EAP-FAST, EAP Flexible Authentication via Secure Tunneling |
Protocol suite: | TCP/IP. |
Type: | EAP extension protocol. |
Base protocol: | EAP, PPP Extensible Authentication Protocol. |
EAP type: | 43 |
MIME subtype: | |
SNMP MIBs: | |
Working groups: | |
Links: |
EAP-FAST is an authentication protocol similar to EAP-TLS that enables mutual authentication and cryptographic context establishment by using the TLS handshake protocol. EAP-FAST allows the established TLS tunnel to be used for further authentication exchanges, which it carries as type-length-value (TLV) objects. The tunnel is then used to protect weaker inner authentication methods, which may be based on passwords, and to communicate the results of the authentication.
EAP-FAST authentication occurs in two phases. In the first phase, EAP-FAST employs the TLS handshake to provide an authenticated key exchange and to establish a protected tunnel. Once the tunnel is established, the second phase begins, with the peer and server engaging in further conversations to establish the required authentication and authorization policies.
EAP header | EAP-FAST header | Data ::: |
EAP-FAST header:
Bits | Field |
---|---|
00-07 | Type |
08 | L |
09 | M |
10 | S |
11-12 | 0 (reserved) |
13-15 | Version |
16-47 | Message length (msb 16 bits in the first 32-bit word, lsb 16 bits in the second) |
48- | Data ::: |
Type.
8 bits.
EAP extension type.
Set to 43 (EAP-FAST).
L, Length included.
1 bit.
If set, the Message length field exists.
M, More fragments.
1 bit.
If set, this is not the final fragment.
S, EAP-FAST start.
1 bit.
If set, this is an EAP-FAST Start message.
Version.
3 bits.
Version number of this protocol.
Message length.
32 bits.
This field provides the total length of the message that may be fragmented over the data fields of multiple packets.
Data. Variable length.
(RFC 4851)
In the case of an EAP-FAST Start request (i.e., when the S bit is set) the Data field consists of the A-ID. In other cases, when the Data field is present, it consists of an encapsulated TLS packet in TLS record format. An EAP-FAST packet with Flags and Version fields, but with a zero-length Data field, is used to indicate EAP-FAST acknowledgement for either a fragmented message, a TLS Alert message or a TLS Finished message.
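A parser and builder for the EAP-FAST header described above, added here as an example; it is not code from RFC 4851 or from any EAP-FAST implementation. It decodes the Type octet, the L/M/S flag bits, the Version, the optional Message length and the Data, rejects a Message length smaller than the data actually carried (a defensive check, not a requirement stated on this page), and recognises the zero-length acknowledgement. The class and function names and the sample byte strings are my own construction.

```python
import struct
from dataclasses import dataclass
from typing import Optional

EAP_TYPE_FAST = 43                         # EAP Type value for EAP-FAST
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # L, M, S bits of the Flags octet
RESERVED_MASK, VERSION_MASK = 0x18, 0x07   # two reserved bits, 3-bit Version

@dataclass
class EapFastHeader:
    length_included: bool          # L: Message length field present
    more_fragments: bool           # M: not the final fragment
    start: bool                    # S: EAP-FAST Start message
    version: int
    message_length: Optional[int]  # total length of the (fragmented) message
    data: bytes                    # A-ID for Start, else TLS record bytes

    @property
    def is_ack(self) -> bool:
        """Zero-length Data with S clear is an EAP-FAST acknowledgement."""
        return not self.start and len(self.data) == 0

def parse_eap_fast(type_data: bytes) -> EapFastHeader:
    """Parse the EAP Type-Data of an EAP-FAST packet, from the Type octet on."""
    if len(type_data) < 2:
        raise ValueError("truncated: Type and Flags octets required")
    eap_type, flags = type_data[0], type_data[1]
    if eap_type != EAP_TYPE_FAST:
        raise ValueError(f"EAP type {eap_type} is not EAP-FAST (43)")
    if flags & RESERVED_MASK:
        raise ValueError("reserved flag bits must be zero")
    offset, message_length = 2, None
    if flags & FLAG_L:
        if len(type_data) < 6:
            raise ValueError("L bit set but Message length field missing")
        message_length = struct.unpack_from("!I", type_data, 2)[0]
        offset = 6
    data = type_data[offset:]
    if message_length is not None and message_length < len(data):
        raise ValueError("Message length smaller than data carried")  # bogus reassembly size
    return EapFastHeader(bool(flags & FLAG_L), bool(flags & FLAG_M), bool(flags & FLAG_S),
                         flags & VERSION_MASK, message_length, data)

def build_eap_fast(data: bytes, *, version: int = 1, start: bool = False,
                   more: bool = False, total_length: Optional[int] = None) -> bytes:
    """Build EAP-FAST Type-Data; L bit and Message length appear only when total_length is given."""
    flags = (version & VERSION_MASK) | (FLAG_S if start else 0) | (FLAG_M if more else 0)
    if total_length is None:
        return bytes([EAP_TYPE_FAST, flags]) + data
    return bytes([EAP_TYPE_FAST, flags | FLAG_L]) + struct.pack("!I", total_length) + data
```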
RFCs:
[RFC 4851] The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST).