About Master Keys - Cisco 3.3 User Manual

For Windows Server version 3.3
Chapter 10
System Configuration: Authentication and Certificates

About Master Keys

78-16592-01
Cisco Secure ACS supports password aging with EAP-FAST for users authenticated by Windows user databases. Password aging can work with either phase zero or phase two of EAP-FAST. If password aging requires a user to change passwords during phase zero, the new password would be effective in phase two. For more information about password aging for Windows user databases, see Enabling Password Aging for Users in Windows Databases, page 6-26.
EAP-FAST master keys are strong secrets that Cisco Secure ACS automatically generates and that only Cisco Secure ACS is aware of. Master keys are never sent to an end-user client. EAP-FAST requires master keys for two purposes:
PAC generation—Cisco Secure ACS generates PACs using the active master key. For details about PACs, see About PACs, page 10-17.

EAP-FAST phase one—Cisco Secure ACS determines whether the PAC presented by the end-user client was generated by one of the master keys it is aware of, either the active master key or a retired master key.

To increase the security of EAP-FAST, Cisco Secure ACS changes the master key that it uses to generate PACs. Cisco Secure ACS uses time-to-live (TTL) values you define to determine when it generates a new master key and to determine the age of all master keys. Based on TTL values, Cisco Secure ACS assigns master keys one of the three following states:

Active—An active master key is the master key used by Cisco Secure ACS to generate PACs. The duration that a master key remains active is determined by the Master key TTL setting. At any time, only one master key is active.

When you define TTLs for master keys and PACs, Cisco Secure ACS permits only a PAC TTL that is shorter than the active master key TTL. This limitation ensures that a PAC is refreshed at least once before the expiration of the master key used to generate the PAC, provided that EAP-FAST users log in to the network at least once before the master key expires. For more information about how TTL values determine whether PAC refreshing or provisioning is required, see Master Key and PAC TTLs, page 10-21.

When Cisco Secure ACS is configured to receive replicated EAP-FAST policies and master keys, a backup master key is among the master keys received. The backup master key is used only if the active master key retires

About Certification and EAP Protocols
User Guide for Cisco Secure ACS for Windows Server, page 10-15
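A small Python model of the master-key lifecycle described in this section, added here as an illustration and not Cisco Secure ACS code: it rejects a PAC TTL that is not shorter than the master key TTL, generates PACs only with the active master key, and in phase one reports whether a presented PAC came from the active key, a retired key, or no key it knows. The key ids, the PAC layout (key id, user, expiry, HMAC) and the two modelled states are assumptions; the real PAC format and the remaining master key states are not modelled.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field


@dataclass
class MasterKey:
    key_id: bytes   # assumption: opaque id carried in the PAC
    secret: bytes   # known only to the server, never sent to the client
    created: int    # constructed clock in seconds, not wall time


@dataclass
class MasterKeyStore:
    master_key_ttl: int
    pac_ttl: int
    keys: list = field(default_factory=list)  # oldest first, newest last

    def __post_init__(self):
        # ACS permits only a PAC TTL shorter than the active master key TTL
        if self.pac_ttl >= self.master_key_ttl:
            raise ValueError("PAC TTL must be shorter than the master key TTL")

    def active_key(self, now):
        # Generate a new key once the newest has lived out its TTL; the old one is retired
        if not self.keys or now - self.keys[-1].created >= self.master_key_ttl:
            self.keys.append(MasterKey(os.urandom(4), os.urandom(32), now))
        return self.keys[-1]

    def _mac(self, key, key_id, user, expiry):
        msg = key_id + user.encode() + expiry.to_bytes(8, "big")
        return hmac.new(key.secret, msg, hashlib.sha256).digest()

    def issue_pac(self, user, now):
        # PAC generation: only the active master key is ever used
        key = self.active_key(now)
        expiry = now + self.pac_ttl
        return (key.key_id, user, expiry, self._mac(key, key.key_id, user, expiry))

    def verify_pac(self, pac, now):
        # Phase one: was the PAC made by a master key the server knows (active or retired)?
        key_id, user, expiry, mac = pac
        active = self.active_key(now)
        for key in self.keys:
            if key.key_id != key_id:
                continue
            if not hmac.compare_digest(mac, self._mac(key, key_id, user, expiry)):
                return "bad-mac"
            if now > expiry:
                return "expired-pac"  # client must refresh its PAC
            return "active" if key is active else "retired"
        return "unknown-key"  # client needs provisioning
```

Because the PAC TTL is shorter than the master key TTL, a PAC issued late in a key's active period is still recognised (as coming from a retired key) after rotation, which is the refresh window the section describes.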