Cisco Support Community
New Member

Client Authentication using ACS 4.x and choice of encryption!

Hello all,

Is there a concern in migrating from LEAP to EAP-FAST in a Cisco Secure ACS environment? Rather, how secure is EAP-FAST authentication using AES encryption?

It appears there is a mixed view out there. Some folks consider EAP-FAST to be just a little more secure than LEAP (prone to dictionary attacks) and advise going with PEAP or EAP-TLS, but both of these require additional certificates/configuration etc.

Are there any prevailing thoughts out there and/or Cisco's recommendations on the subject?


New Member

Re: Client Authentication using ACS 4.x and choice of encryption


EAP-FAST establishes a secure tunnel between the supplicant and the RADIUS server before sending the client credentials over the air. The secure tunnel is established by using PAC credentials that can be auto-provisioned or manually provisioned.

EAP-FAST is not far from PEAP-GTC, in the way that the credentials are sent in a secure tunnel. What makes the difference (the easy deployment feature) is the auto-provisioning feature of the PAC in order to establish this secure tunnel.

More details here :

Hope this helps,


New Member

Re: Client Authentication using ACS 4.x and choice of encryption

Thank you for your reply and the useful link, Vincent. So, is it safe to assume that EAP-FAST is as secure as (or more secure than) PEAP and can be deployed with a high level of confidence?

I'm more concerned about the prevailing opinion and vulnerability to EAP-FAST that may be out there. I agree that deployment of it does not seem very complicated. BTW, does ACS 3.1 also support EAP-FAST? I looked around and it didn't seem to.

Thanks again!
