Step 1 of 3: EAP-FAST Provisioning
With CCXv4, EAP-FAST supports two modes for provisioning:
● Server-Authenticated Mode: Provisioning inside a server authenticated TLS tunnel.
● Server-Unauthenticated Mode: Provisioning inside an unauthenticated TLS tunnel.
NOTE: Server-Authenticated Mode provides significant security advantages over Server-
Unauthenticated Mode even when EAP-MSCHAPv2 is being used as an inner method. This mode
protects the EAP-MSCHAPv2 exchanges from potential Man-in-the-Middle attacks by verifying the
server’s authenticity before exchanging MSCHAPv2. Therefore, Server-Authenticated Mode is
preferred whenever it is possible. EAP-FAST peer must use Server-Authenticated Mode whenever a
certificate or public key is available to authenticate the server and ensure the best security
practices.
Provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are
identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and
the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new
PAC.
NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless
does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless
fails the provisioning automatically. A status message is displayed in the
Wireless Event Viewer
that an administrator can review on the user's computer.
1. Verify that Disable EAP-FAST Enhancements (CCXv4) is not selected. Allow unauthenticated
provisioning and Allow authenticated provisioning are selected by default. Once a PAC is selected
from the Default Server, you can deselect any of these provisioning methods.
2. Default Server: None is selected as the default. Click Select Server to select a PAC from the default
PAC authority server or select a server from the Server group list. The EAP-FAST Default Server (PAC
Authority) selection page opens.
NOTE: Server groups are only listed if you have installed an
Administrator Package that contains
EAP-FAST Authority ID (A-ID) Group settings.
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you to create a
PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a
password, which the user needs to enter during a PAC import.
To import a PAC:
1. Click Import to import a PAC from the PAC server.
2. Click Open.
3. Enter the PAC password. (Optional)
4. Click OK closes this page. The selected PAC is used for this wireless profile.
EAP-FAST CCXv4 enables support for the provisioning of other credentials beyond the PAC currently
provisioned for tunnel establishment. The credential types supported include trusted CA certificate, machine
credentials for machine authentication, and temporary user credentials used to bypass user authentication.
Use a certificate (TLS Authentication)
1. Click Use a certificate (TLS Authentication)
2. Click Identity Protection when the tunnel is protected.
3. Select one of the following:
❍ Use a user certificate on this computer: Click Select to choose the user certificate. Click OK.
To Next Page
Loading...
Need help?
General
