Client Authentication using ACS 4.x and choice of encryption!

misramanish
Level 1

Hello all,

Is there a concern in migrating from LEAP to EAP-FAST in a Cisco Secure ACS environment? Rather, how secure is EAP-FAST authentication using AES encryption?

It appears there is a mixed view out there. Some folks consider EAP-FAST to be just a little more secure than LEAP (prone to dictionary attacks) and advise going with PEAP or EAP-TLS, but both of these require additional certificates, configuration, etc.

Are there any prevailing thoughts out there and/or Cisco's recommendations on the subject?

Thanks!

2 Replies

vblavet
Level 1

Hello,

EAP-FAST establishes a secure tunnel between the supplicant and the RADIUS server before sending the client credentials over the air. The secure tunnel is established by using PAC credentials that can be auto-provisioned or manually provisioned.

EAP-FAST is not far from PEAP-GTC, in the way that the credentials are sent in a secure tunnel. What makes the difference (the easy deployment feature) is the auto-provisioning feature of the PAC in order to establish this secure tunnel.

More details here:

http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html

Hope this helps,

Vincent

Thank you for your reply and the useful link, Vincent. So, is it safe to assume that EAP-FAST is as secure as (or more secure than) PEAP and can be deployed with a high level of confidence?

I'm more concerned about the prevailing opinion and vulnerability to EAP-FAST that may be out there. I agree that deployment of it does not seem very complicated. BTW, does ACS 3.1 also support EAP-FAST? I looked around and it didn't seem to.

Thanks again!
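For a LEAP to EAP-FAST migration like the one discussed in this thread, the following added example (not code from the thread or from Cisco) parses raw EAP packets and reports which clients still answer with LEAP, either directly or by sending a Nak that asks for it. It assumes the EAP payloads have already been extracted from EAPOL frames or RADIUS EAP-Message attributes; the client labels and packet bytes are constructed.

```python
import struct

# EAP numbers from RFC 3748 / the IANA EAP registry:
# 1 = Identity, 3 = Nak, 17 = LEAP (25 = PEAP, 43 = EAP-FAST, 13 = EAP-TLS).
IDENTITY, NAK, LEAP = 1, 3, 17
REQUEST, RESPONSE = 1, 2

def parse_eap(data: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("Length field does not match the captured bytes")
    pkt = {"code": code, "id": ident, "type": None, "wants": []}
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        pkt["type"] = data[4]
        if code == RESPONSE and pkt["type"] == NAK:
            # Legacy Nak: Type-Data lists the methods the supplicant will accept.
            pkt["wants"] = list(data[5:length])
    return pkt

def audit(packets) -> dict:
    """Map each client to 'leap', 'no-leap' or 'malformed' from its EAP Responses."""
    status = {}
    for client, raw in packets:
        try:
            pkt = parse_eap(raw)
        except ValueError:
            status.setdefault(client, "malformed")
            continue
        if pkt["code"] != RESPONSE or pkt["type"] == IDENTITY:
            continue  # server packets and Identity responses carry no method choice
        uses_leap = pkt["type"] == LEAP or LEAP in pkt["wants"]
        if uses_leap or status.get(client) != "leap":
            status[client] = "leap" if uses_leap else "no-leap"  # 'leap' is sticky
    return status

# Constructed sample packets; client labels are hypothetical.
SAMPLE = [
    ("client-a", bytes.fromhex("020100062b01")),      # Response, EAP-FAST (43)
    ("client-b", bytes.fromhex("020200060311")),      # Response, Nak asking for LEAP
    ("client-c", bytes.fromhex("0203000811010000")),  # Response, LEAP (17)
    ("client-d", bytes.fromhex("0204001011")),        # Length says 16, only 5 bytes
]

print(audit(SAMPLE))
```

Clients reported as `leap` are the ones whose supplicant profiles still need to be moved before LEAP can be disabled on the server.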
