Cisco Support Community
ovt Bronze

NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net


Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?

I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:

Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)


CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".

So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.

The following is excerpt from the CS ACS documentation:

"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."

SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe

So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?

Any help is greatly appreciated.

CreatePlease to create content