New Member

Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

Hello,

I cannot authenticate the IP phone when I use the internal WLC RADIUS with a profile "eap-fast".

The error message I received in a debug is:

*Mar 09 03:15:09.765: Unable to find requested user entry for anonymous

But of course there is a user configured on my IP phone!

Note 1: I use a WLC with version: AIR-4400-K9-5-1-163-0 (AES)

Note 2: When I use LEAP it is OK.

Note 3: When I try with my PC to authenticate in EAP-FAST with the internal WLC RADIUS, it is OK.

See the attachment for more detail.

Many thanks in advance.

Michel Misonne

5 REPLIES
Hall of Fame Super Gold

Re: Cannot use IP-phone-7921 with EAP-Fast using internal WLC Ra

Have a browse at this link:

Cisco Unified Wireless IP Phone 7921 Security Configuration

https://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan_ch10.html#wp1048306

New Member

Re: Cannot use IP-phone-7921 with EAP-Fast using internal WLC Ra

Hi,

I did it exactly like the procedure described. The user and password exist in my profile!

And if I change "EAP-Fast" to "LEAP" simultaneously in my IP phone profile and in my WLC internal RADIUS profile, it works. So the user and password do exist.

In case there is a bug somewhere, can I use LEAP in place of EAP-Fast without degradation?

Regards.

Michel Misonne

New Member

Re: Cannot use IP-phone-7921 with EAP-Fast using internal WLC Ra

Hello,

You may need to change some EAP timeouts on the controller. The phone may not be accepting the PAC quickly enough.

config advanced eap identity-request-timeout 120

config advanced eap identity-request-retries 20

config advanced eap request-timeout 120

config advanced eap request-retries 20

save config

Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

ABSOLUTELY DO NOT DO THIS!

config advanced eap identity-request-timeout 120

config advanced eap identity-request-retries 20

config advanced eap request-timeout 120

config advanced eap request-retries 20

This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart

Please take a look at

https://supportforums.cisco.com/docs/DOC-12110

config advanced eap identity-request-timeout 5

config advanced eap identity-request-retries 12

config advanced eap request-timeout 5

config advanced eap request-retries 12

would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.

HTH,

Steve
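
Added example (not part of any post in this thread): a small Python check that reads the `config advanced eap` lines quoted above and computes the worst-case window per phase as retries × timeout, the same arithmetic the reply above uses. The 60-second budget and all function names are assumptions made for illustration.

```python
import re

# Matches the four WLC CLI lines quoted in this thread, e.g.
# "config advanced eap identity-request-timeout 120"
_EAP_LINE = re.compile(
    r"^\s*config\s+advanced\s+eap\s+"
    r"(identity-request|request)-(timeout|retries)\s+(\d+)\s*$"
)

def parse_eap_settings(config_text):
    """Return {phase: {"timeout": int, "retries": int}} for the lines present."""
    settings = {}
    for line in config_text.splitlines():
        m = _EAP_LINE.match(line)
        if m:  # unrelated lines such as "save config" are ignored
            phase, key, value = m.group(1), m.group(2), int(m.group(3))
            settings.setdefault(phase, {})[key] = value  # last occurrence wins
    return settings

def worst_case_seconds(settings):
    """Per-phase retries * timeout. A phase missing either value is
    reported as None instead of guessing a controller default."""
    result = {}
    for phase, vals in settings.items():
        if "timeout" in vals and "retries" in vals:
            result[phase] = vals["timeout"] * vals["retries"]
        else:
            result[phase] = None
    return result

def over_budget(config_text, budget_seconds=60):
    """Phases whose worst-case window exceeds budget_seconds (assumed limit)."""
    windows = worst_case_seconds(parse_eap_settings(config_text))
    return sorted(p for p, s in windows.items()
                  if s is not None and s > budget_seconds)

def _block(timeout, retries):
    # Rebuilds the four-line settings block as it appears in the thread.
    return "\n".join(
        f"config advanced eap {phase}-{key} {val}"
        for phase in ("identity-request", "request")
        for key, val in (("timeout", timeout), ("retries", retries))
    ) + "\nsave config\n"

FIRST_SUGGESTION = _block(120, 20)   # values from the earlier reply
SECOND_SUGGESTION = _block(5, 12)    # values from the reply above

if __name__ == "__main__":
    for name, text in (("120 x 20", FIRST_SUGGESTION), ("5 x 12", SECOND_SUGGESTION)):
        print(name, worst_case_seconds(parse_eap_settings(text)), over_budget(text))
```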


Re: Cannot use IP-phone-7921 with EAP-Fast using internal WLC Ra

I ran into this same bug. 7921 EAP-FAST and WLC with local RADIUS. The phone works fine on the first AP, but when it roams it uses its outer identity (anonymous) and the WLC doesn't accept it as a cached CCKM user and denies it. The WLC is to blame because it should cache the inner username and use it. I had to change to LEAP as a temporary solution.
