EAP-FAST

EAP-FAST is like EAP-TLS in that it uses a certificate-like Protected Access
Credential (PAC) file for authentication, and it is like PEAP in that it authenticates the
station using a username and password via an encrypted TLS tunnel. EAP-FAST is
unique in that it is designed to speed re-authentication as stations roam among APs.
EAP-TLS and PEAP require lengthy message exchanges between the station and the
server, taking several seconds to re-authenticate. Applications that are not latency
sensitive do not need to worry much about this; however, applications that are sensitive
to latency (such as voice over IP) suffer if re-authentication takes more than a few
milliseconds.
EAP-FAST uses shared secret keys to accelerate the re-authentication process. Public
keys are convenient because the station and AP can authenticate each other without
having to know each other in advance. (Public keys are used when connecting to a
secure website, for instance.) Secret keys are faster, but require that both the station and
the AP already have the secret key. Figure 4-5 shows how EAP-FAST works.
Figure 4-5 The EAP-FAST Authentication Process
[Figure: Client, Access Point, Switch, and RADIUS Server, with steps 1 through 6 marked]
The EAP-FAST authentication process is as follows:
1. The client associates with the AP.
2. The AP blocks the client from accessing the network.
3. The client verifies the RADIUS server’s credentials with the shared secret key.
4. The RADIUS server authenticates the client with the shared secret key.
5. The RADIUS server and the client agree on the WEP key.
6. A secure connection is established.
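Steps 3 through 5 can be modeled as a symmetric challenge-response, shown here as an added example that is not from the original text and is not the EAP-FAST wire format. The function names, the nonce sizes, and the use of HMAC-SHA-256 are assumptions chosen for illustration; the point is that each side proves knowledge of the shared secret and derives the session key locally, with no public-key operations.

```python
import hashlib
import hmac
import secrets


def proof(key: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """MAC over both nonces; the role label stops a proof being reflected back."""
    return hmac.new(key, role + c_nonce + s_nonce, hashlib.sha256).digest()


def derive_session_key(key: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    """Both sides compute this locally, so the key never crosses the air."""
    return hmac.new(key, b"session" + c_nonce + s_nonce, hashlib.sha256).digest()


def authenticate(client_key: bytes, server_key: bytes):
    """Return the agreed session key, or None if either side rejects the other."""
    c_nonce = secrets.token_bytes(16)  # sent by the client
    s_nonce = secrets.token_bytes(16)  # sent by the RADIUS server

    # Step 3: the server sends its proof; the client recomputes and compares.
    server_proof = proof(server_key, b"server", c_nonce, s_nonce)
    expected = proof(client_key, b"server", c_nonce, s_nonce)
    if not hmac.compare_digest(server_proof, expected):
        return None  # client refuses a server that lacks the secret

    # Step 4: the client sends its proof; the server recomputes and compares.
    client_proof = proof(client_key, b"client", c_nonce, s_nonce)
    expected = proof(server_key, b"client", c_nonce, s_nonce)
    if not hmac.compare_digest(client_proof, expected):
        return None  # server refuses a client that lacks the secret

    # Step 5: each side derives the session key from its own copy of the secret.
    k_client = derive_session_key(client_key, c_nonce, s_nonce)
    k_server = derive_session_key(server_key, c_nonce, s_nonce)
    return k_client if hmac.compare_digest(k_client, k_server) else None


if __name__ == "__main__":
    shared = secrets.token_bytes(32)   # constructed sample secret
    rogue = secrets.token_bytes(32)    # constructed: a server without the secret
    print("legitimate server:", authenticate(shared, shared).hex())
    print("rogue server:     ", authenticate(shared, rogue))
```

Because fresh nonces feed the derivation, every re-authentication yields a different session key even though the shared secret stays the same.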