ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008
Hi All,
I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
Thanks,
Rob
Hello,
Did you find a guide for EAP-FAST with AD ?
I'm facing the same problem, I can't make EAP-FAST work with an AD account.
Thanks to you,
Regards,
Gérald
Similar Messages
WLAN Access via 802.1x/EAP-FAST ACS & Windows DB
Hi,
Does anyone have any useful links about how to configure ACS server to use windows UN/PW for wireless client logins via 802.1x & Eap-fast?
I can't seem to find a defined example for the ACS to Window DB install?
Can anyone help?
Ta
James
Check out whether the following links are useful to you.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#set-acs
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml
NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net
Hi!
(Sorry, if this is a wrong forum.)
Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
Access-Requests with User-Name="anonymous"
Access-Challenges (I see certificate is sent from ACS)
Access-Reject
CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
The following is excerpt from the CS ACS documentation:
"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
Any help is greatly appreciated.
Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is a Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
POD1-SW#sh run int fa1/0/1
Building configuration...
Current configuration : 378 bytes
interface FastEthernet1/0/1
switchport access vlan 999
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period server
dot1x timeout tx-period 10
dot1x reauthentication
dot1x critical
dot1x critical recovery action reinitialize
dot1x guest-vlan 91
dot1x critical vlan 11
spanning-tree portfast
end
After all, the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
Thx.
EAP-TLS problems with Cisco AP541N and Server 2008 NPS
Hi,
I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
I don't have a clue what I should do. I try to establish an EAP-TLS connection using my Windows CE mobile device, but my Cisco AP541N logs this:
Oct 18 15:42:58 info hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
Oct 18 15:42:58 warn hostapd wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
Oct 18 15:42:58 info hostapd The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
NPS logs this:
Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
Netzwerkrichtlinienname: XXXXXX
Authentifizierungsanbieter: Windows
Authentifizierungsserver: XXXXX
Authentifizierungstyp: EAP
EAP-Typ: -
Kontositzungs-ID: -
Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
Ursachencode: 22
Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
I'm sorry it's German, but the gist is: the server can't process the authentication with the specified EAP type, which should be EAP-TLS.
I think the NAK answer in my Cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request/challenge, I think, but somebody messes up with it.
Did anybody encounter something like this before? Or just knows what to do?
Thanks in advance
Lenni
Joe:
Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
For PEAP-MSCHAPv2, your options are:
- Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
- Install a local CA. Install a cert on the server and then push the root CA cert for your CA to all client devices so they trust this issuer.
- If both options above are not valid for you, what you can do is configure every single client to ignore the untrusted cert and proceed with the connection. (This is a security concern though. Not recommended unless really needed.)
You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to use PEAP.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
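The two log excerpts in this thread (the AP541N reporting "EAP type: 3 (Nak)" and then "EAP type: 13 (TLS)") and the SSC thread further up (the outer identity "anonymous" in phase 0/1) both come down to fields in the EAP header. The decoder below is an added example, not code from any of the posts or from Cisco; it parses the EAPOL framing that IOS prints in an "EAPOL pak dump" (the dump at the bottom of this page, 01000004 04010004, is used as one input) and, for Identity and Nak packets, pulls out the outer identity and the methods the supplicant is asking for. All other sample frames are constructed here; the type and code tables are the standard IANA EAP values.

```python
"""EAPOL/EAP header decoder for 802.1X troubleshooting (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 17: "LEAP", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def build_eapol(code, ident, etype=None, data=b""):
    """Wrap an EAP PDU in an EAPOL v1 EAP-Packet frame (helper for the samples)."""
    body = b"" if etype is None else bytes([etype]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def parse_eap(pdu):
    """Decode code/id/length and, for Request/Response, the Type and its payload."""
    if len(pdu) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length < 4 or length > len(pdu):
        raise ValueError("EAP length field inconsistent with frame")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):            # Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type octet")
        etype = pdu[4]
        data = pdu[5:length]
        out["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:            # Identity: the outer (phase 0/1) identity
            out["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:          # Nak: methods the supplicant is willing to use
            out["desired_types"] = [EAP_TYPES.get(b, b) for b in data]
    return out


def parse_eapol(frame):
    """Decode the 4-octet EAPOL header; EAP-Packet frames also get the EAP PDU."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("EAPOL body truncated")
    out = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        out["eap"] = parse_eap(frame[4:4 + length])
    return out


# Taken from the "EAPOL pak dump tx" lines on this page: 01000004 04010004
PAGE_FAILURE_FRAME = bytes.fromhex("01000004" "04010004")
# Constructed: supplicant answers the Identity request with the outer identity
IDENTITY_FRAME = build_eapol(2, 1, 1, b"anonymous")
# Constructed: server proposes PEAP (type 25, Start flag 0x20) ...
PEAP_START_FRAME = build_eapol(1, 2, 25, b"\x20")
# ... and the supplicant Naks it, asking for TLS (type 13) instead
NAK_FRAME = build_eapol(2, 2, 3, bytes([13]))


def summarize(frame):
    """One-line description in the spirit of the hostapd/IOS log lines."""
    d = parse_eapol(frame)
    if "eap" not in d:
        return d["eapol_type"]
    e = d["eap"]
    s = f"EAP {e['code']} id={e['id']}"
    if "type" in e:
        s += f" type={e['type']}"
    if "identity" in e:
        s += f" identity={e['identity']!r}"
    if "desired_types" in e:
        s += " wants=" + ",".join(map(str, e["desired_types"]))
    return s


if __name__ == "__main__":
    for f in (PAGE_FAILURE_FRAME, IDENTITY_FRAME, PEAP_START_FRAME, NAK_FRAME):
        print(summarize(f))
```

Reading a Nak this way tells you what the supplicant wanted, which is the piece the AP541N log and the NPS "EAP type cannot be processed" reason code leave implicit; and an Identity response of "anonymous" is exactly what the AAA server must not try to look up in its user database, as the SSC thread found.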
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I hope both root CA and identity certificates also need to be installed on the laptops, but I am not sure how to download the certificates for the client machine manually from the CA.
Kindly suggest on how to get certificates for clients both manually as well as automatically?
Thanks,
Vijay
Hi Vijay,
For wired 802.1x (EAP-TLS) you need to have the following certificates:
On ACS: Root CA, Intermediate CA, Server Certificate
On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
I am not sure which third-party certificate server you are using. If it is an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
In case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
This one is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it is a Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
Cheers
Minakshi (rate the helpful post)
ACS 3.3 to 4.1 EAP-FAST PAC migration
Our 3rd party supplicants don't handle EAP-FAST in-band PAC changes well at all. To allow a smooth transition from Windows ACS 3.3 to 4.1, we'd like to migrate the v3.3 master or at least the secondary PAC to ACS 4.1. Replication is not an option between 3.3 & 4.1, so I'm looking for a manual way to accomplish this. TIA.
So what you want to do is following :
> Install LMS 4.1 on Windows
> Decommission LMS 3.2
> Rename hostname and IP for LMS 4.2 to same as older LMS 3.2
IP change is not a problem, but for hostname change you should run NMSROOT\bin\hostnamechange.pl script.
For more details, please check the following document :
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/admin/appendixcli.html#wp1041971
-Thanks
ACS EAP-FAST and LEAP restrictions. regarding 7920 wireless phones
Hello, the 7920 still doesn't support EAP-FAST. So I'm wondering if it is possible to restrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that?
Hi
Kristjan's question above is a good one - I'm looking for a similar answer...
I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
Also can I restrict LEAP users to a set of pre-defined MAC addresses?
Thanks
Aaron
Is it possible to use eap-fast authentication with CCKM on 7920 phone with WLC.
It is working when configuring 802.1x and WEP 104 bits on the controller, but it does not work with wpa1+wpa2.
If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but you may want to decrease or increase them based on the company's security policy. Also with CCKM, this will help when roaming with an expired PAC; otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.
Anyone know where I can get this module?
http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
Thanks,
Todd
The following link allows you to download the EAP-FAST module for Vista:
http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
If the page does not come up the first time while using the link above, try opening the same link in a new browser page one more time.
Hi,
I configured a wireless LAN with 3 AP1131G-E-K9 and a RADIUS server CWWLSE with EAP-FAST and WPA2.
All seems to be OK, but some laptops are obliged to re-authenticate several times a day?
Does anybody have an idea if there is a timer or
other parameter I should set?
Thanks for your help
I recently ran into this issue. What I found, although not that technical: if the user is prompted for the PAC and does not accept, I had a hard time getting them to authenticate afterwards. I was able to remove the user from the AAA server, and once I added them back in they were able to authenticate with no issues. Again this is a very basic finding and I have not had time to test my theory. I believe it has something to do with the way AAA caches the user account; perhaps there is a denial of service or time-wait before the next login attempt is permitted. If you are using AD and not local accounts, use the option on the RADIUS server to Remove Dynamic Users.
Hardware used: version 7.0, 5508 WLC, 3500i APs, WCS, MSE, Cisco ACS/RADIUS 4.2, WPA2, 802.1x, EAP-FAST
EAP-FAST, local Authentication and PAC provisioning
Hi everybody,
I have a little understanding problem with the deployment of EAP-FAST.
So here's the deal:
I want to deploy EAP-FAST with autonomous APs with an ACS as authentication server. So far so good.
When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
Would server sided certificates resolve my concerns here?
I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
Thanks in advance!
From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
Is that what you are trying to get clarification on?
Basically EAP-FAST PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
Sent from Cisco Technical Support iPad App
WET200 Could firmware allow EAP-FAST
Hi,
I have been looking to utilise the above authentication using a PAC file. This is the system used by one of our clients. Although the Cisco Aironet 1300 series supports this, they are a good deal more expensive as a solution. My question, to see what your thoughts are, is whether a device like this WET200 would ever be able to support this type of authentication with the likes of a firmware upgrade? I know it's not worth holding your breath on, but the unit had originally been purchased since Cisco compatibility was a prerequisite. Only once we went to set up did it become apparent as to the authentication method they used.
TIA
Andrew
Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config-wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad and an iPhone. Both failed, with the same "supplicant did not respond correctly" message in ACS. So the 3 Apple devices have the exact same config on them: 1 now works after 2 weeks of failing, and 2 failed upon first-day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossible to really know what is going on here. If you or anyone has any suggestions I am definitely open to hearing them.
ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD
Just a question surrounding EAP-FAST chaining (EAP-TLS inner) and the ability to authorize the username in the CN field of the certificate against AD. As an example, for standard EAP-TLS I am able to specify that the username should be in a specific AD group. With EAP-FAST I seem unable to get the same functionality working; I suspect it is using the combined chained username to poll with. Any advice would be much appreciated, as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.
I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
In my deployment I am using a single SSID with the following protocols:
EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
EAP-TLS Machine Certs - Certs deployed via AD GPO
EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
My certificate profile, created in ISE, utilised the CN field in the subject for the principal username. This configuration works fine for machine certs and user certificates generated via ISE, as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc. utilise the AD CN, which as I understand cannot be used to ascertain group membership in AD.
The solution seemed obvious: create a new cert profile that utilises the SAN field of the certificate, which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
I figured that a failure to match the first authentication policy (based on not matching an allowed protocol) would then carry on to the next authentication policy, allowing me to specify a different cert profile - again no dice, as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
The way around this was, lucky in my mind, basically I now match the wireless 802.1x condition and Network Access Type:EAP-Chaining, which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS, which specifies the CN cert profile.
I know this explanation is long-winded and perhaps obvious to some, so for that I apologise. For those of you who are undertaking this and run into the same drama, I hope it helps. Feel free to contact me for more information or clarification, as this explanation is a mouthful to say the least.
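The crux of the post above is which certificate field a certificate profile turns into the "principal username": the subject CN (which for an AD autoenrolled user cert is the directory display name) or the UPN carried in the SubjectAltName as an otherName. The script below is an added example, not from the post or from ISE; it encodes and decodes a SubjectAltName extension value in DER, with the UPN stored under the Microsoft principal-name OID 1.3.6.1.4.1.311.20.2.3 (a real, well-known OID), and shows what a CN-based profile and a SAN-UPN-based profile each extract from the two kinds of certificate the poster had. Names, UPNs and the profile labels "cn" and "san-upn" are constructed for the example.

```python
"""Which identity does a cert profile see: subject CN or SAN otherName UPN?"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME


def _der_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(enc))
    return _tlv(0x06, body)


def oid_to_dotted(body):
    out, v = [body[0] // 40, body[0] % 40], 0
    for x in body[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            out.append(v)
            v = 0
    return ".".join(map(str, out))


def build_san(upn=None, emails=(), dns_names=()):
    """SubjectAltName ::= SEQUENCE OF GeneralName, the way a CA would emit it."""
    names = b""
    if upn:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = der_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode()))
        names += _tlv(0xA0, other)                 # GeneralName [0] otherName
    for e in emails:
        names += _tlv(0x81, e.encode("ascii"))     # [1] rfc822Name
    for d in dns_names:
        names += _tlv(0x82, d.encode("ascii"))     # [2] dNSName
    return _tlv(0x30, names)


def _iter_tlv(buf):
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + ln]
        i += ln


def parse_san(der):
    tag, body = next(_iter_tlv(der))
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out = {"upn": [], "email": [], "dns": []}
    for tag, val in _iter_tlv(body):
        if tag == 0xA0:                            # otherName
            parts = list(_iter_tlv(val))
            oid = oid_to_dotted(parts[0][1])
            inner_tag, inner = next(_iter_tlv(parts[1][1]))
            if oid == UPN_OID and inner_tag == 0x0C:
                out["upn"].append(inner.decode())
        elif tag == 0x81:
            out["email"].append(val.decode("ascii"))
        elif tag == 0x82:
            out["dns"].append(val.decode("ascii"))
    return out


def principal_username(subject_cn, san_der, profile):
    """Mimic a cert profile choice: 'cn' reads the subject, 'san-upn' the SAN."""
    if profile == "cn":
        return subject_cn
    if profile == "san-upn":
        upns = parse_san(san_der)["upn"]
        return upns[0] if upns else None          # no UPN: profile yields nothing
    raise ValueError(f"unknown profile {profile!r}")


# Constructed: an AD GPO autoenrolled user cert (display name in CN, UPN in SAN)
GPO_CN, GPO_SAN = "Jane Doe", build_san(upn="jdoe@corp.example", emails=["jdoe@corp.example"])
# Constructed: an ISE/SCEP-issued user cert (account name in CN, no SAN entries)
SCEP_CN, SCEP_SAN = "jdoe", build_san()

if __name__ == "__main__":
    for label, cn, san in (("GPO", GPO_CN, GPO_SAN), ("SCEP", SCEP_CN, SCEP_SAN)):
        print(label, "cn ->", principal_username(cn, san, "cn"),
              "| san-upn ->", principal_username(cn, san, "san-upn"))
```

Run against the two constructed certs this reproduces the poster's observation: the CN profile yields "jdoe" for the SCEP cert but "Jane Doe" for the GPO cert, while the SAN-UPN profile yields the usable UPN for the GPO cert and nothing at all for the SCEP cert, which is why one profile cannot serve both populations and the policy has to be split on EAP-Chaining.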
Cisco 871w, radius server local, and leap or eap-fast will not authenticate
Hello, I'm trying to set up EAP-FAST or LEAP on my 871w. I believe I have it configured correctly, but I cannot get any device to authenticate to the router. Below is the configuration that is being used. Any help would be welcome!
! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
hostname router871
boot-start-marker
boot-end-marker
logging count
logging message-counter syslog
logging buffered 4096
logging rate-limit 512 except critical
logging console critical
enable secret 5 <omitted>
aaa new-model
aaa group server radius rad-test3
server 192.168.16.49 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login eap-methods group rad-test3
aaa authorization exec default local
aaa session-id common
clock timezone AZT -7
clock save interval 8
dot11 syslog
dot11 ssid test2
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <omitted>
dot11 ssid test1
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 <omitted>
dot11 ssid test3
vlan 3
authentication open eap eap-methods
authentication network-eap eap-methods
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.162.16.49 192.162.16.51
ip dhcp excluded-address 192.168.16.33
ip dhcp excluded-address 192.168.16.1 192.168.16.4
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name test1.local.home
lease 4
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.240
default-router 192.168.16.33
domain-name test2.local.home
lease 0 6
ip dhcp pool vlan3pool
import all
network 192.168.16.48 255.255.255.240
default-router 192.168.16.49
domain-name test3.local.home
lease 2
ip cef
ip inspect alert-off
ip inspect max-incomplete low 25
ip inspect max-incomplete high 50
ip inspect one-minute low 25
ip inspect one-minute high 50
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 30
ip inspect tcp synwait-time 60
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 2
ip inspect name firewall tcp router-traffic
ip inspect name firewall ntp
ip inspect name firewall ftp
ip inspect name firewall udp router-traffic
ip inspect name firewall pop3
ip inspect name firewall pop3s
ip inspect name firewall imap
ip inspect name firewall imap3
ip inspect name firewall imaps
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall icmp router-traffic timeout 10
ip inspect name firewall dns
ip inspect name firewall h323
ip inspect name firewall hsrp
ip inspect name firewall telnet
ip inspect name firewall tftp
no ip bootp server
no ip domain lookup
ip domain name local.home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.15
ip accounting-list 192.168.16.48 0.0.0.15
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username testtest password 7 <omitted>
archive
log config
logging enable
logging size 255
notify syslog contenttype plaintext
hidekeys
path tftp://<omitted>/archive-config
write-memory
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
bridge irb
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
shutdown
interface FastEthernet1
switchport mode trunk
shutdown
interface FastEthernet2
shutdown
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
ip access-group ingress-filter in
ip access-group egress-filter out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip inspect firewall out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
load-interval 30
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption key 1 size 128bit 7 <omitted> transmit-key
encryption mode wep mandatory
broadcast-key vlan 1 change <omitted> membership-termination
broadcast-key vlan 3 change <omitted> membership-termination
broadcast-key vlan 2 change <omitted> membership-termination
ssid test2
ssid test1
ssid test3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
no cdp enable
interface Dot11Radio0.1
description <omitted>
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
description <omitted>
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
description <omitted>
encapsulation dot1Q 3
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan1
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan2
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 2
bridge-group 2 spanning-disabled
interface Vlan3
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 3
bridge-group 3 spanning-disabled
interface BVI1
description <omitted>
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI2
description <omitted>
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI3
description <omitted>
ip address 192.168.16.49 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
ip http timeout-policy idle 5 life 43200 requests 5
ip flow-top-talkers
top 10
sort-by bytes
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
ip access-list extended egress-filter
deny ip any host <omitted>
deny ip any host <omitted>
deny ip host <omitted> any
deny ip host <omitted> any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.10.9.255 any
deny ip 10.0.0.0 0.10.13.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.15.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
permit ip <omitted> 0.0.0.3 any
deny ip any any log
ip access-list extended ingress-filter
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any log
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host <omitted>
deny ip any host <omitted>
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.11.0 0.0.0.255 any
deny ip 10.10.12.0 0.0.0.255 any
deny ip any any log
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
radius-server local
no authentication mac
eapfast authority id <omitted>
eapfast authority info <omitted>
eapfast server-key primary 7 <omitted>
nas 192.168.16.49 key 7 <omitted>
group rad-test3
vlan 3
ssid test3
user test nthash 7 <omitted> group rad-test3
user testtest nthash 7 <omitted> group rad-test3
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
radius-server vsa send accounting
control-plane host
control-plane transit
control-plane cef-exception
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
line con 0
password 7 <omitted>
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 <omitted>
logging synchronous
transport output telnet
line vty 0 4
password 7 <omitted>
logging synchronous
transport preferred ssh
transport input ssh
transport output ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 <omitted> 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24 maxpoll 4
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
end
So this is what I am getting now for debug. Any thoughts?
010724: Jan 5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
010725: Jan 5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
010726: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010727: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010728: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010729: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010730: Jan 5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010731: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010732: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010733: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010734: Jan 5 16:26:08.976 AZT: EAPOL pak dump tx
010735: Jan 5 16:26:08.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010736: Jan 5 16:26:08.976 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0AD05650: 01000004 04010004 ........
0AD05660:
010737: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 1
010738: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010739: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010740: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010741: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 0
010742: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
010743: Jan 5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010744: Jan 5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010745: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010746: Jan 5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010747: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
010748: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010749: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010750: Jan 5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010751: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010752: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010753: Jan 5 16:26:09.624 AZT: EAPOL pak dump tx
010754: Jan 5 16:26:09.624 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010755: Jan 5 16:26:09.624 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010756: Jan 5 16:26:09.644 AZT: dot11_auth_send_msg: sending data to requestor status 1
010757: Jan 5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010758: Jan 5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010759: Jan 5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010760: Jan 5 16:26:09.656 AZT: EAPOL pak dump rx
010761: Jan 5 16:26:09.656 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010762: Jan 5 16:26:09.656 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0B060D50: 01000009 02010009 ........
0B060D60: 01746573 74 .test
010763: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010764: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010765: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010766: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
010767: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010768: Jan 5 16:26:09.664 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010769: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010770: Jan 5 16:26:09.664 AZT: RADIUS: 36 [6]
010771: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010772: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
010773: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010774: Jan 5 16:26:09.664 AZT: RADIUS(00000198): sending
010775: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010776: Jan 5 16:26:09.664 AZT: RADIUS: authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
010777: Jan 5 16:26:09.664 AZT: RADIUS: User-Name [1] 6 "test"
010778: Jan 5 16:26:09.664 AZT: RADIUS: Framed-MTU [12] 6 1400
010779: Jan 5 16:26:09.664 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010780: Jan 5 16:26:09.664 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010781: Jan 5 16:26:09.668 AZT: RADIUS: Service-Type [6] 6 Login [1]
010782: Jan 5 16:26:09.668 AZT: RADIUS: Message-Authenticato[80] 18
010783: Jan 5 16:26:09.668 AZT: RADIUS: 5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6 [[?G???Kq?`nN?7??]
010784: Jan 5 16:26:09.668 AZT: RADIUS: EAP-Message [79] 11
010785: Jan 5 16:26:09.668 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010786: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010787: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port [5] 6 661
010788: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Id [87] 5 "661"
010789: Jan 5 16:26:09.668 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010790: Jan 5 16:26:09.668 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010791: Jan 5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010792: Jan 5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010793: Jan 5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010794: Jan 5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
router871#
010795: Jan 5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010796: Jan 5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010797: Jan 5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010798: Jan 5 16:26:39.794 AZT: EAPOL pak dump rx
010799: Jan 5 16:26:39.794 AZT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
0AD053D0: 01010000 ....
010800: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
010801: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
router871#
010802: Jan 5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010803: Jan 5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
010804: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010805: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010806: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010807: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010808: Jan 5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010809: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010810: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010811: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010812: Jan 5 16:26:47.336 AZT: EAPOL pak dump tx
010813: Jan 5 16:26:47.336 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010814: Jan 5 16:26:47.336 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0B060710: 01000004 04010004 ........
0B060720:
010815: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 1
010816: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010817: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010818: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010819: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 0
010820: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
router871#
010821: Jan 5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010822: Jan 5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010823: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010824: Jan 5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010825: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
010826: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010827: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010828: Jan 5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010829: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010830: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010831: Jan 5 16:26:47.976 AZT: EAPOL pak dump tx
010832: Jan 5 16:26:47.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010833: Jan 5 16:26:47.976 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50: 01000031 01010031 ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30 r871,portid=0
010834: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: sending data to requestor status 1
010835: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010836: Jan 5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010837: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010838: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
router871#
010839: Jan 5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
router871#
010840: Jan 5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010841: Jan 5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010842: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
010843: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010844: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010845: Jan 5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010846: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010847: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010848: Jan 5 16:26:58.638 AZT: EAPOL pak dump tx
010849: Jan 5 16:26:58.638 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010850: Jan 5 16:26:58.638 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060710: 01000031 01010031 ...1...1
0B060720: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060730: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B060740: 72383731 2C706F72 7469643D 30 r871,portid=0
010851: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: sending data to requestor status 1
010852: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010853: Jan 5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010854: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010855: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
010856: Jan 5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010857: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
010858: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
010859: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010860: Jan 5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010861: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
010862: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010863: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010864: Jan 5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010865: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010866: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010867: Jan 5 16:27:12.261 AZT: EAPOL pak dump tx
010868: Jan 5 16:27:12.261 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010869: Jan 5 16:27:12.261 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060FD0: 01000031 01010031 ...1...1
0B060FE0: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B061000: 72383731 2C706F72 7469643D 30 r871,portid=0
010870: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: sending data to requestor status 1
010871: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010872: Jan 5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010873: Jan 5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010874: Jan 5 16:27:12.293 AZT: EAPOL pak dump rx
010875: Jan 5 16:27:12.293 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010876: Jan 5 16:27:12.293 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0AD05290: 01000009 02010009 ........
0AD052A0: 01746573 74 .test
010877: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010878: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010879: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010880: Jan 5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
010881: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: ssid [282] 8
010882: Jan 5 16:27:12.305 AZT: RADIUS: 74 6F 79 73 6F 6E [toyson]
010883: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: interface [175] 3
010884: Jan 5 16:27:12.305 AZT: RADIUS: 36 [6]
010885: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010886: Jan 5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
010887: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010888: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): sending
010889: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
010890: Jan 5 16:27:12.305 AZT: RADIUS: authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
010891: Jan 5 16:27:12.305 AZT: RADIUS: User-Name [1] 6 "test"
010892: Jan 5 16:27:12.305 AZT: RADIUS: Framed-MTU [12] 6 1400
010893: Jan 5 16:27:12.305 AZT: RADIUS: Called-Station-Id [30] 16 "0019.3075.e660"
010894: Jan 5 16:27:12.305 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010895: Jan 5 16:27:12.305 AZT: RADIUS: Service-Type [6] 6 Login [1]
010896: Jan 5 16:27:12.305 AZT: RADIUS: Message-Authenticato[80] 18
010897: Jan 5 16:27:12.305 AZT: RADIUS: 9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64 [??b?8??0:C????Cd]
010898: Jan 5 16:27:12.305 AZT: RADIUS: EAP-Message [79] 11
010899: Jan 5 16:27:12.305 AZT: RADIUS: 02 01 00 09 01 74 65 73 74 [?????test]
010900: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
010901: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port [5] 6 664
010902: Jan 5 16:27:12.309 AZT: RADIUS: NAS-Port-Id [87] 5 "664"
010903: Jan 5 16:27:12.309 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010904: Jan 5 16:27:12.309 AZT: RADIUS: Nas-Identifier [32] 11 "router871"
010905: Jan 5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4
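Added triage example, not from the thread or from Cisco: a Python script that groups the `debug radius` lines above by request id and reports the checks a practitioner would make first (where the Access-Requests actually go, whether that matches the configured `radius-server host`, whether the destination collides with the router's own NAS-IP-Address, and how many retransmits and port fail-overs happened before IOS gave up). The sample lines are a subset copied from the posted output, the configured server set is taken from the posted `radius-server host` line, and the regexes match the IOS message formats visible in this thread; other IOS releases may need the patterns adjusted.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of the "debug radius" lines posted above, trimmed to the
# lines the triage needs (the full dump is in the post).
DEBUG_LINES = """\
010771: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010775: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010777: Jan 5 16:26:09.664 AZT: RADIUS: User-Name [1] 6 "test"
010789: Jan 5 16:26:09.668 AZT: RADIUS: NAS-IP-Address [4] 6 192.168.16.49
010791: Jan 5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
010792: Jan 5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
010793: Jan 5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
010794: Jan 5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
010795: Jan 5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
010803: Jan 5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
"""

# Taken from the "radius-server host ..." line in the posted configuration.
CONFIGURED_SERVERS = {"192.168.16.49"}

IP = r"(\d+\.\d+\.\d+\.\d+)"
SEND_RE = re.compile(r"Send Access-Request to " + IP + r":(\d+) id (\S+),")
RETX_RE = re.compile(r"Retransmit to \(" + IP + r":(\d+),\d+\) for id (\S+)")
FAILOVER_RE = re.compile(r"Fail-over to \(" + IP + r":(\d+),\d+\) for id (\S+)")
NORESP_RE = re.compile(r"No response from \(" + IP + r":(\d+),\d+\) for id (\S+)")
NASIP_RE = re.compile(r"NAS-IP-Address\s+\[4\]\s+\d+\s+" + IP)


@dataclass
class Request:
    rid: str
    targets: list = field(default_factory=list)  # (ip, port) in the order IOS tried them
    retransmits: int = 0
    failed_over: bool = False
    no_response: bool = False
    nas_ip: str = ""


def parse_radius_debug(text):
    """Group IOS 'debug radius' lines by request id and record what happened to each."""
    reqs = {}
    current = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            ip, port, rid = m.groups()
            current = reqs.setdefault(rid, Request(rid))
            current.targets.append((ip, int(port)))
            continue
        m = NASIP_RE.search(line)
        if m and current is not None:  # attribute lines follow the Send line
            current.nas_ip = m.group(1)
            continue
        for regex, kind in ((RETX_RE, "retx"), (FAILOVER_RE, "failover"), (NORESP_RE, "noresp")):
            m = regex.search(line)
            if not m:
                continue
            ip, port, rid = m.groups()
            req = reqs.setdefault(rid, Request(rid))
            if (ip, int(port)) not in req.targets:
                req.targets.append((ip, int(port)))
            if kind == "retx":
                req.retransmits += 1
            elif kind == "failover":
                req.failed_over = True
            else:
                req.no_response = True
            break
    return reqs


def triage(reqs, configured_servers):
    """Turn the parsed requests into the findings a practitioner would check first."""
    findings = []
    for req in reqs.values():
        dests = {ip for ip, _ in req.targets}
        for ip in sorted(dests - set(configured_servers)):
            findings.append(
                f"{req.rid}: Access-Request sent to {ip}, which is not in the configured "
                f"radius-server hosts {sorted(configured_servers)}; look for a second or "
                "mistyped 'radius-server host' line")
        if req.nas_ip and req.nas_ip in configured_servers:
            findings.append(
                f"{req.rid}: configured radius-server host {req.nas_ip} equals the router's "
                "own NAS-IP-Address; the AAA server address is wrong")
        if req.no_response:
            ports = ",".join(str(p) for _, p in req.targets)
            findings.append(
                f"{req.rid}: no reply after {req.retransmits} retransmits on UDP {ports}"
                + (" with port fail-over" if req.failed_over else "")
                + "; check reachability, the server's AAA-client entry for the NAS IP and the "
                "shared secret (an unknown client and a secret mismatch are both dropped without a reply)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_radius_debug(DEBUG_LINES), CONFIGURED_SERVERS):
        print(finding)
```

Run it against a captured `debug radius` session (or paste the lines into `DEBUG_LINES`); an empty finding list means every request got an answer from a configured server, and the EAP failure then has to be chased on the ACS side rather than on the wire.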
-
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
Right now we try to authenticate the machines and users which are plugged into our switches over 802.1X EAP-TLS. Works just fine with Windows.
You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no, the switchport will not allow any traffic.
Now we have to implement the same behaviour on our MacBook Pros. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentation etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work.
2) How do I tell Mavericks to reauthenticate with the user certificate when the user logs in?
Thanks
Unfortunately these documents do not describe how to do what I want.
I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects just automatically. That's really strange.
I set the eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log.
Any ideas ?
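Added example, not from the poster or from Apple: a Python check over a .mobileconfig for the profile-side causes of "machine EAP-TLS works only while a user is logged in" (profile installed in user scope instead of System, no System/Loginwindow setup mode on the network payload, EAP-TLS not in the accepted EAP types, the payload not referencing an identity payload that is actually in the profile, and no trusted server name pinned). The key names (PayloadScope, SetupModes, EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, PayloadCertificateUUID, com.apple.firstactiveethernet.managed, com.apple.security.pkcs12) follow Apple's Configuration Profile Reference as I read it and are an assumption to verify against your MDM's output; the sample profile, UUIDs, identifiers, server name and PKCS#12 blob are constructed. It says nothing about the keychain side, which a profile cannot prove.

```python
import plistlib

EAP_TLS = 13  # EAP method type number for EAP-TLS (RFC 5216)
NETWORK_PAYLOADS = {"com.apple.wifi.managed", "com.apple.firstactiveethernet.managed"}
IDENTITY_PAYLOADS = {"com.apple.security.pkcs12"}

# Constructed profile for the example: UUIDs, identifiers, the server name and the
# PKCS#12 content (one placeholder byte) are made up. Key names follow Apple's
# Configuration Profile Reference as I read it, which is an assumption.
PROFILE_DICT = {
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.dot1x.machine",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadScope": "System",  # install for the machine, not for one user
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.dot1x.machine.identity",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadContent": b"\x30",  # placeholder, not a real PKCS#12 file
        },
        {
            "PayloadType": "com.apple.firstactiveethernet.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.dot1x.machine.ethernet",
            "PayloadUUID": "00000000-0000-0000-0000-000000000003",
            "AutoJoin": True,
            "SetupModes": ["System", "Loginwindow"],  # authenticate before/at login
            "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000002",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [EAP_TLS],
                "TLSTrustedServerNames": ["acs.example.test"],  # assumed server name
            },
        },
    ],
}
SAMPLE_PROFILE = plistlib.dumps(PROFILE_DICT)  # the .mobileconfig XML as it would be installed


def check_profile(profile):
    """Return the reasons this profile could not do machine EAP-TLS at the login window.

    Accepts the raw .mobileconfig bytes or the already-parsed plist dictionary;
    an empty list means every profile-side check passed.
    """
    if isinstance(profile, (bytes, bytearray)):
        profile = plistlib.loads(profile)
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System: a user-scope profile is not applied before login")
    payloads = profile.get("PayloadContent", [])
    identities = {p.get("PayloadUUID") for p in payloads if p.get("PayloadType") in IDENTITY_PAYLOADS}
    network = [p for p in payloads if p.get("PayloadType") in NETWORK_PAYLOADS]
    if not network:
        problems.append("no Wi-Fi or Ethernet payload found")
    for p in network:
        name = p.get("PayloadType")
        modes = set(p.get("SetupModes", []))
        if not modes & {"System", "Loginwindow"}:
            problems.append(f"{name}: SetupModes lacks System/Loginwindow, so it only applies to a logged-in user")
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append(f"{name}: AcceptEAPTypes does not include 13 (EAP-TLS)")
        if p.get("PayloadCertificateUUID") not in identities:
            problems.append(f"{name}: PayloadCertificateUUID does not point at a PKCS#12 identity "
                            "payload in this profile, so there is no client certificate to present")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{name}: TLSTrustedServerNames is empty; the RADIUS server certificate "
                            "is not pinned to a name")
    return problems


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for problem in check_profile(data) or ["profile passes the login-window checks"]:
        print(problem)
```

Point it at an exported profile (`python3 check_profile.py machine.mobileconfig`); a signed profile has to be unwrapped from its CMS envelope first, which this script does not do.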