Manual PAC Provisioning – Cisco Secure ACS 3.3 User Manual

Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 10-20

Manual PAC Provisioning

Manual PAC provisioning requires a Cisco Secure ACS administrator to generate
PAC files, which must then be distributed to the applicable network users. Users
must configure end-user clients with their PAC files. For example, if your
EAP-FAST end-user client is the Cisco Aironet Client Utility (ACU), configuring
the ACU to support EAP-FAST requires that you import a PAC file. For more
information about configuring a Cisco ACU, see the applicable configuration
guide for your ACU.

You can use manual PAC provisioning to control who can use EAP-FAST to
access your network. If you disable automatic PAC provisioning, any EAP-FAST
user denied a PAC cannot access the network. If your Cisco Secure ACS
deployment includes network segmentation wherein access to each network
segment is controlled by a separate Cisco Secure ACS, manual PAC provisioning
enables you to grant EAP-FAST access on a per-segment basis. For example, if
your company uses EAP-FAST for wireless access in its Chicago and Boston
offices and the Cisco Aironet Access Points at each of these two offices are
configured to use different Cisco Secure ACSes, you can determine, on a
per-employee basis, whether Boston employees visiting the Chicago office can
have wireless access.

Note: Replicating EAP-FAST master keys and policies affects the ability to require
different PACs per Cisco Secure ACS. For more information, see Table 10-2.

While the administrative overhead of manual PAC provisioning is much greater
than that of automatic PAC provisioning, it avoids the risk of sending the PAC
over the network. When you first deploy EAP-FAST, manual PAC provisioning
requires extensive manual configuration of end-user clients; however, it is the
most secure means of distributing PACs. We recommend that, after a large
EAP-FAST deployment, PAC provisioning be performed manually to ensure the
highest security for PACs.

You can generate PAC files for specific usernames, groups of users, lists of
usernames, or all users. When you generate PAC files for groups of users or all
users, the users must be known or discovered users and cannot be unknown users.
Cisco Secure ACS for Windows Server supports the generation of PAC files with
CSUtil.exe. For more information about generating PACs with CSUtil.exe, see
PAC File Generation, page D-40.
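As an added illustration (not code from the Cisco user guide and not Cisco's PAC format), the following Python models the access-control effect this section describes: two Cisco Secure ACSes, one per office, each holding its own EAP-FAST master key; an administrator generates PAC files for known users only, with unknown users reported rather than provisioned; a user without a PAC is denied when automatic provisioning is disabled; and a PAC generated by one ACS does not validate at the other until master keys are replicated, which is why the note above says replication affects per-ACS PAC requirements. The PAC-Opaque here (a payload followed by an HMAC-SHA256 tag under the issuing server's master key) is a simplified stand-in for the real PAC-Opaque, and every server name, key and username is constructed for the example.

```python
"""Model of manual PAC provisioning across two ACS-controlled network segments.

Added example, not Cisco code. The PAC-Opaque format (payload + HMAC-SHA256 under
the issuing server's master key) is a simplified model of the real thing: it keeps
the property that matters here, that only a server holding the master key that
protected a PAC can validate it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


@dataclass
class Pac:
    username: str   # user the administrator generated this PAC file for
    issuer: str     # name of the ACS whose master key protects the PAC
    opaque: bytes   # server-bound blob: payload followed by its HMAC tag


@dataclass
class AcsServer:
    name: str                                   # constructed, e.g. "ACS-Boston"
    master_key: bytes                           # constructed; not a real key
    auto_provisioning: bool = False             # manual provisioning only
    known_users: set = field(default_factory=set)
    # Master keys this ACS accepts, keyed by issuing ACS; replicating master keys
    # between ACSes adds entries here.
    trusted_keys: dict = field(default_factory=dict)

    def __post_init__(self):
        self.trusted_keys[self.name] = self.master_key

    def generate_pacs(self, usernames):
        """Manual provisioning step: the administrator generates PAC files.
        Only known users get a PAC; unknown users are reported, not provisioned."""
        pacs, skipped = [], []
        for user in usernames:
            if user not in self.known_users:
                skipped.append(user)
                continue
            payload = f"{self.name}:{user}".encode()
            tag = hmac.new(self.master_key, payload, hashlib.sha256).digest()
            pacs.append(Pac(user, self.name, payload + tag))
        return pacs, skipped

    def validate_pac(self, pac, username):
        """Accept the PAC only if it was issued to the authenticating user and some
        master key this ACS holds reproduces its tag."""
        payload, tag = pac.opaque[:-TAG_LEN], pac.opaque[-TAG_LEN:]
        if payload != f"{pac.issuer}:{username}".encode():
            return False
        for key in self.trusted_keys.values():
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, tag):
                return True
        return False

    def eap_fast_access(self, username, pac=None):
        """EAP-FAST access decision on this ACS for one user."""
        if pac is None:
            # No PAC: the user gets in only if the server may provision one in-band.
            # With automatic provisioning disabled, the user is denied.
            return self.auto_provisioning and username in self.known_users
        return self.validate_pac(pac, username)

    def replicate_master_key_from(self, other):
        """Model of master-key replication: PACs issued by `other` now validate here."""
        self.trusted_keys[other.name] = other.master_key


def run_scenario():
    """Boston/Chicago deployment from the text, with constructed users and keys."""
    users = {"alice", "bob", "carol"}
    boston = AcsServer("ACS-Boston", b"constructed-boston-master-key", known_users=set(users))
    chicago = AcsServer("ACS-Chicago", b"constructed-chicago-master-key", known_users=set(users))
    results = {}

    # Boston's administrator generates PACs from a list of usernames; "eve" is unknown.
    boston_pacs, skipped = boston.generate_pacs(["alice", "carol", "eve"])
    results["skipped_unknown"] = skipped
    alice_boston = next(p for p in boston_pacs if p.username == "alice")
    carol_boston = next(p for p in boston_pacs if p.username == "carol")

    results["alice_at_boston"] = boston.eap_fast_access("alice", alice_boston)
    # Alice visits Chicago with her Boston PAC: different master key, so she is denied.
    results["alice_at_chicago_with_boston_pac"] = chicago.eap_fast_access("alice", alice_boston)
    # Chicago's administrator grants her access there by generating a Chicago PAC.
    (alice_chicago,), _ = chicago.generate_pacs(["alice"])
    results["alice_at_chicago_with_chicago_pac"] = chicago.eap_fast_access("alice", alice_chicago)
    # Bob was never issued a PAC and automatic provisioning is off.
    results["bob_without_pac"] = boston.eap_fast_access("bob")
    # A PAC presented by someone other than the user it was issued to is rejected.
    results["bob_using_alice_pac"] = boston.eap_fast_access("bob", alice_boston)
    # After replicating Boston's master key to Chicago, Carol's Boston PAC works in Chicago,
    # so per-ACS PAC control is lost for replicated keys.
    chicago.replicate_master_key_from(boston)
    results["carol_at_chicago_after_replication"] = chicago.eap_fast_access("carol", carol_boston)
    return results


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check}: {'allowed' if allowed is True else allowed}")
```

The scenario shows both halves of the section's argument: with automatic provisioning off, access is exactly the set of users an administrator chose to issue a PAC on that particular ACS, and replicating master keys collapses that per-segment distinction because any ACS holding the key can validate PACs the other one issued.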
