Wednesday, 14 December 2011

Why not to use EAP-FAST: Part One

Recently I recommended against the EAP-FAST authentication protocol whilst writing a WLAN design and instead recommended that either EAP-TLS or PEAPv0 (EAP-MSCHAPv2) be used. There were a number of reasons for this recommendation and in this short post I will discuss the first reason - the lack of WLAN chipset support.

For the uninitiated, EAP-FAST is Cisco's answer to the cracked-back-in-'03 LEAP authentication protocol. LEAP was also courtesy of Cisco. EAP-FAST was Cisco-proprietary, became an IETF draft in 2004 and then err, a non-draft fully fledged, fair dinkum IETF RFC in 2007.

Few WLAN chipsets supported EAP-FAST initially but since 2009 it been added to the Wi-Fi Alliance certification program.

Edit (10th Jan 2012): Whilst the numbers below were correct as of November 2011 comments about these figures have made me realise that my methodology was flawed. Whilst I mention below that EAP-FAST has only had since 2009 to be included in the Wi-Fi Alliance certified client listings, I didn't take into account clients that supported EAP-FAST, prior to the Wi-Fi Alliance certification. I doubt even Cisco has an accurate idea of how many clients this includes. In addition, clients that did not originally support EAP-FAST may have since received support via a driver update.

Whilst the numbers may not represent the true extent of EAP-FAST support, my experience has been that fewer clients support EAP-FAST, particularly non-laptop based Wi-Fi devices..Whilst laptop-based driver updates may be available for some clients, driver management in most enterprises is almost non-existent so updating a large enterprise for support of a new authentication protocol would typically not be a light undertaking. This does not even touch on the work required to update devices such as phones, barcode scanners, medical equipment, etc.

Although accurate numbers may be difficult to determine when it comes to EAP-FAST client support, unless you can be sure that the vast majority of your EAP-capable clients do in fact support EAP-FAST I would suggest looking towards PEAP or EAP-TLS in most cases. Part two of this post will document other factors that weigh in when considering an EAP-FAST implementation.

Of the current ~10,000 Wi-Fi Alliance certified WLAN products, ~1,300 support EAP-FAST. By contrast, PEAPv0 is supported by ~4400 products and EAP-TLS by ~5400. Keep in mind that these figures include both enterprise and SOHO products and generally SOHO gear does not support any flavour of EAP. 
So of the three most popular flavours of EAP, the break-down is, as of November 2011:
  • EAP-TLS                           : ~54% of Wi-Fi Alliance certified products support it
  • PEAPv0 (EAP-MSCHAPv2) : ~44% of Wi-Fi Alliance certified products support it
  • EAP-FAST                         : ~13% of Wi-Fi Alliance certified products support it

The number of devices supporting EAP-FAST has been steadily growing but it is still far behind EAP-TLS and PEAPv0. To be fair, EAP-FAST has only had since 2009 as far as Wi-Fi Alliance certification goes whilst EAP-TLS and PEAPv0 certification from the Wi-Fi Alliance has been occurring for much longer. For the time being however, deploying EAP-FAST today means that you may be stuck using (if you're lucky) WPA2-Personal (Pre-shared Key) on some of your managed devices which is far from desirable when alternatives exist.

No comments:

Post a Comment