
Cisco proposes EAP FAST wireless security protocol

By John Cox, NetworkWorld.com
February 12, 2004 06:37 PM ET

Cisco has submitted to the IETF a draft document for a new Extensible Authentication Protocol type that's designed to fix security weaknesses in its proprietary Lightweight EAP, or LEAP.

The draft, dubbed an "information draft" in IETF lingo, can be found here. Cisco calls the new type EAP Flexible Authentication via Secure Tunneling (EAP FAST).

LEAP is Cisco's own authentication mechanism, used as part of an IEEE 802.1x authentication system, which is generally considered to be the emerging standard for network authentication.

In mid-2003, several tools were developed for mounting a dictionary attack on LEAP. The tools could sniff a LEAP authentication session, then use a database of names and terms to guess the password. Cisco's initial recommendations to worried users were 1) use hard-to-guess passwords and 2) use another existing EAP type, such as Protected EAP. PEAP is a joint effort by Cisco, Microsoft and RSA.

But those other EAP types all require the use of a fairly complex digital certificate infrastructure to set up a secure tunnel between two ends of a network connection.

With EAP FAST, Cisco has drafted a mechanism that looks and behaves like LEAP, but creates a PEAP-like tunnel without the use of certificates and the infrastructure needed to support them, says Chris Bolinger, manager of product marketing for Cisco's wireless networking business unit.

EAP FAST will be introduced into the Cisco Secure ACS security server and on Aironet wireless adapter cards, starting with the 350 series, in March, Bolinger says. The new type also is being released to partners in the Cisco Compatibility Extensions 3.0 specification. This spec outlines how to write software drivers that can work with parts of Cisco's operating system software. An array of third-party adapters and security products is expected to feature EAP FAST by fall, Bolinger says.

 
