Chapter 10
System Configuration: Authentication and Certificates
EAP-FAST Authentication
About EAP-FAST
78-16592-01
This section contains the following topics:
• About EAP-FAST, page 10-13
• About Master Keys, page 10-15
• About PACs, page 10-17
– Automatic PAC Provisioning, page 10-18
– Manual PAC Provisioning, page 10-20
• Master Key and PAC TTLs, page 10-21
• Table 10-2
• Enabling EAP-FAST, page 10-25
The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a
client-server security architecture that encrypts EAP transactions with a TLS
tunnel. While similar to PEAP in this respect, it differs significantly in that
EAP-FAST tunnel establishment is based upon strong secrets that are unique to
users. These secrets are called Protected Access Credentials (PACs), which
Cisco Secure ACS generates using a master key known only to Cisco Secure ACS.
Because handshakes based upon shared secrets are intrinsically faster than
handshakes based upon PKI, EAP-FAST is the significantly faster of the two
solutions that provide encrypted EAP transactions. No certificate management is
required to implement EAP-FAST.
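The following Python model is an added example, not Cisco Secure ACS code and not the real EAP-FAST PAC wire format: it shows why a PAC scheme needs no certificate management, since every PAC is derived from and checked against a single server-side master key, and what happens when a presented PAC is tampered with, issued under a different master key, or past its TTL. The master key, TTL value, field names and the identity "alice" are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed master key: in the product this is known only to Cisco Secure ACS.
MASTER_KEY = os.urandom(32)
PAC_TTL_SECONDS = 7 * 24 * 3600  # illustrative PAC lifetime, not a product default

def _derive_pac_key(master_key, identity, issued, nonce):
    # The per-user PAC-Key is derived from the master key, so the server keeps
    # no per-user PAC database; the opaque blob alone lets it recover the key.
    msg = b"pac-key|" + identity.encode() + b"|" + str(issued).encode() + b"|" + nonce
    return hmac.new(master_key, msg, hashlib.sha256).digest()

def provision_pac(master_key, identity, now=None):
    """Phase-zero outcome: once inner EAP-MSCHAPv2 succeeds, hand the user a PAC."""
    issued = int(time.time()) if now is None else now
    nonce = os.urandom(16)
    info = {"identity": identity, "issued": issued,
            "expires": issued + PAC_TTL_SECONDS,
            "nonce": base64.b64encode(nonce).decode()}
    body = json.dumps(info, sort_keys=True).encode()
    # Integrity tag under the master key: a client cannot mint or alter a PAC.
    tag = hmac.new(master_key, b"pac-opaque|" + body, hashlib.sha256).digest()
    return {"pac_key": _derive_pac_key(master_key, identity, issued, nonce),
            "pac_opaque": base64.b64encode(body + tag).decode()}

def recover_pac_key(master_key, pac_opaque, now=None):
    """Server side of a later tunnel setup: validate PAC-Opaque, return PAC-Key or None."""
    raw = base64.b64decode(pac_opaque)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(master_key, b"pac-opaque|" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, forged, or issued under another master key
    info = json.loads(body)
    current = int(time.time()) if now is None else now
    if current >= info["expires"]:
        return None  # PAC TTL exceeded: the client must be provisioned again
    return _derive_pac_key(master_key, info["identity"], info["issued"],
                           base64.b64decode(info["nonce"]))
```

Rotating MASTER_KEY invalidates every outstanding PAC at once, which is why master-key and PAC TTLs are treated together later in this chapter.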
EAP-FAST occurs in three phases:
• Phase zero—Unique to EAP-FAST, phase zero is a tunnel-secured means of providing an EAP-FAST end-user client with a PAC for the user requesting network access (see Automatic PAC Provisioning, page 10-18). Providing a PAC to the end-user client is the sole purpose of phase zero. The tunnel is established based on an anonymous Diffie-Hellman key exchange. If EAP-MSCHAPv2 authentication succeeds, Cisco Secure ACS provides the user a PAC. To determine which databases support EAP-FAST phase zero, see Authentication Protocol-Database Compatibility, page 1-10.
User Guide for Cisco Secure ACS for Windows Server
About Certification and EAP Protocols
10-13