B-19
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Appendix B Authentication in ACS 5.4
EAP-FAST

Authenticating with MSCHAPv2

After the TLS tunnel is created, follow these steps to authenticate the wireless client credentials with MSCHAPv2:

1. ACS sends an EAP-Request/Identity message.
2. The wireless client responds with an EAP-Response/Identity message that contains the identity (user or computer name) of the wireless client.
3. ACS sends an EAP-Request/EAP-MSCHAPv2 challenge message that contains a challenge string.
4. The wireless client responds with an EAP-Response/EAP-MSCHAPv2 Response message that contains the response to the ACS challenge string and a challenge string for ACS.
5. ACS sends an EAP-Request/EAP-MSCHAPv2 success message, which indicates that the wireless client response was correct and contains the response to the wireless client challenge string.
6. The wireless client responds with an EAP-Response/EAP-MSCHAPv2 acknowledgment message, indicating that the ACS response was correct.
7. ACS sends an EAP-Success message.

At the end of this mutual authentication exchange, the wireless client has provided proof of knowledge of the correct password (the response to the ACS challenge string), and ACS has provided proof of knowledge of the correct password (the response to the wireless client challenge string). The entire exchange is encrypted through the TLS channel created in PEAP.

Related Topics
Authentication Protocol and Identity Store Compatibility, page B-36
Configuring PEAP Settings, page 18-3

EAP-FAST

This section contains the following topics:
Overview of EAP-FAST, page B-19
EAP-FAST Flow in ACS 5.4., page B-27
EAP-FAST PAC Management, page B-28

Overview of EAP-FAST

The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a new, publicly accessible IEEE 802.1x EAP type that Cisco developed to support customers that cannot enforce a strong password policy and want to deploy an 802.1x EAP type that does not require digital certificates.

EAP-FAST supports a variety of user and password database types, password change and expiration, and is flexible, easy to deploy, and easy to manage. For more information about EAP-FAST and comparison with other EAP types, see:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml.
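
The seven-step exchange from "Authenticating with MSCHAPv2", simulated as an added example (not Cisco or ACS code) to show where each side's proof of password knowledge is checked. HMAC-SHA256 stands in for the MD4, SHA-1 and DES response functions of real MSCHAPv2 (RFC 2759), the TLS tunnel is omitted, and `proof`, `run_exchange`, `server_checks_client` and the sample passwords are hypothetical.

```python
import hashlib
import hmac
import os

def proof(password: str, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for an MSCHAPv2 response: a keyed digest over the challenges.
    Real MSCHAPv2 (RFC 2759) uses MD4, SHA-1 and DES; HMAC-SHA256 is an
    assumption made so the example needs only the standard library."""
    return hmac.new(password.encode(), label + b"".join(parts), hashlib.sha256).digest()

def run_exchange(client_password, acs_password, identity=b"alice",
                 server_checks_client=True):
    """Walk steps 1-7 and return (outcome, messages sent so far)."""
    sent = ["EAP-Request/Identity",                          # 1: ACS -> client
            "EAP-Response/Identity"]                         # 2: client -> ACS
    acs_challenge = os.urandom(16)
    sent.append("EAP-Request/EAP-MSCHAPv2 Challenge")        # 3: ACS -> client
    client_challenge = os.urandom(16)
    client_resp = proof(client_password, b"client",
                        acs_challenge, client_challenge, identity)
    sent.append("EAP-Response/EAP-MSCHAPv2 Response")        # 4: client -> ACS
    # ACS verifies the client's response to the ACS challenge string.
    expected = proof(acs_password, b"client",
                     acs_challenge, client_challenge, identity)
    if server_checks_client and not hmac.compare_digest(client_resp, expected):
        return "acs_rejected_client", sent
    acs_resp = proof(acs_password, b"server", client_challenge, client_resp)
    sent.append("EAP-Request/EAP-MSCHAPv2 Success")          # 5: ACS -> client
    # The client verifies the ACS response to the client challenge string.
    wanted = proof(client_password, b"server", client_challenge, client_resp)
    if not hmac.compare_digest(acs_resp, wanted):
        return "client_rejected_acs", sent
    sent.append("EAP-Response/EAP-MSCHAPv2 Acknowledgment")  # 6: client -> ACS
    sent.append("EAP-Success")                               # 7: ACS -> client
    return "authenticated", sent

if __name__ == "__main__":
    # Constructed sample passwords: matching, then a client with a wrong one.
    for args in [("s3cret", "s3cret"), ("guess", "s3cret")]:
        outcome, sent = run_exchange(*args)
        print(outcome, len(sent))
    # A server that does not hold the password and skips its own check is
    # stopped when the client verifies the step 5 response.
    print(run_exchange("s3cret", "unknown", server_checks_client=False)[0])
```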