Jan 14, 2015

Wireless LAN feature -- 4 EAP-FAST wlan

Hello everyone.

In this post, we still go to Wireless LAN feature -- EAP-FAST.  The process of EAP-FAST is very similar with LEAP, which we had introduced in last post.

EAP-FAST (EAP Flexiable Authentication via securei tunneling) is more security than LEAP
If you wan to understand it more, please read the 1. and 2. reference


// Topology //

Client   )) ((    AP ----- Switch ---- WLC (local authentication)



// How to //

1.   Create LEAP profile, Go to [Security] > [Local EAP] > [Profiles]  and create LEAP-FAST
 profile




2.   Add EAP-FAST support to our profile

 


3.  Go to the [Security] > [Local EAP] > [EAP-FAST Parameters] and leave the default setting as the following 

 

Of course, you can change these parameters based on the customer's request. For example, we can chose 16 days instead of the default days as the specific life duration for PACKERS.



4.  Create one WLAN and Setup Layer-2 security parameters. For example, we give the following setting


 *
 In this example, we use "802.1x + CCKM" at Auth Key Mgmt. But, in the real lab, this part should depend on your clients. 
If there are only Cisco 7921 phones in your network development, you should select CCKM. For Cisco 7921 phones, "802.1x + CCKM" is very bad for Cisco 7921 phones

Since the laptop pc is may support 802.1x or CCKM., you should clarify it. Then, you can decide to select 802.1x, CCKM or 802.1x + CCKM.

 

5. Enable local EAP-FAST authentication in the AAA servers tab




 6. Create a local user as the following 


 


*
Since Cisco 792.1 phones' CPU is slower than a PC CPU, these phones take longer to process the PAC than a PC.  It is better to set a longer EAP request than the default. 20 is the default value.  Unfortunately, you cannot set the time of  eap request though GUI.

[CLI]
config advanced eap request-timeout 30
(WLC) >config advanced eap request-timeout  20
(WLC) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600



 OK, see you next time.


// reference //
1.
http://www.opus1.com/nac/whitepapers-old/e-eapfast-lv05.pdf

2.
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1300-series/prod_qas09186a00802030dc.html