How does ACS select EAP type to send to client?

ds6123 · ‎04-30-2014

From what I understand when using PEAP and EAP-TLS, it's the radius server that first determines which one to use.

From draft-kamath-pppext-peapv0-00.txt :

So my question is how does ACS select which one to use. I'm assuming its the "Access Services" "Allowed Protocols" tab. But what if you have multiple ones selected? Does it first try the "Preferred EAP protocol" field? Does it cycle through all checked options? The way that "allowed protocols" tab is labeled seems to imply that ACS will know from the incoming request if the client wants to use PEAP or EAP-TLS which doesn't make sense.

I read the Managing Access Policies user guide for ACS 5.5 and it's still not clear to me.

Any input is appreciated.

hdussa · ‎05-01-2014

Allowed Protocols is what ACS accept for authentication.. If for example Process Host Lookup is not marked, no client can authenitcate with it´s MAC-Address.

ds6123 · ‎05-02-2014

Thanks for responding hdussa. I understand that. Its what that policy will accept from the client. Or is it.

But I'm wondering how the ACS server knows what EAP method the client wants to do? According to that draft I linked to above, it's the server that suggests the EAP type to the client. So do they somehow negotiate?

Here's a nice article but it kinda glosses over how the AS (Authenticating Server) knows what EAP method to select (see Packet 3 of the "phase 1"). And the packet capture clearly shows the ACS server saying that its using PEAP.

Ravi Singh · ‎05-03-2014

An EAP infrastructure consists of the following:

EAP peer Computer that is attempting to access a network, also known as an access client.
EAP authenticator An access point or network access server (NAS) that is requiring EAP authentication prior to granting access to a network.
Authentication server A server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer's credentials, and authorizes access to the network. Typically, the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.

The EAP peer and the EAP authenticator send EAP messages using a supplicant-a software component that uses EAP to authenticate network access-and a data link layer transport protocol such as PPP or IEEE 802.1X. The EAP authenticator and the authentication server send EAP messages using RADIUS. The end result is that EAP messages are exchanged between the EAP components on the EAP peer and the authentication server. The following figure shows EAP infrastructure and information flow.

Because the logical communication of EAP messages is between the EAP components on the EAP peer and the authentication server, the EAP authenticator does not need to support any specific EAP methods.

So it's all depend on the Endpoint (EAP Peer) which method it 's going to use not on Authentication server (Radius Server)

ds6123 · ‎05-05-2014

Thanks for the response ravsingh!

Because the logical communication of EAP messages is between the EAP components on the EAP peer and the authentication server, the EAP authenticator does not need to support any specific EAP methods.

Sure, I totally agree. So the wireless lan controller or switch is only the middle man and doesn't care about the EAP method.

So it's all depend on the Endpoint (EAP Peer) which method it 's going to use not on Authentication server (Radius Server)

This is what I'm still unclear on. The packet captures I've seen shows the AS (Authentication Server - ie the radius server) suggest the EAP type. I guess that's what the preferred EAP method is on ACS. Then there must be some type of EAP negotiation that occurs. I'm trying to find the appropriate RFC but there appears to be about 40 of them and 35 of them are obsolete.