Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

Mar 9th, 2009

Hello,

I cannot authenticate IP-phone when I use internal WLC-radius with a profile "eap-fast".


The error message I received on a debug is:

*Mar 09 03:15:09.765: Unable to find requested user entry for anonymous

But of course there is a user configured on my ipphone!


Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)

Note2: When I use LEAP it is OK

Note3: When I try with my PC to authenticate in eap-fast with internal WLC radius, it is OK.


See attachment for more detail.


Many thanks in advance.



Michel Misonne



mmisonne Tue, 03/10/2009 - 09:00

Hi,


I do it exactly like the procedure described. The User and password exist in my profile!


And if I change "EAP-Fast" to "LEAP" simultaneously in my ip-phone profile and in my WLC-internal-radius-profile, it works. So the user and password do exist.


In case there is a bug somewhere, can I use LEAP in place of EAP-Fast without degradation?


Regards.



Michel Misonne


a01harda Wed, 03/11/2009 - 10:10

Hello,

You may need to change some EAP timeouts on the controller. The phone may not be accepting the PAC quickly enough.


config advanced eap identity-request-timeout 120

config advanced eap identity-request-retries 20

config advanced eap request-timeout 120

config advanced eap request-retries 20

save config

Stephen Rodriguez Thu, 08/18/2011 - 07:38

ABSOLUTELY DO NOT DO THIS!

config advanced eap identity-request-timeout 120

config advanced eap identity-request-retries 20

config advanced eap request-timeout 120

config advanced eap request-retries 20


This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart


Please take a look at

https://supportforums.cisco.com/docs/DOC-12110


config advanced eap identity-request-timeout 5

config advanced eap identity-request-retries 12

config advanced eap request-timeout 5

config advanced eap request-retries 12


would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.


HTH,

Steve

kristjan.edvardsson Thu, 08/18/2011 - 07:34

I ran into this same bug. 7921 EAP-FAST and WLC with localradius. The phone works fine on first AP but when it roams it uses its outer identity (anonymous) and the WLC doesn't accept it as a cached CCKM user and denies. The WLC is to blame because it should cache the inner username and use it. I had to change to LEAP as a temporary solution.
