Cisco 3.3 User Manual
Page 390
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
10-10
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
When the end-user client is the Cisco Aironet PEAP client and both
PEAP(EAP-GTC) and PEAP(EAP-MSCHAPv2) are enabled on the Global
Authentication Setup page, Cisco Secure ACS first attempts PEAP(EAP-GTC)
authentication with the end-user client. If the client rejects this protocol (by
sending an EAP NAK message), Cisco Secure ACS attempts authentication with
PEAP(EAP-MSCHAPv2). For more information about enabling EAP protocols
supported within PEAP, see
Global Authentication Setup, page 10-26
.
Cisco Secure ACS can use PEAP(EAP-MSCHAPv2) to support machine
authentication to Microsoft Windows Active Directory. The end-user client may
limit the protocol used for user authentication to the same protocol used for
machine authentication; that is, use of PEAP for machine authentication requires
the use of PEAP for user authentication. For more information about machine
authentication, see
Machine Authentication, page 13-16
.
Cisco Secure ACS supports a session resume feature for PEAP-authenticated user
sessions. When this feature is enabled, Cisco Secure ACS caches the TLS session
created during phase one of PEAP authentication, provided that the user
successfully authenticates in phase two of PEAP. If a user needs to reconnect and
the original PEAP session has not timed out, Cisco Secure ACS uses the cached
TLS session, resulting in faster PEAP performance and lessened AAA server
load.
Note
Session timeout is based on the time that authentication succeeds. It is not
dependent upon accounting.
You can enable the PEAP session resume feature and configure the timeout
interval on the Global Authentication Setup page. For more information about
enabling this feature, see
Global Authentication Setup, page 10-26
.
Cisco Secure ACS also supports a fast reconnect feature. When the session
resume feature is enabled, the fast reconnection feature causes Cisco Secure ACS
to allow a PEAP session to resume without checking user credentials. In effect,
enabling this feature allows Cisco Secure ACS to trust a user based on the cached
TLS session from the original PEAP authentication. Because Cisco Secure ACS
only caches a TLS session when phase two of PEAP authentication succeeds, the
existence of a cached TLS session is proof that the user has successfully
authenticated within the number of minutes defined by the PEAP session timeout
option.