Master Key and PAC TTLs – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
Master Key and PAC TTLs
The TTL values for master keys and PACs determine their states, as described in and . Master key and PAC states determine whether someone requesting network access with EAP-FAST requires PAC provisioning or PAC refreshing. Table 10-1 summarizes Cisco Secure ACS behavior with respect to PAC and master key states.
Table 10-1 Master Key versus PAC States

| Master key state | PAC active | PAC expired |
|---|---|---|
| Master key active | Phase one succeeds. PAC is not refreshed at end of phase two. | Phase one succeeds. PAC is refreshed at end of phase two. |
| Master key retired | Phase one succeeds. PAC is refreshed at end of phase two. | Phase one succeeds. PAC is refreshed at end of phase two. |
| Master key expired | PAC provisioning is required. If automatic provisioning is enabled, phase zero occurs and a new PAC is sent. The end-user client initiates a new EAP-FAST authentication request using the new PAC. If automatic provisioning is disabled, phase zero does not occur and phase one fails. You must use manual provisioning to give the user a new PAC. | PAC provisioning is required. If automatic provisioning is enabled, phase zero occurs and a new PAC is sent. The end-user client initiates a new EAP-FAST authentication request using the new PAC. If automatic provisioning is disabled, phase zero does not occur and phase one fails. You must use manual provisioning to give the user a new PAC. |
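
The following Python sketch is an added example, not code from the Cisco guide or from Cisco Secure ACS. It encodes Table 10-1 as a decision function and shows on which day the outcome changes for a client that stays offline after its PAC is issued. The function names, the sample TTL values, and the TTL-to-state mapping (a master key is active until its TTL elapses, retired for a further retired-key TTL, then expired; a PAC is active until its TTL elapses) are assumptions, since this page does not reproduce those definitions.

```python
from datetime import datetime, timedelta

NO_REFRESH = "phase one succeeds; PAC not refreshed"
REFRESH = "phase one succeeds; PAC refreshed at end of phase two"
AUTO_PROVISION = "phase zero runs; new PAC sent; client re-authenticates with it"
MANUAL_PROVISION = "phase one fails; manual PAC provisioning required"

def master_key_state(key_created, now, key_ttl, retired_ttl):
    # Assumption: active until key_ttl, retired for a further retired_ttl, then expired.
    age = now - key_created
    if age < key_ttl:
        return "active"
    return "retired" if age < key_ttl + retired_ttl else "expired"

def pac_state(pac_issued, now, pac_ttl):
    # Assumption: a PAC is active until pac_ttl has elapsed since it was issued.
    return "active" if now - pac_issued < pac_ttl else "expired"

def outcome(mk_state, pac_st, auto_provisioning):
    # Table 10-1: an expired master key forces provisioning whatever the PAC state.
    if mk_state == "expired":
        return AUTO_PROVISION if auto_provisioning else MANUAL_PROVISION
    if mk_state == "active" and pac_st == "active":
        return NO_REFRESH
    return REFRESH  # retired key, or active key with an expired PAC

def transitions(key_created, pac_issued, key_ttl, retired_ttl, pac_ttl, auto, days):
    """Return [(days_since_pac_issue, outcome)] for each day the outcome changes."""
    changes, last = [], None
    for d in range(days + 1):
        now = pac_issued + timedelta(days=d)
        result = outcome(master_key_state(key_created, now, key_ttl, retired_ttl),
                         pac_state(pac_issued, now, pac_ttl), auto)
        if result != last:
            changes.append((d, result))
            last = result
    return changes

if __name__ == "__main__":
    # Constructed sample values, not defaults taken from the guide.
    t0 = datetime(2024, 1, 1)  # creation time of the master key that generated the PAC
    for day, result in transitions(t0, t0 + timedelta(days=10), timedelta(days=30),
                                   timedelta(days=90), timedelta(days=7), False, 150):
        print(f"day {day:3d} after PAC issue: {result}")
```

With these sample values, the last transition marks how long a user can be absent before manual provisioning becomes necessary when automatic provisioning is disabled.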