Administrator Guide

152 | Authentication and Authorization    Dell Networking W-ClearPass Policy Manager 6.5 | User Guide
Table 62: EAP_FAST PAC Provisioning Tab Parameters

Columns: Parameter, Description, Considerations

In-Band PAC Provisioning

Parameter: Allow anonymous mode
  Description: When in anonymous mode, phase 0 of EAP_FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode). After the outer tunnel is established, the end-host and Policy Manager perform mutual authentication using MSCHAPv2, then Policy Manager provisions the end-host with an appropriate PAC (tunnel or machine).
  Considerations: Authenticated mode is more secure than anonymous provisioning mode. After the server is authenticated, the phase 0 tunnel is established. The end-host and Policy Manager then perform mutual authentication and provision the end-host with an appropriate PAC (tunnel or machine):
    - If both anonymous and authenticated provisioning modes are enabled and the end-host sends a cipher suite that supports server authentication, Policy Manager picks the authenticated provisioning mode.
    - If the appropriate cipher suite is supported by the end-host, Policy Manager performs anonymous provisioning.

Parameter: Allow authenticated mode
  Description: Enable to allow authenticated mode provisioning. When Allow authenticated mode is enabled, Policy Manager establishes the phase 0 outer tunnel inside a server-authenticated tunnel. The end-host authenticates the server by validating the Policy Manager certificate.

Parameter: Accept end-host after authenticated provisioning
  Description: After the authenticated provisioning mode is complete and the end-host is provisioned with a PAC, Policy Manager rejects the end-host authentication; the end-host subsequently re-authenticates using the newly provisioned PAC. When this field is enabled, Policy Manager accepts the end-host authentication in the provisioning exchange itself; the end-host does not have to re-authenticate.
  Considerations: None.

Parameter: Required end-host certificate for provisioning
  Description: In authenticated provisioning mode, the end-host authenticates the server by validating the server certificate, resulting in a protected outer tunnel; the end-host is then authenticated by the server inside this tunnel. When this field is enabled, the server can require the end-host to send a certificate inside the tunnel for the purpose of authenticating the end-host.
  Considerations: None.
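The four check boxes above interact during phase 0, and the table describes the outcome in prose only. The following added example (not ClearPass code; the class, function and field names are assumptions chosen for the illustration) models how the mode is selected from the cipher suites the end-host offers, what happens inside the tunnel, and whether the end-host must re-authenticate once the PAC is issued. It also produces the configuration review notes a defender would want when auditing this tab. The cipher-suite test relies on the fact that anonymous Diffie-Hellman suites (TLS_DH_anon_*) carry no server certificate and therefore cannot authenticate the server; the rule that anonymous provisioning always ends in a reject followed by re-authentication is taken from RFC 5422, not from this page, and is marked as an assumption in the code.

```python
"""Added model of the EAP-FAST PAC provisioning settings in Table 62.
Not ClearPass code: class, function and field names are assumptions."""
from dataclasses import dataclass
from typing import List


def supports_server_auth(cipher_suite: str) -> bool:
    """TLS_DH_anon_* suites have no server certificate, so they cannot
    authenticate the server; every other suite modelled here can."""
    return not cipher_suite.startswith("TLS_DH_anon_")


@dataclass
class PacProvisioningSettings:
    """The four check boxes of the PAC Provisioning tab (Table 62)."""
    allow_anonymous_mode: bool
    allow_authenticated_mode: bool
    accept_end_host_after_authenticated_provisioning: bool
    require_end_host_certificate_for_provisioning: bool


def select_phase0_mode(settings: PacProvisioningSettings,
                       offered_suites: List[str]) -> str:
    """Pick the phase 0 provisioning mode for the suites an end-host offers.

    Returns "authenticated", "anonymous" or "reject". Authenticated mode wins
    whenever it is enabled and a server-authenticating suite is offered;
    anonymous mode needs an anonymous suite on offer."""
    if settings.allow_authenticated_mode and any(
            supports_server_auth(s) for s in offered_suites):
        return "authenticated"
    if settings.allow_anonymous_mode and any(
            not supports_server_auth(s) for s in offered_suites):
        return "anonymous"
    return "reject"


def provisioning_result(settings: PacProvisioningSettings, mode: str) -> dict:
    """Describe the inner authentication and what follows PAC issuance."""
    if mode == "reject":
        return {"outer_tunnel": None, "inner_auth": [], "pac_issued": False,
                "access_after_provisioning": "reject"}
    inner_auth = ["MSCHAPv2"]
    if mode == "authenticated" and settings.require_end_host_certificate_for_provisioning:
        inner_auth.append("end-host certificate")
    # Table 62: only authenticated mode can accept the end-host within the
    # provisioning exchange. Anonymous provisioning is assumed to always end
    # with a reject and a re-authentication using the new PAC (RFC 5422).
    accept_now = (mode == "authenticated"
                  and settings.accept_end_host_after_authenticated_provisioning)
    return {
        "outer_tunnel": "server-authenticated" if mode == "authenticated" else "anonymous",
        "inner_auth": inner_auth,
        "pac_issued": True,
        "access_after_provisioning": "accept" if accept_now
        else "reject, re-authenticate with PAC",
    }


def review_settings(settings: PacProvisioningSettings) -> List[str]:
    """Review notes derived from the considerations in Table 62."""
    notes = []
    if settings.allow_anonymous_mode:
        notes.append("anonymous mode enabled: phase 0 outer tunnel is built "
                     "without server authentication (weaker than authenticated mode)")
    if not settings.allow_authenticated_mode:
        notes.append("authenticated mode disabled: the Policy Manager certificate "
                     "is never validated during provisioning")
    if not settings.require_end_host_certificate_for_provisioning:
        notes.append("end-host certificate not required: provisioning relies on "
                     "MSCHAPv2 credentials alone")
    return notes


if __name__ == "__main__":
    # Constructed sample: both modes enabled, supplicant offers one anonymous
    # and one certificate-based suite.
    cfg = PacProvisioningSettings(True, True, False, False)
    hello = ["TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    mode = select_phase0_mode(cfg, hello)
    print(mode, provisioning_result(cfg, mode))
    for note in review_settings(cfg):
        print("-", note)
```

Run as a script it prints the selected mode, the tunnel outcome and the review notes for the constructed configuration; disabling anonymous mode and requiring the end-host certificate yields an empty review list, which is the hardened baseline implied by the table.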
EAP-GTC
EAP-Generic Token Card (GTC) enables the exchange of clear-text authentication credentials across the
network. EAP-GTC is used inside a TLS tunnel created by TTLS or PEAP to provide server authentication in
wireless environments. The EAP-GTC method contains the General tab that labels the authentication method
and defines session details.