Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

I am trying to do anonymous PAC provisioning to some new 7921 phones with ACS 4.2.0.124.6.

I have created a user & pwd on the phone, and added this user to ACS.

I have configured the WLC, ACS & phone as per the 7921 deployment guide (though there are a few more options now in ACS 4.2).

When the phone tries to intially authenticate with ACS, I see failed logins on ACS for the user 'anonymous'. I assume that this is something to do with the PAC provisioning (phase 0 failure etc.).

But all I see is continuous login failures on ACS, and no PAC provisioning occurs.

Is there maybe some other setting I'm missing? Anyone else see a similar issue when trying to do this?

TIA.

Nigel.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Here is a screen shot of the wlan

-Scott
*** Please rate helpful posts ***
7 REPLIES
Hall of Fame Super Silver

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Post a screen shot of your EAP-FAST Configuration on ACS along with a screen shot of your group or the user info.

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Here is how I had it setup. Hope it helps.

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Here is a screen shot of the wlan

-Scott
*** Please rate helpful posts ***
New Member

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Thanks very much for taking the time to post this info, I really appreciate it.

I'll check it out again tomorrow when I get in to work and let you know how it goes.

Regards

Nigel.

New Member

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Yes, those settings worked fine.

One other thing which I also think caused an issue was the client exclusion, which I disabled. The authentication has to fail before the provisioning can take place, and I think this setting on the WLAN may also have caused an issue.

Thanks again.

Nigel.

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Hi Nigel, hope this doesn't come to late. I was just browsing and I just hit this bug

CSCsw88545 and it matches your description too. I was using local EAP on WLC and the same 7921 phones and EAP-FAST. But it was working with this anonymous user entry but when trying to roam I got "username not found" on WLC. Cisco claims that there is no workaround since everything works on a single access point. But I have let them know that when roaming this will fail. So my workaround while waiting for a fix was to use LEAP temporarily and that worked just fine for fast-secure-roaming.

New Member

Re: 7921 EAP-FAST PAC Provisioning Issue (ACS 4.2.0.124.6)

Here is something I ran into regarding EAP-FAST and my 7921's not authenticating. I had to set the EAP-FAST timeouts to higher values due to the version of code i'm running which is 4.2.130.0. I added these commands and it started working.

config advanced eap identity-request-timeout 60

config advanced eap identity-request-retries 20

config advanced eap request-timeout 60

config advanced eap request-retries 10

config advanced eap eapol-key-timeout 5

config advanced eap eapol-key-retries 4

This solved the EAP-FAST timeout issues.

Dave

742
Views
0
Helpful
7
Replies