Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

EAP-FAST Authentication Issue with Wireless 7925G Phones


I have a wireless network configured for a Unified Wireless Voice solution and have started to see some anomolies regarding the EAP-FAST authentication.

I currently have a Wireless Services Module (WiSM) installed into a Catalyst 6509. The software running on the WiSM is and we are authenticating the 7925 handsets using WPA2 (EAP-FAST). The handsets are being authenticated against a Cisco ACS Applicance (version 4.1).

The ACS has a Self-Signed Certificate installed and is doing automatic PAC provisioning.

The issue we are seeing is on the WiSM I have an error message as follows;

AAA Authentication Failure for UserName:anonymous  User Type: WLAN USER

And I can see on the ACS Server in the Failed Attempts log an Authentication Failure against the Username: anonymous. The Auth Failure Code is; ACS MSCHAP password is invalid

I thought that maybe the EAP timeout values could need changing so have set them to the following;

config advanced eap identity-request-timeout 60
config advanced eap identity-request-retries 20
config advanced eap request-timeout 60
config advanced eap request-retries 10
config advanced eap eapol-key-timeout 5
config advanced eap eapol-key-retries 4

I was also reading some other tech notes and blogs about a bug CSCsw88545 but this suggests this is authenticating against a local WLC.

Any suggestions would be helpful




Re: EAP-FAST Authentication Issue with Wireless 7925G Phones

Are the phones authenticating to the WLAN but you are just seeing the entries in the failed attempt log or are they not authenticating at all?

Seeing the failed attempt with annonymous is normal.  During the PAC provisioning of EAP-FAST you will see a failed attempt with the username of annonymous.

New Member

Re: EAP-FAST Authentication Issue with Wireless 7925G Phones

The phones are authenticating to the wireless LAN.

I'm aware that you see a failure in the ACS logs for the Phase 0 of EAP-FAST but usually this would have a message of EAP-FAST user was provisioned a  new PAC

Unless this due to the roam

New Member

Re: EAP-FAST Authentication Issue with Wireless 7925G Phones

The authentication process might need more time. The settings below are what TAC provided me to fix a similar issue but with the older handsets.

EAP-Identity-Request Timeout (seconds)........... 120
EAP-Identity-Request Max Retries................. 20
EAP Key-Index for Dynamic WEP.................... 0
EAP-Request Timeout (seconds).................... 120
EAP-Request Max Retries.......................... 20

Good luck.