CompTIA Security+ Exam Notes


Thursday, November 14, 2024

EAP-FAST: Secure Authentication with Flexible Tunneling

EAP-FAST

EAP-FAST (Flexible Authentication via Secure Tunneling) is an Extensible Authentication Protocol (EAP) method developed by Cisco. It is designed to provide secure communication between a client and an authentication server using Transport Layer Security (TLS) to establish a mutually authenticated tunnel.

How EAP-FAST Works

  • TLS Tunnel Establishment: The process begins with a TLS handshake to create a secure tunnel between the client and the server. This tunnel protects the exchange of authentication information.
  • Protected Access Credentials (PACs): PACs optimize the authentication process. They consist of a shared secret and other information that helps establish the secure tunnel.

Two-Phase Authentication:

  • Phase 1: Establishes the secure tunnel using the PAC.
  • Phase 2: The client and server exchange authentication data within the tunnel using Type-Length-Value (TLV) objects.
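The Phase 2 TLV objects can be decoded with a short parser. This is an added example, not code from the original post. It assumes the TLV header layout from RFC 4851 section 4.2 (a mandatory bit, a reserved bit, a 14-bit type, and a 16-bit length), and the sample bytes and the names `parse_tlvs` and `unsupported_mandatory` are constructed for illustration.

```python
import struct
from typing import NamedTuple

# TLV type numbers from RFC 4851 section 4.2 (subset).
TLV_NAMES = {3: "Result", 4: "NAK", 5: "Error", 9: "EAP-Payload",
             10: "Intermediate-Result", 11: "PAC", 12: "Crypto-Binding"}

class Tlv(NamedTuple):
    mandatory: bool
    tlv_type: int
    name: str
    value: bytes

def parse_tlvs(buf: bytes) -> list:
    """Parse a decrypted Phase 2 payload into TLVs, rejecting malformed input."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError(f"truncated TLV header at offset {off}")
        flags_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        # Never trust the declared length: it must fit in what is left.
        if length > len(buf) - off:
            raise ValueError(f"TLV length {length} overruns payload")
        tlv_type = flags_type & 0x3FFF         # low 14 bits carry the type
        mandatory = bool(flags_type & 0x8000)  # top bit is the M flag
        name = TLV_NAMES.get(tlv_type, "unknown")
        out.append(Tlv(mandatory, tlv_type, name, buf[off:off + length]))
        off += length
    return out

def unsupported_mandatory(tlvs) -> list:
    """Types a receiver must answer with a NAK TLV instead of ignoring."""
    return [t.tlv_type for t in tlvs if t.mandatory and t.name == "unknown"]

# Constructed sample: a mandatory Result TLV (status 1 = success) followed by
# a mandatory TLV with the made-up type 0x0123 and a one-byte value.
SAMPLE = bytes.fromhex("80030002" "0001" "81230001" "ff")

if __name__ == "__main__":
    parsed = parse_tlvs(SAMPLE)
    for t in parsed:
        print(t)
    print("must NAK:", [hex(x) for x in unsupported_mandatory(parsed)])
```
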

Benefits of EAP-FAST

  • Mutual Authentication: The client and server authenticate each other, ensuring secure communication.
  • Immunity to Attacks: The protocol is designed to prevent passive dictionary attacks and man-in-the-middle attacks.
  • Flexibility: Supports various password authentication methods like MS-CHAP, LDAP, and OTP.
  • Efficiency: Optimized for environments with limited computational and power resources, such as wireless networks.

EAP-FAST is often used in wireless networks and point-to-point connections to provide secure session authentication without client-side certificates.

This is covered in Pentest+ and Security+.