Users Guide

Figure 67: EAP_FAST PAC Provisioning tab
Table 55: EAP_FAST PAC Provisioning Tab

Parameter: Allow Anonymous Mode
Description: When in anonymous mode, phase 0 of EAP_FAST provisioning establishes an outer tunnel without end-host/Policy Manager authentication (not as secure as the authenticated mode). Once the tunnel is established, end-host and Policy Manager perform mutual authentication using MSCHAPv2, then Policy Manager provisions the end-host with an appropriate PAC (tunnel or machine).
Considerations: Authenticated mode is more secure than anonymous provisioning mode. Once the server is authenticated, the phase 0 tunnel is established, the end-host and Policy Manager perform mutual authentication, and Policy Manager provisions the end-host with an appropriate PAC (tunnel or machine):
- If both anonymous and authenticated provisioning modes are enabled, and the end-host sends a cipher suite that supports server authentication, Policy Manager picks the authenticated provisioning mode.
- Otherwise, if the appropriate cipher suite is supported by the end-host, Policy Manager performs anonymous provisioning.

Parameter: Allow Authenticated Mode
Description: Enable to allow authenticated mode provisioning. When in Allow Authenticated Mode phase 0, Policy Manager establishes the outer tunnel inside of a server-authenticated tunnel. The end-host authenticates the server by validating the Policy Manager certificate.

Parameter: Accept end-host after authenticated provisioning
Description: Once the authenticated provisioning mode is complete and the end-host is provisioned with a PAC, Policy Manager rejects end-host
Dell Networking W-ClearPass Policy Manager 6.0 | User Guide 125
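
The mode-selection rule in the Considerations column for Allow Anonymous Mode can be modelled as follows. This is an added example, not Policy Manager code: the function names are hypothetical, the cipher suite lists are an assumption based on the suites RFC 5422 names for EAP-FAST provisioning, and the behaviour when only one mode is enabled is assumed.

```python
from enum import Enum

# Assumed suite lists (IANA TLS cipher suite IDs), based on RFC 5422.
# Anonymous Diffie-Hellman: no server certificate is presented in phase 0.
ANON_SUITES = {0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA"}
# Certificate-based key exchange: the end-host can validate the server.
SERVER_AUTH_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}


class Mode(Enum):
    AUTHENTICATED = "authenticated provisioning"
    ANONYMOUS = "anonymous provisioning"
    NONE = "no provisioning"


def select_provisioning_mode(allow_anonymous, allow_authenticated, offered):
    """Model of the rule in the table: prefer authenticated provisioning
    when it is enabled and the end-host offers a server-authenticating
    suite; otherwise fall back to anonymous if enabled and offered."""
    offered = set(offered)
    if allow_authenticated and any(s in SERVER_AUTH_SUITES for s in offered):
        return Mode.AUTHENTICATED
    if allow_anonymous and any(s in ANON_SUITES for s in offered):
        return Mode.ANONYMOUS
    return Mode.NONE


def audit(allow_anonymous, allow_authenticated):
    """Return the findings a configuration review would raise."""
    findings = []
    if allow_anonymous:
        findings.append(
            "Allow Anonymous Mode is enabled: an end-host offering only an "
            "anonymous suite is provisioned without validating the server "
            "certificate in phase 0")
    if not (allow_anonymous or allow_authenticated):
        findings.append("no provisioning mode is enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample: both modes enabled, end-host offers only DH_anon.
    print(select_provisioning_mode(True, True, [0x0034]).value)
    for finding in audit(True, True):
        print("finding:", finding)
```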