06-22-2009 05:32 PM - edited 11-18-2020 02:39 AM
Global Authentication setup on ACS
The Global Authentication setup page provides a means to enable or disable some of the authentication protocols supported by Cisco Secure ACS. For information on Global Authentication setup and how to configure the different authentication protocols on the ACS.
The Global Authentication Setup page contains the following configuration options:
•PEAP —You can configure the following options for PEAP:
–Allow EAP-MSCHAPv2 —Whether CiscoSecure ACS attempts EAP-MSCHAPv2 authentication with PEAP clients.
Note
If both the Allow EAP-MSCHAPv2 and the Allow EAP-GTC check boxes are selected, CiscoSecure ACS negotiates the EAP type with the end-user PEAP client.
–Allow EAP-GTC —Whether CiscoSecure ACS attempts EAP-GTC authentication with PEAP clients.
–Cisco client initial message —The message you want displayed during PEAP authentication. The PEAP client initial display message is the first challenge a user of a Cisco Aironet PEAP client sees when attempting authentication. It should direct the user on what to do next, for example, "Enter your passcode." The message is limited to 60 characters.
–PEAP session timeout (minutes) —The maximum PEAP session length you want to allow users, in minutes. A session timeout value greater than 0 (zero) enables the PEAP session resume feature, which caches the TLS session created in phase one of PEAP authentication. When a PEAP client reconnects, CiscoSecure ACS uses the cached TLS session to restore the session, which improves PEAP performance. CiscoSecure ACS deletes cached TLS sessions when they time out. The default timeout value is 120 minutes. To disable the session resume feature, set the timeout value to 0 (zero).
–Enable Fast Reconnect —Whether CiscoSecure ACS resumes sessions for PEAP clients without performing phase two of PEAP authentication. Deselecting the Enable Fast Reconnect check box causes CiscoSecure ACS to always perform phase two of PEAP authentication, even when the PEAP session has not timed out.
Fast reconnection can occur only when Cisco Secure ACS allows the session to resume because the session has not timed out. If you disable the PEAP session resume feature by entering 0 (zero) in the PEAP session timeout (minutes) box, selecting the Enable Fast Reconnect check box has no effect on PEAP authentication and phase two of PEAP authentication always occurs.
•EAP-FAST —You can configure the following options for EAP-FAST:
–Allow EAP-FAST —Whether CiscoSecure ACS permits EAP-FAST authentication.
Note
If users access your network using a AAA client defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be enabled on the Global Authentication Setup page; otherwise, Cisco Aironet users cannot authenticate.
–Master Key TTL —The duration that a master key is used to generate new PACs. When the master key becomes older than the master key TTL, CiscoSecure ACS retires the master key and generates a new master key. The default master key TTL is one month.
Note
Decreasing the master key TTL can cause retired master keys to expire because a master key expires when it is older than the sum of the master key TTL and the retired master key TTL; therefore, decreasing the master key TTL requires PAC provisioning for end-user clients with PACs based on the newly expired master keys.
For more information about master keys, see About Master Keys.
–Retired master key TTL —The duration that PACs generated using a retired master key are acceptable for EAP-FAST authentication. In other words, the retired master key TTL defines the length of the grace period during which PACs generated with a master key that is no longer active are acceptable. When an end-user client gains network access using a PAC based on a retired master key, CiscoSecure ACS sends a new PAC to the end-user client. The default retired master key TTL is three months.
When a retired master key ages past the retired master key TTL, it expires and Cisco Secure ACS deletes it.
Note
Decreasing the retired master key TTL is likely to cause some retired master keys to expire; therefore, end-user clients with PACs based on the newly expired master keys require PAC provisioning.
For more information about master keys, see About Master Keys.
–PAC TTL —The duration that a PAC is used before it expires and must be replaced. If the master key used to generate it has not expired, new PAC creation and assignment are automatic. If the master key used to generate it has expired, in-band or out-of-band provisioning must be used to provide the end-user client with a new PAC. The default PAC TTL is one month.
For more information about PACs, see About PACs.
–Client initial display message —Specifies a message to be sent to users who authenticate with an EAP-FAST client. Maximum length is 40 characters.
Note
A user will see the initial display message only if the end-user client supports its display.
–Authority ID Info —A short description of this CiscoSecure ACS, sent along with PACs issued by CiscoSecure ACS. EAP-FAST end-user clients use it to describe the AAA server that issued the PAC. Maximum length is 64 characters.
Note
Authority ID information is not the same as the Authority ID, which is generated automatically by CiscoSecure ACS and is not configurable. While the Authority ID is used by end-user clients to determine which PAC to send to CiscoSecure ACS, the Authority ID information is strictly the human-readable label associated with the Authority ID.
–Allow automatic PAC provisioning —Whether CiscoSecure ACS will provision an end-user client with a PAC using EAP-FAST phase 0. If this check box is selected, CiscoSecure ACS establishes a secured connection with the end-user client for providing a new PAC. If the check box is not selected, CiscoSecure ACS denies the user access and PAC provisioning must be performed out of band (manually).
–EAP-FAST Master Server —When this check box is not selected and when CiscoSecure ACS receives replicated EAP-FAST policies, Authority ID, and master keys, CiscoSecure ACS uses them rather than its own EAP-FAST policies, Authority ID, and master keys.
When this check box is selected, Cisco Secure ACS uses its own EAP-FAST policies, Authority ID, and master keys. For more information, see Table 10-2.
Note
Click Submit + Restart if you change the EAP-FAST master server setting.
–Actual EAP-FAST server status —This read-only option displays the state of CiscoSecure ACS with respect to EAP-FAST. If this option displays "Master", CiscoSecure ACS generates its own master keys and Authority ID. If this option displays "Slave", CiscoSecure ACS uses master keys and the Authority ID it receives during replication. For more information, see Table 10-2.
Tip:
If you deselect the EAP-FAST Master Server check box, EAP-FAST server status remains "Master" until CiscoSecure ACS receives replicated EAP-FAST components.
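The master key TTL, retired master key TTL, PAC TTL and automatic PAC provisioning options above interact: a PAC stays usable only while its master key is active or retired, and shortening a TTL can push keys straight into the expired state. The following model, added here as an illustration and not ACS code, walks through that lifecycle; the state names, the `EapFastPolicy` fields and the 30/90-day figures standing in for "one month" and "three months" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Tuple

DAY = timedelta(days=1)


@dataclass(frozen=True)
class EapFastPolicy:
    """Global Authentication Setup values (defaults approximated in days, an assumption)."""
    master_key_ttl: timedelta = 30 * DAY          # "one month"
    retired_master_key_ttl: timedelta = 90 * DAY  # "three months" grace period
    pac_ttl: timedelta = 30 * DAY                 # "one month"
    auto_pac_provisioning: bool = True            # Allow automatic PAC provisioning


def master_key_state(policy: EapFastPolicy, key_age: timedelta) -> str:
    """A key is active until the master key TTL, retired until TTL + retired TTL, then expired."""
    if key_age <= policy.master_key_ttl:
        return "active"
    if key_age <= policy.master_key_ttl + policy.retired_master_key_ttl:
        return "retired"
    return "expired"


def evaluate_pac(policy: EapFastPolicy, key_age: timedelta, pac_age: timedelta) -> Tuple[str, str]:
    """Decide what ACS does with a PAC whose master key is key_age old and which is pac_age old."""
    state = master_key_state(policy, key_age)
    if state == "expired":
        # The generating master key is gone, so the PAC cannot be validated at all.
        if policy.auto_pac_provisioning:
            return "reject", "phase-0 automatic PAC provisioning"
        return "reject", "deny; out-of-band provisioning required"
    if pac_age > policy.pac_ttl:
        # PAC expired but its master key is still known: a new PAC is created automatically.
        return "reject", "automatic PAC renewal"
    if state == "retired":
        # Accepted during the grace period; ACS hands the client a PAC under the current key.
        return "accept", "issue new PAC under current master key"
    return "accept", "none"


def newly_expired_keys(old: EapFastPolicy, new: EapFastPolicy,
                       key_ages: List[timedelta]) -> List[timedelta]:
    """Master keys that were usable under `old` but expire as soon as `new` is applied (the Note's warning)."""
    return [age for age in key_ages
            if master_key_state(old, age) != "expired" and master_key_state(new, age) == "expired"]
```

Run with a 50-day-old master key and a 25-day-old PAC: the defaults accept it and re-issue, while a policy with the retired master key TTL cut to 10 days rejects it and forces provisioning.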
•EAP-TLS —You can configure the following options for EAP-TLS:
–Allow EAP-TLS —Whether CiscoSecure ACS permits EAP-TLS authentication.
Note
If users access your network using a AAA client defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be enabled on the Global Authentication Setup page; otherwise, Cisco Aironet users cannot authenticate.
–Certificate SAN comparison —Whether authentication is performed by comparing the Subject Alternative Name (SAN) of the end-user client certificate to the username in the applicable user database.
Note
If you select more than one comparison type, CiscoSecure ACS performs the comparisons in the order listed. If one comparison type fails, CiscoSecure ACS attempts the next enabled comparison type. Comparison stops after the first successful comparison.
–Certificate CN comparison —Whether authentication is performed by comparing the Common Name of the end-user client certificate to the username in the applicable user database.
–Certificate Binary comparison —Whether authentication is performed by a binary comparison of the end-user client certificate to the user certificate stored in the applicable user database. This comparison method cannot be used to authenticate users stored in an ODBC external user database.
–EAP-TLS session timeout (minutes) —The maximum EAP-TLS session length you want to allow users, in minutes. A session timeout value greater than 0 (zero) enables the EAP-TLS session resume feature. The session resume feature allows users to reauthenticate without a user lookup or certificate comparison provided that the session has not timed out. If the end-user client is restarted, authentication requires a certificate lookup even if the session timeout interval has not ended. The default timeout value is 120 minutes. To disable the session timeout feature, set the timeout value to 0 (zero).
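The ordered SAN, CN and binary comparisons described above, with the stop-on-first-success rule and the ODBC restriction on binary comparison, as an added example that is not ACS code. The `ClientCert` and `UserRecord` shapes, the exact-match string comparison and the `"odbc"` source label are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class ClientCert:
    """Fields of the end-user certificate that the three comparison types look at (constructed)."""
    san: Optional[str]   # Subject Alternative Name, may be absent
    cn: str              # Common Name
    der: bytes           # encoded certificate, for binary comparison


@dataclass(frozen=True)
class UserRecord:
    """The matching entry in the applicable user database (constructed)."""
    username: str
    cert_der: Optional[bytes]  # stored user certificate, if the database holds one
    source: str                # e.g. "ad" or "odbc" (assumed labels)


# The order in which the Global Authentication Setup page lists the comparison types.
COMPARISON_ORDER = ("san", "cn", "binary")


def eap_tls_compare(enabled: Set[str], cert: ClientCert, user: UserRecord) -> Optional[str]:
    """Return the first enabled comparison type that succeeds, or None if all fail."""
    for method in COMPARISON_ORDER:
        if method not in enabled:
            continue  # comparison type not selected on the page
        if method == "san":
            if cert.san is not None and cert.san == user.username:
                return "san"
        elif method == "cn":
            if cert.cn == user.username:
                return "cn"
        elif method == "binary":
            if user.source == "odbc":
                continue  # binary comparison cannot authenticate ODBC users
            if user.cert_der is not None and cert.der == user.cert_der:
                return "binary"
        # a failed comparison falls through to the next enabled type
    return None
```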
•LEAP —The Allow LEAP (For Aironet only) check box controls whether CiscoSecure ACS performs LEAP authentication. LEAP is currently used only for Cisco Aironet wireless networking. If you disable this option, Cisco Aironet end-user clients configured to perform LEAP authentication cannot access the network. If all Cisco Aironet end-user clients use a different authentication protocol, such as EAP-TLS, we recommend that you disable this option.
Note
If users access your network using a AAA client defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, either LEAP, EAP-TLS, or both must be enabled on the Global Authentication Setup page; otherwise, Cisco Aironet users cannot authenticate.
•EAP-MD5 —The Allow EAP-MD5 check box controls whether CiscoSecure ACS performs EAP-MD5 authentication. If you disable this option, end-user clients configured to perform EAP-MD5 authentication cannot access the network. If no end-user clients use EAP-MD5, we recommend that you disable this option.
•AP EAP request timeout (seconds) —Whether Cisco Secure ACS instructs Cisco Aironet Access Points (APs) to use the specified timeout value during EAP conversations. The value specified must be the number of seconds after which Cisco Aironet APs should assume that an EAP transaction with CiscoSecure ACS has been lost and should be restarted. A value of 0 (zero) disables this feature.
Note
The AP EAP request timeout feature is available beginning in Cisco Secure ACS version 3.2.3. Earlier versions of Cisco Secure ACS do not include this feature.
During EAP conversations, CiscoSecure ACS sends the value defined in the AP EAP request timeout box using the IETF RADIUS Session-Timeout (27) attribute; however, in the RADIUS Access-Accept packet at the end of the conversation, the value that CiscoSecure ACS sends in the IETF RADIUS Session-Timeout (27) attribute is the value specified in the Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not enabled, the IETF RADIUS Session-Timeout (27) attribute.
Note
Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is not a true RADIUS VSA; instead, it represents the value that CiscoSecure ACS sends in the IETF RADIUS Session-Timeout attribute when the AAA client sending the RADIUS request is defined in the Network Configuration as authenticating with RADIUS (Cisco Aironet).
•MS-CHAP Configuration —The Allow MS-CHAP Version 1 Authentication and Allow MS-CHAP Version 2 Authentication check boxes control whether CiscoSecure ACS performs MS-CHAP authentication for RADIUS requests. The two check boxes allow you to further control which versions of MS-CHAP are permitted in RADIUS requests. If you disable a particular version of MS-CHAP, end-user clients configured to authenticate with that version using RADIUS cannot access the network. If no end-user clients are configured to use a specific version of MS-CHAP with RADIUS, we recommend that you disable that version of MS-CHAP.
Note
For TACACS+, CiscoSecure ACS supports only MS-CHAP version 1. TACACS+ support for MS-CHAP version 1 is always enabled and is not configurable.