we are not sure if we should use EAP-FAST as authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer ? For PEAP or EAP/TTLS we would need a Radius Server such as ACS while we could assign an Access Point as local authentication server if we used EAP-Fast. Is the extra cost for an ACS server justified only to be able to use PEAP ? Thanks for your help.
I'd suggest you take a look at this guide:
Read it and draw your own conclusions. Each method will have pros and cons and you know your network better than the rest of us.
EAP-FAST can be problematic. I suggest PEAP for a variety of reasons the guide goes over and because basically it's better security. However, if you're just talking a few users and not an enterprise deployment, then you can choose EAP-FAST which may be a quicker option for you.
Also you don?t need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that
it is there for many other things thatn wireless. TACACS authentication on you devices, security logs. VPN authentication, and can connect OTP solutions on top of ACS (From other vendors like RSA) When migrating from LEAP EAP-FAST is the easiest way to go since EAP-FAST was designed to take over LEAP with less impact on your configuration and migration is easy since you are then running a ACS. The market acctually demanded EAP-FAST cause there was need for a solution that was mroe secure than LEAP and PEAP-mschapv2 (both shared secret mecanisms) and something less complicated that PKI solutions. The answer was EAP-FAST with its easy to setup "mini certificate" setup which can be preety well automated. PKI PEAP with certificates is a major decission and you have to be ready to manage a PKI solution all year long. This might require extra presonell to take care of it. But of course those solution will be the most secure.
regards. Kristjan Edvardsson
Sensa ehf. Cisco Silver Partner