EAP-FAST PAC provisioning fails on 350 series adaptors

Oct 13th, 2008

We are migrating from an autonomous wireless infrastructure to Unified infrastructure and have come across an issue with clients unable to automatically provision a PAC.

The same ACS server is being used for authentication and EAP-FAST has been working for a number of years now. Upon a failure, the client (ACU 6.4) says "provisioning failed" whilst the ACS failed attempts log says "EAP-TLS or PEAP authentication failed during SSL handshake".

If I take the client PC into an area where the old infrastructure has coverage the client provisions fine and authenticates. If I then bring the client back into the new coverage area it authenticates fine. It appears it's just the PAC provisioning that is failing.

Interestingly, newer CB21 cards which are ABG provision fine. Anybody else had problems like this?

ACS is v3.3

ACU is v6.4

WLC is 5.1.151.0

APs are 1240's

didyap Mon, 10/20/2008 - 12:21

If the ACS's certificate on the wireless client is invalid (which depends on the certificate's valid "from" and "to" dates, the client's date and time settings, and CA trust), then the client will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." The expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2003 14:56:41 E 0345 1644 EAP: buildEAPRequestMsg: other side probably didn't accept our certificate

For the further procedure, the following URL may help you:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

richard-hughes Tue, 10/21/2008 - 06:21

If the ACS certificate was invalid, I would expect all clients on the old wireless infrastructure to start failing but this is not the case.

Have now also increased the logging on the ACS server and captured the error;

"EAP: EAP-FAST: ProcessResponse: SSL handshare failed, status = 3 (SSL alert fatal:bad record mac)"
