Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

eap-fast pac provisioning fails on 350 series adaptors

We are migrating from an autonomous wireless infrastructure to Unified infrastructure and have come across an issue with clients unable to automatically provision a PAC.

The same ACS server is being used for authentication and eap-fast has been working for a number of years now. Upon a failure, the client (ACU 6.4) says "provisioning failed" whilst the ACS failed attempt logs says "EAP-TLS or PEAP authentication failed during SSL handshake"

If I take the client PC into an area where the old infrastructure has coverage the client provisions fine and authenticates. If I then bring the client back into the new coverage area it authenticates fine. It appears it's just the PAC provisioning that is failing.

Interestingly, newer CB21 cards which are ABG provision fine. Anybody else had problems like this?

ACS is v3.3

ACU is v6.4

WLC is

APs are 1240's


Re: eap-fast pac provisioning fails on 350 series adaptors

If the ACS's certificate on the wireless client is invalid (which depends on the certificate's valid "from" and "to" dates, the client's date and time settings, and CA trust), then the client will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." The expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2003 14:56:41 E 0345 1644 EAP: buildEAPRequestMsg:

other side probably didn't accept our certificate

For the Further procedure following URL may help you :

New Member

Re: eap-fast pac provisioning fails on 350 series adaptors

If the ACS certificate was invalid, I would expect all clients on the old wireless infrastructure to start failing but this is not the case.

Have now also increased the logging on the ACS server and captured the error;

"EAP: EAP-FAST: ProcessResponse: SSL handshare failed, status = 3 (SSL alert fatal:bad record mac)"

CreatePlease login to create content