About master keys – Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server (78-16592-01)
Chapter 10 System Configuration: Authentication and Certificates, page 10-15

About Certification and EAP Protocols

Cisco Secure ACS supports password aging with EAP-FAST for users authenticated by Windows user databases. Password aging can work with either phase zero or phase two of EAP-FAST. If password aging requires a user to change passwords during phase zero, the new password would be effective in phase two. For more information about password aging for Windows user databases, see Enabling Password Aging for Users in Windows Databases, page 6-26.

About Master Keys

EAP-FAST master keys are strong secrets that Cisco Secure ACS automatically generates and that only Cisco Secure ACS is aware of. Master keys are never sent to an end-user client. EAP-FAST requires master keys for two purposes:

• PAC generation—Cisco Secure ACS generates PACs using the active master key. For details about PACs, see About PACs, page 10-17.

• EAP-FAST phase one—Cisco Secure ACS determines whether the PAC presented by the end-user client was generated by one of the master keys it is aware of, either the active master key or a retired master key.

To increase the security of EAP-FAST, Cisco Secure ACS changes the master key that it uses to generate PACs. Cisco Secure ACS uses time-to-live (TTL) values you define to determine when it generates a new master key and to determine the age of all master keys. Based on TTL values, Cisco Secure ACS assigns master keys one of the three following states:

• Active—An active master key is the master key used by Cisco Secure ACS to generate PACs. The duration that a master key remains active is determined by the Master key TTL setting. At any time, only one master key is active. When you define TTLs for master keys and PACs, Cisco Secure ACS permits only a PAC TTL that is shorter than the active master key TTL. This limitation ensures that a PAC is refreshed at least once before the expiration of the master key used to generate the PAC, provided that EAP-FAST users log in to the network at least once before the master key expires. For more information about how TTL values determine whether PAC refreshing or provisioning is required, see Master Key and PAC TTLs, page 10-21.

When Cisco Secure ACS is configured to receive replicated EAP-FAST policies and master keys, a backup master key is among the master keys received. The backup master key is used only if the active master key retires
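As an added example (not Cisco's code or the Cisco Secure ACS implementation), the following Python models the master-key behaviour described above: TTL-driven rotation with exactly one active key, the rule that the PAC TTL must be shorter than the master key TTL, PAC generation with the active key only, and phase-one verification that accepts a PAC generated by any known active or retired key. The HMAC-SHA256 PAC format, the integer time values, the `MasterKeyStore` class and the result labels `valid`, `refresh` and `provision` are constructed assumptions; only the active and retired states described on this page are modelled.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class MasterKey:
    key_id: int
    secret: bytes   # strong secret known only to the server, never sent to a client
    created: int    # creation time in seconds (constructed, epoch-style integer)


class MasterKeyStore:
    """Models EAP-FAST master-key states and PAC handling (assumed, simplified)."""

    def __init__(self, master_key_ttl: int, pac_ttl: int) -> None:
        # ACS permits only a PAC TTL shorter than the active master key TTL.
        if pac_ttl >= master_key_ttl:
            raise ValueError("PAC TTL must be shorter than the master key TTL")
        self.master_key_ttl = master_key_ttl
        self.pac_ttl = pac_ttl
        self.keys: list[MasterKey] = []   # every key the server is aware of, newest last

    def active_key(self, now: int) -> MasterKey:
        # Rotate once the newest key has lived out its TTL; exactly one key is active.
        if not self.keys or now - self.keys[-1].created >= self.master_key_ttl:
            self.keys.append(MasterKey(len(self.keys), secrets.token_bytes(32), now))
        return self.keys[-1]

    def state(self, key: MasterKey, now: int) -> str:
        return "active" if key is self.active_key(now) else "retired"

    def issue_pac(self, identity: str, now: int) -> bytes:
        # PAC generation always uses the active master key. Assumed opaque format:
        # identity|key_id|expiry|HMAC-SHA256 tag (constructed for this example).
        mk = self.active_key(now)
        body = f"{identity}|{mk.key_id}|{now + self.pac_ttl}".encode()
        return body + b"|" + hmac.new(mk.secret, body, hashlib.sha256).digest()

    def verify_pac(self, pac: bytes, now: int) -> str:
        # Phase one: the PAC must have been generated by a known active or retired key.
        body, _, tag = pac.rpartition(b"|")
        parts = body.rsplit(b"|", 2)           # identity may itself contain "|"
        if len(parts) != 3:
            return "provision"                 # malformed PAC: client needs a new one
        for mk in self.keys:
            if str(mk.key_id).encode() == parts[1] and hmac.compare_digest(
                hmac.new(mk.secret, body, hashlib.sha256).digest(), tag
            ):
                return "valid" if int(parts[2]) > now else "refresh"
        return "provision"   # unknown key or forged tag: the client needs a new PAC
```

A PAC whose tag verifies under a retired key but whose own TTL has passed yields `refresh`, while a PAC no known key can verify yields `provision`, mirroring the refresh-versus-provisioning distinction the text refers to.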
