3-3
Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Chapter 3 Configuring EAP Types
How EAP-FAST Works
After the tunnel is established, the second phase of authentication begins. The client and server
communicate further to establish the required authentication and authorization policies. This phase
consists of a series of requests and responses that are encapsulated in TLV objects. The TLV exchange
includes the EAP method to be used within the protected tunnel. For more information about TLV
objects and format, see section 4.2 of RFC 4851.
The EAP-FAST module offers a variety of EAP-FAST configuration options, including whether
automatic or manual PAC provisioning is used to establish a tunnel, whether or not server certificate is
used to establish a tunnel, what type of user credentials to use for authentication and provisioning, and
what type of authentication method to use to in the established tunnel.
Protected Access Credentials
Protected Access Credentials (PACs) are credentials that are distributed to clients for optimized network
authentication. PACs can be used to establish an authentication tunnel between the client and the
authentication server (the first phase of authentication as described in the
“Two-Phase Tunneled
Authentication” section on page 3-2
). A PAC consists of, at most, three components: a shared secret, an
opaque element, and other information.
The shared secret component contains the pre-shared key between the client and authentication server.
Called the PAC-Key, this pre-shared key establishes the tunnel in the first phase of authentication.
The opaque component is provided to the client and is presented to the authentication server when the
client wants to obtain access to network resources. Called the PAC-Opaque, this component is a variable
length field that is sent to the authentication server during tunnel establishment. The EAP server
interprets the PAC-Opaque to obtain the required information to validate the client's identity and
authentication. The PAC-Opaque includes the PAC-Key and may contain the PAC's client identity.
The PAC might contain other information. Called PAC-Info, this component is a variable length field
that is used to provide, at a minimum, the authority identity of the PAC issuer (the server that created the
PAC). Other useful but not mandatory information, such as the PAC-Key lifetime, can also be conveyed
by the PAC-issuing server to the client during PAC provisioning or refreshment.
PACs are created and issued by a PAC authority, such as Cisco Secure ACS, and are identified by an ID.
A user obtains his or her own copy of a PAC from a server, and the ID links the PAC to a profile.
Persistent PACs, such as machine PACs, are stored in the EAP-FAST registry and encrypted. These PACs
are also protected with access control lists (ACLs) so only designated users (the owners of the PACs)
and members of privileged user groups (for example, administrators) can access them. Machine PACs
are stored globally so that all users of a machine can use the PACs.
All PACs are encrypted and tied to the host machine with Microsoft Crypto API (CryptoProtectData).
PACs cannot be copied and used on other machines.
All non-persistent PACs, such as User Authorization PACs, are stored in volatile memory and do not
persist after reboot or after a user has logged off.
Server Certificate Validation
As a part of TLS negotiation in the first phase of EAP-FAST authentication, the authentication server
presents the client with a certificate. The client must verify the validity of the EAP server certificate and
also examines the EAP server name that is presented in order to determine if the server can be trusted.