How do you connect ACS LEAP-FAST to 4404?

Starthorn (Level 1)

How do you connect ACS LEAP-FAST to 4404? I want to have an open SSID where the students can log in with their Novell usernames/passwords but get encrypted.

18 Replies

gamccall (Level 4)

There is no LEAP-FAST. There is LEAP, or EAP-FAST. Neither one is built into Windows, so the first step is to make sure that your users have a software client which supports your desired EAP method.

On the 4404, you'll just set up a WPA or WPA2 network using 802.1X, and configure the address and shared key for the ACS server in your RADIUS entries. The specific EAP method is not configured on the controller.

On the ACS server, you will configure the controller as an AAA client with the appropriate shared secret, using Cisco Airespace as the RADIUS type, and make sure that EAP-FAST is enabled and set up in the Global Encryption section. And of course, you'll have to set up external authentication to your Novell LDAP.

I mean EAP-FAST.

Where do I type in the RADIUS entries? In the security tab and I see RADIUS on the left.

I also see EAP-FAST Method Parameters under local EAP

Do I need RADIUS Key Wrap?

Also, what IP should I use in ACS? Should I use the web auth IP or the IP I use to get to the web page?

You do not need RADIUS key wrap.

Use the controller's management address as the IP address for the AAA client.

RADIUS servers are configured under Security: AAA: Radius servers; then, select the servers under WLANs: your SSID: Security: AAA. You are not using Local EAP; don't configure anything there.
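The controller-side steps in this reply (define the ACS as a RADIUS authentication server, then select it under the WLAN's AAA settings, with nothing under Local EAP), written out as the equivalent AireOS CLI commands. This is an added example, not from the original thread; the WLAN ID (2), the ACS address (192.0.2.10) and the shared secret are placeholders, and the lines beginning with `!` are annotations, not commands.

```text
! Added example: AireOS CLI equivalent of the GUI steps described above.
! Placeholders: WLAN ID 2, ACS at 192.0.2.10, shared secret <ACS-SHARED-SECRET>.

! 1. Define the ACS as RADIUS authentication server index 1 (UDP/1812, ASCII secret).
!    Key wrap is left at its default (disabled); the reply says it is not needed.
config radius auth add 1 192.0.2.10 1812 ascii <ACS-SHARED-SECRET>
config radius auth enable 1

! 2. Put the secure WLAN on WPA2/AES with 802.1X key management.
!    The EAP method (EAP-FAST) is negotiated with the ACS, not set here.
config wlan disable 2
config wlan security wpa enable 2
config wlan security wpa wpa2 enable 2
config wlan security wpa wpa2 ciphers aes enable 2
config wlan security wpa akm 802.1x enable 2

! 3. Attach server index 1 as the WLAN's authentication server
!    (the "Authentication Servers" drop-down under WLANs > SSID > Security > AAA).
config wlan radius_server auth add 2 1
config wlan enable 2

! 4. Verify: the server should show as enabled and the WLAN should list it.
show radius summary
show wlan 2
```

The ACS side must list the controller's management address as an AAA client with the same shared secret, otherwise the controller can ping the ACS but every authentication request is silently dropped.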

Here's what I have done so far.

I went to the Security tab in the controller and under AAA > RADIUS > Authentication

I clicked New

typed in the ACS IP

Shared Secret Format: ASCII

Shared key (for a test): aaabbbccc

I left everything else as default

I was able to use the blue arrow on the next screen to ping the ACS server. It worked.

I went to WLANs

Clicked on my SSID

went to Security

went to AAA Servers

Picked the Authentication Servers from the drop-down menu.

I try to connect with my laptop with the settings:

http://img135.imageshack.us/img135/1250/30843309.jpg

http://img135.imageshack.us/img135/7227/38269692.jpg

http://img135.imageshack.us/img135/2061/55455685.jpg

OK, so what happens then? If you're not getting online successfully, what errors do you see on the controller and/or in the ACS authentication logs?

I disabled Windows Firewall. It was blocking the ports.

I also had to enable EAP-FAST on the ACS and turn on anonymous PAC/authenticated PAC.

I'm using a user I made on the ACS.

My next step is to allow EAP-FAST to use my Novell username and password with LDAP... This works for our other SSID that uses web auth.

How do I do this?

Just set the controller to use the ACS servers as AAA Authentication on your secure SSID.

It's set up like that. I assume that you also need the LDAP Servers drop-down box filled in too, right?

I'm picking the same LDAP in the drop-down box as I did when I use LDAP for web auth.

Do I need to configure LDAP on the ACS? Also, do I have to have manual PAC generation to use LDAP, or can I use automatic?

The LDAP boxes on the right are only used if you are using Local EAP, i.e. if you do not have a RADIUS server. If you're using an ACS, then you are not using Local EAP and will leave those options blank.

OK, so what would be my next step?

I can connect with GTC and MSCHAPv2. I thought I read MSCHAPv2 can't be used with LDAP.

I can type a username and password in my laptop's client. If I connect, how do I know it's LDAP that let me in?

The MSCHAP+LDAP issue only comes into play when you are using Local EAP. Again, because you are using an ACS server this is not a Local EAP implementation.

If you are able to connect successfully, doesn't that resolve your problems? Is there a specific reason why you are concerned about verifying that the LDAP protocol is being used? I suppose you could sniff the traffic between the ACS and your Novell server if you wanted to be really sure.

I can only connect with the username I made on the ACS server. When I try to use my Novell username and password, it doesn't work.
