Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
Authentication
This client server security architecture encrypts EAP transactions within a Transport Level Security
(TLS) tunnel between the AP and the RADIUS server such as the Cisco Access Control Server (ACS).
The TLS tunnel uses Protected Access Credentials (PAC) for authentication between the client (phone)
and the RADIUS server. The server sends an Authority ID (AID) to the client (phone), which in turn
selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The
server decrypts the PAC with its master-key. The server and client now have the PAC key and a TLS
tunnel is created. EAP-FAST supports automatic PAC provisioning, but you must enable it on the
RADIUS server.
In the Cisco ACS, by default, the PAC expires in one week. If the phone has
an expired PAC, authentication with the RADIUS server takes longer while
the phone gets a new PAC. To avoid the PAC provisioning delays, set the PAC
expiration period to 90 days or longer on the ACS or RADIUS server.
Note
Extended Authentication Protocol Transport Level Security (EAP-TLS) Authentication
EAP-TLS/RFC 2716 uses the TLS protocol (RFC 2246), which is the latest IETF version of the SSL
security protocol. TLS provides a way to use certificates for both user and server authentication, and
for dynamic session key generation.
Microsoft Windows XP provides support for 802.1x, allowing EAP authentication protocols (including
EAP-TLS) to be used for authentication. The authentication used in EAP-TLS is mutual: the server
authenticates the user and the user authenticates the server. Mutual authentication is required in a
WLAN. EAP-TLS provides excellent security but requires client certificate management.
EAP-TLS uses Public Key Infrastructure (PKI) with the following conditions:
•
A Wireless LAN client (user machine) requires a valid certificate to authenticate to the WLAN
network.
•
An authentication server (typically a RADIUS server) requires a server certificate to validate its
identity to the clients.
•
A Certificate Authority (CA) server infrastructure issues certificates to the authentication server
and the clients.
Protected Extensible Authentication Protocol (PEAP) Authentication
PEAP uses server-side public key certificates to authenticate clients by creating an encrypted SSL/TLS
tunnel between the client and the authentication server. This functionality is disabled by default and
you enable it using Cisco Unified Communications Manager Administration.
The Cisco Unified Wireless IP Phone can optionally validate the server certificate during the
authentication over an 802.11 wireless link.
Lightweight Extensible Authentication Protocol (LEAP)
Cisco proprietary password-based mutual authentication scheme between the client (phone) and a
RADIUS server. Cisco Unified Wireless IP Phones can use LEAP for authentication with the wireless
network.
Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G Administration Guide
40
VoIP Wireless Network
Authentication Methods
To Next Page
Loading...
Need help?
General
Weight and Dimensions
