topic PEAP Vs. EAP-Fast in Wireless

PEAP Vs. EAP-Fast

sburton — Sun, 04 Jul 2021 17:18:21 GMT

PEAP seems like a solid, well supported solution. EAP-FAST seems like its got lots of nice features but isn't well supported on non-cisco client devices.

Can someone break down the advantages of EAP-FAST over PEAP? What am I loosing with PEAP that makes EAP-FAST worth doing?

Re: PEAP Vs. EAP-Fast

dixho — Wed, 05 Jan 2005 01:00:56 GMT

How about the followings:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

EAP-FAST is supported by CCXv3 compliant wireless clients. Please go to the following URL for CCX compliant clients:

http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

Re: PEAP Vs. EAP-Fast

sburton — Wed, 05 Jan 2005 01:21:52 GMT

Thanks Dixon.

From the text it looks to me like the most significant benefit of FAST over PEAP is fast secure roaming, and perhaps the fact that it doesn't require a certificate server. Unfortunatley, my client is standardized on Toshiba laptops, so CCXv3 is too high a price to pay.

Re: PEAP Vs. EAP-Fast

sburton — Wed, 05 Jan 2005 06:50:19 GMT

What roaming solution is available for clients using PEAP? I don't need layer 3 roaming, but roaming between APs in the same subnet is a requirement. Is there a way to do this without using LEAP or FAST?

Re: PEAP Vs. EAP-Fast

jeremys — Wed, 05 Jan 2005 07:21:30 GMT

I never thought we'd get to EAP-FAST - meaning, I specifcally thought that LEAP would suffice for low-level security conscious customers, PEAP would sit happily in the good-enough-for-the-vast majority middle, and EAP-TLS would be the protocol of choice for the ultimate security conscious customers. Well, I was wrong.

First off, LEAP vulnerabilities became very well published and promoted, and drove a lot of customers off of LEAP, even for rather low-security connections (e.g. scanners tracking bar codes with no $$$ or sensitive data). Secondly, even though PEAP only requires certificate(s) on the RADIUS server(s), some customers expressed a desire to not use certs or require certificate at all. So, EAP-FAST came about really at the intersection of those two drivers:

- the need for something "lightweight" in implementation without certs or heavywieght RSA PKI operations (for embedded devices primarily)

and

- the need for something secure and not easily attackable.

The key advantages of EAP-FAST are mostly off-the-desktop in processor or memory constrained environments. Specifically, you don't need any certicate or RSA code, and as such, you don't need to support as much memory or processor footprint required for PEAP. With that said, we do see some very large enterprise customers also deploying EAP-FAST, primarily because regardless of the number of certs, they don't want to use certificates or anything PKI in their IT rollouts.

From a security standpoint, you are not really "loosing" anything with PEAP, and if you are authenticating desktop users with username/pwds and/or OTP, PEAP is probably the easiest way to go from a deployment, client-side support and requirements standpoint.

Re: PEAP Vs. EAP-Fast

sburton — Wed, 05 Jan 2005 16:42:12 GMT

Thanks Jeremy.

So just to clarify, most of the SWAN documentation I've seen indicates that using either LEAP or FAST is a requirement for Fast Secure Roaming. Are you saying that I can use PEAP and still get the benefits of FSR?

Thanks!

Re: PEAP Vs. EAP-Fast

emcpherson — Thu, 06 Jan 2005 19:39:28 GMT

I am wondering about the deployment part.

I read this article and would like your comment:

http://www.lanarchitect.net/Articles/Wireless/EAP-FAST/index.htm

Re: PEAP Vs. EAP-Fast

dixho — Fri, 07 Jan 2005 20:16:02 GMT

I would like to explain the difference between roaming and fast secured roaming.

All AP supports roaming, no matter what encryption and authentication used. When a wireless client determines that there is a better AP than the current AP, it roams to another AP.

Roaming does not work for all applications, especially IP phone or Citrix. The romaing time is around 200ms. If you use fast secured roaming, it reduces the roaming time to around 50ms. However, you need to configure WDS and CCKM.

I hope that the above clear any mis-understanding.

Re: PEAP Vs. EAP-Fast

sburton — Sat, 08 Jan 2005 00:36:00 GMT

Thanks for the reply Dixon. Unfortunatley it's still not quite clear.

I understand that wireless devices can roam in the manner you described, by jumping to an AP with a stronger signal. But as I understand it, this is handled by the client alone, and works with any sort of AP including a $20 Netgear purchased from the local computer store. Per my understanding, this method would require a user to re-authenticate (and perhaps re-address IP), causing an unknown delay.

My Goal is to have a more intelligent solution than the roaming described above. I don't want users to be prompted to re-authenticate when roaming. I don't need layer 3 mobilitiy, but we may be using applications that would have problems if connectivity was halted while re-asociation / re-authentication occurs.

So the question remains, can this (layer 2 roaming without re-authentication) be done with PEAP? Based on the info I've seen, a more intelligent roaming solution (FSR) in the Cisco world would require LEAP or EAP-FAST. Correct?

Re: PEAP Vs. EAP-Fast

jeremys — Sat, 08 Jan 2005 05:05:46 GMT

A fairly accurate article overall. EAP-FAST is probably going to see some benefits from moving off the desktop. Having said that, I do know that some newer architectures at Cisco, such as those for the Network Admission Control initiative, are also looking at EAP-FAST for some optimizations available in that protocol not available in PEAP. Meaning, there may come both some improvements to provisioning EAP-FAST, and some more custom catered solutions that take better advantage of it in the future.

thanks,

jeremy

Re: PEAP Vs. EAP-Fast

dixho — Sat, 08 Jan 2005 21:00:45 GMT

I've seen, a more intelligent roaming solution (FSR) in the Cisco world would require LEAP or EAP-FAST. Correct?

Answer: that's correct.

CB21AG will support EAP-FAST with CCKM soon. If you want a solution now, I think that the supplicant from Funk or Meeting House should support EAP-FAST with fast secured roaming. Funk's Odyssey Client v3.10 does support EAP-FAST now. I think that it should support CCKM as well. Meeting House's Aegis client should also support EAP-FAST 4Q 2004.

I admit that you may save money to use third party supplicant. However, we have to run compatibility tests for different laptops and different wireless NICs. If you support a lot of laptop models, it will be a nightmare for you.

The problem of CB21AG is that it only supports Windows 2000 and XP. If you have Windows CE, LINUX, or Apple clients, you need to find a solution for these clients.