EAP-FAST authentication issue

Aug 24th, 2009

The following is the setup.


WLC 4404 running 5.2.178.0 code. 1142N LAPs. ACS ver 3.2 is the RADIUS server and is tied to AD.


I tested with three different models of laptops; two worked and one did not. The first laptop that worked: IBM (not on domain) with WinXP Pro and Intel wireless NIC. Used Intel ProSet utility with a user in the domain. The second laptop that worked: Dell with Vista and also Intel NIC. This laptop was part of the domain; it also worked. The laptop that is not working (LEAP does work though) is an HP/Compaq with WinXP Pro and Broadcom wireless NIC. This laptop is also in the domain. I'm using the Broadcom wireless utility. I tried different versions of the utility but with no success. The ACS Failed Attempt log says the PAC has been provisioned to the user under the Authentication failure reason. The WLC shows authentication failed. Attached is a 'debug aaa events' from the WLC.



dancampb Tue, 08/25/2009 - 05:03
User Badges: Cisco Employee

Try extending the default EAP timers. We find they are often too aggressive for EAP types that create a tunnel during the first phase, such as EAP-FAST, PEAP, and EAP-TLS.


config advanced eap identity-request-timeout 10

!

config advanced eap request-timeout 10

alexjr Tue, 08/25/2009 - 11:49

I changed the timers and I still get an authentication failure in the controller. The ACS says: EAP-FAST user was provisioned with new PAC.


Does the ACS version matter?


Thanks for your help!
