10. The server sends a Pass or Fail message. The Pass message indicates that the client is successfully authenticated.
Key Topic
Figure 17-13 EAP-FAST Negotiation (participants: Client, Authenticator, Authentication Server (AAA Server); message sequence: EAP Start, EAP Request Identity, EAP Response Identity, EAP-FAST Start (AID), EAP Request Challenge (AID), PAC Opaque, Cipher Trust Protocol Set, Confirm Cipher Trust Protocol Set, TLS Tunnel, Identity Request, Authentication Response (EAP-GTC), Pass/Fail)
PEAP
As you've seen with EAP-TLS, certificates are required on both the client and the server. With EAP-FAST, no certificates are required; rather, the PAC establishes the tunnel instead. With Protected EAP (PEAP), only a server-side certificate is used. This server-side certificate is used to create a tunnel, and then the real authentication takes place inside. The PEAP method was jointly developed by Cisco Systems, Microsoft, and RSA. PEAP uses Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) or Generic Token Card (GTC) to authenticate the user inside an encrypted tunnel.
To authenticate to Microsoft Windows Active Directory, you would use MS-CHAPv2.
Figure 17-14 shows the PEAP process.
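The following wpa_supplicant configuration is an added example, not from the book or from Cisco; it shows a supplicant side for both methods discussed here: an EAP-FAST network that relies on a PAC file (the sequence in Figure 17-13) and a PEAP network that authenticates with MS-CHAPv2 inside a tunnel protected only by the server's certificate. The SSID, identities, password, file paths, and domain name are placeholders; the option names are real wpa_supplicant settings.

```conf
# Added example (not from the book): two wpa_supplicant network blocks,
# one for EAP-FAST (PAC-based, as in Figure 17-13) and one for PEAP with
# MS-CHAPv2 inside the server-certificate tunnel. SSID, identities,
# password, file paths and the domain name are placeholders.
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

# EAP-FAST: no client or server certificate is needed; the PAC is what
# secures the tunnel. fast_provisioning=2 permits only authenticated
# (server-certificate) PAC provisioning; 1 would also allow anonymous
# provisioning, which leaves the initial PAC exchange unauthenticated.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="user@example.com"
    password="PLACEHOLDER-PASSWORD"
    phase1="fast_provisioning=2"
    pac_file="/etc/wpa_supplicant/eap-fast.pac"
    phase2="auth=GTC auth=MSCHAPV2"
}

# PEAP: only the server presents a certificate. ca_cert and
# domain_suffix_match make the supplicant verify that certificate before
# the MS-CHAPv2 exchange runs inside the tunnel. Leaving both out is the
# weak setting: the supplicant would then build the tunnel to any RADIUS
# server that presents a certificate, and the inner credentials would be
# sent to it.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    anonymous_identity="anonymous@example.com"
    password="PLACEHOLDER-PASSWORD"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```

With both blocks present, the supplicant picks whichever method the authentication server offers for the SSID. The point of the PEAP block is that the server certificate is the only thing standing between the client and the inner MS-CHAPv2 exchange, so pinning the issuing CA and the server name is what makes the "protected" tunnel actually protective.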
In PEAP, the following occurs: