05-22-2013 09:27 PM - edited 03-10-2019 08:27 PM
Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.
06-01-2013 11:36 PM
Is it the tunnel outer identity?
More importantly though, why are you planning to use EAP-FAST anyway!?
06-02-2013 02:54 PM
I am still unsure what this field actually is for. I can only guess that it is utilised for out-of-band provisioning of the PAC. I deployed EAP-FAST for wireless using the authenticated in-band method and never had to touch this field. As for the reason why I want to use EAP-FAST, it was so that I can use both a machine and user certificate for authorization of the client.
06-23-2013 02:50 AM
I think, for the Tunnel and Machine PAC, the Identity field specifies the username or machine name that is presented as the "inner username" by the EAP-FAST protocol. If the identity string does not match that username, authentication fails.
If you are generating the SGA PAC, the Identity field specifies the Device ID of an SGA network device and is provided with an initiator ID by the EAP-FAST protocol. If the Identity string entered here does not match that Device ID, authentication fails.
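Added example (not part of the original thread and not Cisco code): in the PAC format defined by RFC 5422, the initiator identity bound to a PAC is carried as the I-ID TLV inside PAC-Info. The parser below walks a constructed PAC-Info value to show where that identity and the PAC type sit; the host name, A-ID and lifetime are made-up sample values.

```python
import struct

# PAC TLV type numbers as defined in RFC 5422, section 4.2
PAC_LIFETIME, A_ID, I_ID, A_ID_INFO, PAC_TYPE = 3, 4, 5, 7, 10
PAC_TYPE_NAMES = {1: "Tunnel PAC", 2: "Machine Authentication PAC",
                  3: "User Authorization PAC"}


def tlv(t, value):
    """Encode one PAC TLV: 2-byte type, 2-byte length, then the value."""
    return struct.pack("!HH", t, len(value)) + value


def parse_pac_info(buf):
    """Walk the TLVs inside a PAC-Info value and return the known fields."""
    info, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        t, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("TLV length runs past end of PAC-Info")
        value = buf[off:off + length]
        off += length
        if t == I_ID:            # identity the PAC was issued to
            info["i_id"] = value.decode("utf-8", "replace")
        elif t == A_ID:          # identifier of the issuing server
            info["a_id"] = value.hex()
        elif t == A_ID_INFO:
            info["a_id_info"] = value.decode("utf-8", "replace")
        elif t == PAC_LIFETIME and length == 4:
            info["expires_epoch"] = struct.unpack("!I", value)[0]
        elif t == PAC_TYPE and length == 2:
            n = struct.unpack("!H", value)[0]
            info["pac_type"] = PAC_TYPE_NAMES.get(n, f"unknown ({n})")
    return info


# Constructed sample, not taken from a real ISE deployment.
SAMPLE = (tlv(PAC_LIFETIME, struct.pack("!I", 1700000000))
          + tlv(A_ID, bytes.fromhex("00112233445566778899aabbccddeeff"))
          + tlv(I_ID, b"host/LAPTOP01.example.com")
          + tlv(A_ID_INFO, b"ise-lab")
          + tlv(PAC_TYPE, struct.pack("!H", 2)))

if __name__ == "__main__":
    for key, val in parse_pac_info(SAMPLE).items():
        print(f"{key}: {val}")
```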
06-23-2013 04:01 PM
For what it is worth I think you are correct. The part that perplexes me is that I left the field blank in ISE and left the AnyConnect NAM settings for the identity field as default and everything worked just fine. I am only allowing authenticated PAC provisioning, which made me think I would have to input some sort of string at least. Either way I am still unsure of the need for that field but for the moment I will leave it as is. Thanks for the response though.
10-17-2013 01:57 PM
Hi Stephen,
I was just researching the same exact question and came across this thread. I did find this tidbit in the Wikipedia EAP article:
"EAP-FAST can be used without PAC files, falling back to normal TLS."
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-FAST
10-18-2013 03:43 PM
Use PAC
•Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
•Proactive PAC Update When:
•Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
•Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
–Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
•Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
•Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
Uncheck this check box in the following cases:
–If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
–To always perform phase two of EAP-FAST
When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
•Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.
03-05-2014 06:57 AM
Basant,
Thank you for the detailed information on all of the fields for EAP-FAST!