Extensible Authentication Protocol: Difference between revisions

Froggy (talk | contribs)
EAP Internet Key Exchange v. 2 (EAP-IKEv2): Describing the actual expected authentication combinations of IKEv2
Line 82:
|}
 
When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability where an attacker can intercept the PAC and use that to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase.
 
It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in {{IETF RFC|4851}} sec 7.4.4 so if a new user logs on the network from a device, a new PAC file must be provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then the device is validated on the network not the user.
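Review bot: the closing claim of the second paragraph, "This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode", carries no citation and its double negative is hard to parse. Source it or reword it, for example as "This is one reason why EAP-FAST is often run in insecure anonymous provisioning mode". In the same paragraph, "It is worth noting that" is filler. The sentence "This is a requirement in {{IETF RFC|4851}} sec 7.4.4 so if a new user logs on..." should be split at "so", and "the device is validated on the network not the user" needs a comma before "not". In the first paragraph, "slight vulnerability" is an unsourced qualifier for an issue the same sentence says can "compromise user credentials"; drop "slight" or cite a source for the severity.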