Automatic pac provisioning failing

Unanswered Question
Mar 29th, 2007


I use ACS4.1, link to a active directory database. I configured the laptops to use EAP-FAST to get a secure wireless link to our lan.

If I use a manual pac, it works fine. But if I try to use the automatic pac provisioning, it doesn't work, always getting the "Do you want to accept this pac" over and over...

The laptop are windows xp professional.

If I use the cisco cards, the manual and automatic pac works fine.

Only when I use the wireless integrated wireless card, the Intel ProSet 3945abg is having problems with the automatic pac provisioning. I am at the latest version, 10.5 for the intel wilress drivers.

Did anyone have the same issue ?

Did anyone solved it ?

Many thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
bsiki Mon, 04/02/2007 - 02:58

I have the same issue.

IBM T41 with Intel PRO Wireless 2100B with ThinkVantage Access Connections v4.23 work with any version of ACS.

HP with Intel PRO Wireless 2200BG with Intel PRO Wireless Software works only with ACS 4.0.

dancampb Mon, 04/02/2007 - 17:31

If you are using the wireless LAN controller you need to increase the default EAP timers. This can be done through the CLI with config advanced eap.., Change the identity-request-timeout and request-timeout to 20.

rduke Wed, 04/18/2007 - 09:38

This is probably not your problem because I have different radius servers; however, you might want to give it a try. I have both TTLS and EAP-FAST enabled on my wireless network, and I kept having the same problem with the PAC popping up over and over again (a very frustrating problem so I feel your pain). Anyhow, for some reason, it worked OK when I omitted the domain name in the login for EAP fast. I don't know why.

R Duke

gauthier Wed, 04/18/2007 - 09:48

Finnaly mine is working fine...

At the trial version 4.0, it was working fine.

Here is what I modified for it to work:

On the ACS 4.1:

Generate a self sign certificate.Once the certificate is installed restart the

services (from System Configuration->Service Control) and then enable

"Allow Authenticated in-band PAC provisioning" and "Accept client on

authenticated provisioning".

System Configuration->Global Authentication->EAP-FAST Configuration and check the following :-

1. "Allow EAP-Fast" is selected

2. Allow anonymous in-band PAC provisioning is selected

3. "Allow authenticated in-band PAC provisioning" and "Accept client on authenticated provisioning" is selected

4. "Require client certificate for provisioning" is NOT selected

5. Most Importantly "Allow Machine Authentication" is selected

6. Under "Allowed Inner Methods" EAP-GTC and EAP-MSCHAPv2 should be selected

7. "EAP-Fast master server" should be selected.

On the client side ensure that "Validate Server Certificate" is unchecked.

Glade it is working fine now.

bsiki Fri, 04/27/2007 - 03:27

I still have the same issue.

I'm using the AP1100 and appliance 1113.

With ACS4.0 Intel wireless 2200BG works fine but with ACS4.1 not.

These are trace from Intel Wireless Event Viewer:



This Discussion