ACS 3.3 to 4.1 EAP-FAST PAC migration

Similar Messages

• ISE - EAP-FAST PAC Provisioning - Identity field??

  Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
  Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.

  Use
  PAC
  •Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
  •Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
  •Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
  •Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
  When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
  –Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
  •Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
  •Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
  Uncheck this check box in the following cases:
  –If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
  –To always perform phase two of EAP-FAST
  When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
  •Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• EAP-Fast or PEAP ??

  Dear All,
  we are not sure if we should use EAP-FAST as authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer ? For PEAP or EAP/TTLS we would need a Radius Server such as ACS while we could assign an Access Point as local authentication server if we used EAP-Fast. Is the extra cost for an ACS server justified only to be able to use PEAP ? Thanks for your help.

  Also you don?t need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that
  it is there for many other things thatn wireless. TACACS authentication on you devices, security logs. VPN authentication, and can connect OTP solutions on top of ACS (From other vendors like RSA) When migrating from LEAP EAP-FAST is the easiest way to go since EAP-FAST was designed to take over LEAP with less impact on your configuration and migration is easy since you are then running a ACS. The market acctually demanded EAP-FAST cause there was need for a solution that was mroe secure than LEAP and PEAP-mschapv2 (both shared secret mecanisms) and something less complicated that PKI solutions. The answer was EAP-FAST with its easy to setup "mini certificate" setup which can be preety well automated. PKI PEAP with certificates is a major decission and you have to be ready to manage a PKI solution all year long. This might require extra presonell to take care of it. But of course those solution will be the most secure.
  regards. Kristjan Edvardsson
  Sensa ehf. Cisco Silver Partner

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

  Hi All,
  I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
  Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
  Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
  I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
  Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
  Thanks,
  Rob

  Hello,
  Did you find a guide for EAP-FAST with AD ?
  I'm facing the same problem, I can't make EAP-FAST working with AD Account,
  Thanks to you
  Regards,
  Gérald

• WLAN Access via 802.1x/EAP-FAST ACS & Windows DB

  Hi,
  Does anyone have any useful links about how to configure ACS server to use windows UN/PW for wireless client logins via 802.1x & Eap-fast?
  I can't seem to find a defined example for the ACS to Window DB install?
  Can anyone help?
  Ta
  James

  Check out whether the following links are useful to you.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#set-acs
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

• ACS EAP-FAST and LEAP restrictions. regarding 7920 wireless phones

  Hello, The 7920 still doesn´t support EAP-FAST. So I´m wondering if it is possible to restcrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that ?

  Hi
  Kristjan's question above is a good one - I'm looking for a similar answer...
  I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
  Also can I restrict LEAP users to a set of pre-defined MAC addresses?
  Thanks
  Aaron

• WET200 Could firmware allow EAP-FAST

  Hi,
  I have been looking to utilise the above authentication using a PAC file.
  This is the system used by one of our clients. Although Cisco aironet 1300
  series supports this, they are a good deal more expensive as a solution.
  My question to see what your thought are is whether a device like this WET200
  would ever be able to support this type of authentication with the likes of a firmware
  upgrade? I know it's not worth holding your breath on, but the unit had originally
  been purchased since cisco compatibility was a prerequesite. Only once we went
  to setup did it become apparent as to the authentication method they used.
  TIA
  Andrew

  Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.

• NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

  Hi!
  (Sorry, if this is a wrong forum.)
  Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
  I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
  Access-Requests with User-Name="anonymous"
  Access-Challenges (I see certificate is sent from ACS)
  Access-Reject
  CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
  So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
  The following is excerpt from the CS ACS documentation:
  "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
  SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
  So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
  Any help is greatly appreciated.

  Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
  POD1-SW#sh run int fa1/0/1
  Building configuration...
  Current configuration : 378 bytes
  interface FastEthernet1/0/1
  switchport access vlan 999
  switchport mode access
  dot1x mac-auth-bypass
  dot1x pae authenticator
  dot1x port-control auto
  dot1x timeout reauth-period server
  dot1x timeout tx-period 10
  dot1x reauthentication
  dot1x critical
  dot1x critical recovery action reinitialize
  dot1x guest-vlan 91
  dot1x critical vlan 11
  spanning-tree portfast
  end
  After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
  Thx.

• Eap-fast and cckm

  Is it possible to use eap-fast authentication with CCKM on 7920 phone with WLC.
  It is working when configuring 802.1x and wep 104 bits on controller but it does not work with wpa1+wpa2.

  If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but may want to decrease or increase based on company's security policy. Also with CCKM, this will help when roaming with an expired PAC, otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.

• EAP-FAST Security level

  Hi all,
  I use EAP-FAST in my network and I have some questions about it.
  1) is there any vulnerability detected with EAP-FAST?
  2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
  3) Can I use EAP-FAST with MAC address filtering through ACS?
  4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
  Thanks for your reply.
  Thanks.

  1)
  Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
  What will happen? see
  The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
  To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
  Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
  In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
  However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
  Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
  After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
  EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
  2) Max user sessions
  3)Yes
  4)PEAP ( EAP TLS )
  Side note:
  EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
  Please make sure to rate correct answers and rate the thread as answered

• EAP-Fast

  Hi,
  I have a AP1100 and a repeater AP1100. The AP acts as a Radius server and the clients (all AIR-350) use LEAP, WPA and TKIP. Everything works just fine.
  Now I want to secure my environment a bid more and make use of EAP-Fast. I can't get it work. At the authetication process, it sticks at provisioning. The log at the AP only shows: debugging; Station xxxxx: Authentication failed.
  Does anybody have a clue what I'm doing wrong or is it because the AP is the Radius server i.c.w. EAP-Fast ?
  Thanks,
  Auden

  Cisco Secure ACS is listed as a Prerequisite and in the Required Hardware and Software section;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080262422.html#wp998531
  hth
  Required Hardware and Software
  The following software and hardware are required for configuring EAP-FAST.
  Cisco Aironet Client Utility (ACU) and Aironet
  •Aironet Client Utility version 6.3
  •Cisco Aironet 350 Series Client Adapter
  •Client adapter firmware version 5.40
  •Client driver version 8.5
  •Aironet Client Monitor (ACM) version 2.3
  •Windows XP, SP1
  Cisco Aironet Access Point
  •Cisco Aironet 1100 Series Access Point
  •Cisco IOS Software Release 12.2(13)JA3
  •CiscoSecure Access Control Server (ACS)
  •CiscoSecure ACS v3.2.3 for Windows 2000 SP4
  •Aironet Configuration Administration Tool (ACAT) (optional)
  •Cisco Aironet ACAT v1.3

• Vista EAP-FAST Module

  Anyone know where I can get this module?
  http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
  Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
  Thanks,
  Todd

  The following link allows you to download the EAP-FAST module for vista:
  http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
  If the page does not come up for the first time while using the link above try opening the same link in a new browser page one more time.

• WGB and EAP-FAST

  I try to authenticate a 1300 Worgroup bridge with EAP-FAST.
  Using ACS 3.3(2) Build 2 and 1231 AP's with WDS.
  Is there anyone who has tried this configuration. Ordinary wireless clients are OK.

  Hi,
  a workgroup bridge support only LEAP als EAP Client for EAP authentication.
  You have no option to integrate a PAC File to the device in workgroup bridge mode.
  Look at this link:
  http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804158b3.html#wp1055422