PEAP/EAP-TLS replication in node group

kerai08
Cisco Employee

Hi there,


My customer has a concern around millisecond network/IP outages for the traders.


Question:


1. How is the PEAP/EAP-TLS session resumption replicated between PSNs in a node group?

My customer recognises that in a normal office environment, the PEAP/EAP-TLS exchange and failover process is "almost invisible" and not an issue; however, extra due diligence is required for trader workstations.


Thank you,

Arron

Craig Hyps
Level 10

Feature is based on master key that is common to all so that connection to different PSN will allow resumption based on initial negotiation for same master key.

Thanks, Craig!

Sure. I should add that the implementation is based on RFC 5077 for session ticket extensions with EAP-TLS. The feature is not limited to node group, but config is common across all PSNs as all will leverage the same master ticket. A bit more info is provided in the Reference presentation for BRKSEC-3699 (CiscoLive.com >> Session Catalog >> BRKSEC-3699 @ CLUS Vegas 2017).

Also, the implementation is specific to EAP-TLS.
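
The following is an added example, not part of the original thread and not Cisco's code: a sketch of the RFC 5077 stateless-ticket idea discussed above, where any node holding the shared ticket key can resume a session another node established. The `PSN` class, key names and session contents are hypothetical, and an HMAC-SHA256 keystream stands in for the AES-128-CBC of the RFC's recommended ticket format so the sketch needs only the standard library.

```python
import hashlib
import hmac
import json
import os

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stdlib stand-in for AES-128-CBC (RFC 5077 section 4); illustration only.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

class PSN:
    """Hypothetical policy node holding a ticket key (key name, enc key, MAC key)."""
    def __init__(self, name, key_name, enc_key, mac_key):
        self.name, self.key_name = name, key_name
        self.enc_key, self.mac_key = enc_key, mac_key

    def issue_ticket(self, session_state: dict) -> bytes:
        # After a full handshake: seal the state for the client; the node keeps no copy.
        iv = os.urandom(16)
        plain = json.dumps(session_state).encode()
        enc = bytes(a ^ b for a, b in zip(plain, _keystream(self.enc_key, iv, len(plain))))
        body = self.key_name + iv + enc
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()

    def resume(self, ticket: bytes):
        # Returns the session state, or None, meaning fall back to a full handshake.
        if len(ticket) < 64:
            return None
        body, mac = ticket[:-32], ticket[-32:]
        if body[:16] != self.key_name:
            return None  # sealed under a key this node does not hold
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered ticket or mismatched key material
        iv, enc = body[16:32], body[32:]
        plain = bytes(a ^ b for a, b in zip(enc, _keystream(self.enc_key, iv, len(enc))))
        return json.loads(plain)

# Constructed sample: psn1 and psn2 share one ticket key; psn3 was keyed separately.
shared = (b"ticket-key-0001!", os.urandom(16), os.urandom(32))
psn1, psn2 = PSN("psn1", *shared), PSN("psn2", *shared)
psn3 = PSN("psn3", b"ticket-key-0002!", os.urandom(16), os.urandom(32))
state = {"identity": "trader-ws-17", "master_secret": os.urandom(48).hex()}
ticket = psn1.issue_ticket(state)
```

Because the ticket carries the sealed session state, the security of every resumable session rests on the shared ticket key: a node without it forces a full handshake, and anyone who obtains it can decrypt issued tickets.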