IEEE 802.1X, the authentication scheme used by many enterprise-class wireless (and wired) networks, uses various types of Extensible Authentication Protocol (EAP) to relay port access requests between clients, switches, access points and RADIUS servers. One of the most popular EAP types has been Lightweight EAP, or LEAP, created by Cisco Systems to bring mutual authentication to the table.
LEAP has two problems though. Cisco owns it, so any other vendor that wants to support it has to license it. The real bad news is that last year LEAP was discovered to be vulnerable to hackers using a “dictionary attack”
The solution from Cisco is not a LEAP fix — something they say would have been too difficult to pull off — but a replacement EAP type called EAP-FAST. The new acronym stands for Flexible Authentication via Secure Tunneling. FAST will have two major changes from LEAP. It doesn’t use certificates (that’s the flexible part) and maybe more importantly, it’s free. Cisco is making the specification open to all and not requiring license fees.
Even with LEAP’s issues, it’s not useless. “When [LEAP] broke, we recommended to customers to not panic — and to use strong passwords,” says Chris Bolinger, manager of product marketing at Cisco’s Wireless Business Unit.
Strong passwords are those not easily found in a dictionary, usually involving extra characters such as numbers and punctuation. According to Bolinger, some customers said “that makes sense, others said [strong passwords] make it hard for users to remember them.”
Knowing that changing user habits wouldn’t work, Cisco instead set about creating EAP-FAST. The new protocol will use a dynamic Protected Access Credential key (PAC-key) for mutual authentication when securing a tunnel between client and server. FAST will keep the PAC-key refreshed, so the vulnerability to dictionary attacks is eliminated.
WLAN security expert Lisa Phifer, vice president at Core Competence and a contributor to Wi-Fi Planet, says that the pre-shared PAC-Key must still be kept safe from intruders, but does see it as an improvement. “Static preshared secrets have been shown time and time again to be vulnerable and administratively expensive,” she says.
But is EAP-FAST a necessity? “The last thing the industry needs is yet another EAP type,” says Phifer. “We would have been much closer to industry convergence on at least one common tunneled EAP type if Cisco and Microsoft could have agreed to refine PEAP to address known vulnerabilities.”
PEAP, the “Protected” EAP type, was jointly developed by Cisco and Microsoft (with RSA Security), but each took the certificate-based authentication scheme in a different direction. Microsoft includes PEAP with versions of Windows XP shipping today.
Bolinger says a lot of customers Cisco talked with didn’t like PEAP because of the use of certificates (many IT organizations don’t know how to use them), whether it was the Microsoft (MS-Chap) flavor or Cisco’s (Generic Token Card). He downplays any “war” between his company and Microsoft as hype, and points out that development of a PEAP version 2 is ongoing. He says FAST is not about replacing PEAP anyway, but addressing the issues with LEAP.
In hopes of getting in ahead of the Internet Engineering Task Force (IETF)
However, unlike the IEEE process, where specifications like 802.11b must go through months of scrutiny and voting before becoming a standard, Cisco’s “informational draft” on the IETF site is not up for any sort of approval. It’s out there in part so people can comment to Cisco about it, but ultimately it’s been made public so it can be used by 802.1X vendors, from third parties such as Funk Software on up to major providers like, well, Microsoft and Cisco.
EAP-FAST is also destined to become part of Cisco Compatible Extensions (CCX), the set of specifications Cisco wants vendors from chip makers to laptop manufacturers to build into their Wi-Fi products. CCX is meant to ensure Wi-Fi products will work seamlessly with the Cisco infrastructure products that abound in the world. CCX 2.0 is coming out this quarter; EAP-FAST will likely be in the 3.0 version in a few months.
Of EAP-FAST, Bolinger says that Cisco “doesn’t want it to be ‘the one’ [EAP-type] but it’s a nice type that fits well with customers that have used LEAP before and want something similar, but with an additional security mechanism.”