Cisco Wireless – Central Authentication using EAP-FAST with vWLC as the AAA Server
EAP-FAST (Flexible Authentication via Secure Tunnelling) is a proprietary 802.1X authentication method from Cisco. EAP-FAST does not require certificates; the protocol creates a secure tunnel between the client and the AAA server and uses a PAC (Protected Access Credential) as part of the exchange, so clients must support EAP-FAST in order to be compatible. Not all clients can use EAP-FAST by default: on Apple devices you can use the “Apple Configurator” to set up EAP-FAST and deploy it to clients, and on Windows you will need to update the network driver and download the necessary Cisco module/plugin, which is available from the website of the network adapter's manufacturer. Intel provides support for most of its “PROSet” adapters.
In this step-by-step guide we will set up central authentication on the vWLC using EAP-FAST: the WLC will act as the AAA server, we will create a local EAP profile, and finally we will use a Windows 10 client device to connect and centrally authenticate the local user.
Configure the networking
Make sure the underlying networking is working: the vWLC management interface and the AP must be connected to trunk ports on the switch so that the VLANs are carried. A DHCP server must also be available to issue clients IP addresses from the relevant VLANs.
Create a Local EAP profile for EAP-FAST
1. Log in to the Wireless LAN Controller and click “Security” – “Local EAP” – “Profiles” – “New”.
2. Give the new profile a name and click “Apply”; in this example we have used “Local-FAST”.
3. Tick the “EAP-FAST” box to allow the profile to use EAP-FAST as its authentication method, and click “Apply”.
4. From the left-hand menu select “Authentication Priority” and verify that “LOCAL” is selected in the “Order used for Authentication” box.
Create a local user
1. Under “Security” – “AAA” select “Local Net Users” and click “New”. Create a new user for authentication and click “Apply”.
Create the WLAN
1. Navigate to “WLANs”, select “Create New” and hit “Go”. Give the profile and SSID a name; in this example we have used “Local-FAST” (the profile name and SSID can be anything you like). Click “Apply”.
2. From the “General” tab enable the WLAN and select an interface to map to the SSID. This can be any available VLAN on the network that users should be placed on after successful authentication; DHCP will also issue an IP address from this range, so the interface must be correctly configured.
3. Click the “Security” tab and verify that under Layer 2 the following are selected: “WPA+WPA2”, “WPA2 Policy” and “802.1X”.
4. Click the “AAA Servers” tab, scroll down and tick the “Local EAP Authentication” Enabled tick box. From the drop-down menu select the profile created earlier, “Local-FAST”, and make sure that “LOCAL” is at the top of the “Order used for Authentication” list. Finally click “Apply”.
Client Connection and Testing
Using the client device perform the following steps:
1. Navigate to “Network and Sharing Center”, and select “Set up a new connection or network”
2. Click “Manually connect to a wireless network” and hit “Next”
3. Type in the name of the SSID created earlier (in this case “Local-FAST”), select “WPA2-Enterprise” as the security type and click “Next”.
4. Select “Change connection settings”.
5. From the network properties window select the “Security” tab. Select “WPA2-Enterprise” as the security type and leave “AES” as the encryption type. From the drop-down list select the “Cisco EAP-FAST” authentication method (this option is only visible if the adapter supports EAP-FAST) and click “Settings”.
6. Verify that “Protected Access Credentials” is ticked and select the “User Credentials” tab.
7. Under the “User Credentials” tab select “Prompt automatically for username and password”. Finally click “OK” and “OK” to save the settings and exit the window.
8. From the Windows client check that the SSID is being broadcast, and click “Connect”.
9. At the “EAP-FAST credentials” prompt, enter the user account details created earlier and click “OK”.
Once the user is authenticated the connection should show as “Connected”; the adapter icon also confirms the connection.
10. Launch CMD and issue “ipconfig” to verify that DHCP has issued an IP address from the correct subnet. In this case we used VLAN 30, so the address 192.168.30.3 confirms that a correct IP has been obtained.
11. Verify that we can ping the default gateway.
12. On the WLC, verify that the connected client is visible: navigate to “Monitor” – “Clients”.
Click on the “Client MAC Addr” to view the client's details. From the details we can see that the client is connected to the “Local-FAST” SSID using the local user account “Jay”.
Scrolling down to the “Security Information” section we can see that “802.1x” is in use along with “EAP-FAST” as the authentication method.
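The client-side checks in steps 10 and 11 (association to the right SSID with WPA2-Enterprise/AES, a DHCP-issued address from the VLAN 30 subnet, and a reachable default gateway) can be run as one script on the Windows 10 client. The PowerShell below is an added example and is not part of the original guide; it assumes the SSID “Local-FAST” and the 192.168.30.0/24 subnet from the guide, and a gateway address of 192.168.30.1 (an assumption, since the guide only says “Default Gateway”); all of these are parameters. It parses the English-language output of `netsh wlan show interfaces`, so the field names need adjusting on other locales. The EAP method itself is not shown by netsh, so that part is still confirmed on the WLC client details page as in step 12.

```powershell
# Post-connection verification for the EAP-FAST client (added example, not from
# the original guide). Assumed values: SSID "Local-FAST" and subnet
# 192.168.30.0/24 (both from the guide) and gateway 192.168.30.1 (assumed;
# override with -Gateway). Parses English "netsh wlan show interfaces" output.
param(
    [string]$Ssid    = 'Local-FAST',
    [string]$Network = '192.168.30.0',
    [int]$PrefixLen  = 24,
    [string]$Gateway = '192.168.30.1'
)

# Pull one "Field : value" line out of the netsh output (first match wins).
function Get-NetshField([string[]]$Lines, [string]$Name) {
    $pattern = '^\s*{0}\s*:\s*(.+)$' -f [regex]::Escape($Name)
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value.Trim() }
    return $null
}

# True if $Ip falls inside $Network/$Prefix (IPv4, byte-wise mask comparison).
function Test-IPInSubnet([string]$Ip, [string]$Network, [int]$Prefix) {
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $Prefix - 8 * $i))
        if ($bits -eq 0) { break }
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

# Live association details from the WLAN AutoConfig service.
$wlan    = netsh wlan show interfaces
$iface   = Get-NetshField $wlan 'Name'
$state   = Get-NetshField $wlan 'State'
$curSsid = Get-NetshField $wlan 'SSID'
$auth    = Get-NetshField $wlan 'Authentication'
$cipher  = Get-NetshField $wlan 'Cipher'

# IPv4 address on the Wi-Fi adapter; PrefixOrigin tells us whether DHCP issued it.
$addr = Get-NetIPAddress -InterfaceAlias $iface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1

$checks = [ordered]@{
    "Associated to SSID '$Ssid'"     = ($state -eq 'connected' -and $curSsid -eq $Ssid)
    'Authentication WPA2-Enterprise' = ($auth -eq 'WPA2-Enterprise')
    'Cipher AES (CCMP)'              = ($cipher -eq 'CCMP')
    'Address issued by DHCP'         = ($addr -and $addr.PrefixOrigin -eq 'Dhcp')
    "Address in $Network/$PrefixLen" = ($addr -and (Test-IPInSubnet $addr.IPAddress $Network $PrefixLen))
    "Gateway $Gateway reachable"     = (Test-Connection -ComputerName $Gateway -Count 2 -Quiet)
}

# Print a PASS/FAIL line per check so a failed step is obvious at a glance.
foreach ($c in $checks.GetEnumerator()) {
    $verdict = if ($c.Value) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1}' -f $c.Key, $verdict
}
if ($addr) { "Client address: $($addr.IPAddress)/$($addr.PrefixLength) on '$iface'" }
```

Run it from a normal PowerShell prompt on the client after step 9; a FAIL on the address or gateway lines with the association lines passing points at the interface/VLAN mapping on the WLAN's “General” tab or at DHCP on that VLAN rather than at the EAP-FAST configuration.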