
ovt Bronze

NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

Hi!

(Sorry, if this is a wrong forum.)

Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?

I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:

Access-Requests with User-Name="anonymous"

Access-Challenges (I see certificate is sent from ACS)

Access-Reject

CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".

So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.

The following is excerpt from the CS ACS documentation:

"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."

SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe

So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?

Any help is greatly appreciated.

4 REPLIES
Cisco Employee

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

ACS does not try to authenticate "anonymous". This is just the record ACS cuts in its log. The problem here is the user is not defined on ACS locally. Or, if you need to point ACS to another server, then take care of that on your unknown user policy.
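To make the point of the reply concrete, here is an added example (not code from the thread, ACS or SSC) that parses a constructed RADIUS Access-Request the way a log-analysis script would, and labels what the identity in a "failed attempt" record actually is. With EAP-FAST the first Access-Request carries the outer identity in both the User-Name attribute and the EAP-Response/Identity inside EAP-Message; the real username only travels inside the TLS tunnel in phase 2, so a failure logged against "anonymous" (or, for the Aironet client mentioned in the ACS documentation, a MAC address) is a tunnel, PAC or policy problem rather than an unknown user. The packet layouts follow RFC 2865 and RFC 3748; the Request Authenticator is zeroed in the constructed packet, the pattern list and the classification labels are this example's own choices.

```python
import re
import struct

# RADIUS / EAP constants (RFC 2865, RFC 3748)
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

MAC_LIKE = re.compile(r"[0-9a-f]{2}([:\-.]?[0-9a-f]{2}){5}")


def radius_attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_identity_response(eap_id, identity):
    """Encode an EAP-Response/Identity: Code(1) Id(1) Length(2) Type(1) Identity."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def access_request(radius_id, identity):
    """Constructed Access-Request as a switch relays the supplicant's first
    EAPOL exchange. The Request Authenticator is zeroed here (a real NAS
    sends 16 random bytes); it is not needed to read the identity."""
    attrs = radius_attr(ATTR_USER_NAME, identity.encode()) + radius_attr(
        ATTR_EAP_MESSAGE, eap_identity_response(1, identity))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs


def parse_radius(packet):
    """Return (code, [(type, value), ...]) and reject inconsistent length fields."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def outer_identities(packet):
    """The two places the outer (phase 0/1) identity appears: the User-Name
    attribute and the EAP-Response/Identity carried in EAP-Message."""
    _code, attrs = parse_radius(packet)
    user_name = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), None)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # EAP-Message may be split over several attributes
    eap_identity = None
    if len(eap) >= 5:
        ecode, _eid, elen, etype = struct.unpack("!BBHB", eap[:5])
        if ecode == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and elen <= len(eap):
            eap_identity = eap[5:elen].decode("utf-8", "replace")
    return user_name, eap_identity


def classify_identity(packet, anonymous_patterns=("anonymous",)):
    """Label what a failed-attempt record for this request means.
    'anonymous-outer' and 'mac-placeholder' are tunnel placeholders, so a
    failure against them is not an unknown-user problem; 'identity-mismatch'
    flags a NAS that rewrote User-Name, which is worth a look on its own."""
    user_name, eap_identity = outer_identities(packet)
    name = eap_identity if eap_identity is not None else user_name
    if name is None:
        return "no-identity"
    if user_name is not None and eap_identity is not None and user_name != eap_identity:
        return "identity-mismatch"
    lowered = name.lower()
    if lowered in anonymous_patterns or lowered.startswith("anonymous@"):
        return "anonymous-outer"
    if MAC_LIKE.fullmatch(lowered):
        return "mac-placeholder"
    return "named-identity"
```

Running `classify_identity(access_request(7, "anonymous"))` yields `anonymous-outer`, which is exactly the record the original post saw in the Failed Attempts report: the name is the SSC "Unprotected Identity Pattern", and the reason for the reject has to be found in the tunnel or the database selection for the NAP, not in the user list.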

ovt Bronze

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):

POD1-SW#sh run int fa1/0/1
Building configuration...

Current configuration : 378 bytes
!
interface FastEthernet1/0/1
 switchport access vlan 999
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x timeout tx-period 10
 dot1x reauthentication
 dot1x critical
 dot1x critical recovery action reinitialize
 dot1x guest-vlan 91
 dot1x critical vlan 11
 spanning-tree portfast
end

After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?

Thx.
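The guest-VLAN timing in the post above can be reasoned about with a small model. The following is an added example, not code from the thread or from Cisco: it simulates the authenticator side of 802.1X on a port like FastEthernet1/0/1, with an EAP-Request/Identity sent at link-up and retransmitted every tx-period seconds, and a supplicant service that only begins answering after some start-up delay. It assumes IOS behaviour as I understand it, namely that the port is moved into the guest VLAN once the initial request plus max-reauth-req retransmissions go unanswered; max-reauth-req is not in the posted config, so its IOS default of 2 is an assumption. MAB and a late EAPOL-Start from the supplicant are deliberately left out of the model.

```python
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass
class PortTimers:
    """dot1x timers for one port. Defaults are the IOS defaults as assumed here;
    the post's port overrides tx_period, guest_vlan and access_vlan."""
    tx_period: int = 30            # dot1x timeout tx-period: seconds between EAP-Request/Identity frames
    max_reauth_req: int = 2        # dot1x max-reauth-req: retransmissions before giving up (assumed default)
    guest_vlan: Optional[int] = None  # dot1x guest-vlan
    access_vlan: int = 1           # switchport access vlan, used on success unless RADIUS assigns one


def identity_request_times(timers):
    """Seconds after link-up at which the authenticator sends EAP-Request/Identity:
    the initial request plus max_reauth_req retransmissions."""
    return [n * timers.tx_period for n in range(timers.max_reauth_req + 1)]


def guest_vlan_deadline(timers):
    """Moment the switch stops waiting: one tx_period after the last unanswered request."""
    return (timers.max_reauth_req + 1) * timers.tx_period


def port_outcome(timers, supplicant_ready_at):
    """Simulate a supplicant that starts answering EAPOL only at supplicant_ready_at
    seconds (e.g. a service that 'hung on starting'). Returns (state, vlan, time)."""
    for t in identity_request_times(timers):
        if supplicant_ready_at <= t:
            # The supplicant answers this request and normal authentication proceeds.
            return ("authenticating", timers.access_vlan, t)
    deadline = guest_vlan_deadline(timers)
    if timers.guest_vlan is not None:
        return ("guest-vlan", timers.guest_vlan, deadline)
    return ("unauthorized", None, deadline)


def min_tx_period(supplicant_ready_at, max_reauth_req):
    """Smallest whole-second tx-period whose last retransmission still reaches a
    supplicant that needs supplicant_ready_at seconds to come up."""
    if supplicant_ready_at <= 0:
        return 1
    return ceil(supplicant_ready_at / max_reauth_req)


if __name__ == "__main__":
    # Constructed scenario using the timers visible in the posted configuration.
    port = PortTimers(tx_period=10, guest_vlan=91, access_vlan=999)
    for ready in (0, 15, 45):
        print(f"supplicant ready after {ready:2d}s -> {port_outcome(port, ready)}")
    print("tx-period needed for a 45 s start-up:", min_tx_period(45, 2))
```

With tx-period 10 and the assumed max-reauth-req of 2 the identity requests go out at 0, 10 and 20 seconds and the port lands in VLAN 91 at 30 seconds, so any supplicant service that takes longer than 20 seconds to come up is guaranteed to be placed in the guest VLAN first. The model makes the trade-off explicit: a longer tx-period (or a larger max-reauth-req) covers a slow supplicant but also delays guest-VLAN access for hosts that genuinely have none, which is why fixing the client start-up, as the later replies do, is the better cure than stretching the timers.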

Cisco Employee

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

Sounds like the client is hosed somehow. Would recommend the native Windows client, or retail CSSC supplicant either way.

ovt Bronze

Re: NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.

Ok, it seems to be a conflict with vmware drivers. Now it works well on Win 2003 R2 Server.

If I need Active Directory authentication, does this mean I absolutely must use machine authentication to download group policy objects from the domain? SSC has an option "Attempt connection before user logon". Could you please explain it? Can it help with downloading GPOs?
