How EAP-FAST Works

Chapter 3 Configuring EAP Types


Many authentication protocols require a password to be explicitly provided (either as cleartext or hashed) by the client to the EAP server. The communication of the weak credential (such as a password) must be immune from eavesdropping.

Immunity to man-in-the-middle (MitM) attacks

In establishing a mutually authenticated protected tunnel, the protocol must prevent adversaries from successfully interjecting information into the communication between the client and the EAP server.

Flexibility to enable support for most password authentication interfaces

Many different password interfaces exist to authenticate a client—for example, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Lightweight Directory Access Protocol (LDAP), and One-Time Password (OTP). EAP-FAST provides support for these different password types.

Efficiency in computational and power resources

Especially when using wireless media, clients have limited computational and power resources. EAP-FAST enables network access communication to occur in a more efficient manner.

Flexibility to extend the communications inside the tunnel

Because network infrastructures are becoming increasingly complex, authentication, authorization, and accounting (AAA) are also becoming more complex. For example, there are instances in which multiple existing authentication protocols are required to achieve mutual authentication. Also, different protected conversations might be required to achieve the proper authorization after a client has successfully authenticated.

Minimize authentication server requirements for per-user authentication

With large deployments, it is typical to have several servers that act as authentication servers for several clients. A client uses the same shared secret to secure a tunnel in much the same way that it uses a username and password to gain access to the network. EAP-FAST facilitates the use of a single strong shared secret by the client, while enabling the authentication servers to minimize the per-user and device state that they must cache and manage.

How EAP-FAST Works

The following sections describe how EAP-FAST works:

Two-Phase Tunneled Authentication, page 3-2

Protected Access Credentials, page 3-3

Server Certificate Validation, page 3-3

Two-Phase Tunneled Authentication

EAP-FAST uses a two-phase tunneled authentication process.

In the first phase of authentication, EAP-FAST employs the TLS handshake to provide an authenticated key exchange and to establish a protected tunnel between the client and the authentication server. The tunnel protects client identity information from disclosure outside the tunnel. During this phase, the client and the server engage in EAP-FAST version negotiation to ensure that they are using a compatible version of the protocol.
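The version negotiation mentioned above happens in the EAP-FAST/Start exchange that opens phase 1. As an added illustration (not code from this guide or from Cisco), the following Python decodes the EAP-FAST header flags byte as laid out in RFC 4851 section 4.1 and applies the RFC's rule that the client answers with the highest version it supports that does not exceed the server's offer; the packet bytes and the Authority-ID value are constructed for the example.

```python
# Added example, not part of the Cisco guide: decode the EAP-FAST header
# (Code/Identifier/Length/Type/Flags, RFC 4851 section 4.1) and apply the
# phase 1 version negotiation rule. All packet contents are constructed.
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_FAST = 43  # EAP method type assigned to EAP-FAST in RFC 4851

def parse_eap_fast_header(pkt: bytes) -> dict:
    """Parse Code, Identifier, Length, Type and the EAP-FAST flags byte."""
    if len(pkt) < 6:
        raise ValueError("packet too short for an EAP-FAST header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if eap_type != EAP_TYPE_FAST:
        raise ValueError(f"not EAP-FAST (EAP type {eap_type})")
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {
        "code": code,
        "identifier": ident,
        "length_included": bool(flags & 0x80),  # L bit: TLS length present
        "more_fragments": bool(flags & 0x40),   # M bit: more fragments follow
        "start": bool(flags & 0x20),            # S bit: EAP-FAST/Start
        "version": flags & 0x07,                # low 3 bits: protocol version
    }

def negotiate_version(server_version: int, client_supported: set) -> int:
    """RFC 4851 rule: the client picks the highest version it supports that is
    not greater than the version the server offered; otherwise negotiation fails."""
    candidates = [v for v in client_supported if v <= server_version]
    if not candidates:
        raise ValueError("no compatible EAP-FAST version")
    return max(candidates)

def build_start(identifier: int, version: int, authority_id: bytes) -> bytes:
    """Construct an EAP-FAST/Start request: S bit set, version in the low bits,
    followed by the Authority-ID TLV (TLV type 4 in RFC 4851) naming the server."""
    flags = 0x20 | (version & 0x07)
    tlv = struct.pack("!HH", 4, len(authority_id)) + authority_id
    body = struct.pack("!BB", EAP_TYPE_FAST, flags) + tlv
    length = 4 + len(body)  # EAP Length covers the 4-byte EAP header too
    return struct.pack("!BBH", EAP_CODE_REQUEST, identifier, length) + body

if __name__ == "__main__":
    start = build_start(7, 1, b"\x11\x22")  # constructed Authority-ID value
    print(parse_eap_fast_header(start))
    print("negotiated version:", negotiate_version(1, {0, 1}))
```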

Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista

3-2

OL-16534-01
