Cisco 3.3 User Manual
Page 399
10-19
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
EAP-FAST phase zero requires EAP-MSCHAPv2 authentication of the user.
Upon successful user authentication, Cisco Secure ACS establishes a
Diffie-Hellman tunnel with the end-user client. Cisco Secure ACS generates a
PAC for the user and sends it to the end-user client within this tunnel, along with
the Authority ID and Authority ID information about this Cisco Secure ACS.
Note
Because EAP-FAST phase zero and phase two use different authentication
methods (EAP-MSCHAPv2 in phase zero versus EAP-GTC in phase two), some
databases that support phase two cannot support phase zero. Given that
Cisco Secure ACS associates each user with a single user database, the use of
automatic PAC provisioning requires that EAP-FAST users are authenticated with
a database that is compatible with EAP-FAST phase zero. For the databases with
which Cisco Secure ACS can support EAP-FAST phase zero and phase two, see
Authentication Protocol-Database Compatibility, page 1-10
No network service is enabled by phase zero of EAP-FAST; therefore,
Cisco Secure ACS logs a EAP-FAST phase zero transaction in the Failed
Attempts log, including an entry that PAC provisioning occurred. After the
end-user client has received a PAC through a successful phase zero, it sends a new
EAP-FAST request to begin phase one.
Note
Because transmission of PACs in phase zero is secured by MS-CHAPv2
authentication and MS-CHAPv2 is vulnerable to dictionary attacks, we
recommend that you limit use of automatic provisioning to initial deployment of
EAP-FAST. After a large EAP-FAST deployment, PAC provisioning should be
performed manually to ensure the highest security for PACs. For more
information about manual PAC provisioning, see
To control whether Cisco Secure ACS performs automatic PAC provisioning, you
use the options on the Global Authentication Setup page in the System
Configuration section. For more information, see