Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PAC Provisioning Fails Without End-User Accepting PAC Pop-up

We have lots of workstation on wheels. We use EAP-Fast with Cisco ACS for authentication. When a user isn't in front of the WOW and the PAC pop-up times out, it disables the WOW and causes problems.

Has anyone used some form of auto-accept method with the Intel PRO-Set so as to not require end-user acceptance of the PAC pop-up message?

1 REPLY
Bronze

Re: PAC Provisioning Fails Without End-User Accepting PAC Pop-up

The provisioning of the Machine PAC, which is needed for machine context connections, is accomplished using the server certificate or machine security identity (SID). Machine PACs are only supported in newer versions of authentication servers (ACS 4.0 or later) which have been upgraded to support EAP-FAST v1a.

To make a make a machine connection before the PAC has been provisioned, the CA certificate used to trust the server certificate must be placed in the proper Windows Certificate Store (Local Computer-Trusted Root Store).

The host must also provide these machine credentials:

•Active Directory provided machine certificate. The authentication method must support the use of a certificate to provide machine client credentials - the server must be appropriately configured to call for an inner tunnel method of TLS.

•Active Directory provided SID (password). The authentication method must support the use of a password to provide machine client credentials.

Finally, the FAST authentication server must be configured for auto creation of administrator's unique machine PAC information.

http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1026518

282
Views
0
Helpful
1
Replies