Cisco 2509 - Router - EN User Manual page 347

Chapter 8: Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup
User Guide for Cisco Secure ACS for Windows Server, 78-14696-01, Version 3.1, page 8-73

the case may be) message is returned to the end-user client in the clear. If authentication is successful, cryptographic keys are derived using the TLS PRF. Session keys never transit the network.

As compared to LEAP, PEAP is a major step forward in data security. After phase 1 of PEAP is established, all data is encrypted; this includes all username information that, with LEAP, is sent in cleartext. User identity is only sent through the secure (SSL) tunnel. The initial identity, which is sent in the clear, is the MAC address with the word "PEAP_" as a prefix. Further, by avoiding the requirement for MSCHAP usernames and passwords that is found in LEAP, PEAP can support a wider range of user databases. For more information regarding what protocols are compatible with the different databases, see Authentication Protocol-Database Compatibility, page 1-9.

PEAP Limitations

The Cisco Secure ACS implementation of PEAP has the following limitations:

• External Databases Only—PEAP only supports external user databases. The CiscoSecure user database cannot support PEAP authentication; therefore, only users who have an account in a supported external user database can authenticate with PEAP.

• Unknown User Processing—Enabling unknown user processing is strictly required to support PEAP authentication. Cisco Secure ACS uses unknown user processing during phase 1 of PEAP authentication, when the username is not known to Cisco Secure ACS. For more information about the Unknown User Policy, see Unknown User Processing, page 12-1.

Note: Unknown user processing can introduce large latencies during authentication. Be sure to configure the Unknown User Policy page to account for this possibility. For more information, see Database Search Order, page 12-9.
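The statement above that keys are derived using the TLS PRF and never transit the network, shown as an added example that is not from the Cisco guide: a Python implementation of the TLS 1.0 PRF from RFC 2246, run independently by each end of the tunnel. The label string (taken from RFC 2716, EAP-TLS), the 64-byte output split into two keys, and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: expand secret and seed to `length` bytes with HMAC."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """RFC 2246 PRF: P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed)."""
    half = (len(secret) + 1) // 2           # halves share one byte if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


# Assumption: label string from RFC 2716 (EAP-TLS), reused here for PEAP.
EAP_LABEL = b"client EAP encryption"


def derive_session_keys(master_secret, client_random, server_random):
    """Derive two 32-byte keys locally from TLS handshake state."""
    material = tls10_prf(master_secret, EAP_LABEL,
                         client_random + server_random, 64)
    return material[:32], material[32:]


def demo():
    # Constructed values; real ones come from the phase 1 TLS handshake.
    master_secret = os.urandom(48)          # computed by each side, never sent
    client_random, server_random = os.urandom(32), os.urandom(32)
    # Only the two randoms cross the network, in the hello messages.
    client = derive_session_keys(master_secret, client_random, server_random)
    server = derive_session_keys(master_secret, client_random, server_random)
    return client == server


if __name__ == "__main__":
    print("client and server keys match:", demo())
```

An observer who captures both randoms still cannot reproduce the keys without the master secret, which is why the derived keys never need to be transmitted.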
