3-2
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Chapter 3 Configuring EAP Types
How EAP-FAST Works
Many authentication protocols require a password to be explicitly provided (either as cleartext or
hashed) by the client to the EAP server. The communication of the weak credential (such as a
password) must be immune from eavesdropping.
• Immunity to man-in-the-middle (MitM) attacks
In establishing a mutually authenticated protected tunnel, the protocol must prevent adversaries
from successfully interjecting information into the communication between the client and the EAP
server.
• Flexibility to enable support for most password authentication interfaces
Many different password interfaces exist to authenticate a client—for example, Microsoft Challenge
Handshake Authentication Protocol (MS-CHAP), Lightweight Directory Access Protocol (LDAP),
and One-Time Password (OTP). EAP-FAST provides support for these different password types.
• Efficiency in computational and power resources
Especially when using wireless media, clients have limited computational and power resources.
EAP-FAST enables network access communication to occur in a more efficient manner.
• Flexibility to extend the communications inside the tunnel
Because network infrastructures are becoming increasingly complex, authentication, authorization,
and accounting are also becoming more complex. For example, there are instances in which multiple
existing authentication protocols are required to achieve mutual authentication. Also, different
protected conversations might be required to achieve the proper authorization when a client has
successfully authenticated.
• Minimize authentication server requirements for per-user authentication
With large deployments, it is typical to have several servers that act as authentication servers for
several clients. A client uses the same shared secret to secure a tunnel in much the same way that it
uses a username and password to gain access to the network. EAP-FAST facilitates the use of a
single strong shared secret by the client, while enabling the authentication servers to minimize the
per-user and device state that they must cache and manage.
How EAP-FAST Works
The following sections describe how EAP-FAST works:
• Two-Phase Tunneled Authentication, page 3-2
• Protected Access Credentials, page 3-3
• Server Certificate Validation, page 3-3
Two-Phase Tunneled Authentication
EAP-FAST uses a two-phase tunneled authentication process.
In the first phase of authentication, EAP-FAST employs the TLS handshake to provide an authenticated
key exchange and to establish a protected tunnel between the client and the authentication server. The
tunnel protects client identity information from disclosure outside the tunnel. During this phase, the
client and the server engage in EAP-FAST version negotiation to ensure that they are using a compatible
version of the protocol.
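The version negotiation mentioned above can be followed at the packet level. The sketch below is an added example, not code from this guide or from Cisco: it assumes the EAP-FAST header layout and negotiation rule published in RFC 4851 (EAP type 43, a flags byte whose low three bits carry the version), and the function names and sample packet are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_FAST = 43                     # EAP method type for EAP-FAST (RFC 4851)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start

def parse_eap_fast(pkt: bytes) -> dict:
    """Parse and sanity-check the fixed EAP-FAST header (RFC 4851, section 4.1)."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-FAST header")
    code, ident, length, eap_type, flags_ver = struct.unpack("!BBHBB", pkt[:6])
    if eap_type != EAP_TYPE_FAST:
        raise ValueError("EAP type is not EAP-FAST")
    if not 6 <= length <= len(pkt):
        raise ValueError("EAP Length field disagrees with packet size")
    return {"code": code, "id": ident,
            "start": bool(flags_ver & FLAG_S),
            "version": flags_ver & 0x07,      # low three bits carry Ver
            "data": pkt[6:length]}

def peer_response(start_pkt: bytes, peer_versions: set) -> bytes:
    """Peer side: echo the server's version if supported, else offer our highest."""
    req = parse_eap_fast(start_pkt)
    if req["code"] != EAP_REQUEST or not req["start"]:
        raise ValueError("expected an EAP-FAST Start request")
    ver = req["version"] if req["version"] in peer_versions else max(peer_versions)
    # Header only: a real response also carries the TLS ClientHello as data.
    return struct.pack("!BBHBB", EAP_RESPONSE, req["id"], 6, EAP_TYPE_FAST, ver)

def server_accepts(resp_pkt: bytes, server_versions: set) -> bool:
    """Server side: continue only if the peer's version is one we support."""
    resp = parse_eap_fast(resp_pkt)
    return resp["code"] == EAP_RESPONSE and resp["version"] in server_versions

# Constructed sample: Start request, Identifier 1, S flag set, Ver 1, no data.
START_V1 = bytes.fromhex("010100062b21")

if __name__ == "__main__":
    reply = peer_response(START_V1, {1})
    print(reply.hex(), server_accepts(reply, {1}))
```

The version field travels before the tunnel exists, so a server that rejects any version it does not support is what keeps a mismatched or tampered value from carrying the exchange forward.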