EAP-FAST and Windows 7 Wireless Authentication Issues

Unanswered Question
Feb 1st, 2010

I am experiencing some authentication issues with our users who are being migrated to Windows 7. I currently am running 6.0.182 on our 4404 controllers with 1242 APs. I am also running 2 ACS 1113 Radius servers along with a server running ACS 4.1 configured with the Remote Agent for the 2 ACS appliances. I am running WPA2 encryption with EAP-FAST authentication. I have adjusted the EAP timeout on the controllers to 30 seconds. I can switch the authentication method to LEAP and that works most of the time. If that doesn't work then a reboot of the AP will generally fix the issue for a short time.


Most clients are using Dell E6400 laptops with Broadcom wireless NICs. The laptops are running the latest drivers for Windows 7 and are configured correctly. Some clients get on fine and others absolutely will not connect. They are repeatedly prompted about accepting the PAC file and will not connect. Eventually the system assigns itself the generic 169.254.x.x address.


Is anyone having similar issues with EAP-FAST and Windows 7?

PaulGirard Wed, 02/23/2011 - 07:41

I recently ran into this issue. What I found, although not that technical: if the user is prompted for the PAC and does not accept, I had a hard time getting them to authenticate afterwards. I was able to remove the user from the AAA server and once I added them back in they were able to authenticate with no issues. Again, this is a very basic finding and I have not had time to test my theory. I believe it has something to do with the way AAA caches the user account; perhaps there is a denial of service or time-wait before the next login attempt is permitted. If you are using AD and not local accounts, use the option on the Radius server to Remove Dynamic Users.


Hardware used: Version 7.0...5508 WLC, 3500i APs, WCS, MSE, Cisco ACS/Radius 4.2 WPA2, 802.1x, EAP-FAST

simonwynn Wed, 03/09/2011 - 10:40

I'm curious if the original poster figured out what is going on? I have Windows 7 clients (Dells) and they work fine for a few days, then ask for the PAC file again. I had to move them to LEAP. I have all the most up to date Dell software (basically the Cisco EAP host plugin).


Simon

Using basically the same method, I believe:


2 x Cisco Secure ACS servers

Cisco 4400 series WLC at each site, SSID is configured with WEP encryption, EAP-FAST


Local:

Dell laptops (normally Latitude D620/D630s, but some newer) running Windows 7.  All are using the Cisco EAP-FAST plugin, installed in automated fashion via MSI.


We have made no changes to our infrastructure, and Windows XP clients using the Broadcom Wireless Client for Dell are connecting fine.  The clients using the Cisco EAP-FAST plugin connect OK, but often get repeatedly requested to get a new PAC file, sometimes 50-100 times an hour.


Is there any workaround for this at all?    
