Cisco Support Community
New Member

EAP-Fast or PEAP ??

Dear All,

We are not sure if we should use EAP-FAST as the authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer? For PEAP or EAP/TTLS we would need a RADIUS server such as ACS, while we could assign an access point as a local authentication server if we used EAP-FAST. Is the extra cost for an ACS server justified only to be able to use PEAP? Thanks for your help.

3 REPLIES
New Member

Re: EAP-Fast or PEAP ??

I'd suggest you take a look at this guide:

http://downloads.techrepublic.com.com/abstract.aspx?docid=277380

Read it and draw your own conclusions. Each method will have pros and cons and you know your network better than the rest of us.

New Member

Re: EAP-Fast or PEAP ??

EAP-FAST can be problematic. I suggest PEAP for a variety of reasons the guide goes over and because basically it's better security. However, if you're just talking a few users and not an enterprise deployment, then you can choose EAP-FAST which may be a quicker option for you.

Re: EAP-Fast or PEAP ??

Also, you don't need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that it is there for many other things than wireless: TACACS authentication on your devices, security logs, VPN authentication, and it can connect OTP solutions on top of ACS (from other vendors like RSA). When migrating from LEAP, EAP-FAST is the easiest way to go, since EAP-FAST was designed to take over from LEAP with less impact on your configuration, and migration is easy since you are then running an ACS. The market actually demanded EAP-FAST because there was a need for a solution that was more secure than LEAP and PEAP-MSCHAPv2 (both shared secret mechanisms) and something less complicated than PKI solutions. The answer was EAP-FAST with its easy-to-set-up "mini certificate" setup, which can be pretty well automated. PKI PEAP with certificates is a major decision and you have to be ready to manage a PKI solution all year long. This might require extra personnel to take care of it. But of course those solutions will be the most secure.

regards. Kristjan Edvardsson

Sensa ehf. Cisco Silver Partner
