EAP-FAST and Windows XP

Unanswered Question
CRISTIAN LACATUS Wed, 01/02/2008 - 17:20


The default wireless client built into XP supports PEAP and EAP-TLS.

PEAP seems to be the most deployed form of authentication. See http://www.microsoft.com/technet/network/wifi/ed80211.mspx for a Microsoft document explaining how to integrate PEAP with Active Directory.

The Cisco Secure Services Client supports “every protocol known to man”, including EAP-FAST. Cisco Secure Services Client is a better product compared to the default Windows client, but it is not “free” like the Windows client. The licensing costs can add up especially for large deployments.

Some people are passionately against EAP-FAST, see http://articles.techrepublic.com.com/5100-1035-6148557.html .



I had heard that XP service pack 3 was supposed to have EAP-FAST support and was wondering if anyone else had heard the same. We've tested it and it doesn't appear to have the support without something called "EAP-FAST modules" that are supposed to be available from Cisco. I haven't found anything on it so I figured I'd post it here.

I'd read the article linked in your response and didn't read it as "passionately against EAP-FAST".... just not what Cisco advertises. It is easy to deploy and would be easier if supported by Windows without third party supplicants. We've been using the Intel and Dell wireless clients but were hoping to simplify things.

CRISTIAN LACATUS Thu, 01/03/2008 - 07:03


You obviously did quite a bit of work; I am still in the user testing phase.

Tell me please if the default Windows XP wireless client (the XP Zero Configuration utility) did not work for you. I use Linksys wireless network cards. The Linksys wireless software client was disabled, and I use the Windows built-in client with PEAP authentication against a Cisco ACS RADIUS server.

The built-in client in Windows seems to work quite well. Because it comes “by default” with Windows, it does not require any third-party supplicant. Microsoft has extensive documentation explaining how to configure PEAP in an Active Directory environment (Active Directory is not required, it is just nice to place everything under one umbrella).

PEAP requires SSL certificates on the RADIUS server (Cisco ACS in my case). We have two ACS boxes; two Verisign certificates are not that expensive. If “real” SSL certificates are not an option, you can build your own Certification Authority using software that comes by default in Windows 2000 Server. You just have to deploy the certificate identifying your local Certification Authority to all wireless clients (the cert deployment can be automated in Windows environments).

I miss the extensive debug traces from Cisco Secure Services Client, but the Windows PEAP client works (and it's free).



No... the XP wireless client doesn't work because of its lack of EAP-FAST support. Intel ProSet clients and Dell wireless clients work fine with the config utility that comes with the cards. We also have authentication forwarded to AD through ACS. We were looking for something to ease deployment to clients and EAP-FAST seemed to fit the bill since the automatic deployment of PACs made things seem easy. I'm not sure if I had it to do again if I would go that route due to the added complexity of having to configure one client differently from another. The hope and impression based on information I can't locate at this time was that XP SP3 would have EAP-FAST support and all of the problems would go away since the zero config utility with XP could be used. I'm really bothered / concerned that this isn't the case and will have to determine what to do now. We have significant time invested in making EAP-FAST work in our network and changing will be an incredible hassle. I understand that a third party supplicant sold by Cisco partners would alleviate this issue but is a cost that isn't necessary if you use PEAP. The software isn't cheap either.

I'll add that although Linksys is a Cisco company their clients don't support EAP-FAST authentication out of the box which blows my mind. They are listed as CCX compatible but only with third party supplicants.

CRISTIAN LACATUS Thu, 01/03/2008 - 08:37

I understand that your company already made significant investments on EAP-FAST, and you are trying to leverage this work.

Take a look at wpa_supplicant (a short explanation at http://en.wikipedia.org/wiki/Wpa_supplicant ). I have not used it on Windows, and the setup on Linux is quite complex.

Thank you for this interesting conversation; it convinced me again to use PEAP, the “most standard” protocol.
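
As an added example (not part of the original posts and not wpa_supplicant project code), the Python sketch below audits a constructed wpa_supplicant.conf for the two settings this thread turns on: whether a PEAP profile names the CA that signed the RADIUS server certificate, and whether an EAP-FAST profile accepts unauthenticated automatic PAC provisioning. The SSIDs, file paths and finding codes are assumptions; `ca_cert`, `ca_path`, `pac_file` and `fast_provisioning` are wpa_supplicant's own option names.

```python
import re

# Constructed sample config; SSIDs and paths are made up, identity/password lines omitted.
SAMPLE_CONF = '''
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-peap-nocheck"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-fast"
    key_mgmt=WPA-EAP
    eap=FAST
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa_supplicant/corp.pac"
}
'''

def parse_networks(text):
    """Return one dict of option -> unquoted value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = re.findall(r"^\s*([A-Za-z0-9_]+)=(.*?)\s*$", body, re.M)
        nets.append({key: value.strip('"') for key, value in pairs})
    return nets

def audit(text):
    """Return (ssid, finding_code) tuples; the codes are labels invented for this example."""
    findings = []
    for net in parse_networks(text):
        ssid, methods = net.get("ssid", "?"), net.get("eap", "").split()
        # Without ca_cert/ca_path the supplicant does not verify the RADIUS server certificate.
        if "PEAP" in methods and not ("ca_cert" in net or "ca_path" in net):
            findings.append((ssid, "PEAP_NO_CA"))
        # fast_provisioning: 0 off, 1 unauthenticated, 2 authenticated, 3 both.
        mode = re.search(r"fast_provisioning=(\d)", net.get("phase1", ""))
        if "FAST" in methods and mode and mode.group(1) in ("1", "3"):
            findings.append((ssid, "FAST_UNAUTH_PROVISIONING"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
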


rosantowski Thu, 01/03/2008 - 11:54

Has anyone tried to get the Lenovo Thinkpad Intel 4965AGN card (with Access Connections) working with EAP-FAST and AES? I've gotten EAP-FAST with WEP working to the AP, but nothing beyond it.

Any info would be appreciated...

Funny you ask.... it's the one Intel card that has given me some trouble. I just ordered a new Dell for myself and had that card installed for it figuring it would work as well as the 3945 ABG and 2200 BG and also give me N radio capability for later. I wished I hadn't. I was able to get it to work with EAP-FAST and AES but I cannot create multiple profiles with the Intel client using these settings or it will not work. Try to "disable EAP-FAST enhancements" when setting up the profile. It will probably work.

