10-09-2008 10:06 AM - edited 07-03-2021 04:35 PM
I am trying to do anonymous PAC provisioning to some new 7921 phones with ACS 4.2.0.124.6.
I have created a user & pwd on the phone, and added this user to ACS.
I have configured the WLC, ACS & phone as per the 7921 deployment guide (though there are a few more options now in ACS 4.2).
When the phone tries to initially authenticate with ACS, I see failed logins on ACS for the user 'anonymous'. I assume that this is something to do with the PAC provisioning (phase 0 failure etc.).
But all I see is continuous login failures on ACS, and no PAC provisioning occurs.
Is there maybe some other setting I'm missing? Anyone else see a similar issue when trying to do this?
TIA.
Nigel.
10-09-2008 11:00 AM
Here is a screen shot of the wlan
10-09-2008 10:49 AM
Post a screen shot of your EAP-FAST Configuration on ACS along with a screen shot of your group or the user info.
10-09-2008 10:56 AM
10-09-2008 11:14 AM
Thanks very much for taking the time to post this info, I really appreciate it.
I'll check it out again tomorrow when I get in to work and let you know how it goes.
Regards
Nigel.
10-14-2008 01:47 PM
Yes, those settings worked fine.
One other thing which I also think caused an issue was the client exclusion, which I disabled. The authentication has to fail before the provisioning can take place, and I think this setting on the WLAN may also have caused an issue.
Thanks again.
Nigel.
02-18-2009 01:06 AM
Hi Nigel, hope this doesn't come too late. I was just browsing and I just hit this bug CSCsw88545 and it matches your description too. I was using local EAP on WLC and the same 7921 phones and EAP-FAST. But it was working with this anonymous user entry but when trying to roam I got "username not found" on WLC. Cisco claims that there is no workaround since everything works on a single access point. But I have let them know that when roaming this will fail. So my workaround while waiting for a fix was to use LEAP temporarily and that worked just fine for fast-secure-roaming.
06-09-2009 06:55 AM
Here is something I ran into regarding EAP-FAST and my 7921s not authenticating. I had to set the EAP-FAST timeouts to higher values due to the version of code I'm running, which is 4.2.130.0. I added these commands and it started working.
config advanced eap identity-request-timeout 60
config advanced eap identity-request-retries 20
config advanced eap request-timeout 60
config advanced eap request-retries 10
config advanced eap eapol-key-timeout 5
config advanced eap eapol-key-retries 4
This solved the EAP-FAST timeout issues.
Dave