
Configuring eap-fast, Table 20, Eap-fast configuration – B&B Electronics WLNN-AN(ER,SE,SP.EK)-DP551 - Manual User Manual


Airborne Enterprise CLI Reference Manual

10.6 Configuring EAP-FAST

EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposed
by Cisco Systems as a replacement for LEAP. The protocol was designed to
address the weaknesses of LEAP while preserving a lightweight implementation.
Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected
Access Credential (PAC) to establish a TLS tunnel in which client credentials are
verified.

The EAP-FAST protocol has three phases:

• Phase 0 is an optional phase in which the PAC can be provisioned manually
  or dynamically, but is outside the scope of EAP-FAST as defined in
  RFC 4851. PAC provisioning is still officially work in progress, even though
  there are many implementations. PAC provisioning typically only needs to be
  done once for a RADIUS server/client pair.

• Phase 1: the client and the AAA server use the PAC to establish a TLS
  tunnel.

• Phase 2: the client credentials are exchanged inside the encrypted tunnel.
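The following added example (not taken from this manual or from the module's firmware) goes one step beyond the text above and shows how Phase 1 can build a TLS tunnel without a server certificate: RFC 4851 derives the TLS master secret from the PAC-Key with its T-PRF function. The function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

# Label defined in RFC 4851, section 5.1, for the PAC-Key to master secret step.
MASTER_SECRET_LABEL = b"PAC to master secret label hash"


def t_prf(key: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """T-PRF from RFC 4851, section 5.5: chained HMAC-SHA1 blocks T1, T2, ..."""
    s = label + b"\x00" + seed              # S = label + 0x00 + seed
    length = out_len.to_bytes(2, "big")     # two-octet big-endian OutputLength
    out, prev, counter = b"", b"", 1
    while len(out) < out_len:
        # Tn = HMAC-SHA1(Key, T(n-1) + S + OutputLength + n), with T0 empty
        prev = hmac.new(key, prev + s + length + bytes([counter]),
                        hashlib.sha1).digest()
        out += prev
        counter += 1
    return out[:out_len]


def master_secret(pac_key: bytes, server_random: bytes,
                  client_random: bytes) -> bytes:
    """48-octet TLS master secret for a Phase 1 tunnel keyed by the PAC-Key."""
    if len(pac_key) != 32:
        raise ValueError("PAC-Key must be 32 octets")
    if len(server_random) != 32 or len(client_random) != 32:
        raise ValueError("TLS random values must be 32 octets")
    return t_prf(pac_key, MASTER_SECRET_LABEL,
                 server_random + client_random, 48)


def demo():
    # Constructed sample values, not captured from any real exchange.
    pac_key = bytes(range(32))
    server_random = bytes([0xA5]) * 32
    client_random = bytes([0x5A]) * 32
    peer = master_secret(pac_key, server_random, client_random)
    server = master_secret(pac_key, server_random, client_random)
    other = master_secret(bytes(32), server_random, client_random)
    # Both holders of the PAC-Key agree; a different PAC-Key does not.
    return peer == server, peer == other, len(peer)


if __name__ == "__main__":
    print(demo())
```

Because the tunnel keys depend only on the PAC-Key and the two handshake randoms, anyone who obtains a PAC can complete Phase 1 as that peer, so PAC files need the same protection as any other long-term secret.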

It is worth noting that the PAC file is issued on a per-user basis. If a new user
logs on to the network from a device, he needs a new PAC file provisioned first.
This is one reason why it is difficult not to run EAP-FAST in the insecure
anonymous provisioning mode. The alternative is to use device passwords
instead, but then it is not the user that is validated on the network.

Due to the use of PAC files for provisioning and credential validation, the
configuration and use of EAP-FAST on the module is slightly different from the
earlier enterprise security modes. The module supports the use of EAP-FAST with
either WPA (TKIP) or WPA2 (AES-CCMP). Table 20 highlights the commands
required and their use when implementing EAP-FAST on the module.

Table 20 - EAP-FAST Configuration

Command                  Description

wl-security wpa-fast     Sets the EAP-FAST authentication process using
                         TKIP encryption.

wl-security wpa2-fast    Sets the EAP-FAST authentication process using
                         AES-CCMP encryption.