Problem configuring EAP-FAST with Active Directory

Unanswered Question
Feb 1st, 2007


I'm trying to configure EAP-FAST with WPA1 & 2 using AES or TKIP depending on the capabilities of the client hardware, using a WLC4402 and an ACS 4.0.1 Appliance. The customer wants to use Active Directory (Windows Database) to allow the Windows login credentials to be used to connect to the WLAN. I've installed the remote agent on a separate W2K server and as a result the ACS has visibility of the Domain. However, the customer's database is LDAP and EAP-FAST cannot auto-provision its PACs using this type of database.

What other options are there? Or do I need to use some other method? We don't want to go down the road of installing certificates on the network and clients if it can be helped.

I'm using the CSSC Supplicant on the clients.



a-vazquez Thu, 02/08/2007 - 07:13

Could you verify whether the AAA client in the ACS is configured properly?

dselfridge Thu, 02/08/2007 - 07:46

Yep, that is done. The client is the controller and the shared secrets match. I don't think it's a config issue; I think it is more to do with the fact that the ACS doesn't support using EAP-FAST with LDAP databases, and if that is so, is there another way of doing this (such as using the ACS internal database, for instance)?

The main feature the customer wants is to have single-sign-on for his windows clients and to not have the hassle of installing and maintaining certificates.

Vivek Santuka Fri, 02/09/2007 - 04:34


You have mentioned that the client wants to use Active Directory. In ACS, if you use the "Windows Database" option it will allow using EAP-FAST phase 0 and hence Automatic PAC Provisioning. If you have installed the Remote Agent then you are ready to use the "Windows Database" option.

If you use the Generic LDAP option in ACS to connect to AD then as you mentioned, Automatic PAC is not supported.

If the database is not Windows AD but is some other LDAP server, then you would have to use PEAP-GTC to avoid certificates on the clients (the client will have to be configured to not validate the server).



dselfridge Fri, 02/09/2007 - 07:04

Thanks Vivek,

I need to check the settings next time I'm on site to be sure, but I think that the ACS is configured for 'Windows Database'. I'll get back and let you know how I got on.



