Enabling eap-fast – Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

Enabling EAP-FAST

This procedure provides an overview of the detailed procedures required to
configure Cisco Secure ACS to support EAP-FAST authentication.

Note

End-user clients must be configured to support EAP-FAST. This procedure is
specific to configuring Cisco Secure ACS only.

Before You Begin

The steps in this procedure are a suggested order only. Enabling EAP-FAST at
your site may require repeating these steps or performing them in a
different order. For example, in this procedure, determining how you want to
support PAC provisioning comes after configuring a user database to support
EAP-FAST; however, choosing automatic PAC provisioning places different
limits upon user database support.

To enable Cisco Secure ACS to perform EAP-FAST authentication, follow these
steps:

Step 1

Configure a user database that supports EAP-FAST authentication. To determine
which user databases support EAP-FAST authentication, see Authentication
Protocol-Database Compatibility, page 1-10. For user database configuration,
see Chapter 13, “User Databases”.

Note

User database support differs for EAP-FAST phase zero and phase two.

Cisco Secure ACS supports use of the Unknown User Policy and group mapping
with EAP-FAST, as well as password aging with Windows external user
databases.

Step 2

Determine master key and PAC TTL values. While changing keys and PACs more
frequently could be considered more secure, it also increases the likelihood that
PAC provisioning will be needed for machines left offline so long that the PACs
on them are based on expired master keys.

Also, if you reduce the TTL values that you initially deploy EAP-FAST with, you
may force PAC provisioning to occur because users would be more likely to have
PACs based on expired master keys.
