Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

350 series adaptor cards unable to PAC Provision

We are migrating from an autonomous wireless infrastructure to Unified infrastructure and have come across an issue with clients unable to automatically provision a PAC.

The same ACS server is being used for authentication and eap-fast has been working for a number of years now. Upon a failure, the client (ACU 6.4) says "provisioning failed" whilst the ACS failed attempt logs says "EAP-TLS or PEAP authentication failed during SSL handshake"

If I take the client PC into an area where the old infrastructure has coverage the client provisions fine and authenticates. If I then bring the client back into the new coverage area it authenticates fine. It appears it's just the PAC provisioning that is failing.

Interestingly, newer CB21 cards which are ABG provision fine. Anybody else had problems like this?

ACS is v3.3

ACU is v6.4

WLC is

APs are 1240's

Community Member

Re: 350 series adaptor cards unable to PAC Provision

As the newer CB21 cards are working fine without any provisioning issues check the configuration on the client card having the issue and make sure it is the same as the config on the working card. Also try upgrading the client software on the card. This may resolve the issue. The error message "EAP-TLS or PEAP authentication failed during SSL handshake” may be due to certificate being invalid in the ACS.

Community Member

Re: 350 series adaptor cards unable to PAC Provision

Cisco TAC requested me to increase certain timers on the Wireless LAN Controllers to try and resolve the problem.

This has now fixed the issue and 350 series clients can now PAC provision as normal.

The timers changed were;

Config advanced eap identity-request-timeout 120

Config advanced eap identity-request-retries 20

Config advanced eap request-timeout 120

Config advanced eap request-retries 20

CreatePlease to create content