Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

ovt Bronze
Bronze

NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

Hi!

Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?

I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:

Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)

Access-Reject

CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".

So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.

The following is excerpt from the CS ACS documentation:

"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."

SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe

So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?

Any help is greatly appreciated.

2 REPLIES
Cisco Employee

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

I have this working using SSC & ACS 4.1.4.

Check your CSAuth.log file. The Failed Attempt Report may show the outer-id (anonymous), but CSAUth.log should show the inner-id that failed authentication. You should see stuff like this:

AuthenProcessResponse: process response for 'anonymous'

EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')

In this case "Administrator" would be the inner id that (in your case) could not be found in the internal ACS database.

Hope that helps,

Shelly

New Member

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

Hi

Did you solve this issue? I have the same issue with EAP-FAST on 7921 phones, WISM and ACS version 4.2

Regards

199
Views
0
Helpful
2
Replies
CreatePlease login to create content