Cisco 3.3 User Manual

Page 396


Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

10-16

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

before the next successful master key replication. If the backup master key
also retires before the next successful master key replication, EAP-FAST
authentication fails for all users requesting network access with EAP-FAST.

Tip

If EAP-FAST authentication fails because the active and backup master keys have
retired and Cisco Secure ACS has not received new master keys in replication,
you can force Cisco Secure ACS to generate its own master keys by selecting the
EAP-FAST Master Server check box and clicking Submit.

Cisco Secure ACS records the generation of master keys in the logs for the
CSAuth service.

Retired—When a master key becomes older than the Master key TTL
settings, it is considered retired for as long as specified by the Retired master
key TTL settings. Cisco Secure ACS can store up to 255 retired master keys.
While a retired master key is not used to generate new PACs, Cisco Secure
ACS needs it to authenticate PACs that were generated using it. When you
define TTLs for master keys and retired master keys, Cisco Secure ACS
permits only TTL settings that require storing 255 or fewer retired master
keys. For example, if the master key TTL is 1 hour and the retired master key
TTL is 4 weeks, this would require storing up to 671 retired master keys;
therefore, Cisco Secure ACS presents an error message and does not allow
these settings.

When a user gains network access using a PAC generated with a retired
master key, Cisco Secure ACS provides the end-user client a new PAC
generated with the active master key. For more information about
Cisco Secure ACS with respect to the states of master keys and PACs, see
Master Key and PAC TTLs, page 10-21.

Expired—When a master key becomes older than the sum of the master key
TTL and retired master key TTL settings, it is considered expired and
Cisco Secure ACS deletes it from its records of master keys. For example, if
the master key TTL is one hour and the retired master key TTL is one week,
a master key expires when it becomes greater than one week and one hour old.

PACs generated by an expired master key cannot be used to access your
network. An end-user client presenting a PAC that was generated with an
expired master key must be provided a new PAC using automatic or manual
provisioning before phase one of EAP-FAST can succeed.
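The following Python model, added here as an illustration and not Cisco's code, ties together the Retired and Expired descriptions above: it classifies a master key by age against the two TTLs, applies the 255-retired-key limit from the guide to a proposed TTL pair, and decides what happens to a PAC depending on the state of the key that generated it. The function names and the ceiling-division estimate of the retired-key count are assumptions; the guide does not say exactly how Cisco Secure ACS counts.

```python
# Added model of the EAP-FAST master-key lifecycle described in the guide.
# TTL semantics, the 255 retired-key limit and the PAC handling rules come from
# the page; function names and the counting method are assumptions.
from enum import Enum

MAX_RETIRED_KEYS = 255  # stated limit on stored retired master keys
HOUR, WEEK = 3600, 7 * 24 * 3600


class KeyState(Enum):
    ACTIVE = "active"
    RETIRED = "retired"
    EXPIRED = "expired"


def key_state(age: int, master_ttl: int, retired_ttl: int) -> KeyState:
    """Classify a master key by age (seconds): active until the master key TTL,
    retired until master key TTL + retired master key TTL, expired after that."""
    if age <= master_ttl:
        return KeyState.ACTIVE
    if age <= master_ttl + retired_ttl:
        return KeyState.RETIRED
    return KeyState.EXPIRED


def retired_keys_needed(master_ttl: int, retired_ttl: int) -> int:
    """Approximate upper bound on retired keys held at once: a new master key is
    generated every master TTL and each stays retired for the retired TTL.
    Ceiling division is an assumption (the guide quotes 671 for 1 hour / 4 weeks;
    either way the figure is far above 255)."""
    return -(-retired_ttl // master_ttl)


def validate_ttls(master_ttl: int, retired_ttl: int) -> bool:
    """Mirror the ACS check: a TTL pair is only permitted if it requires
    storing 255 or fewer retired master keys."""
    return retired_keys_needed(master_ttl, retired_ttl) <= MAX_RETIRED_KEYS


def pac_decision(key_age: int, master_ttl: int, retired_ttl: int) -> str:
    """What ACS does with a presented PAC, based on the state of the master
    key that generated it."""
    state = key_state(key_age, master_ttl, retired_ttl)
    if state is KeyState.ACTIVE:
        return "accept"
    if state is KeyState.RETIRED:
        return "accept and issue new PAC from active master key"
    return "reject; client needs automatic or manual PAC provisioning"
```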
