Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
504
Views
0
Helpful
2
Replies

NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

ovt
Level 4
Level 4

‎03-17-2008 09:34 AM - edited ‎03-10-2019 03:43 PM

Hi!

Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?

I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:

Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)

Access-Reject

CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".

So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.

The following is excerpt from the CS ACS documentation:

"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."

SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe

So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?

Any help is greatly appreciated.

Labels:
0 Helpful
2 Replies 2

scadora
Cisco Employee
Cisco Employee

‎03-18-2008 10:26 AM

I have this working using SSC & ACS 4.1.4.

Check your CSAuth.log file. The Failed Attempt Report may show the outer-id (anonymous), but CSAUth.log should show the inner-id that failed authentication. You should see stuff like this:

AuthenProcessResponse: process response for 'anonymous'

EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')

In this case "Administrator" would be the inner id that (in your case) could not be found in the internal ACS database.

Hope that helps,

Shelly

0 Helpful

oysteins
Level 1
Level 1

‎08-15-2008 05:31 AM

Hi

Did you solve this issue? I have the same issue with EAP-FAST on 7921 phones, WISM and ACS version 4.2

Regards

0 Helpful
Customers Also Viewed These Support Documents