
This section contains the following topics:
• Overview of PEAP, page B-15
• EAP-MSCHAPv2, page B-30
ACS 5.3 supports these PEAP supplicants:
• Microsoft Built-In Clients 802.1x XP (PEAPv0 only)
• Microsoft Built-In Clients 802.1x Vista (PEAPv0 only)
• Microsoft Built-In Clients 802.1x Windows 7
• CSSC v.4.0
• CSSC v.5
• Funk Odyssey access client (latest version)
• Intel Supplicant 12.4.x