Cisco Systems Inc. on Tuesday released a new protocol for authentication in an effort to help protect customers from security deficiencies in existing protocols, chiefly one developed years ago by Cisco.
Known as EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling), the new protocol differs from Ciscos LEAP (Lightweight Extensible Authentication Protocol) in that it doesnt use digital certificates for authentication. Instead, EAP-FAST uses protected access credentials to establish an authenticated tunnel between a client and a server. Once the tunnel is in place, the client sends a username and password to the server to identify and authenticate itself.
This system is designed to guard against a variety of common attacks during the authentication process, including dictionary attacks and man-in-the-middle attacks, which are commonly used against networks employing LEAP.
LEAP is used mainly to authenticate users on wireless LANs, where the wireless access point serves as the RADIUS server.
Cisco, based in San Jose, Calif., has had EAP-FAST in development for some time and it has submitted the protocol to the Internet Engineering Task Force as an Internet-Draft. The company was spurred to make the protocol available now by the impending release of a tool for attacking EAP-protected networks. The tool, called Asleap, recovers weak LEAP passwords by performing a dictionary attack against them. This involves simply reading through a massive file of common words and trying them as the password.
The tools author, Joshua Wright, first discussed the problems with LEAP and his development of Asleap in a presentation at the Def Con 11 hacker conference last summer. Since then, he has refined the tool quite a bit.
In his documentation for Asleap, Wright says that Cisco asked him to delay the release of the tool until the company could finish testing and release EAP-FAST. He agreed and says he released Asleap last week in order to motivate Cisco customers to migrate away from LEAP.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: