EAP-FAST Advantage over LEAP

A.

EAP-FAST and LEAP are both Extensible Authentication Protocol (EAP) methods that are commonly used in wireless networks to authenticate clients to access points. However, they differ in their implementation and security features.

One advantage of EAP-FAST over LEAP is that EAP-FAST exchanges user credentials within a Transport Layer Security (TLS) tunnel, which provides an additional layer of security compared to LEAP. In contrast, LEAP exchanges credentials in clear text, which makes it vulnerable to offline dictionary attacks, where an attacker can try to guess passwords based on previously captured authentication information. EAP-FAST's use of TLS also provides protection against man-in-the-middle attacks, where an attacker intercepts and alters the authentication exchange.

Another advantage of EAP-FAST is that it allows for authenticated in-band Private Authorization Certificate (PAC) provisioning, which allows for the distribution of PACs securely. PACs are used in EAP-FAST to create a shared secret between the client and the authentication server, which is used for subsequent authentications. In contrast, LEAP uses anonymous in-band PAC provisioning, which can be transparent to the user but is less secure.

EAP-FAST also supports user and password changes using different authentication protocols, including MS-CHAPv2, One-Time Password (OTP), or Protected Access (PA). In contrast, LEAP only supports user and password changes when used with MS-CHAPv2.

Finally, EAP-FAST can work with two different 802.11 authentication algorithms, open EAP and network EAP, which provide more flexibility than LEAP, which is limited to the 802.11 authentication algorithm.

In summary, the advantages of EAP-FAST over LEAP include improved security through the use of TLS, authenticated in-band PAC provisioning, support for different authentication protocols for user and password changes, and greater flexibility in 802.11 authentication algorithms.