EAPFAST

EAPFAST, short for EAP Flexible Authentication via Secure Tunneling, is an Extensible Authentication Protocol (EAP) method intended for secure network access in wireless LANs and VPNs. It was developed to provide strong authentication without requiring every client to possess server certificates, while still leveraging a protected channel for credential exchange.

The core concept of EAPFAST is the Protected Access Credential (PAC). The PAC is provisioned onto both the client and the authentication server and used to create a TLS tunnel. Within this protected tunnel, the actual inner authentication method is executed (for example, an MS-CHAP-based or generic token-based method). This design allows a combination of certificate-free bootstrap with the security benefits of a tunnel for sensitive credentials.

Authentication with EAPFAST is commonly described in three phases: Phase 0 involves PAC provisioning and enrollment; Phase 1 establishes the TLS tunnel using the PAC; Phase 2 performs the inner authentication inside the tunnel. This structure aims to simplify deployment by reducing the need for server certificates on every client while enabling rapid re-authentication.

Advantages of EAPFAST include reduced certificate management, potential for faster roaming and re-authentication, and the ability to support various inner methods inside a single tunnel. Security considerations center on safeguarding the PAC, since compromise of the PAC can undermine the tunnel and impersonation protections. PAC provisioning and storage must be handled securely to prevent credential leakage.

EAPFAST is used in some enterprise deployments and is supported by certain vendors’ network access devices, particularly in older Cisco-centric environments. It is one of several EAP methods available for 802.1X authentication, with others such as EAP-TLS and EAP-TTLS offering alternative approaches.
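As an added example (not part of the original page), the following Python models the Phase 1 key agreement and the PAC security consideration described above, using the PAC-Key, T-PRF and master-secret definitions from RFC 4851, which the page itself does not name; the keys and nonces are constructed sample values. It shows why PAC storage matters: the tunnel's master secret is a deterministic function of the PAC-Key and two nonces sent in the clear, so the tunnel comes up only when client and server hold the same PAC-Key, and any party holding a leaked PAC-Key could derive the same secret.

```python
import hmac
import hashlib
import os

# Constants taken from RFC 4851 (assumed from the spec; this page does not name them).
MASTER_SECRET_LABEL = b"PAC to master secret label hash"
MASTER_SECRET_LEN = 48   # TLS master secret length in octets
PAC_KEY_LEN = 32         # PAC-Key length in octets


def t_prf(key: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """EAP-FAST T-PRF (RFC 4851 section 5.5), iterated HMAC-SHA1:
    S = label || 0x00 || seed
    T1 = HMAC-SHA1(key, S || out_len(2 octets) || 0x01)
    Tn = HMAC-SHA1(key, T(n-1) || S || out_len || n); output truncated to out_len."""
    s = label + b"\x00" + seed
    length = out_len.to_bytes(2, "big")
    out, prev, n = b"", b"", 1
    while len(out) < out_len:
        prev = hmac.new(key, prev + s + length + bytes([n]), hashlib.sha1).digest()
        out += prev
        n += 1
    return out[:out_len]


def derive_master_secret(pac_key: bytes, server_random: bytes, client_random: bytes) -> bytes:
    """Phase 1 (RFC 4851 section 5.1): the tunnel's TLS master secret depends only on
    the PAC-Key and the two handshake nonces, which are exchanged in the clear."""
    if len(pac_key) != PAC_KEY_LEN:
        raise ValueError("PAC-Key must be %d octets" % PAC_KEY_LEN)
    return t_prf(pac_key, MASTER_SECRET_LABEL, server_random + client_random, MASTER_SECRET_LEN)


def phase1_key_agreement(client_pac_key: bytes, server_pac_key: bytes, rng=os.urandom):
    """Simplified model of Phase 1: each side derives the master secret from the PAC-Key it
    holds; the tunnel can only be established when both derive the same value, i.e. when
    they share the PAC-Key. Returns (agreed, client_master_secret)."""
    client_random = rng(32)   # ClientHello.random (constructed here)
    server_random = rng(32)   # ServerHello.random (constructed here)
    client_ms = derive_master_secret(client_pac_key, server_random, client_random)
    server_ms = derive_master_secret(server_pac_key, server_random, client_random)
    return hmac.compare_digest(client_ms, server_ms), client_ms


if __name__ == "__main__":
    pac_key = bytes(range(32))                       # constructed sample PAC-Key
    print(phase1_key_agreement(pac_key, pac_key)[0])        # True: shared PAC-Key
    print(phase1_key_agreement(pac_key, os.urandom(32))[0])  # False: server lacks it
```

The same derivation is what makes a leaked PAC-Key a tunnel-level compromise rather than a single-session one, which is the reason the text stresses secure PAC provisioning and storage.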