Cisco Support Community
New Member

eap-fast and cckm

Is it possible to use eap-fast authentication with CCKM on a 7920 phone with WLC?

It is working when configuring 802.1x and wep 104 bits on controller but it does not work with wpa1+wpa2.

12 REPLIES
New Member

Re: eap-fast and cckm

Have the same problem with v4.0.155.0 on the controller. v3.2 works with WPA. Anybody have a 4.0 version that works?

Silver

Re: eap-fast and cckm

Charles, You may want to note that 4.0.155.0 had some serious issues with APs rebooting regularly. You may want to consider a newer version. There is a 4.0.155.5 with just fixes for that bug, or the newest just came out today 4.0.179.11. If you are running WiSMs, I highly recommend looking at 179.11, due to an issue on WiSMs some of us have been dealing with.

-Eric

Please remember to rate all helpful posts.

Silver

Re: eap-fast and cckm

Yep. The trick is that you have to choose AKM for Authentication instead of EAP on the 7920. I have them working on 4.0.179.x without an issue.

-Eric


New Member

Re: eap-fast and cckm

Eric,

Which issue is corrected in version .11 that requires an upgrade on WiSM?

Three bugs are corrected according to release notes.

Cheers

Simon

Silver

Re: eap-fast and cckm

Secoffey: there is a WiSM reboot bug that a lot of us have been dealing with. It affects all versions prior to 4.0.179.11 as far as I have been told, but only impacts WiSMs.

-Eric


Cisco Employee

Re: eap-fast and cckm

Yes, but you must increase the 802.1x timeout on the Airespace controller. See the 3.0 release notes, where it states the following:

If using EAP-FAST with Cisco Airespace technology, the EAP session timeout needs to be increased to at least 20 seconds.

1) SSH or Telnet to Airespace controller(s)

2) Type "config advanced eap request-timeout 20"

3) Type "save config" and "y" to confirm

Also need to ensure that WPA1 policy has only TKIP enabled as the 7920 doesn't support AES.

Silver

Re: eap-fast and cckm

Good catch migilles. I didn't mention it, but you are correct. TKIP is required. You can have AES and WPA2 enabled as well, if you happen to be sharing the SSID with other clients. Also a good find on the timeout. I already set that, so I didn't know it was required for 7920s. Either way, it is a good practice to enable that timeout since any clients can timeout with the default timer.

-Eric


New Member

Re: eap-fast and cckm

Thanks for the info. The EAP timer was already modified.

This config is working with LEAP

Config with EAP-FAST only working with wep encryption.

7920: 4.0-03-01

wism: 4.0.179.11

Any idea ?

thanks

Silver

Re: eap-fast and cckm

The WLAN config looks solid. It looks the same as my working config. Are you getting errors on your radius server? I didn't see you confirm, you do have the phone set to authentication type AKM?

-Eric


New Member

Re: eap-fast and cckm

I'm using AKM on Phone.

I saw an event in the failed attempt report saying "EAP-FAST user was provisioned with new PAC". I didn't dig deeper in ACS logs yet.

thanks

New Member

Re: eap-fast and cckm

Mea culpa !!!

The ACS servers were out of sync and EAP-FAST was not accepted on the secondary server.

So I confirm EAP-FAST is working with CCKM and WPA1 on 7920.

More generally, does anybody have a production environment based on eap-fast with 7920? Is there any issue? Are there some recommendations about PAC TTL, or are the default settings OK?

Cisco Employee

Re: eap-fast and cckm

If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but may want to decrease or increase based on company's security policy. Also with CCKM, this will help when roaming with an expired PAC, otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.
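A triage sketch for the behaviour described in the reply above and the "provisioned with new PAC" entry seen earlier in the thread, added here as an example and not code from any poster or from Cisco. It separates the expected first-attempt failure (followed by a success) from provisioning failures that never lead to a pass; the record layout, server names, second failure message and 60-second window are constructed assumptions, not an ACS export format.

```python
from datetime import datetime, timedelta

# Message text as quoted in the thread's failed-attempt report.
PAC_MSG = "EAP-FAST user was provisioned with new PAC"

# Constructed sample records: time,server,user,result,message (hypothetical layout).
SAMPLE = """\
2000-01-01T09:00:00,acs-primary,phone-a,FAIL,EAP-FAST user was provisioned with new PAC
2000-01-01T09:00:06,acs-primary,phone-a,PASS,
2000-01-01T09:05:00,acs-primary,phone-b,FAIL,EAP-FAST user was provisioned with new PAC
2000-01-01T09:05:07,acs-secondary,phone-b,FAIL,EAP type not configured
2000-01-01T09:10:00,acs-primary,phone-c,FAIL,Authentication failed
"""

def parse(text):
    """Turn the constructed CSV lines into time-ordered tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, server, user, result, msg = line.split(",", 4)
        rows.append((datetime.fromisoformat(ts), server, user, result, msg))
    return sorted(rows)

def triage(text, window=timedelta(seconds=60)):
    """Label every FAIL record.

    expected-provisioning  : PAC was provisioned and the same user passed within the window
    provisioned-no-success : PAC was provisioned but no pass followed (worth investigating)
    failure                : any other failed attempt
    """
    rows = parse(text)
    out = []
    for i, (ts, server, user, result, msg) in enumerate(rows):
        if result != "FAIL":
            continue
        if msg != PAC_MSG:
            out.append((user, server, "failure"))
            continue
        followed = any(u == user and r == "PASS" and ts < t <= ts + window
                       for t, _, u, r, _ in rows[i + 1:])
        label = "expected-provisioning" if followed else "provisioned-no-success"
        out.append((user, server, label))
    return out

if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(*item)
```

Grouping the output by server shows whether retries after provisioning are landing on a server that rejects EAP-FAST, as happened with the out-of-sync secondary in this thread.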
