Cisco Secure Access Control Server (ACS) for Windows supports a fast reconnect feature. When the Protected EAP (PEAP) session resume feature is enabled, the fast reconnect feature causes Cisco Secure ACS for Windows to allow a PEAP session to resume without checking user credentials. When you enable this feature, it allows Cisco Secure ACS for Windows to trust a user based on the cached TLS session from the original PEAP authentication. Because Cisco Secure ACS for Windows only caches a TLS session when phase two of PEAP authentication succeeds, the existence of a cached TLS session is proof that the user has successfully authenticated within the number of minutes defined by the PEAP session timeout option.
The fast reconnect feature is particularly useful for wireless LANs, wherein a user can move the client computer so that a different wireless access point is in use. When Cisco Secure ACS for Windows resumes a PEAP session, the user re-authenticates without entering a password, provided that the session has not timed out. If the end-user client is restarted, the user must enter a password even if the session timeout interval has not ended.
When you deselect the Enable Fast Reconnect check box, this causes Cisco Secure ACS for Windows to always perform phase two of PEAP authentication, even when the PEAP session has not timed out.
Fast reconnection can occur only when Cisco Secure ACS for Windows allows the session to resume because the session has not timed out. If you disable the PEAP session resume feature by entering 0 (zero) in the PEAP session timeout (minutes) box, then selecting the Enable Fast Reconnect check box has no effect on PEAP authentication and phase two of PEAP authentication always occurs.
In order to enable the fast reconnect feature on Cisco Secure ACS for Windows, go to the System Configuration page, select Global Authentication Setup, and click Enable Fast Reconnect.