Extensible Authentication Protocol - Flexible Authentication Via Secure Tunneling (Eap-Fast) - Cisco 9971 Deployment Manual

WPA-PSK (Pre-Shared key + TKIP encryption)
•
WPA2-PSK (Pre-Shared key + AES encryption)
•
EAP-FAST (Extensible Authentication Protocol – Flexible Authentication via Secure Tunneling)
•
LEAP (Lightweight Extensible Authentication Protocol)
•
CCKM (Cisco Centralized Key Management)
•
Open and Shared Key
•
Encryption
AES (Advanced Encryption Scheme)
•
TKIP / MIC (Temporal Key Integrity Protocol / Message Integrity Check)
•
WEP (40-bit and 128-bit Wired Equivalent Protocol)
•
Extensible Authentication Protocol - Flexible Authentication via Secure
Tunneling (EAP-FAST)
This client server security architecture encrypts EAP transactions within a Transport Level Security (TLS) tunnel between the
access point and the Remote Authentication Dial-in User Service (RADIUS) server such as the Cisco Access Control Server
(ACS).
The TLS tunnel uses Protected Access Credentials (PACs) for authentication between the client (phone) and the RADIUS
server. The server sends an Authority ID (AID) to the client (phone), which in turn selects the appropriate PAC. The client
(phone) returns a PAC-Opaque to the RADIUS server. The server decrypts the PAC with its master-key. Both endpoints now
have the PAC key and a TLS tunnel is created. EAP-FAST supports automatic PAC provisioning, but it must enable don the
RADIUS server.
To enable EAP-FAST, a certificate must be installed.
The Cisco Unified IP Phone 9971 currently supports only automatic provisioning of the PAC, so enable "Allow anonymous in-
band PAC provisioning" on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when "Allow anonymous in-band PAC provisioning" is enabled.
EAP-FAST requires that a user account be created on the authentication server.
Cisco Unified IP Phone 9971 Wireless LAN Deployment Guide 14