
PEAP Authentication, About the PEAP Protocol – Cisco 3.3 User Manual

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

10-8

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Step 2

Edit the certificate trust list so that the certification authority (CA) issuing
end-user client certificates is trusted. If you do not perform this step, Cisco Secure
ACS trusts only user certificates issued by the same CA that issued the certificate
installed in Cisco Secure ACS. For detailed steps, see Editing the Certificate Trust
List, page 10-38.

Step 3

Establish a certificate revocation list (CRL) for each CA and certificate type listed
in the certificate trust list (CTL). As part of EAP-TLS authentication,
Cisco Secure ACS validates the status of the certificate presented by the user
against the cached CRL to ensure that it has not been revoked. For detailed steps,
see Adding a Certificate Revocation List Issuer, page 10-42.

Step 4

Enable EAP-TLS on the Global Authentication Setup page. Cisco Secure ACS
allows you to complete this step only after you have successfully completed
Step 1. For detailed steps, see Configuring Authentication Options, page 10-33.

Step 5

Configure a user database. To determine which user databases support EAP-TLS
authentication, see Authentication Protocol-Database Compatibility, page 1-10.

Cisco Secure ACS is ready to perform EAP-TLS authentication.
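
The trust-list and CRL checks described in Steps 2 and 3 can be reproduced in a lab with the openssl command line. This is an added example, not part of the Cisco guide and not Cisco Secure ACS itself; it assumes openssl is installed, and the CA names, subject names and file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lab PKI built with the openssl CLI; every name below is constructed.
set -eu
cd "$(mktemp -d)"
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = lab
[lab]
database = index.txt
default_md = sha256
EOF
# ca_cmd DIR ARGS...: run "openssl ca" inside one CA's directory.
ca_cmd() { (cd "$1" && shift && openssl ca -config ../lab.cnf -cert ca.pem -keyfile ca.key "$@" 2>/dev/null); }
# mkca DIR: self-signed CA with an empty revocation database.
mkca() {
  mkdir "$1" && : > "$1/index.txt"
  openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}
# check TRUST_LIST CACHED_CRL CERT: chain to a trusted CA, then consult the cached CRL.
check() {
  if openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" 2>/dev/null | grep -q ': OK$'
  then echo accept; else echo reject; fi
}

mkca server-ca   # stands in for the CA that issued the server's own certificate
mkca user-ca     # separate CA that issues end-user client certificates
openssl req -new -config lab.cnf -newkey rsa:2048 -nodes -subj "/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA user-ca/ca.pem -CAkey user-ca/ca.key \
  -set_serial 4097 -days 7 -out alice.pem 2>/dev/null

cat server-ca/ca.pem user-ca/ca.pem > ctl.pem           # Step 2: user CA added to the trust list
ca_cmd user-ca -gencrl -crldays 7 -out ../crl_old.pem   # Step 3: CRL cached before any revocation
ca_cmd user-ca -revoke ../alice.pem
ca_cmd user-ca -gencrl -crldays 7 -out ../crl_new.pem   # CRL reissued after the revocation

# A cache that still holds crl_old.pem keeps accepting the revoked certificate.
echo "user CA not in trust list:   $(check server-ca/ca.pem crl_old.pem alice.pem)"
echo "user CA trusted, old CRL:    $(check ctl.pem crl_old.pem alice.pem)"
echo "user CA trusted, new CRL:    $(check ctl.pem crl_new.pem alice.pem)"
```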

PEAP Authentication

This section contains the following topics:

About the PEAP Protocol, page 10-8

PEAP and Cisco Secure ACS, page 10-9

PEAP and the Unknown User Policy, page 10-11

Enabling PEAP Authentication, page 10-12

About the PEAP Protocol

The PEAP (Protected EAP) protocol is a client-server security architecture that
provides a means of encrypting EAP transactions, thereby protecting the contents
of EAP authentications. PEAP has been posted as an IETF Internet Draft by RSA,
Cisco, and Microsoft and is available at
http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt.