About PACs - Cisco Secure ACS 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server, version 3.3 (document 78-16592-01, page 10-17)

Chapter 10
System Configuration: Authentication and Certificates

About PACs

PACs (Protected Access Credentials) are strong shared secrets that enable Cisco Secure ACS and an EAP-FAST end-user client to authenticate each other and establish a TLS tunnel for use in EAP-FAST phase two. Cisco Secure ACS generates PACs using the active master key and a username. An EAP-FAST end-user client stores a PAC for each user who accesses the network with the client. Additionally, a AAA server that supports EAP-FAST has a unique Authority ID. An end-user client associates a user's PACs with the Authority ID of the AAA server that generated them.

During EAP-FAST phase one, the end-user client presents the PAC that it holds for the current user and for the Authority ID that Cisco Secure ACS sends at the beginning of the EAP-FAST transaction. Cisco Secure ACS determines whether the PAC was generated with one of the master keys it still knows, either active or retired; a PAC generated with a master key that has since expired can never be used to gain network access. When an end-user client holds a PAC generated with an expired master key, the client must receive a new PAC before EAP-FAST phase one can succeed. The means of providing PACs to end-user clients, known as PAC provisioning, are discussed in Automatic PAC Provisioning, page 10-18 and Manual PAC Provisioning, page 10-20.

After end-user clients have been provided with PACs, Cisco Secure ACS refreshes them as dictated by the master key and PAC TTL values. Cisco Secure ACS generates and sends a new PAC as needed at the end of EAP-FAST phase two. However, because a PAC can be refreshed only during a session that phase one has already admitted, shortening the master key TTL may in effect force PAC provisioning for users whose PACs are no longer acceptable in phase one. For more information about how master key and PAC states determine whether Cisco Secure ACS sends a new PAC to the end-user client at the end of phase two, see Master Key and PAC TTLs, page 10-21.

Regardless of the master key TTL values you define, a user will require PAC provisioning if the user does not use EAP-FAST to access the network before the master key that generated the user's PAC has expired. For example, if the master key TTL is one week and the retired master key TTL is one week, each EAP-FAST end-user client used by someone who goes on vacation for two weeks will require PAC provisioning.
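The lifecycle described in the paragraphs above, as an added example that is not Cisco Secure ACS code: a small Python model in which a server rotates master keys through active, retired and expired states, accepts in phase one only PACs whose master key is still active or retired, and may hand out a fresh PAC at the end of phase two. The class and scenario names, the lazy key-rotation scheme and the refresh policy (new PAC when the PAC's master key is retired or the PAC TTL has lapsed) are assumptions of this example; the Master Key and PAC TTLs section remains the authority on the real behaviour. The scenarios reproduce the document's two-week-vacation case and the effect of shortening the master key TTL.

```python
"""Model of the EAP-FAST master-key and PAC lifecycle (added illustration,
not Cisco code). Rotation scheme and refresh policy are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

DAY = 24 * 60 * 60  # the simulation clock counts seconds

class KeyState(Enum):
    ACTIVE = "active"
    RETIRED = "retired"
    EXPIRED = "expired"

@dataclass(frozen=True)
class MasterKey:
    key_id: int
    created: int

@dataclass(frozen=True)
class Pac:
    username: str
    authority_id: str
    key_id: int   # master key that generated this PAC
    issued: int

@dataclass
class AcsServer:
    authority_id: str
    master_key_ttl: int
    retired_key_ttl: int
    pac_ttl: int
    keys: List[MasterKey] = field(default_factory=list)
    next_key_id: int = 1

    def key_state(self, key: MasterKey, now: int) -> KeyState:
        age = now - key.created
        if age < self.master_key_ttl:
            return KeyState.ACTIVE
        if age < self.master_key_ttl + self.retired_key_ttl:
            return KeyState.RETIRED
        return KeyState.EXPIRED

    def active_key(self, now: int) -> MasterKey:
        # Assumed rotation: expired keys are forgotten, and a new master key is
        # generated whenever the newest one is no longer active.
        self.keys = [k for k in self.keys if self.key_state(k, now) is not KeyState.EXPIRED]
        if not self.keys or self.key_state(self.keys[-1], now) is not KeyState.ACTIVE:
            self.keys.append(MasterKey(self.next_key_id, now))
            self.next_key_id += 1
        return self.keys[-1]

    def provision(self, username: str, now: int) -> Pac:
        """PAC provisioning: a PAC bound to the username and the active master key."""
        return Pac(username, self.authority_id, self.active_key(now).key_id, now)

    def phase_one(self, pac: Optional[Pac], now: int) -> Tuple[bool, str]:
        """Can the presented PAC open the phase-one TLS tunnel?"""
        if pac is None or pac.authority_id != self.authority_id:
            return False, "no PAC for this Authority ID"
        self.active_key(now)  # rotate and forget expired keys before checking
        key = next((k for k in self.keys if k.key_id == pac.key_id), None)
        if key is None:
            return False, "PAC master key has expired"
        return True, "PAC master key is " + self.key_state(key, now).value

    def phase_two_refresh(self, pac: Pac, now: int) -> Optional[Pac]:
        # Assumed refresh policy: issue a new PAC when the PAC's master key is
        # retired or the PAC has outlived its own TTL.
        key = next(k for k in self.keys if k.key_id == pac.key_id)
        if self.key_state(key, now) is KeyState.RETIRED or now - pac.issued >= self.pac_ttl:
            return self.provision(pac.username, now)
        return None

@dataclass
class Client:
    pacs: Dict[Tuple[str, str], Pac] = field(default_factory=dict)  # (user, authority) -> PAC

    def connect(self, acs: AcsServer, username: str, now: int) -> str:
        slot = (username, acs.authority_id)
        pac = self.pacs.get(slot)
        ok, reason = acs.phase_one(pac, now)
        if not ok:
            return "PROVISIONING REQUIRED: " + reason
        fresh = acs.phase_two_refresh(pac, now)  # pac is not None once phase one passed
        if fresh is not None:
            self.pacs[slot] = fresh
            return "OK, new PAC issued at end of phase two"
        return "OK"

def vacation_scenario(days_away: int) -> str:
    """Document's example: master key TTL one week, retired master key TTL one week."""
    acs = AcsServer("acs-east", master_key_ttl=7 * DAY, retired_key_ttl=7 * DAY, pac_ttl=7 * DAY)
    client = Client()
    client.pacs[("alice", "acs-east")] = acs.provision("alice", now=0)
    return client.connect(acs, "alice", now=days_away * DAY)

def shortened_ttl_scenario() -> str:
    """Shortening the master key TTL after PACs are out can force provisioning."""
    acs = AcsServer("acs-east", master_key_ttl=7 * DAY, retired_key_ttl=7 * DAY, pac_ttl=7 * DAY)
    client = Client()
    client.pacs[("bob", "acs-east")] = acs.provision("bob", now=0)
    acs.master_key_ttl, acs.retired_key_ttl = DAY, DAY  # administrator shortens both TTLs
    return client.connect(acs, "bob", now=3 * DAY)

def foreign_authority_scenario() -> str:
    """A PAC from another AAA server's Authority ID is not usable here."""
    west = AcsServer("acs-west", 7 * DAY, 7 * DAY, 7 * DAY)
    east = AcsServer("acs-east", 7 * DAY, 7 * DAY, 7 * DAY)
    client = Client()
    client.pacs[("carol", "acs-west")] = west.provision("carol", now=0)
    return client.connect(east, "carol", now=DAY)
```

With the document's TTLs, `vacation_scenario(5)` returns "OK" (master key still active, PAC within its TTL), `vacation_scenario(13)` succeeds and returns a refreshed PAC generated with the new active key (the old key is retired), and `vacation_scenario(14)` fails phase one because the generating key has expired, which is the two-week case in the text. `shortened_ttl_scenario` shows that lowering the TTLs to one day each leaves Bob's three-day-old PAC unacceptable before any refresh could happen.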
