Cisco 2509 - Router - EN - Page 347
8-73
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 8 Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
the case may be) message is returned to the end-user client in the clear. If authentication is successful, cryptographic keys are derived using the TLS PRF. Session keys never transit the network.

Compared with LEAP, PEAP is a major step forward in data security. After phase 1 of PEAP is established, all data is encrypted, including the username information that LEAP sends in cleartext. User identity is sent only through the secure (SSL) tunnel. The initial identity, which is sent in the clear, is the MAC address with the word PEAP_ as a prefix. Further, by avoiding the requirement for MSCHAP usernames and passwords that is found in LEAP, PEAP can support a wider range of user databases. For more information regarding which protocols are compatible with the different databases, see Authentication Protocol-Database Compatibility, page 1-9.
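The key derivation mentioned above, as an added example that is not code from the Cisco manual: a Python implementation of the TLS 1.0/1.1 PRF from RFC 2246, used to show how the supplicant and Cisco Secure ACS each derive the same PEAP phase 1 key material locally from the shared pre-master secret and the two cleartext randoms, so the keys themselves never cross the network. The "client EAP encryption" label (the EAP-TLS/PEAPv0 label) and the handshake values are assumptions constructed for the example.

```python
import hmac

def p_hash(digestmod, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC chain expanding secret+seed to `length`
    bytes, with A(0) = seed and A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over
    the second half (halves round up, so an odd-length secret shares one byte)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def derive_phase1_keys(pre_master_secret, client_random, server_random,
                       label=b"client EAP encryption"):
    """What each end of the PEAP phase 1 TLS handshake computes locally. Only the
    two randoms cross the wire in the clear; the pre-master secret is protected by
    the handshake, so the derived keys never transit the network."""
    randoms = client_random + server_random
    master_secret = tls10_prf(pre_master_secret, b"master secret", randoms, 48)
    # 64 bytes of EAP key material; the label is the EAP-TLS/PEAPv0 one (assumed).
    return tls10_prf(master_secret, label, randoms, 64)

# Constructed stand-ins for one handshake (not captured traffic).
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER_SECRET = b"\x03\x01" + b"\xa5" * 46   # TLS 1.0 version bytes + 46 "random"

def peers_agree():
    """Supplicant and ACS derive from their own copies of the same inputs and end
    up with identical 64-byte key material, so nothing has to be transmitted."""
    supplicant = derive_phase1_keys(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    acs = derive_phase1_keys(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    return supplicant == acs and len(supplicant) == 64

def wrong_secret_diverges():
    """Knowing only the cleartext randoms and guessing the pre-master secret wrong
    yields unrelated key material."""
    guess = derive_phase1_keys(b"\x03\x01" + b"\x00" * 46, CLIENT_RANDOM, SERVER_RANDOM)
    return guess != derive_phase1_keys(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)

if __name__ == "__main__":
    print("peers agree:", peers_agree(), "| wrong secret diverges:", wrong_secret_diverges())
```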
PEAP Limitations

The Cisco Secure ACS implementation of PEAP has the following limitations:

External Databases Only: PEAP only supports external user databases. The CiscoSecure user database cannot support PEAP authentication; therefore, only users who have an account in a supported external user database can authenticate with PEAP.

Unknown User Processing: Enabling unknown user processing is strictly required to support PEAP authentication. Cisco Secure ACS uses unknown user processing during phase 1 of PEAP authentication, when the username is not known to Cisco Secure ACS. For more information about the Unknown User Policy, see Unknown User Processing, page 12-1.

Note: Unknown user processing can introduce large latencies during authentication. Be sure to configure the Unknown User Policy page to account for this possibility. For more information, see Database Search Order, page 12-9.