7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Answered Question
Oct 9th, 2008

I am trying to do anonymous PAC provisioning to some new 7921 phones with ACS 4.2.0.124.6.


I have created a user & pwd on the phone, and added this user to ACS.


I have configured the WLC, ACS & phone as per the 7921 deployment guide (though there are a few more options now in ACS 4.2).


When the phone tries to initially authenticate with ACS, I see failed logins on ACS for the user 'anonymous'. I assume that this is something to do with the PAC provisioning (phase 0 failure etc.).


But all I see is continuous login failures on ACS, and no PAC provisioning occurs.


Is there maybe some other setting I'm missing? Anyone else see a similar issue when trying to do this?


TIA.


Nigel.

Correct Answer by Scott Fella about 8 years 8 months ago

Here is a screen shot of the wlan



Scott Fella Thu, 10/09/2008 - 10:49

Post a screen shot of your EAP-FAST Configuration on ACS along with a screen shot of your group or the user info.

Scott Fella Thu, 10/09/2008 - 10:56

Here is how I had it set up. Hope it helps.



Attachment: 
Correct Answer
Scott Fella Thu, 10/09/2008 - 11:00

Here is a screen shot of the wlan



Attachment: 
Nigel Bowden Thu, 10/09/2008 - 11:14

Thanks very much for taking the time to post this info, I really appreciate it.


I'll check it out again tomorrow when I get in to work and let you know how it goes.


Regards


Nigel.

Nigel Bowden Tue, 10/14/2008 - 13:47

Yes, those settings worked fine.


One other thing which I also think caused an issue was the client exclusion, which I disabled. The authentication has to fail before the provisioning can take place, and I think this setting on the WLAN may also have caused an issue.


Thanks again.


Nigel.


kristjan.edvardsson Wed, 02/18/2009 - 01:06

Hi Nigel, hope this doesn't come too late. I was just browsing and I just hit this bug CSCsw88545 and it matches your description too. I was using local EAP on WLC and the same 7921 phones and EAP-FAST. But it was working with this anonymous user entry but when trying to roam I got "username not found" on WLC. Cisco claims that there is no workaround since everything works on a single access point. But I have let them know that when roaming this will fail. So my workaround while waiting for a fix was to use LEAP temporarily and that worked just fine for fast-secure-roaming.

da.beaver Tue, 06/09/2009 - 06:55

Here is something I ran into regarding EAP-FAST and my 7921s not authenticating. I had to set the EAP-FAST timeouts to higher values due to the version of code I'm running, which is 4.2.130.0. I added these commands and it started working.


config advanced eap identity-request-timeout 60
config advanced eap identity-request-retries 20
config advanced eap request-timeout 60
config advanced eap request-retries 10
config advanced eap eapol-key-timeout 5
config advanced eap eapol-key-retries 4


This solved the EAP-FAST timeout issues.

Dave
