EAP-FAST Authentication Issue with Wireless 7925G Phones

Unanswered Question


I have a wireless network configured for a Unified Wireless Voice solution and have started to see some anomolies regarding the EAP-FAST authentication.

I currently have a Wireless Services Module (WiSM) installed into a Catalyst 6509. The software running on the WiSM is and we are authenticating the 7925 handsets using WPA2 (EAP-FAST). The handsets are being authenticated against a Cisco ACS Applicance (version 4.1).

The ACS has a Self-Signed Certificate installed and is doing automatic PAC provisioning.

The issue we are seeing is on the WiSM I have an error message as follows;

AAA Authentication Failure for UserName:anonymous  User Type: WLAN USER

And I can see on the ACS Server in the Failed Attempts log an Authentication Failure against the Username: anonymous. The Auth Failure Code is; ACS MSCHAP password is invalid

I thought that maybe the EAP timeout values could need changing so have set them to the following;

config advanced eap identity-request-timeout 60
config advanced eap identity-request-retries 20
config advanced eap request-timeout 60
config advanced eap request-retries 10
config advanced eap eapol-key-timeout 5
config advanced eap eapol-key-retries 4

I was also reading some other tech notes and blogs about a bug CSCsw88545 but this suggests this is authenticating against a local WLC.

Any suggestions would be helpful



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
dancampb Tue, 12/15/2009 - 07:27
User Badges:
  • Cisco Employee,

Are the phones authenticating to the WLAN but you are just seeing the entries in the failed attempt log or are they not authenticating at all?

Seeing the failed attempt with annonymous is normal.  During the PAC provisioning of EAP-FAST you will see a failed attempt with the username of annonymous.

rrmvvazquez Fri, 12/18/2009 - 14:53
User Badges:

The authentication process might need more time. The settings below are what TAC provided me to fix a similar issue but with the older handsets.

EAP-Identity-Request Timeout (seconds)........... 120
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP-Request Timeout (seconds).................... 120
EAP-Request Max Retries.......................... 20

Good luck.


This Discussion



Trending Topics - Security & Network