PEAP and the Unknown User Policy – Cisco Secure ACS 3.3 User Manual


User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 10-11

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

Changes to group assignment in an external user database are not enforced by the
session resume feature, because group mapping does not occur when a session is
extended by session resume. Instead, the user remains in the Cisco Secure ACS
group to which the user was mapped at the beginning of the session. Group mapping
enforces the new group assignment only when a new session starts.

The fast reconnect feature is particularly useful for wireless LANs, where a user
may move the client computer so that it associates with a different wireless
access point. When Cisco Secure ACS resumes a PEAP session, the user
reauthenticates without entering a password, provided that the session has not
timed out. If the end-user client is restarted, the user must enter a password
even if the session timeout interval has not ended.

You can enable the PEAP fast reconnect feature on the Global Authentication
Setup page. For more information about enabling this feature, see Global
Authentication Setup, page 10-26.

PEAP and the Unknown User Policy

During PEAP authentication, Cisco Secure ACS may not know the real username to
be authenticated until phase two. The Microsoft PEAP client reveals the actual
username during phase one, but the Cisco PEAP client does not. Cisco Secure ACS
therefore never looks up the username presented during phase one, and the
Unknown User Policy is irrelevant during phase one regardless of the PEAP client
used.

When phase two of PEAP authentication occurs and the username presented by
the PEAP client is unknown to Cisco Secure ACS, Cisco Secure ACS processes
the username in the same way that it processes usernames presented in other
authentication protocols. If the username is unknown and the Unknown User
Policy is disabled, authentication fails. If the username is unknown and the
Unknown User Policy is enabled, Cisco Secure ACS attempts to authenticate the
PEAP user with unknown user processing.

For more information about unknown user processing, see About Unknown User
Authentication, page 15-4.
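The following is an added example, not Cisco's code and not taken from the guide, that models the two behaviours described above on constructed data: the phase-two username lookup with the Unknown User Policy enabled or disabled, and session resume keeping the group mapped at session start even after the external database changes. All usernames, passwords, groups and the timeout value are made up; the timeout is assumed to be measured from the start of the session, and real TLS session state is not modelled.

```python
"""Model of Cisco Secure ACS PEAP behaviour (added example, constructed data)."""
from dataclasses import dataclass
import secrets


@dataclass
class PeapSession:
    username: str   # inner (phase-two) identity
    group: str      # Cisco Secure ACS group mapped at session start
    started: float  # time of the full (password) authentication


class AcsModel:
    def __init__(self, local_users, external_db, unknown_user_policy, session_timeout):
        # constructed stores: username -> (password, group)
        self.local_users = local_users          # Cisco Secure ACS internal database
        self.external_db = external_db          # an external user database
        self.unknown_user_policy = unknown_user_policy
        self.session_timeout = session_timeout  # seconds, assumed to run from session start
        self.sessions = {}                      # session id -> PeapSession

    def authenticate(self, outer_identity, inner_username, password, now):
        """Full PEAP authentication. Returns (result, session_id)."""
        # Phase one: outer_identity only sets up the TLS tunnel. It is never
        # looked up, so the Unknown User Policy plays no part here, whether the
        # client sent an anonymous identity or the real username.
        if inner_username in self.local_users:
            expected_pw, group = self.local_users[inner_username]
        elif not self.unknown_user_policy:
            return "FAIL_UNKNOWN_USER", None      # unknown and policy disabled
        elif inner_username in self.external_db:
            # Unknown user processing: try the external database and map the
            # user's external group to an ACS group once, at session start.
            expected_pw, group = self.external_db[inner_username]
        else:
            return "FAIL_UNKNOWN_USER", None      # not found anywhere
        if password != expected_pw:
            return "FAIL_BAD_PASSWORD", None
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = PeapSession(inner_username, group, now)
        return "PASS", session_id

    def fast_reconnect(self, session_id, client_restarted, now):
        """Session resume. Returns (result, group). No password is checked and
        group mapping is NOT repeated: the group cached at session start is reused."""
        s = self.sessions.get(session_id)
        if s is None or client_restarted or now - s.started > self.session_timeout:
            self.sessions.pop(session_id, None)
            return "FULL_AUTH_REQUIRED", None
        return "PASS", s.group


def run_scenario():
    """Walk through the cases the text describes; returns the observations."""
    local = {"alice": ("alice-pw", "Staff")}
    external = {"bob": ("bob-pw", "Engineering")}
    timeout = 3600
    out = {}

    # Policy disabled: a locally defined user passes, an external-only user fails.
    acs = AcsModel(local, external, unknown_user_policy=False, session_timeout=timeout)
    out["alice_policy_off"] = acs.authenticate("anonymous", "alice", "alice-pw", now=0)[0]
    out["bob_policy_off"] = acs.authenticate("anonymous", "bob", "bob-pw", now=0)[0]

    # Policy enabled: unknown user processing finds bob in the external database.
    acs = AcsModel(local, external, unknown_user_policy=True, session_timeout=timeout)
    result, sid = acs.authenticate("anonymous", "bob", "bob-pw", now=0)
    out["bob_policy_on"] = result
    out["bob_initial_group"] = acs.sessions[sid].group

    # Bob's group changes in the external database while the session is alive ...
    external["bob"] = ("bob-pw", "Contractors")
    # ... but a resume within the timeout still carries the group mapped at start.
    out["resume_within_timeout"] = acs.fast_reconnect(sid, client_restarted=False, now=600)
    # After the timeout the session is gone and a password is required again.
    out["resume_after_timeout"] = acs.fast_reconnect(sid, client_restarted=False, now=timeout + 1)
    # The new session re-runs group mapping and picks up the new group.
    result, sid2 = acs.authenticate("anonymous", "bob", "bob-pw", now=timeout + 1)
    out["new_session_group"] = acs.sessions[sid2].group
    # A restarted client needs a password even though this session has not timed out.
    out["resume_after_restart"] = acs.fast_reconnect(sid2, client_restarted=True, now=timeout + 2)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the resume path is that a group change (or removal from a group) in the external database does not take effect on a fast reconnect; if a user's authorization must change immediately, the session has to be ended so that the next authentication is a new session.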
