Authentication configuration options, Authentication configuration – Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

Global Authentication Setup

Authentication Configuration Options

The Global Authentication Setup page contains the following configuration
options:

PEAP—You can configure the following options for PEAP:

Allow EAP-MSCHAPv2—Whether Cisco Secure ACS attempts
EAP-MSCHAPv2 authentication with PEAP clients.

Note

If both the Allow EAP-MSCHAPv2 and the Allow EAP-GTC
check boxes are selected, Cisco Secure ACS negotiates the EAP type
with the end-user PEAP client.

Allow EAP-GTC—Whether Cisco Secure ACS attempts EAP-GTC
authentication with PEAP clients.

Cisco client initial message—The message you want displayed during
PEAP authentication. The PEAP client initial display message is the first
challenge a user of a Cisco Aironet PEAP client sees when attempting
authentication. It should direct the user on what to do next, for example,
“Enter your passcode.” The message is limited to 60 characters.

PEAP session timeout (minutes)—The maximum PEAP session length
you want to allow users, in minutes. A session timeout value greater than
0 (zero) enables the PEAP session resume feature, which caches the TLS
session created in phase one of PEAP authentication. When a PEAP
client reconnects, Cisco Secure ACS uses the cached TLS session to
restore the session, which improves PEAP performance. Cisco Secure
ACS deletes cached TLS sessions when they time out. The default
timeout value is 120 minutes. To disable the session resume feature, set
the timeout value to 0 (zero).

Enable Fast Reconnect—Whether Cisco Secure ACS resumes sessions
for PEAP clients without performing phase two of PEAP authentication.
Deselecting the Enable Fast Reconnect check box causes Cisco Secure
ACS to always perform phase two of PEAP authentication, even when the
PEAP session has not timed out.
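The interaction between PEAP session timeout and Enable Fast Reconnect can be replayed with a small model. This is an added example, not Cisco Secure ACS code; the class and function names, the sample connection times, and the treatment of a session whose age equals the timeout as timed out are assumptions.

```python
# Added illustration: models the option semantics described above; not ACS code.
from dataclasses import dataclass

@dataclass
class PeapPolicy:
    session_timeout_min: int = 120   # documented default; 0 disables session resume
    fast_reconnect: bool = True      # value chosen for the example
    initial_message: str = "Enter your passcode."

    def __post_init__(self):
        if self.session_timeout_min < 0:
            raise ValueError("session timeout must be 0 or greater")
        if len(self.initial_message) > 60:
            raise ValueError("initial message is limited to 60 characters")

class PeapServerModel:
    def __init__(self, policy):
        self.policy = policy
        self.cache = {}  # client id -> minute at which its TLS session was cached

    def connect(self, client, now_min):
        """Return the steps performed for one connection attempt."""
        limit = self.policy.session_timeout_min
        # Cached TLS sessions are deleted when they time out.
        # Assumption: an age equal to the timeout counts as timed out.
        self.cache = {c: t for c, t in self.cache.items() if now_min - t < limit}
        if client in self.cache:
            # Resume is allowed; phase two is skipped only with Fast Reconnect on.
            return ["tls-resume"] if self.policy.fast_reconnect else ["tls-resume", "phase2"]
        if limit > 0:
            # Assumption: session age is measured from this full phase one.
            self.cache[client] = now_min
        return ["tls-full", "phase2"]

def timeline(policy, minutes, client="laptop-1"):
    """Replay constructed connection times (in minutes) for one client."""
    server = PeapServerModel(policy)
    return [server.connect(client, m) for m in minutes]

def phase2_count(policy, minutes):
    """How many of the attempts ran the inner (phase two) authentication."""
    return sum("phase2" in steps for steps in timeline(policy, minutes))

if __name__ == "__main__":
    attempts = [0, 30, 119, 120, 150]  # constructed sample
    for p in (PeapPolicy(), PeapPolicy(fast_reconnect=False), PeapPolicy(session_timeout_min=0)):
        print(p.session_timeout_min, p.fast_reconnect, phase2_count(p, attempts), timeline(p, attempts))
```

With the default 120-minute timeout and fast reconnect selected, only the attempts at minutes 0 and 120 run phase two; the other two settings run it on every attempt.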

Fast reconnection can occur only when Cisco Secure ACS allows the
session to resume because the session has not timed out. If you disable
the PEAP session resume feature by entering 0 (zero) in the PEAP
