EAP-FAST Authentication, About EAP-FAST – Cisco 3.3 User Manual


10-13

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

EAP-FAST Authentication

This section contains the following topics:

About EAP-FAST, page 10-13

About Master Keys, page 10-15

About PACs, page 10-17

Automatic PAC Provisioning, page 10-18

Manual PAC Provisioning, page 10-20

Master Key and PAC TTLs, page 10-21

Table 10-2

Enabling EAP-FAST, page 10-25

About EAP-FAST

The EAP Flexible Authentication via Secured Tunnel (EAP-FAST) protocol is a
client-server security architecture that encrypts EAP transactions with a TLS
tunnel. While similar to PEAP in this respect, it differs significantly in that
EAP-FAST tunnel establishment is based upon strong secrets that are unique to
users. These secrets are called Protected Access Credentials (PACs), which
Cisco Secure ACS generates using a master key known only to Cisco Secure ACS.
Because handshakes based upon shared secrets are intrinsically faster than
handshakes based upon PKI, EAP-FAST is the significantly faster of the two
solutions that provide encrypted EAP transactions. No certificate management is
required to implement EAP-FAST.

EAP-FAST occurs in three phases:

Phase zero—Unique to EAP-FAST, phase zero is a tunnel-secured means of
providing an EAP-FAST end-user client with a PAC for the user requesting
network access (see Automatic PAC Provisioning, page 10-18). Providing a
PAC to the end-user client is the sole purpose of phase zero. The tunnel is
established based on an anonymous Diffie-Hellman key exchange. If
EAP-MSCHAPv2 authentication succeeds, Cisco Secure ACS provides the
user a PAC. To determine which databases support EAP-FAST phase zero,
see Authentication Protocol-Database Compatibility, page 1-10.
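As an added illustration (not code from this guide or from Cisco Secure ACS), the following Python models the two properties the text describes: a server that holds only a master key hands a user a PAC at the end of phase zero, and later recovers that user's secret from the opaque half of the PAC without any per-user storage, refusing a PAC whose TTL has passed or that was issued under a different master key. The field layout, the HMAC-based derivation, and the function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed model of PAC issuance from a server-held master key. The field
# layout and the HMAC derivation are assumptions for this example, not the
# format Cisco Secure ACS actually uses.
MASTER_KEY_LEN = 32
TAG_LEN = 32

def new_master_key():
    """Random master key; only the server ever holds it."""
    return secrets.token_bytes(MASTER_KEY_LEN)

def _pac_key(master_key, user, nonce, expiry):
    # Per-user secret derived from the master key, so the server keeps no per-user state.
    msg = b"pac-key" + struct.pack(">Q", expiry) + nonce + user
    return hmac.new(master_key, msg, hashlib.sha256).digest()

def issue_pac(master_key, username, ttl_seconds, now=None):
    """Phase-zero result: (PAC-Key, PAC-Opaque) for a user who passed the inner auth.

    The client keeps the key as its secret and returns the opaque blob unchanged."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    nonce = secrets.token_bytes(16)
    user = username.encode()
    body = struct.pack(">Q", expiry) + nonce + struct.pack(">H", len(user)) + user
    tag = hmac.new(master_key, b"pac-opaque" + body, hashlib.sha256).digest()
    return _pac_key(master_key, user, nonce, expiry), body + tag

def validate_pac_opaque(master_key, opaque, now=None):
    """Server side when the client presents its PAC: (username, PAC-Key) or None."""
    now = int(time.time()) if now is None else now
    if len(opaque) < 8 + 16 + 2 + TAG_LEN:
        return None
    body, tag = opaque[:-TAG_LEN], opaque[-TAG_LEN:]
    expected = hmac.new(master_key, b"pac-opaque" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # tampered, or a rotated/different master key
        return None
    expiry = struct.unpack(">Q", body[:8])[0]
    nonce, ulen = body[8:24], struct.unpack(">H", body[24:26])[0]
    user = body[26:26 + ulen]
    if len(user) != ulen or now >= expiry:  # PAC TTL has passed
        return None
    return user.decode(), _pac_key(master_key, user, nonce, expiry)
```

Rotating the master key makes every outstanding PAC fail the tag check, which is why the master key TTL and the PAC TTL have to be planned together.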
