Global Authentication setup on ACS

 

 

Introduction

 

 


 

Resolution

 

The Global Authentication Setup page provides a means to enable or disable some of the authentication protocols supported by Cisco Secure ACS. The following describes the options on that page and how each authentication protocol is configured on the ACS.

 

 

In the ACS web interface, open System Configuration > Global Authentication Setup.

[Two screenshots from the original page (WDS-14.gif, WDS-15.gif) are not reproduced here.]

 

 

 

The Global Authentication Setup page contains the following configuration options:

 

• PEAP: You can configure the following options for PEAP:

 

– Allow EAP-MSCHAPv2: Whether CiscoSecure ACS attempts EAP-MSCHAPv2 authentication with PEAP clients.

 

Note

If both the Allow EAP-MSCHAPv2 and the Allow EAP-GTC check boxes are selected, CiscoSecure ACS negotiates the inner EAP type with the end-user PEAP client.

 

– Allow EAP-GTC: Whether CiscoSecure ACS attempts EAP-GTC authentication with PEAP clients.

 

– Cisco client initial message: The message you want displayed during PEAP authentication. The PEAP client initial display message is the first challenge a user of a Cisco Aironet PEAP client sees when attempting authentication. It should direct the user on what to do next, for example, "Enter your passcode." The message is limited to 60 characters.

 

– PEAP session timeout (minutes): The maximum PEAP session length you want to allow users, in minutes. A session timeout value greater than 0 (zero) enables the PEAP session resume feature, which caches the TLS session created in phase one of PEAP authentication. When a PEAP client reconnects, CiscoSecure ACS uses the cached TLS session to restore the session, which improves PEAP performance. CiscoSecure ACS deletes cached TLS sessions when they time out. The default timeout value is 120 minutes. To disable the session resume feature, set the timeout value to 0 (zero).

 

– Enable Fast Reconnect: Whether CiscoSecure ACS resumes sessions for PEAP clients without performing phase two of PEAP authentication. Deselecting the Enable Fast Reconnect check box causes CiscoSecure ACS to always perform phase two of PEAP authentication, even when the PEAP session has not timed out.

 

Fast reconnection can occur only when Cisco Secure ACS allows the session to resume because the session has not timed out. If you disable the PEAP session resume feature by entering 0 (zero) in the PEAP session timeout (minutes) box, selecting the Enable Fast Reconnect check box has no effect on PEAP authentication and phase two of PEAP authentication always occurs.
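The negotiation referred to in the note above (both inner methods allowed, ACS and the client agreeing on one) happens inside the PEAP tunnel with the standard EAP NAK mechanism. The following is an added illustration, not ACS code: a minimal server and client that exchange RFC 3748 EAP packets, where the server proposes its preferred allowed inner method and falls back to what the client NAKs for only if that method is also allowed. The inner Identity exchange and the methods themselves are omitted; the "Enter your passcode" text is the constructed client initial message carried as EAP-GTC Type-Data.

```python
"""Inner-method negotiation inside the PEAP tunnel (phase two), modelled after the
note that ACS negotiates the EAP type with the client when both inner methods are allowed.

Added illustration, not ACS code.  EAP packet layout and the NAK mechanism are from
RFC 3748; the inner Identity exchange and the methods themselves are left out.
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_NAK, TYPE_GTC, TYPE_MSCHAPV2 = 3, 6, 26


def eap_packet(code, ident, eap_type=None, data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match packet size")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


class PeapInnerServer:
    """Server side: proposes allowed methods in preference order and honours NAKs."""

    def __init__(self, allow_mschapv2=True, allow_gtc=True, gtc_message=b"Enter your passcode"):
        self.allowed = [t for t, on in ((TYPE_MSCHAPV2, allow_mschapv2), (TYPE_GTC, allow_gtc)) if on]
        self.gtc_message = gtc_message    # constructed "Cisco client initial message"
        self.ident = 1

    def _request(self, eap_type):
        # EAP-GTC carries the displayable challenge text as its Type-Data.
        data = self.gtc_message if eap_type == TYPE_GTC else b""
        return eap_packet(EAP_REQUEST, self.ident, eap_type, data)

    def first_request(self):
        return self._request(self.allowed[0]) if self.allowed else eap_packet(EAP_FAILURE, self.ident)

    def handle_nak(self, pkt):
        code, ident, eap_type, wanted = parse_eap(pkt)
        if code != EAP_RESPONSE or ident != self.ident or eap_type != TYPE_NAK:
            return eap_packet(EAP_FAILURE, self.ident)
        self.ident = (self.ident + 1) & 0xFF
        for t in wanted:                  # NAK Type-Data lists the client's acceptable types
            if t in self.allowed:
                return self._request(t)
        return eap_packet(EAP_FAILURE, self.ident)


def client_reply(request, client_supports):
    """Client side: accept the proposed type, or NAK it listing what it can do."""
    code, ident, eap_type, _ = parse_eap(request)
    if code != EAP_REQUEST:
        return None
    if eap_type in client_supports:
        return eap_packet(EAP_RESPONSE, ident, eap_type, b"")
    return eap_packet(EAP_RESPONSE, ident, TYPE_NAK, bytes(client_supports))


def negotiate(allow_mschapv2, allow_gtc, client_supports):
    """Run the proposal / NAK round trip; return the agreed inner type, or None."""
    server = PeapInnerServer(allow_mschapv2, allow_gtc)
    request = server.first_request()
    for _ in range(2):                    # one proposal, at most one re-proposal after a NAK
        reply = client_reply(request, client_supports)
        if reply is None:                 # server already sent Failure
            return None
        _, _, reply_type, _ = parse_eap(reply)
        if reply_type != TYPE_NAK:
            return reply_type
        request = server.handle_nak(reply)
    return None


if __name__ == "__main__":
    print("both allowed, GTC-only client ->", negotiate(True, True, [TYPE_GTC]))
    print("MSCHAPv2 only, GTC-only client ->", negotiate(True, False, [TYPE_GTC]))
```

The second call shows the operational consequence of the check boxes: a token-card client that can only do EAP-GTC is refused outright when Allow EAP-GTC is cleared, because the server has nothing left to propose after the NAK.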

 

• EAP-FAST: You can configure the following options for EAP-FAST:

 

– Allow EAP-FAST: Whether CiscoSecure ACS permits EAP-FAST authentication.

 

Note

If users access your network using a AAA client defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be enabled on the Global Authentication Setup page; otherwise, Cisco Aironet users cannot authenticate.

 

– Master Key TTL: The duration that a master key is used to generate new PACs. When the master key becomes older than the master key TTL, CiscoSecure ACS retires the master key and generates a new master key. The default master key TTL is one month.

 

 

Note

Decreasing the master key TTL can cause retired master keys to expire because a master key expires when it is older than the sum of the master key TTL and the retired master key TTL; therefore, decreasing the master key TTL requires PAC provisioning for end-user clients with PACs based on the newly expired master keys.

 

For more information about master keys, see About Master Keys.

 

– Retired master key TTL: The duration that PACs generated using a retired master key are acceptable for EAP-FAST authentication. In other words, the retired master key TTL defines the length of the grace period during which PACs generated with a master key that is no longer active are acceptable. When an end-user client gains network access using a PAC based on a retired master key, CiscoSecure ACS sends a new PAC to the end-user client. The default retired master key TTL is three months.

 

When a retired master key ages past the retired master key TTL, it expires and Cisco Secure ACS deletes it.

 

Note

Decreasing the retired master key TTL is likely to cause some retired master keys to expire; therefore, end-user clients with PACs based on the newly expired master keys require PAC provisioning.

 


 


 

– PAC TTL: The duration that a PAC is used before it expires and must be replaced. If the master key used to generate it has not expired, new PAC creation and assignment are automatic. If the master key used to generate it has expired, in-band or out-of-band provisioning must be used to provide the end-user client with a new PAC. The default PAC TTL is one month.

 

For more information about PACs, see About PACs.

 

– Client initial display message: Specifies a message to be sent to users who authenticate with an EAP-FAST client. Maximum length is 40 characters.

 

Note

A user will see the initial display message only if the end-user client supports its display.

 

– Authority ID Info: A short description of this CiscoSecure ACS, sent along with PACs issued by CiscoSecure ACS. EAP-FAST end-user clients use it to describe the AAA server that issued the PAC. Maximum length is 64 characters.

 

Note

Authority ID information is not the same as the Authority ID, which is generated automatically by CiscoSecure ACS and is not configurable. While the Authority ID is used by end-user clients to determine which PAC to send to CiscoSecure ACS, the Authority ID information is strictly the human-readable label associated with the Authority ID.

 

 

– Allow automatic PAC provisioning: Whether CiscoSecure ACS provisions an end-user client with a PAC using EAP-FAST phase 0. If this check box is selected, CiscoSecure ACS establishes a secured connection with the end-user client to provide a new PAC. If the check box is not selected, CiscoSecure ACS denies access to a user who presents no valid PAC, and PAC provisioning must be performed out of band (manually). Note that the phase 0 tunnel is keyed by an anonymous Diffie-Hellman exchange, so the client cannot authenticate the server while it is being provisioned; a rogue access point or RADIUS server in the path at that moment can capture the MS-CHAPv2 exchange run inside the tunnel. Leave automatic provisioning enabled only while clients are being bootstrapped, and prefer out-of-band provisioning where that is practical.

 

– EAP-FAST Master Server: When this check box is not selected and CiscoSecure ACS receives replicated EAP-FAST policies, Authority ID, and master keys, CiscoSecure ACS uses them rather than its own EAP-FAST policies, Authority ID, and master keys.

 

When this check box is selected, Cisco Secure ACS uses its own EAP-FAST policies, Authority ID, and master keys. For more information, see Table 10-2 .

 

Note

Click Submit + Restart if you change the EAP-FAST master server setting.

 

– Actual EAP-FAST server status: This read-only option displays the state of CiscoSecure ACS with respect to EAP-FAST. If this option displays "Master", CiscoSecure ACS generates its own master keys and Authority ID. If this option displays "Slave", CiscoSecure ACS uses master keys and the Authority ID it receives during replication. For more information, see Table 10-2.

 

Tip:

If you deselect the EAP-FAST Master Server check box, EAP-FAST server status remains "Master" until CiscoSecure ACS receives replicated EAP-FAST components.
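The master key TTL, retired master key TTL and PAC TTL options above interact in a way that is easy to get wrong when the values are edited on a live server, which is what the two notes about decreasing a TTL warn about. The following is an added illustration, not ACS code: a small model of the server-side key and PAC lifecycle using the page's own rules (a key is active for master key TTL, then retired, and is deleted once older than master key TTL plus retired master key TTL; a PAC on a retired key is accepted and replaced; a PAC on a deleted key can only be re-provisioned). Days, key identifiers and the decision labels are constructed for the example; the final function replays the scenario in the note, a client whose PAC was issued on day 0 reconnecting on day 110 after the administrator has lowered the master key TTL.

```python
"""Model of EAP-FAST master key, retired key and PAC lifetimes on the server side.

Added illustration, not ACS code.  Time is counted in whole days so the run is
deterministic; the TTL defaults mirror the page (one month / three months / one month).
Decision strings are this example's own labels, not ACS log messages.
"""
from dataclasses import dataclass, field


@dataclass
class MasterKey:
    key_id: int
    created: int       # day the key became the active master key


@dataclass
class Pac:
    key_id: int        # master key that generated (and can verify) this PAC
    issued: int        # day the PAC was sent to the client


@dataclass
class EapFastServer:
    master_key_ttl: int = 30
    retired_key_ttl: int = 90
    pac_ttl: int = 30
    auto_provisioning: bool = True        # "Allow automatic PAC provisioning" check box
    keys: list = field(default_factory=list)
    next_id: int = 0

    def __post_init__(self):
        self._new_key(0)

    def _new_key(self, now):
        self.keys.append(MasterKey(self.next_id, now))   # last entry is the active key
        self.next_id += 1

    def maintain(self, now):
        """Retire the active key once it is older than master_key_ttl and delete any
        key older than master_key_ttl + retired_key_ttl (the page's expiry rule)."""
        if now - self.keys[-1].created >= self.master_key_ttl:
            self._new_key(now)
        horizon = self.master_key_ttl + self.retired_key_ttl
        self.keys = [k for k in self.keys if now - k.created < horizon]

    def key_state(self, key_id):
        for k in self.keys:
            if k.key_id == key_id:
                return "active" if k is self.keys[-1] else "retired"
        return "expired"

    def issue_pac(self, now):
        return Pac(self.keys[-1].key_id, now)

    def authenticate(self, pac, now):
        """Return (decision, pac_the_client_ends_up_with)."""
        self.maintain(now)
        state = self.key_state(pac.key_id)
        if state == "expired":
            # The key is gone, so the PAC can no longer be verified: either phase 0
            # in-band provisioning (if allowed) or out-of-band provisioning is required.
            if self.auto_provisioning:
                return "provision", self.issue_pac(now)
            return "deny", None
        if state == "retired" or now - pac.issued >= self.pac_ttl:
            # Key still held: the PAC is accepted and a fresh one is pushed automatically.
            return "accept-refresh", self.issue_pac(now)
        return "accept", pac


def decision_after_ttl_change(new_master_key_ttl, auto_provisioning=True):
    """Scenario behind the page's warning: a client provisioned on day 0 next connects
    on day 110, after the admin has lowered the master key TTL from 30 to the given value."""
    srv = EapFastServer(master_key_ttl=30, retired_key_ttl=90,
                        auto_provisioning=auto_provisioning)
    old_pac = srv.issue_pac(0)                  # client A provisioned on key 0
    srv.authenticate(srv.issue_pac(0), 100)     # another client on day 100: key 0 retires, key 1 active
    srv.master_key_ttl = new_master_key_ttl     # edit made in Global Authentication Setup
    decision, _ = srv.authenticate(old_pac, 110)
    return decision


if __name__ == "__main__":
    for ttl in (30, 10):
        print(f"master key TTL {ttl:>2} days -> client A: {decision_after_ttl_change(ttl)}")
```

With the TTL left at 30 days the old key is still within its 120-day window on day 110 and client A is silently refreshed; lowering the TTL to 10 days shrinks the window to 100 days, the key is deleted, and client A can only get back on through phase 0 (or is denied if automatic provisioning is off). Schedule such edits for a time when all clients have authenticated recently, or keep automatic provisioning on until they have.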

 

• EAP-TLS: You can configure the following options for EAP-TLS:

 

– Allow EAP-TLS: Whether CiscoSecure ACS permits EAP-TLS authentication.

 


 

– Certificate SAN comparison: Whether authentication is performed by comparing the Subject Alternative Name (SAN) of the end-user client certificate to the username in the applicable user database.

 

Note

If you select more than one comparison type, CiscoSecure ACS performs the comparisons in the order listed. If one comparison type fails, CiscoSecure ACS attempts the next enabled comparison type. Comparison stops after the first successful comparison.

 

– Certificate CN comparison: Whether authentication is performed by comparing the Common Name of the end-user client certificate to the username in the applicable user database.

 

– Certificate Binary comparison: Whether authentication is performed by a binary comparison of the end-user client certificate to the user certificate stored in the applicable user database. This comparison method cannot be used to authenticate users stored in an ODBC external user database.

 

– EAP-TLS session timeout (minutes): The maximum EAP-TLS session length you want to allow users, in minutes. A session timeout value greater than 0 (zero) enables the EAP-TLS session resume feature. The session resume feature allows users to reauthenticate without a user lookup or certificate comparison, provided that the session has not timed out. If the end-user client is restarted, authentication requires a certificate lookup even if the session timeout interval has not ended. The default timeout value is 120 minutes. To disable the session resume feature, set the timeout value to 0 (zero).

 

• LEAP: The Allow LEAP (For Aironet only) check box controls whether CiscoSecure ACS performs LEAP authentication. LEAP is currently used only for Cisco Aironet wireless networking. If you disable this option, Cisco Aironet end-user clients configured to perform LEAP authentication cannot access the network. If all Cisco Aironet end-user clients use a different authentication protocol, such as EAP-TLS, we recommend that you disable this option. Keep in mind that LEAP's MS-CHAP-style challenge/response can be recovered by an offline dictionary attack on captured wireless traffic, so leaving it enabled for convenience exposes every LEAP user's password; migrate legacy clients to EAP-FAST or EAP-TLS and then clear the check box.

 

Note

If users access your network using a AAA client defined in the Network Configuration section as a RADIUS (Cisco Aironet) device, one or more of the LEAP, EAP-TLS, or EAP-FAST protocols must be enabled on the Global Authentication Setup page; otherwise, Cisco Aironet users cannot authenticate.

 

• EAP-MD5: The Allow EAP-MD5 check box controls whether CiscoSecure ACS performs EAP-MD5 authentication. If you disable this option, end-user clients configured to perform EAP-MD5 authentication cannot access the network. If no end-user clients use EAP-MD5, we recommend that you disable this option. EAP-MD5 provides no mutual authentication and derives no keying material, so it cannot protect a wireless link and its challenge/response is open to offline dictionary attack; treat it as a wired-only, legacy option.

 

• AP EAP request timeout (seconds): Whether Cisco Secure ACS instructs Cisco Aironet Access Points (APs) to use the specified timeout value during EAP conversations. The value specified must be the number of seconds after which Cisco Aironet APs should assume that an EAP transaction with CiscoSecure ACS has been lost and should be restarted. A value of 0 (zero) disables this feature.

 

Note

The AP EAP request timeout feature is available beginning in Cisco Secure ACS version 3.2.3. Earlier versions of Cisco Secure ACS do not include this feature.

 

During EAP conversations, CiscoSecure ACS sends the value defined in the AP EAP request timeout box in the IETF RADIUS Session-Timeout (27) attribute of each Access-Challenge. In the RADIUS Access-Accept packet at the end of the conversation, however, the value CiscoSecure ACS sends in the IETF RADIUS Session-Timeout (27) attribute is the value specified in the Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) or, if that attribute is not enabled, the value of the IETF RADIUS Session-Timeout (27) attribute itself.

 

Note

Cisco Aironet RADIUS VSA Cisco-Aironet-Session-Timeout (01) is not a true RADIUS VSA; instead, it represents the value that CiscoSecure ACS sends in the IETF RADIUS Session-Timeout attribute when the AAA client sending the RADIUS request is defined in the Network Configuration as authenticating with RADIUS (Cisco Aironet).
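The two uses of Session-Timeout (27) described above are easiest to see on the wire. The following is an added example, not ACS code: it builds the Access-Challenge and Access-Accept replies of an EAP conversation per RFC 2865, applies the page's rule for which value goes into attribute 27, and includes the Message-Authenticator that RFC 3579 requires on EAP-carrying RADIUS packets, plus the verification a NAS would perform. The shared secret, Request Authenticator and EAP payloads are constructed for the example; since the page says Cisco-Aironet-Session-Timeout is not a real VSA, it is modelled as a plain optional parameter rather than as a vendor attribute on the wire.

```python
"""RADIUS reply construction showing where Session-Timeout(27) gets its value.

Added illustration, not ACS code.  The shared secret and Request Authenticator are
constructed for the example; the "Cisco-Aironet-Session-Timeout" pseudo-VSA is modelled
as an optional parameter, since the page says it is not a real VSA on the wire.
Packet format per RFC 2865, Message-Authenticator per RFC 3579.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
ATTR_SESSION_TIMEOUT, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 27, 79, 80


def attr(attr_type, value):
    """Type(1) | Length(1) | Value; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def session_timeout_value(code, ap_eap_request_timeout,
                          aironet_session_timeout=None, ietf_session_timeout=None):
    """The page's rule: mid-conversation (Access-Challenge) Session-Timeout carries the
    AP EAP request timeout (0 = feature off, attribute omitted); in the final
    Access-Accept it carries the Cisco-Aironet-Session-Timeout value if that is
    enabled, otherwise the IETF Session-Timeout value configured for the user/group."""
    if code == ACCESS_CHALLENGE:
        return ap_eap_request_timeout or None
    if aironet_session_timeout is not None:
        return aironet_session_timeout
    return ietf_session_timeout


def _zero_message_authenticator(attrs):
    out, pos = bytearray(attrs), 0
    while pos < len(out):
        t, l = out[pos], out[pos + 1]
        if l < 2 or pos + l > len(out):
            raise ValueError("malformed RADIUS attribute")
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            out[pos + 2:pos + 18] = bytes(16)
        pos += l
    return bytes(out)


def build_response(code, ident, request_authenticator, secret, eap_payload, session_timeout):
    attrs = attr(ATTR_EAP_MESSAGE, eap_payload)
    if session_timeout is not None:
        attrs += attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    # RFC 3579: replies carrying EAP-Message must include Message-Authenticator, an
    # HMAC-MD5 (key = shared secret) over the packet with the Request Authenticator in
    # the authenticator field and the attribute's own value set to zeros.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(pkt):
    out, pos = {}, 20
    while pos < len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        out.setdefault(t, []).append(pkt[pos + 2:pos + l])
        pos += l
    return out


def verify_response(pkt, request_authenticator, secret):
    """What the NAS checks before trusting a reply: Response Authenticator first, then
    Message-Authenticator (both with constant-time comparison)."""
    if len(pkt) < 20:
        return False
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if struct.unpack("!H", header[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    macs = parse_attrs(pkt).get(ATTR_MESSAGE_AUTHENTICATOR)
    if not macs or len(macs[0]) != 16:
        return False
    zeroed = _zero_message_authenticator(attrs)
    mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, macs[0])


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))   # constructed
    challenge = build_response(ACCESS_CHALLENGE, 5, req_auth, secret, b"\x01\x05\x00\x06\x19\x20",
                               session_timeout_value(ACCESS_CHALLENGE, 30))
    accept = build_response(ACCESS_ACCEPT, 6, req_auth, secret, b"\x03\x06\x00\x04",
                            session_timeout_value(ACCESS_ACCEPT, 30, aironet_session_timeout=1800))
    for name, pkt in (("Access-Challenge", challenge), ("Access-Accept", accept)):
        print(name, "Session-Timeout =", struct.unpack("!I", parse_attrs(pkt)[27][0])[0],
              "verified =", verify_response(pkt, req_auth, secret))
```

The Access-Challenge carries 30 (the AP EAP request timeout) while the Access-Accept for the same conversation carries 1800 (the Aironet session timeout), which is why an AP that re-reads attribute 27 from the Accept gets a re-authentication interval rather than the EAP retry timer. The NAS-side check matters because Session-Timeout is not otherwise protected: without Message-Authenticator an on-path attacker who can forge the MD5 Response Authenticator could shorten or lengthen sessions at will.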

 

• MS-CHAP Configuration: The Allow MS-CHAP Version 1 Authentication and Allow MS-CHAP Version 2 Authentication check boxes control whether CiscoSecure ACS performs MS-CHAP authentication for RADIUS requests. The two check boxes allow you to further control which versions of MS-CHAP are permitted in RADIUS requests. If you disable a particular version of MS-CHAP, end-user clients configured to authenticate with that version using RADIUS cannot access the network. If no end-user clients are configured to use a specific version of MS-CHAP with RADIUS, we recommend that you disable that version of MS-CHAP.

 

Note

For TACACS+, CiscoSecure ACS supports only MS-CHAP version 1. TACACS+ support for MS-CHAP version 1 is always enabled and is not configurable.

 

Problem Type: Client / Device cannot authenticate

Security Options: EAP, ACS

Client OS Type: Windows

 

Reference

 

Global Authentication Setup 

System Configuration: Authentication and Certificates