7921 EAP-FAST PAC Provisioning Issue (ACS

Answered Question
Oct 9th, 2008

I am trying to do anonymous PAC provisioning to some new 7921 phones with ACS

I have created a user & pwd on the phone, and added this user to ACS.

I have configured the WLC, ACS & phone as per the 7921 deployment guide (though there are a few more options now in ACS 4.2).

When the phone tries to intially authenticate with ACS, I see failed logins on ACS for the user 'anonymous'. I assume that this is something to do with the PAC provisioning (phase 0 failure etc.).

But all I see is continuous login failures on ACS, and no PAC provisioning occurs.

Is there maybe some other setting I'm missing? Anyone else see a similar issue when trying to do this?



Correct Answer by Scott Fella about 8 years 4 months ago

Here is a screen shot of the wlan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Scott Fella Thu, 10/09/2008 - 10:49

Post a screen shot of your EAP-FAST Configuration on ACS along with a screen shot of your group or the user info.

Nigel Bowden Thu, 10/09/2008 - 11:14

Thanks very much for taking the time to post this info, I really appreciate it.

I'll check it out again tomorrow when I get in to work and let you know how it goes.



Nigel Bowden Tue, 10/14/2008 - 13:47

Yes, those settings worked fine.

One other thing which I also think caused an issue was the client exclusion, which I disabled. The authentication has to fail before the provisioning can take place, and I think this setting on the WLAN may also have caused an issue.

Thanks again.


kristjan.edvardsson Wed, 02/18/2009 - 01:06

Hi Nigel, hope this doesn't come to late. I was just browsing and I just hit this bug

CSCsw88545 and it matches your description too. I was using local EAP on WLC and the same 7921 phones and EAP-FAST. But it was working with this anonymous user entry but when trying to roam I got "username not found" on WLC. Cisco claims that there is no workaround since everything works on a single access point. But I have let them know that when roaming this will fail. So my workaround while waiting for a fix was to use LEAP temporarily and that worked just fine for fast-secure-roaming.

da.beaver Tue, 06/09/2009 - 06:55

Here is something I ran into regarding EAP-FAST and my 7921's not authenticating. I had to set the EAP-FAST timeouts to higher values due to the version of code i'm running which is I added these commands and it started working.

config advanced eap identity-request-timeout 60

config advanced eap identity-request-retries 20

config advanced eap request-timeout 60

config advanced eap request-retries 10

config advanced eap eapol-key-timeout 5

config advanced eap eapol-key-retries 4

This solved the EAP-FAST timeout issues.



This Discussion



Trending Topics - Security & Network