Cisco Systems 3.3 Server User Manual


 
10-13
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 10 System Configuration: Authentication and Certificates
About Certification and EAP Protocols
EAP-FAST Authentication
This section contains the following topics:
About EAP-FAST, page 10-13
About Master Keys, page 10-15
About PACs, page 10-17
Automatic PAC Provisioning, page 10-18
Manual PAC Provisioning, page 10-20
Master Key and PAC TTLs, page 10-21
Enabling EAP-FAST, page 10-25
About EAP-FAST
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a
client-server security architecture that encrypts EAP transactions with a TLS
tunnel. While similar to PEAP in this respect, it differs significantly in that
EAP-FAST tunnel establishment is based upon strong secrets that are unique to
users. These secrets are called Protected Access Credentials (PACs), which
Cisco Secure ACS generates using a master key known only to Cisco Secure ACS.
Because handshakes based upon shared secrets are intrinsically faster than
handshakes based upon PKI, EAP-FAST is the significantly faster of the two
solutions that provide encrypted EAP transactions. No certificate management is
required to implement EAP-FAST.
EAP-FAST occurs in three phases:
Phase zero—Unique to EAP-FAST, phase zero is a tunnel-secured means of
providing an EAP-FAST end-user client with a PAC for the user requesting
network access (see Automatic PAC Provisioning, page 10-18). Providing a
PAC to the end-user client is the sole purpose of phase zero. The tunnel is
established based on an anonymous Diffie-Hellman key exchange. If
EAP-MSCHAPv2 authentication succeeds, Cisco Secure ACS provides the
user with a PAC. To determine which databases support EAP-FAST phase zero,
see Authentication Protocol-Database Compatibility, page 1-10.
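The phase zero exchange described above, modelled end to end as an added example (not Cisco's code): an anonymous Diffie-Hellman tunnel, a simplified stand-in for the inner EAP-MSCHAPv2 check, and a PAC derived from a master key that only the server holds. The DH group, the seal() keystream and the mschap_response() function are illustrative constructions rather than the real TLS or MSCHAPv2 algorithms; the PAC-Key/PAC-Opaque split follows the EAP-FAST design, and pac_valid() shows why the server needs no per-user PAC storage in later phases.

```python
import hashlib
import hmac
import secrets

# Toy DH group constructed for illustration (real tunnels use a standard group); the
# exchange is anonymous, so at this step the client has not authenticated the server.
P, G = 2**127 - 1, 5

def tunnel_key(priv, peer_pub):
    # Both ends derive the same tunnel key from the shared DH secret.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def seal(key, data):
    # Stand-in for the TLS record layer: XOR with an HMAC keystream (self-inverse).
    ks = b"".join(hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def mschap_response(password, challenge):
    # Simplified stand-in for the EAP-MSCHAPv2 challenge/response.
    return hmac.new(hashlib.sha256(password.encode()).digest(), challenge, hashlib.sha256).digest()

def pac_proof(pac_key, nonce):
    # In later phases the client proves it holds PAC-Key without revealing it.
    return hmac.new(pac_key, nonce, hashlib.sha256).digest()

class AcsServer:
    def __init__(self, users):
        self.master_key = secrets.token_bytes(32)  # known only to the server, never sent
        self.users = users                         # constructed {username: password}

    def issue_pac(self, user):
        # PAC-Key is derived from PAC-Opaque under the master key: no per-user PAC storage.
        pac_opaque = b"user=" + user.encode()
        return hmac.new(self.master_key, pac_opaque, hashlib.sha256).digest(), pac_opaque

    def pac_valid(self, pac_opaque, nonce, proof):
        pac_key = hmac.new(self.master_key, pac_opaque, hashlib.sha256).digest()
        return hmac.compare_digest(pac_proof(pac_key, nonce), proof)

def phase_zero(server, user, password):
    c_priv, s_priv = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1   # 1. anonymous DH
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    c_key, s_key = tunnel_key(c_priv, s_pub), tunnel_key(s_priv, c_pub)
    challenge = secrets.token_bytes(16)           # 2. inner EAP-MSCHAPv2 inside the tunnel
    response = seal(s_key, seal(c_key, mschap_response(password, challenge)))
    if user not in server.users or not hmac.compare_digest(
            mschap_response(server.users[user], challenge), response):
        return None                               #    wrong password: no PAC issued
    pac_key, pac_opaque = server.issue_pac(user)  # 3. PAC delivered inside the tunnel
    return seal(c_key, seal(s_key, pac_key)), seal(c_key, seal(s_key, pac_opaque))
```

Because nothing in step 1 authenticates the server, the inner credential check in step 2 is the only gate on PAC issuance, which is the trade-off that makes the manual provisioning option in this chapter relevant.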