Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 15 of 42
Figure 5-5 Server Authentication Certificate
5.3 Mixed EAP Protocol Deployments
The Cisco Aironet access point passes through any EAP authentication type presented to it by a client. It is up to the authentication server (RADIUS server) to accept or reject the authentication type and respond accordingly. For EAP-TLS, the AAA/RADIUS server must be able to reject the presented authentication type and respond with the desired type.
For example, Cisco Secure ACS supports fallback from LEAP to EAP-TLS. By default, ACS initially employs LEAP authentication when a client initiates EAP authentication (only if the access point is configured for Cisco Aironet as the RADIUS network-access-server type). If the client is a LEAP client, LEAP is used. If it is not a LEAP client, the client sends an EAP negative-acknowledgment (NAK) message carrying the desired EAP type. If this type is EAP-TLS and the ACS is configured for EAP-TLS, the ACS starts EAP-TLS.
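The LEAP-to-EAP-TLS fallback just described, as an added example in Python that is not Cisco's code: it models the ACS offering LEAP first, a client that supports only EAP-TLS answering with an EAP Nak, and the ACS either starting EAP-TLS or rejecting, depending on whether EAP-TLS is configured. The access point is omitted because it is transparent; EAP type numbers are the IANA-assigned values, and the packet layout follows the EAP header (Code, Identifier, Length, Type, Type-Data).

```python
# Added example, not Cisco code: a minimal model of ACS LEAP -> EAP-TLS fallback.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_EAP_TLS, TYPE_LEAP = 1, 3, 13, 17   # IANA EAP types
EAP_TLS_FLAG_START = 0x20                                          # S bit in EAP-TLS flags

def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet; reject frames whose Length disagrees with the bytes seen."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP Length field does not match frame")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]

def client_respond(request, supported):
    """Client answers a Request: accept the offered type, or Nak with the type(s) it wants."""
    _, ident, offered, _ = parse_eap(request)
    if offered in supported:
        return build_eap(EAP_RESPONSE, ident, offered)
    # Nak is EAP type 3; Type-Data lists the desired authentication type(s)
    return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(supported))

def acs_negotiate(client_supported, acs_eap_tls_enabled):
    """ACS offers LEAP first; on a Nak naming EAP-TLS it switches only if EAP-TLS
    is configured. Returns the agreed EAP type, or None when the ACS rejects."""
    ident = 1
    request = build_eap(EAP_REQUEST, ident, TYPE_LEAP)
    _, _, rtype, rdata = parse_eap(client_respond(request, client_supported))
    if rtype == TYPE_LEAP:
        return TYPE_LEAP
    if rtype == TYPE_NAK and TYPE_EAP_TLS in rdata and acs_eap_tls_enabled:
        # ACS starts EAP-TLS: new identifier, EAP-TLS Start flag set
        start = build_eap(EAP_REQUEST, ident + 1, TYPE_EAP_TLS, bytes([EAP_TLS_FLAG_START]))
        return parse_eap(start)[2]
    return None   # Nak for a type the ACS is not configured for: authentication fails

if __name__ == "__main__":
    print("LEAP client  ->", acs_negotiate([TYPE_LEAP], False))          # 17
    print("TLS client   ->", acs_negotiate([TYPE_EAP_TLS], True))        # 13
    print("TLS, no cfg  ->", acs_negotiate([TYPE_EAP_TLS], False))       # None
```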
5.4 AAA Server Scalability
The AAA server's scalability plays a role in EAP-TLS deployment. The number of EAP-TLS clients, along with EAP-TLS authentications per second (both worst-case and average scenarios), must be considered when assessing the appropriate scalability and availability for the AAA servers.
As an example, although formal testing of ACS using EAP-TLS has not been performed, informal testing indicates a performance reduction compared with LEAP, because of the increased computation requirements of PKI over LEAP. A 20-30 percent reduction can be expected. With this in mind, LEAP has been tested to perform 40-60 authentications per second. With the maximum expected performance reduction, you can reasonably expect 0.7 x 60, or 42, authentications per second using EAP-TLS.