Cisco 3.3 User Manual


Chapter 10 System Configuration: Authentication and Certificates

Global Authentication Setup

User Guide for Cisco Secure ACS for Windows Server (78-16592-01), page 10-28

session timeout (minutes) box, selecting the Enable Fast Reconnect
check box has no effect on PEAP authentication and phase two of PEAP
authentication always occurs.

EAP-FAST—You can configure the following options for EAP-FAST:

Allow EAP-FAST—Whether Cisco Secure ACS permits EAP-FAST
authentication.

Note

If users access your network using a AAA client defined in the
Network Configuration section as a RADIUS (Cisco Aironet) device,
one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be
enabled on the Global Authentication Setup page; otherwise, Cisco
Aironet users cannot authenticate.

Master Key TTL—The duration that a master key is used to generate
new PACs. When the master key becomes older than the master key TTL,
Cisco Secure ACS retires the master key and generates a new master key.
The default master key TTL is one month.

Note

Decreasing the master key TTL can cause retired master keys to
expire, because a master key expires when it is older than the sum of
the master key TTL and the retired master key TTL. PACs generated with
a master key that expires in this way are no longer accepted, so the
end-user clients holding such PACs must be provisioned with new PACs.

For more information about master keys, see About Master Keys, page 10-15.

Retired master key TTL—The duration that PACs generated using a
retired master key are acceptable for EAP-FAST authentication. In other
words, the retired master key TTL defines the length of the grace period
during which PACs generated with a master key that is no longer active
are acceptable. When an end-user client gains network access using a
PAC based on a retired master key, Cisco Secure ACS sends a new PAC
to the end-user client. The default retired master key TTL is three
months.

When a retired master key ages past the retired master key TTL, it expires
and Cisco Secure ACS deletes it.
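The following is an added example, not Cisco Secure ACS code, that models the master key lifecycle described in the Master Key TTL and Retired master key TTL entries above: a key is active until it is older than the master key TTL, retired until it is older than the master key TTL plus the retired master key TTL, and deleted after that. It also reproduces the note's warning by lowering the master key TTL and reporting which retired keys expire as a result. The key identifiers, the 30-day and 90-day values standing in for "one month" and "three months", the simulated timeline, and the class and function names are all assumptions of this example.

```python
"""Model of the EAP-FAST master key lifecycle described on this page.

Constructed illustration, not Cisco Secure ACS code. Rules modelled:
  - a master key generates PACs until it is older than the master key TTL,
    then it is retired and a new master key is generated;
  - PACs from a retired key are still accepted, and the client is sent a
    new PAC, until the key is older than master TTL + retired master TTL;
  - past that point the key expires and is deleted, so its PACs are rejected
    and the client needs PAC provisioning.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Defaults from the page ("one month" / "three months"); the exact day
# counts are an assumption of this example.
DEFAULT_MASTER_KEY_TTL = timedelta(days=30)
DEFAULT_RETIRED_MASTER_KEY_TTL = timedelta(days=90)


class KeyState(Enum):
    ACTIVE = "active"
    RETIRED = "retired"
    EXPIRED = "expired"


class PacResult(Enum):
    ACCEPT = "accept"                      # PAC from the active master key
    ACCEPT_REPROVISION = "accept+new-pac"  # PAC from a retired key: accepted, new PAC sent
    REJECT = "reject"                      # key expired and deleted: PAC provisioning needed


@dataclass(frozen=True)
class MasterKey:
    key_id: int        # assumed identifier; ACS does not expose one like this
    created: datetime


@dataclass(frozen=True)
class Pac:
    master_key_id: int  # which master key this PAC was generated from
    username: str


def key_state(key: MasterKey, now: datetime,
              master_ttl: timedelta, retired_ttl: timedelta) -> KeyState:
    """Expiry is measured against master TTL + retired TTL, which is why
    lowering the master TTL can expire keys that were merely retired."""
    age = now - key.created
    if age <= master_ttl:
        return KeyState.ACTIVE
    if age <= master_ttl + retired_ttl:
        return KeyState.RETIRED
    return KeyState.EXPIRED


class MasterKeyRing:
    """The active master key plus retired keys still inside their grace period."""

    def __init__(self, now: datetime,
                 master_ttl: timedelta = DEFAULT_MASTER_KEY_TTL,
                 retired_ttl: timedelta = DEFAULT_RETIRED_MASTER_KEY_TTL):
        self.master_ttl = master_ttl
        self.retired_ttl = retired_ttl
        self.keys: list[MasterKey] = []
        self._next_id = 1
        self._generate(now)

    def _generate(self, now: datetime) -> MasterKey:
        key = MasterKey(self._next_id, now)
        self._next_id += 1
        self.keys.append(key)  # the newest key is always the active one
        return key

    def active_key(self) -> MasterKey:
        return self.keys[-1]

    def rotate(self, now: datetime) -> None:
        """Retire the active key once older than the master key TTL, and
        delete every key that has aged past master TTL + retired TTL."""
        if now - self.active_key().created > self.master_ttl:
            self._generate(now)
        self.keys = [k for k in self.keys
                     if key_state(k, now, self.master_ttl, self.retired_ttl)
                     is not KeyState.EXPIRED]

    def issue_pac(self, username: str, now: datetime) -> Pac:
        self.rotate(now)
        return Pac(self.active_key().key_id, username)

    def authenticate(self, pac: Pac, now: datetime) -> tuple[PacResult, Optional[Pac]]:
        """How a presented PAC is treated; the second element is the
        replacement PAC sent to the client when the PAC's key is retired."""
        self.rotate(now)
        key = next((k for k in self.keys if k.key_id == pac.master_key_id), None)
        if key is None:
            return PacResult.REJECT, None
        if key_state(key, now, self.master_ttl, self.retired_ttl) is KeyState.ACTIVE:
            return PacResult.ACCEPT, None
        return PacResult.ACCEPT_REPROVISION, Pac(self.active_key().key_id, pac.username)

    def set_master_key_ttl(self, new_ttl: timedelta, now: datetime) -> list[int]:
        """Apply a new master key TTL and return the ids of retired keys that
        expire because of it (the note's warning about decreasing the TTL)."""
        before = {k.key_id for k in self.keys}
        self.master_ttl = new_ttl
        self.rotate(now)
        return sorted(before - {k.key_id for k in self.keys})


def walkthrough() -> dict:
    """Constructed timeline exercising every outcome; returned for checking."""
    t0 = datetime(2004, 1, 1)
    day = timedelta(days=1)
    ring = MasterKeyRing(t0)
    pac = ring.issue_pac("alice", t0)                       # PAC from key 1
    fresh, _ = ring.authenticate(pac, t0 + 10 * day)        # key 1 still active
    grace, new_pac = ring.authenticate(pac, t0 + 45 * day)  # key 1 retired, key 2 active
    ring.rotate(t0 + 100 * day)                             # key 2 retired, key 3 active
    # Under the 30-day TTL key 1 stays retired until day 120; cutting the
    # master TTL to 7 days moves its expiry to day 97, so it is deleted now.
    expired_by_change = ring.set_master_key_ttl(7 * day, t0 + 100 * day)
    after_change, _ = ring.authenticate(pac, t0 + 100 * day)
    return {
        "fresh": fresh.value,
        "grace": grace.value,
        "new_pac_key": new_pac.master_key_id,
        "expired_by_change": expired_by_change,
        "after_change": after_change.value,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The point the timeline makes is the one the note warns about: Alice's PAC from key 1 is accepted on day 45 (with a new PAC issued) and would have stayed acceptable until day 120, but shortening the master key TTL on day 100 expires key 1 immediately, and her old PAC is rejected until she is provisioned with a fresh one.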
