08-07-2017 09:24 AM
Hi there,
My customer has a concern around millisecond network/IP outages for the traders.
Question:
1. How is the PEAP/EAP-TLS session resumption replicated between PSNs in a node group?
My customer recognises that in a normal office environment the PEAP/EAP-TLS exchange and failover process is "almost invisible" and not an issue; however, extra due diligence is required for trader workstations.
Thank you,
Arron
08-07-2017 09:44 AM
The feature is based on a master key that is common to all PSNs, so that a connection to a different PSN will allow resumption based on the initial negotiation for the same master key.
08-07-2017 09:50 AM
Thanks, Craig!
08-07-2017 01:32 PM
Sure. I should add that the implementation is based on RFC 5077 for session ticket extensions with EAP-TLS. The feature is not limited to node group, but config is common across all PSNs as all will leverage the same master ticket. A bit more info is provided in the Reference presentation for BRKSEC-3699 (CiscoLive.com >> Session Catalog >> BRKSEC-3699 @ CLUS Vegas 2017).
Also, the implementation is specific to EAP-TLS.
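To make the shared-key resumption model concrete, here is an added example (not code from this thread and not Cisco ISE's implementation) of an RFC 5077 style session ticket: the session state is encrypted and MAC'd under a key that every node holds, so a ticket issued by one node can be verified and decrypted by any other node with the same key, while a node with a different key simply falls back to a full handshake. The `PSN` and `TicketKey` types, the key names and the session state are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrUnknownKey = errors.New("key_name not held by this node: full handshake required")
	ErrBadMAC     = errors.New("ticket MAC check failed")
)

// TicketKey is what every PSN must share (the "master ticket" key of the thread):
// a 16-byte key_name, an AES-128 key and an HMAC-SHA256 key, per RFC 5077 section 4.
type TicketKey struct {
	Name   [16]byte
	AESKey []byte
	MACKey []byte
}

// NewTicketKey draws fresh random key material under the given key_name.
func NewTicketKey(name string) TicketKey {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	k := TicketKey{AESKey: buf[:16], MACKey: buf[16:]}
	copy(k.Name[:], name)
	return k
}

// PSN is a hypothetical stand-in for a Policy Service Node, not ISE code.
type PSN struct {
	Name string
	Key  TicketKey
}

// Issue returns key_name(16) || iv(16) || AES-128-CBC(PKCS#7(state)) || HMAC-SHA256.
func (p PSN) Issue(state []byte) ([]byte, error) {
	block, _ := aes.NewCipher(p.Key.AESKey) // key length fixed at 16 by NewTicketKey
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(state)%aes.BlockSize
	padded := append(append([]byte{}, state...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ticket := append(append(append([]byte{}, p.Key.Name[:]...), iv...), ct...)
	mac := hmac.New(sha256.New, p.Key.MACKey)
	mac.Write(ticket)
	return mac.Sum(ticket), nil
}

// Resume checks key_name, verifies the MAC before touching the ciphertext, then
// decrypts. Any node holding the same TicketKey succeeds, which is what lets a
// supplicant resume on a different PSN after a failover.
func (p PSN) Resume(ticket []byte) ([]byte, error) {
	if len(ticket) < 16+2*aes.BlockSize+sha256.Size {
		return nil, errors.New("ticket too short")
	}
	if !bytes.Equal(ticket[:16], p.Key.Name[:]) {
		return nil, ErrUnknownKey
	}
	body, tag := ticket[:len(ticket)-sha256.Size], ticket[len(ticket)-sha256.Size:]
	mac := hmac.New(sha256.New, p.Key.MACKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadMAC
	}
	iv, ct := body[16:16+aes.BlockSize], body[16+aes.BlockSize:]
	block, _ := aes.NewCipher(p.Key.AESKey)
	pt := make([]byte, len(ct)) // MAC-valid tickets are always block aligned
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	shared := NewTicketKey("ise-ticket-key-1") // constructed deployment-wide key
	psnA, psnB := PSN{"psn-a", shared}, PSN{"psn-b", shared}
	psnC := PSN{"psn-c", NewTicketKey("other-key")} // node outside the deployment
	ticket, _ := psnA.Issue([]byte("master_secret for trader-ws-01")) // constructed state
	state, err := psnB.Resume(ticket)
	fmt.Printf("psn-b resume: %q err=%v\n", state, err)
	_, err = psnC.Resume(ticket)
	fmt.Println("psn-c resume:", err)
}
```

The point the example makes is the operational one from the thread: because the ticket carries the encrypted state itself, nothing about the session has to be replicated between nodes; only the ticket key must be identical everywhere, which is why the configuration is common to all PSNs rather than scoped to a node group. Verifying the MAC before decrypting also means a forged or corrupted ticket is rejected without ever being parsed.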