EAP-FAST is a Cisco proprietary EAP authentication method
EAP-FAST is a flexible EAP method that allows mutual authentication of a supplicant and a server. It is similar to EAP-PEAP, but typically does not require client or even server certificates. One advantage of EAP-FAST is the ability to chain multiple authentications (using multiple inner methods) and bind them together cryptographically (EAP Chaining). Cisco implementations use this for user and machine authentication.
EAP-FAST supports PAC-less and PAC-based conversations. A PAC-based conversation consists of PAC provisioning and PAC-based authentication. PAC provisioning can be based on an anonymous or an authenticated TLS session.
The outer identity can be faked: anonymous
Uses a PAC (Protected Access Credential) as the authentication credential
The PAC is a shared secret between the supplicant and the authentication server
The authentication server creates a PAC for each supplicant, using the username and its private secure key
The PAC uses symmetric encryption
The PAC is basically a client identity
A PAC (Protected Access Credential) is generated by the server and provided to the client. It has 3 components:
-- PAC-Key - shared secret, a random secret value, used to derive the TLS master and session keys
-- PAC-Opaque - PAC-Key + user identity, all encrypted with the EAP-FAST server's master key
-- PAC-Info - PAC issuer identity (includes the PAC lifetime)
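The three components above are easiest to see in code. The block below is an added example, not code from the original post or from any Cisco implementation: a toy EAP-FAST server that issues a PAC (random PAC-Key, PAC-Opaque sealed under the server master key, plaintext PAC-Info with lifetime) and later opens the PAC-Opaque to recover the identity and PAC-Key. The master key, authority ID and lifetime are constructed placeholders; the sealing uses HMAC-SHA256 in counter mode with encrypt-then-MAC as a stdlib stand-in for a real AEAD, and the tunnel-key derivation is a simplified HMAC stand-in, not the T-PRF the protocol specifies.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed values for the example. A real EAP-FAST server keeps its
# master key as long-lived secret material; this one is a placeholder.
SERVER_MASTER_KEY = hashlib.sha256(b"placeholder-server-master-key").digest()
AUTHORITY_ID = "example-eap-fast-authority"     # constructed A-ID carried in PAC-Info
PAC_LIFETIME_SECONDS = 7 * 24 * 3600            # constructed lifetime
PAC_KEY_LENGTH = 32                              # PAC-Key is random secret material


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a stream cipher (stdlib stand-in for AES)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _subkeys(master_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the server master key."""
    enc = hmac.new(master_key, b"pac-opaque-encrypt", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"pac-opaque-mac", hashlib.sha256).digest()
    return enc, mac


def _seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything this server did not seal."""
    enc_key, mac_key = _subkeys(master_key)
    if len(blob) < 16 + 32:
        raise ValueError("PAC-Opaque too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("PAC-Opaque failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def issue_pac(identity: str, now: int, master_key: bytes = SERVER_MASTER_KEY) -> dict:
    """Server side: build the three PAC components for one supplicant."""
    pac_key = os.urandom(PAC_KEY_LENGTH)
    expires = now + PAC_LIFETIME_SECONDS
    # PAC-Opaque carries the PAC-Key and identity; only the server can read it.
    sealed = json.dumps({"identity": identity, "pac_key": pac_key.hex(), "expires": expires})
    return {
        "pac_key": pac_key,                                            # handed to the supplicant
        "pac_opaque": _seal(master_key, sealed.encode()),              # stored by the supplicant, opaque to it
        "pac_info": {"authority": AUTHORITY_ID, "expires": expires},   # plaintext, client-visible
    }


def verify_pac(pac_opaque: bytes, now: int, master_key: bytes = SERVER_MASTER_KEY) -> tuple:
    """Server side, at the start of Phase 1: recover identity and PAC-Key from
    PAC-Opaque. The expiry inside the sealed blob is authoritative; the
    client-visible PAC-Info copy is never trusted for this decision."""
    record = json.loads(_open(master_key, pac_opaque))
    if now >= record["expires"]:
        raise ValueError("PAC expired; supplicant must re-provision")
    return record["identity"], bytes.fromhex(record["pac_key"])


def derive_tunnel_key(pac_key: bytes, server_random: bytes, client_random: bytes) -> bytes:
    """Both sides derive tunnel keying material from the shared PAC-Key plus the
    TLS randoms. Simplified HMAC stand-in for the protocol's real T-PRF."""
    return hmac.new(pac_key, b"PAC to master secret" + server_random + client_random,
                    hashlib.sha256).digest()


if __name__ == "__main__":
    t0 = 1_700_000_000
    pac = issue_pac("alice@example.org", t0)
    identity, key = verify_pac(pac["pac_opaque"], t0 + 60)
    print(identity, key == pac["pac_key"])
```

The design point worth noticing is that the supplicant stores the PAC-Opaque but cannot read or alter it: any modification fails the tag check, a different server master key cannot open it, and the lifetime the server enforces is the sealed copy, not the PAC-Info the client can see.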
Sending the PAC to the supplicant
-- Manual
-- Automatic (with the help of Diffie-Hellman and MS-CHAPv2)
EAP-FAST phases (steps)
1. PAC provisioning
- Manual
- Phase 0 (automatic PAC provisioning)
2. Phase 1
- Exchange dummy (anonymous outer) credentials
- Set up the TLS tunnel (no certificate; symmetric encryption keyed from the PAC-Key)
If the PAC is not enabled, the authentication server's certificate is used instead and the exchange acts like PEAP.
3. Phase 2
- Exchange the actual supplicant credentials
Packet 209: server proposes EAP-TLS
Packet 212: supplicant responds with EAP-FAST
Packet 214: server requests EAP-FAST
Packet 216: client and server hello start to create the TLS tunnel; note, no certificate.
All following packets have EAP type: EAP-FAST
The same information should be seen in the RADIUS capture, encapsulated in RADIUS Access-Request and Access-Challenge.
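To make the capture notes above concrete, here is an added example (not code from the original post) that builds the same negotiation as constructed EAP frames, decodes them the way a capture would show them, and wraps each in a RADIUS Access-Request or Access-Challenge to show the EAP-Message encapsulation. Only the EAP header, the Nak type, the method type codes (EAP-TLS 13, PEAP 25, EAP-FAST 43), the L/M/S flag bits and the RADIUS EAP-Message attribute (79) are decoded; the "ClientHello"/"ServerHello" payloads are placeholder bytes, not real TLS, and the RADIUS frames have a zeroed authenticator and no Message-Authenticator, so they are for parsing practice only.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_NAK, EAP_TLS, EAP_PEAP, EAP_FAST = 3, 13, 25, 43
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
RADIUS_EAP_MESSAGE = 79   # RADIUS attribute that carries EAP packets


def build_eap(code: int, ident: int, eap_type=None, payload: bytes = b"") -> bytes:
    """EAP header: code(1) id(1) length(2) [type(1) type-data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet far enough to see which method is being negotiated."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": None}
    if code in (1, 2) and length >= 5:
        t = pkt[4]
        info["type"] = EAP_TYPES.get(t, t)
        if t == EAP_NAK:
            info["proposes"] = [EAP_TYPES.get(b, b) for b in pkt[5:]]  # methods the peer wants instead
        elif t in (EAP_TLS, EAP_PEAP, EAP_FAST) and length >= 6:
            flags = pkt[5]   # L = length included, M = more fragments, S = start
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            if t in (EAP_PEAP, EAP_FAST):
                info["version"] = flags & 0x07
    return info


def build_radius(code: int, ident: int, eap: bytes) -> bytes:
    """Wrap an EAP packet in EAP-Message(79) attributes of at most 253 bytes each.
    Constructed frame: zeroed authenticator, no Message-Authenticator."""
    attrs = b"".join(bytes([RADIUS_EAP_MESSAGE, 2 + len(eap[i:i + 253])]) + eap[i:i + 253]
                     for i in range(0, len(eap), 253))
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs


def extract_eap_from_radius(pkt: bytes) -> tuple:
    """Return (RADIUS code name, reassembled EAP packet) from one RADIUS frame."""
    code, _ident, length = struct.unpack(">BBH", pkt[:4])
    pos, parts = 20, []
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        if attr_type == RADIUS_EAP_MESSAGE:
            parts.append(pkt[pos + 2:pos + attr_len])
        pos += attr_len
    return RADIUS_CODES.get(code, str(code)), b"".join(parts)


# Constructed exchange mirroring the capture notes: server offers EAP-TLS,
# supplicant Naks in favour of EAP-FAST, server starts EAP-FAST (version 1),
# then the certificate-less TLS handshake rides inside EAP-FAST frames.
EXCHANGE = [
    ("server", build_eap(1, 1, EAP_TLS, bytes([0x20]))),                       # Request EAP-TLS, Start
    ("client", build_eap(2, 1, EAP_NAK, bytes([EAP_FAST]))),                   # Nak: use EAP-FAST
    ("server", build_eap(1, 2, EAP_FAST, bytes([0x21]))),                      # Request EAP-FAST, Start, v1
    ("client", build_eap(2, 2, EAP_FAST, bytes([0x01]) + b"ClientHello")),     # placeholder TLS bytes
    ("server", build_eap(1, 3, EAP_FAST, bytes([0x01]) + b"ServerHello")),
    ("client", build_eap(2, 3, EAP_FAST, bytes([0x01]) + b"ClientKeyExchange")),
]


def summarize(exchange) -> list:
    """One line per frame, the way you would read it off a capture."""
    lines = []
    for side, pkt in exchange:
        p = parse_eap(pkt)
        extra = ""
        if p["type"] == "Nak":
            extra = " proposes " + ",".join(map(str, p["proposes"]))
        elif "flags" in p and p["flags"]["S"]:
            extra = " (Start)"
        lines.append(f"{side}: {p['code']} id={p['id']} {p['type']}{extra}")
    return lines


def method_locked_after_start(exchange, method: str = "EAP-FAST") -> bool:
    """True if every frame after the method's Start request uses that method."""
    seen_start = False
    for _side, pkt in exchange:
        p = parse_eap(pkt)
        if seen_start and p["type"] != method:
            return False
        if p["type"] == method and p.get("flags", {}).get("S"):
            seen_start = True
    return seen_start


if __name__ == "__main__":
    for line in summarize(EXCHANGE):
        print(line)
```

Running it prints the negotiation as the notes describe it: a Request for EAP-TLS, a Nak naming EAP-FAST, an EAP-FAST Start, and then only EAP-FAST frames. The RADIUS wrapper shows why a long TLS record appears as several EAP-Message attributes in one Access-Challenge, and why the EAP payload has to be reassembled before the method type is read.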