7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Nigel Bowden
Level 2

I am trying to do anonymous PAC provisioning to some new 7921 phones with ACS 4.2.0.124.6.

I have created a user & pwd on the phone, and added this user to ACS.

I have configured the WLC, ACS & phone as per the 7921 deployment guide (though there are a few more options now in ACS 4.2).

When the phone tries to initially authenticate with ACS, I see failed logins on ACS for the user 'anonymous'. I assume that this is something to do with the PAC provisioning (phase 0 failure etc.).

But all I see is continuous login failures on ACS, and no PAC provisioning occurs.

Is there maybe some other setting I'm missing? Anyone else see a similar issue when trying to do this?

TIA.

Nigel.

1 Accepted Solution

Here is a screen shot of the wlan

-Scott
*** Please rate helpful posts ***

7 Replies

Scott Fella
Hall of Fame

Post a screen shot of your EAP-FAST Configuration on ACS along with a screen shot of your group or the user info.

-Scott
*** Please rate helpful posts ***

Here is how I had it setup. Hope it helps.

-Scott
*** Please rate helpful posts ***

Here is a screen shot of the wlan

-Scott
*** Please rate helpful posts ***

Thanks very much for taking the time to post this info, I really appreciate it.

I'll check it out again tomorrow when I get in to work and let you know how it goes.

Regards

Nigel.

Yes, those settings worked fine.

One other thing which I also think caused an issue was the client exclusion, which I disabled. The authentication has to fail before the provisioning can take place, and I think this setting on the WLAN may also have caused an issue.

Thanks again.

Nigel.

Hi Nigel, hope this doesn't come too late. I was just browsing and I just hit this bug CSCsw88545 and it matches your description too. I was using local EAP on WLC and the same 7921 phones and EAP-FAST. But it was working with this anonymous user entry but when trying to roam I got "username not found" on WLC. Cisco claims that there is no workaround since everything works on a single access point. But I have let them know that when roaming this will fail. So my workaround while waiting for a fix was to use LEAP temporarily and that worked just fine for fast-secure-roaming.

Here is something I ran into regarding EAP-FAST and my 7921s not authenticating. I had to set the EAP-FAST timeouts to higher values due to the version of code I'm running, which is 4.2.130.0. I added these commands and it started working.

config advanced eap identity-request-timeout 60

config advanced eap identity-request-retries 20

config advanced eap request-timeout 60

config advanced eap request-retries 10

config advanced eap eapol-key-timeout 5

config advanced eap eapol-key-retries 4

This solved the EAP-FAST timeout issues.

Dave
