Cisco develops new EAP-FAST method for username/password authentication without certificates and without exposure to passive dictionary attacks

Cisco EAP-FAST (Flexible Authentication via Secure Tunneling) uses a pre-shared secret or a Diffie-Hellman key agreement exchange to mutually authenticate the client and the server and establish a protected tunnel, which defeats man-in-the-middle attacks. Once the tunnel is established, the secrets can also be changed, according to the draft of the standard submitted to the Internet Engineering Task Force (IETF).
The standard will be available as a free download for existing Cisco software at the end of March, and the company hopes to have it accepted alongside PEAP as a method of securing EAP without the overhead that PEAP involves. Cisco isn't abandoning PEAP, the company said, and will make the protocol available to its secure extensions partners, which include most chipmakers.
Interestingly, a systems engineer who has built a tool that automates dictionary attacks against Cisco's weak LEAP (Lightweight EAP) is quoted as agreeing to further delay the release of his tool because Cisco has continued to work on solving the problem through this new standard.