The Elektron EAP-FAST service implements Cisco’s “Flexible Authentication via Secure Tunneling” protocol. This protocol builds on Cisco’s earlier experience with LEAP, which provides password-based authentication for wireless networks, but which doesn’t do so in a particularly secure manner.

EAP-FAST — like PEAP and TTLS — is a superset of the functionality provided by EAP-TLS. It authenticates users with a username and password protected by a TLS tunnel. EAP-FAST provides one significant advantage over the other TLS-tunneled EAP methods: its integration with TLS can significantly improve the performance of wireless authentication.

Under normal circumstances, a user must complete a full TLS handshake with the RADIUS server in order to authenticate herself. With EAP-FAST, however, this full handshake needs to take place only once. With the first authentication, the user is supplied with a secure token known as a Protected Access Credential (PAC). With future authentications, the user need only supply the PAC to gain access to the network, avoiding the full handshake.
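The PAC flow described above, as an added illustration that is not Elektron’s own code: a simplified model of the RFC 4851 PAC structure (PAC-Key shared with the client, a server-sealed PAC-Opaque carrying that key and its lifetime, and PAC-Info in the clear). The sealing uses an HMAC-SHA256 keystream and tag as a standard-library stand-in for the authenticated encryption a real server would use, and `tunnel_key` is a simplified stand-in for the T-PRF derivation; the master key, lifetime and identity are constructed values.

```python
import hashlib, hmac, secrets, struct
PAC_LIFETIME = 7 * 24 * 3600  # seconds; constructed example policy

def _keystream(key, nonce, n):
    # Counter-mode HMAC-SHA256 keystream: stdlib stand-in for real AEAD.
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _seal(key, body):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # forged or corrupted PAC-Opaque
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def issue_pac(master_key, identity, now):
    """Server: run once, after the full TLS handshake has authenticated the user.
    Returns (PAC-Key, PAC-Opaque, PAC-Info); only the master key stays server-side."""
    pac_key = secrets.token_bytes(32)
    expiry = now + PAC_LIFETIME
    opaque = _seal(master_key, struct.pack(">Q", expiry) + pac_key + identity.encode())
    return pac_key, opaque, {"identity": identity, "expiry": expiry}

def server_accept_pac(master_key, opaque, now):
    """Server: recover (PAC-Key, identity) from a presented PAC-Opaque, or None."""
    body = _unseal(master_key, opaque)
    if body is None or now >= struct.unpack(">Q", body[:8])[0]:
        return None  # tampered or expired: fall back to a full handshake
    return body[8:40], body[40:].decode()

def tunnel_key(pac_key, client_random, server_random):
    # Simplified stand-in for RFC 4851's T-PRF over the PAC-Key and both randoms.
    return hmac.new(pac_key, b"PAC to master secret" + server_random + client_random,
                    hashlib.sha256).digest()

def fast_reconnect(master_key, pac_key, opaque, now):
    """Later authentication: the client presents its PAC-Opaque; if the server
    accepts it, both sides derive the same tunnel key with no certificate exchange."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    accepted = server_accept_pac(master_key, opaque, now)
    if accepted is None:
        return None
    server_side = tunnel_key(accepted[0], client_random, server_random)
    client_side = tunnel_key(pac_key, client_random, server_random)
    return accepted[1] if hmac.compare_digest(server_side, client_side) else None
```

Because the PAC-Key travels inside the sealed PAC-Opaque, the server keeps no per-client state and a PAC is useless to anyone without the master key; an expired or altered PAC simply forces a full handshake again.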

EAP-FAST support is included in Mac OS X 10.4.8 and later, in Cisco client software, and in newer supplicants that implement the Cisco Compatible Extensions.

The single option available with EAP-FAST is to enable anonymous PAC provisioning. With this option selected, Elektron may not send its digital certificate to clients. This allows clients that don’t have any prior relationship to your Elektron server (i.e., they do not have the Elektron certificate authority certificate installed) to connect. The disadvantage is that the server cannot provide the client with a guarantee of the end-to-end security of the TLS connection, since a client without the CA certificate has no way to verify that it is provisioning against the genuine server. This only applies to the initial connection; subsequent connections are secure.