B-21
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
AppendixB Authentication in ACS 5.4
EAP-FAST
EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user
authentication based on a username that is presented in phase one, however, whether the username is
protected during phase one depends on the end-user clien t.
If the end-user client does not send the real username in phase one, the username is protected. After
phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in
clear text.
ACS supports password aging with EAP-FAST for users who are authenticated by Windows user
databases. Password aging can work with phase zero or phase two of EAP-FAST. If password aging
requires a user to change passwords during phase zero, the new password would be effective in phase
two.

EAP-FAST Benefits

EAP-FAST provides the following benefits over other authentication protocols:
Mutual Authentication—The EAP server must be able to verify the identity and authenticity of the
peer and the peer must be able to verify the authenticity of the EAP server.
Immunity to passive dictionary attacks—Many authentication protocols require a password to be
explicitly provided, either as clear text or hashed, by the peer to the EAP server.
Immunity to man-in-the-middle (MitM) attacks—In establishing a mutually authenticated protected
tunnel, the protocol must prevent adversaries from successfully interjecting information into the
conversation between the peer and the EAP server.
Flexibility to enable support for many different password authentication interfaces such as
MSCHAPv2 and GTC, and others—EAP-FAST is an extensible framework that allows support of
multiple internal protocols by the same server.
Efficiency—When using wireless media, peers are limited in computational and power resources.
EAP-FAST enables the network access communication to be computationally lightweight.
Minimization of the authentication server's per user authentication state requirements—With large
deployments, it is typical to have many servers acting as the authentication servers for many peers.
It is better for a peer to use the same shared secret to secure a tunnel much the same way it uses the
username and password to gain access to the network. EAP-FAST facilitates the use of a single
strong shared secret by the peer while enabling servers to minimize the per-user and device state it
must cache and manage.
EAP-FAST in ACS 5.4
ACS supports in-band provisioning of the peer with a shared secret credential (PAC) based on PKI or
ADHP (phase 0). Authentication of the peer and allowing the peer access to the network is implemented
in phase 1 and phase 2.
ACS 5.4 supports EAP-FAST versions 1 and 1a.
This section contains the following topics:
About Master-Keys, pageB-22
About PACs, pageB-22
Provisioning Modes, page B-23
Types of PACs, pageB-23