Problem with EAP-FAST in phase 1


I am using EAP-FAST and I am not able to obtain the PAC file from the server.

I can see the following protocols exchanged between client and server.

1. server -> client : (Proto EAP) Request, Identity

2. client -> server : (Proto EAP) Response, Identity

3. server -> client : (Proto EAP) Request, EAP-TLS

4. client -> server : (Proto EAP) Response, Legacy Nak (Response only)

5. server -> client : (Proto TLSv1) Ignored Unknown Record (EAP Type: EAP-FAST)

6. client -> server : (Proto TLSv1) Client Hello (with empty session ID)

7. server -> client : (Proto TLSv1) Server Hello, Server Key Exchange, Server Hello Done

After this step, I see a "Request, Identity" from the server again and the whole thing repeats. Once in several attempts, I see the following:

8. client -> server : (Proto TLSv1) Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message.

But it starts all over again. I don't understand why this behavior occurs. I suspect that the server times out, but I am not sure.

Has anyone come across this problem before? If anyone knows the reason and fix for this behavior, please share it with me.


Do you have the problem with provisioning the PAC?
If so, this is EAP-FAST phase 0, not phase 1.

If you have a Cisco unified wireless controller, you may try enabling the following debug on the WLC:

debug client

This would tell you exactly where the problem resides, client or server.

Also, what if you provide the client with the PAC file manually? Will authentication then work?



What is the type of PAC provisioning you are using? Is it anonymous or authenticated PAC provisioning?

If it is anonymous, please make sure that you have enabled EAP-MSCHAPv2, due to the fact that we are using Diffie-Hellman key agreement in this phase and we need this type to provide mutual authentication.

Can you send me a screenshot of the EAP-FAST config from client and server?


Hi Amjad,

I did enable the debug, but I see no problem being printed; I see that the client simply restarts the process all over again (in accordance with the sequence of events listed above). I am using fast_provisioning=3; I figured that it simply failed for 1 and 2.

I was working on it and I observed that the client generated the key 100 sec after getting a Server Hello; meanwhile the server sends 3 Server Hellos at an interval of 30 secs and finally de-authenticates the client. As I can't change the time taken by the client to generate the key (very slow processor), is there a way to change the timings on the server? I wanted to test it out by extending the wait time on the server, but I could find no interface to change the timings.
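As an added illustration of the timing mismatch described in this post (example code written for this page, not from the thread or from Cisco), here is a small Python analyser: it reads a constructed, timestamped message log shaped like the exchange above, splits it into runs at each server Identity request, and compares the client's Client Key Exchange delay against the server's retry budget. The log format, and the assumption that the server gives up after request-timeout times request-retries seconds, are mine, not the WLC's documented behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed log, not a real capture: the server resends Server Hello every 30 s (three in total), then deauthenticates; the slow client answers ~100 s later.
SAMPLE_LOG = """\
0.000 server->client EAP Request, Identity
0.010 client->server EAP Response, Identity
0.200 client->server TLS Client Hello
0.300 server->client TLS Server Hello, Server Key Exchange, Server Hello Done
30.300 server->client TLS Server Hello, Server Key Exchange, Server Hello Done
60.300 server->client TLS Server Hello, Server Key Exchange, Server Hello Done
90.300 server->client Deauthentication
100.300 client->server TLS Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
100.400 server->client EAP Request, Identity
"""
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>server|client)->\w+\s+(?P<msg>.+)$")

@dataclass
class Attempt:                       # one EAP run, opened by a server Identity request
    start: float
    server_hello_times: List[float] = field(default_factory=list)
    client_key_exchange: Optional[float] = None

def parse_attempts(log: str) -> List[Attempt]:
    """Split the log into runs and keep the messages that matter for the stall."""
    attempts: List[Attempt] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, msg = float(m["t"]), m["src"], m["msg"]
        if src == "server" and msg.startswith("EAP Request, Identity"):
            attempts.append(Attempt(start=t))
        elif attempts and src == "server" and "Server Hello" in msg:
            attempts[-1].server_hello_times.append(t)
        elif attempts and src == "client" and "Client Key Exchange" in msg:
            attempts[-1].client_key_exchange = t
    return attempts

def diagnose(attempt: Attempt, request_timeout: float, request_retries: int) -> dict:
    """Assumed budget: the server gives up after request_timeout * request_retries s."""
    budget = request_timeout * request_retries
    delay = None
    if attempt.server_hello_times and attempt.client_key_exchange is not None:
        delay = attempt.client_key_exchange - attempt.server_hello_times[0]
    return {
        "server_hello_retransmits": max(0, len(attempt.server_hello_times) - 1),
        "client_key_exchange_delay": delay,
        "stalled": delay is None or delay > budget,   # True: raise the timers or retries
    }
```

Running `diagnose(parse_attempts(SAMPLE_LOG)[0], 30, 3)` reports two Server Hello retransmits, a 100 s key-exchange delay and `stalled: True`; with a 60 s request-timeout the same run fits the budget.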


WLC> config advanced eap request-timeout ...

WLC> config advanced eap request-retries ...


Hi Prakash,

You did not answer whether it works with a PAC manually put on the client.

You can increase the timer. What I see so far is that the timeout happens inside the TLS tunnel with the identity request packet (the second identity request; the first one was not inside the TLS tunnel).

You can modify controller timers (EAP-identity request, EAP-Request, and EAPOL-Key timeouts).

If you can attach the debug client output, that would be fine. But to be honest, I have no guarantee when I'll give it a look. Put it up anyway; maybe maldehne will look at it if I do not do so quickly.

Also, you may consider increasing all the timers in the EAP process (so far I believe it is the identity timer that needs to be increased, but you can increase all of them if you'd like, because I am not fully sure about it).

You can either increase the timers from the CLI:

config advanced eap

maldehne described increasing the request-timeout above

or you can increase the timers from the GUI:

Security-> Local EAP-> General.

Hope there will be some improvement.
