Configuring EAP-FAST Authentication

In EAP-FAST, the TLS tunnel is established using shared secrets called Protected Access Credentials (PACs) rather than public key certificates.

To implement EAP-FAST, you can choose from two types of PAC provisioning:
  • Automatic PAC provisioning—Badges automatically download a PAC from the Cisco ACS, and the ACS periodically refreshes the PAC to ensure that it does not expire. To take advantage of automatic PAC provisioning, you must configure badges correctly by setting Auto-PAC properties.

    For details, refer to the Vocera Badge Configuration Guide. Automatic PAC provisioning takes care of copying the PAC to the Vocera Voice Server and of PAC expiry.

  • Manual PAC provisioning—You create a PAC on the Cisco ACS and then manually copy it to the Vocera Voice Server. Generally, the PAC should be set to expire a year or more later so that you do not need to update it frequently. The badge downloads this PAC from the Vocera Voice Server and then presents it to an access point that is enabled to support EAP-FAST.

    Note: EAP-FAST has been tested with Cisco Secure ACS v4.0(1) Build 27.

All badges must use the same username and password for EAP-FAST authentication. The same applies to LEAP and WPA-PEAP authentication.

To implement EAP-FAST authentication in the Cisco Secure ACS, perform the following steps:

  1. Choose System Configuration > Global Authentication Setup.
  2. Under PEAP settings, ensure that the Enable Fast Reconnect option is checked.
  3. Click EAP-FAST Configuration.
  4. Ensure the Allow EAP-FAST option is checked.
  5. Enter the following property values:
    • Active Master Key TTL—Period of time that a master key is used to generate new PACs.

    • Retired Master Key TTL—Period of time that PACs generated using a retired master key are acceptable for EAP-FAST authentication.

    • Tunnel PAC TTL—Period of time that a PAC is used before it expires and must be replaced.

      Note: If you are using manual PAC provisioning, set this property value to 5 years to ensure that the PAC file you create for Vocera will not expire soon.
  6. Ensure that the Allow Stateless Session Resume option is checked, and set Authorization PAC TTL to 8 hours, or the length of a typical shift.
    The Allow Stateless Session Resume option ensures that a session does not trigger a full authentication during a typical shift.
  7. Click Submit.
  8. On the Cisco Secure ACS, create a single user that all Vocera badges will use.
  9. If you are using manual PAC provisioning, perform the following:
    1. On the computer running Cisco Secure ACS, open an MS-DOS command prompt window and change to the directory containing the CSUtil file.
    2. Start CSUtil with the following arguments: CSUtil.exe -t -u username -passwd password -filepath C:\ClientPACs

      Where username and password are the user account and password set up for Vocera.

    3. Press Enter.
      The CSUtil application creates a PAC called username.pac in the directory C:\ClientPACs.
    4. Rename this file to eapfast.pac.
    5. Copy eapfast.pac to the following locations on both the Vocera Voice Server and the standalone configuration computer:
      • \vocera\config\gen3n\badge\res\certificates\EAP-Fast\

      • \vocera\config\gen3\badge\res\certificates\EAP-Fast\

      Note: The folder name is case-sensitive.
  10. On the Vocera Voice Server, start the Badge Properties Editor as described in the Using the Badge Properties Editor topic in the Vocera Badge Configuration Guide.
  11. In the Badge Type list, select B3000N.
  12. Click Security, and provide the following property values:
    • Authentication: EAP-FAST.

    • Encryption: TKIP-WPA or AES-CCMP.

    • User Name: username.

      Where username is an ACS user ID.

    • Password: password.

      Where password is the password of the ACS user.


  13. Click Apply to save the values.
  14. In the Badge Type list, select B3000.
  15. On the General and Security pages, specify the same property settings for B3000 that you specified for B3000N.
  16. Click OK to save the values and close the Badge Properties Editor.
  17. Copy badge.properties to the \vocera\config location on both the Vocera Voice Server and the standalone configuration computer.
  18. Perform one of the following:
    • Stop the Vocera Voice Server and restart it.

      This causes the server to reload badge.properties into memory. When the server restarts, it updates the badges with badge.properties and retrieves the PAC file, allowing the badge to be authenticated during boot-up and roaming.

    • Run the Badge Configuration Utility.

      When the badge connects, the Badge Configuration Utility updates it with badge.properties and the badge retrieves the PAC file, allowing the badge to be authenticated during boot-up and roaming.

    Important: If you use manual PAC provisioning, the eapfast.pac file must be in place before the badges download the badge.properties file with EAP-FAST security enabled.
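The following PowerShell script is an added example, not part of the Vocera guide or a Cisco tool. It automates the manual PAC provisioning steps (running CSUtil with the arguments shown above, renaming the PAC to eapfast.pac, copying it to both EAP-Fast folders on both machines) and then copies badge.properties only after the PAC is verified in place, which is the order the Important note requires. It also checks that each folder in the path exists with exactly the documented letter case, because Windows resolves paths case-insensitively while the badge does not. The CSUtil directory, the administrative-share roots for the Voice Server and the standalone configuration computer, the location of the edited badge.properties, and the helper Test-ExactCasePath are all assumptions of this example; adjust the paths to your environment.

```powershell
<#
  Added example (not from the Vocera guide or Cisco): automates manual PAC
  provisioning and the badge.properties copy, PAC first, then badge.properties.
  The default paths below are assumptions; change them to match your site.
#>
param(
    [Parameter(Mandatory = $true)][string]$UserName,   # ACS user created for all Vocera badges
    [Parameter(Mandatory = $true)][string]$Password,   # that user's password
    [string]$CsUtilDir  = 'C:\Program Files\CiscoSecure ACS v4.0\Utils',   # assumption: folder containing CSUtil.exe
    [string]$PacDir     = 'C:\ClientPACs',                                 # output folder used in the guide
    [string]$BadgeProps = 'C:\vocera\config\badge.properties',             # assumption: file saved by the Badge Properties Editor
    [string[]]$VoceraRoots = @('\\VOCERA-SERVER\C$\vocera',                # assumption: admin share of the Voice Server
                               '\\CONFIG-PC\C$\vocera')                    # assumption: admin share of the standalone configuration computer
)

$ErrorActionPreference = 'Stop'

# Steps 9.1-9.3: run CSUtil from its own directory to create <username>.pac.
# Arguments are exactly those given in the guide.
Push-Location $CsUtilDir
try {
    & .\CSUtil.exe -t -u $UserName -passwd $Password -filepath $PacDir
} finally {
    Pop-Location
}
$generated = Join-Path $PacDir "$UserName.pac"
if (-not (Test-Path -LiteralPath $generated)) { throw "CSUtil did not create $generated" }

# Step 9.4: rename to eapfast.pac, replacing a stale copy from an earlier run.
$pac = Join-Path $PacDir 'eapfast.pac'
Move-Item -LiteralPath $generated -Destination $pac -Force

# Helper (assumption, not a Vocera tool): returns $true only if every component
# of $RelPath exists under $Root with exactly this letter case. A folder named
# 'eap-fast' would satisfy Test-Path on Windows but not the badge.
function Test-ExactCasePath {
    param([string]$Root, [string]$RelPath)
    $current = Get-Item -LiteralPath $Root
    foreach ($part in ($RelPath -split '\\' | Where-Object { $_ })) {
        $child = Get-ChildItem -LiteralPath $current.FullName -Force |
                 Where-Object { $_.Name -ceq $part }
        if (-not $child) { return $false }
        $current = $child
    }
    return $true
}

# Step 9.5: copy eapfast.pac to both certificate folders on both machines.
$pacFolders = @('config\gen3n\badge\res\certificates\EAP-Fast',
                'config\gen3\badge\res\certificates\EAP-Fast')
foreach ($root in $VoceraRoots) {
    foreach ($rel in $pacFolders) {
        $dest = Join-Path $root $rel
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -LiteralPath $pac -Destination $dest -Force
        # The folder name is case-sensitive: fail if an existing folder with
        # different case was silently reused by the filesystem.
        if (-not (Test-ExactCasePath -Root $root -RelPath "$rel\eapfast.pac")) {
            throw "Case mismatch under $root for '$rel'; rename the folder to match the guide exactly"
        }
    }
}

# Step 17, only now that the PAC is verified in place on both machines.
foreach ($root in $VoceraRoots) {
    Copy-Item -LiteralPath $BadgeProps -Destination (Join-Path $root 'config') -Force
}
Write-Host 'eapfast.pac and badge.properties deployed. Restart the Vocera Voice Server or run the Badge Configuration Utility.'
```

Run it as an account that can reach both administrative shares, for example `.\Deploy-VoceraPac.ps1 -UserName vocera -Password '...'`. Because the ACS password is passed to CSUtil on its command line, it is visible in the PowerShell history and to process listings while CSUtil runs; clear the history afterwards and do not store the password in the script. If the script is run on the Voice Server itself, point $VoceraRoots at local paths and make sure $BadgeProps is not already the destination file, since Copy-Item refuses to copy a file onto itself.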