Cisco Systems has put its weight behind a new wireless security protocol to protect its proprietary but widely used EAP system.

The company has submitted a draft document to the IETF for a new Extensible Authentication Protocol type that's designed to fix security weaknesses in its proprietary Lightweight EAP, or LEAP, and calls it EAP Flexible Authentication via Secure Tunneling (EAP-FAST).

LEAP is Cisco's own authentication mechanism, used as part of an IEEE 802.1x authentication system, which is generally considered to be the emerging standard for network authentication.

Last year, LEAP security was compromised by various programs that enabled someone to guess a password while another person was logging onto a system with a dictionary program. Cisco's initial recommendations to worried users were:

  1. Use hard-to-guess passwords
  2. Use another existing EAP type, such as Protected EAP

But those other EAP types all require the use of a fairly complex digital certificate infrastructure to set up a secure tunnel between two ends of a network connection.

With EAP-FAST, Cisco has drafted a mechanism that looks and behaves like LEAP, but creates a PEAP-like tunnel without the use of certificates and infrastructure needed to support them, says Chris Bolinger, manager of product marketing for Cisco's wireless networking business unit.

It will be introduced into the Cisco Secure ACS security server and on Aironet wireless adapter cards, starting with the 350 series, in March, Bolinger says. The new type also is being released to partners in Cisco Compatability Extensions 3.0 specification. This spec outlines how to write software drivers that can work with parts of Cisco's operating system software. An array of third-party adapters and security products are expected to feature EAP FAST by fall, Bolinger says.