NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

Unanswered Question

Hi!

Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?

I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:

Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)

Access-Reject

CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".

So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect the user's identity during the phase 0 / phase 1 transactions. The actual username is sent in the phase 2 transaction.

The following is an excerpt from the CS ACS documentation:

"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."

SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe.

So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?

Any help is greatly appreciated.

scadora Tue, 03/18/2008 - 10:26

I have this working using SSC & ACS 4.1.4.

Check your CSAuth.log file. The Failed Attempt Report may show the outer-id (anonymous), but CSAuth.log should show the inner-id that failed authentication. You should see stuff like this:

AuthenProcessResponse: process response for 'anonymous'

EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')

In this case "Administrator" would be the inner id that (in your case) could not be found in the internal ACS database.

Hope that helps,

Shelly
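As an added example (not from the thread, Cisco or the ACS product), a small Python helper that reads CSAuth.log-style lines in the format quoted above and pairs each outer (phase 1) identity with the inner (phase 2) identity that follows it, so that "anonymous" entries in the Failed Attempts Report can be traced back to the real user. The log excerpt is constructed for illustration and omits the timestamp and thread prefixes a real CSAuth.log line carries.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the two CSAuth.log lines quoted above.
# Not a real capture; real lines carry a timestamp/thread prefix that the
# regexes below tolerate because they search anywhere in the line.
SAMPLE_LOG = """\
AuthenProcessResponse: process response for 'anonymous'
EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')
AuthenProcessResponse: process response for 'anonymous'
EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'jdoe')
AuthenProcessResponse: process response for 'anonymous'
EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')
"""

# Outer identity as seen in the RADIUS User-Name (phase 0/1, unprotected).
OUTER_RE = re.compile(r"process response for '([^']*)'")
# Inner identity carried inside the EAP-FAST tunnel (phase 2, protected).
INNER_RE = re.compile(r"EAP-FAST: INNER: .*User Identity = '([^']*)'")


def pair_identities(log_text: str) -> List[Tuple[str, str]]:
    """Return (outer_id, inner_id) pairs in log order.

    An outer identity is paired with the first inner identity that follows it;
    an outer identity with no inner line (tunnel never reached phase 2) is dropped.
    """
    pairs: List[Tuple[str, str]] = []
    pending_outer = None
    for line in log_text.splitlines():
        m = OUTER_RE.search(line)
        if m:
            pending_outer = m.group(1)
            continue
        m = INNER_RE.search(line)
        if m and pending_outer is not None:
            pairs.append((pending_outer, m.group(1)))
            pending_outer = None
    return pairs


def inner_counts(log_text: str, outer_id: str = "anonymous") -> Dict[str, int]:
    """Count how often each inner identity hides behind the given outer identity."""
    counts: Dict[str, int] = {}
    for outer, inner in pair_identities(log_text):
        if outer == outer_id:
            counts[inner] = counts.get(inner, 0) + 1
    return counts


if __name__ == "__main__":
    for inner, n in sorted(inner_counts(SAMPLE_LOG).items()):
        print(f"outer 'anonymous' -> inner '{inner}': {n} attempt(s)")
```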

oysteins Fri, 08/15/2008 - 05:31

Hi

Did you solve this issue? I have the same issue with EAP-FAST on 7921 phones, WiSM and ACS version 4.2.

Regards
