NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

Unanswered Question

Hi!


Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?


I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:


Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)

Access-Reject


CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".


So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.


The following is excerpt from the CS ACS documentation:


"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."


SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe


So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?


Any help is greatly appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion