Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

Hello,
I cannot authenticate IP-phone when I use internal WLC-radius with a profile "eap-fast"
The error message I received on a debug is:
*Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
But of course there is a user configured on my ipphone !
Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)
Note2: When I use LEAP it is OK
Note3: When I try with my PC to authenticate in eap-fast with internal WLC radius, it is OK.
See attachment for more detail.
Many thanks in advance.
Michel Misonne

ABSOLUTELY DO NOT DO THIS!
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart
Please take a look at
https://supportforums.cisco.com/docs/DOC-12110
config advanced eap identity-request-timeout 5
config advanced eap identity-request-retries 12
config advanced eap request-timeout 5
config advanced eap request-retries 12
would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
HTH,
Steve

Similar Messages

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have searched with no result on this topic. So, has anyone implemented Cisco ISE authentication with EAP-FAST and PAC provisioning?
    Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
    If you have any documents, it would be appreciated for me.
    Thanks,
    Pongsatorn

    From what I understand an Internet proxy PAC and an eap-fast PAC are for two different purposes.
    Is that what you are trying to get clarification on?
    Basically eap fast PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.

  • HT1430 cannot hear through phone except with speaker on- how do I fix this?

    cannot hear through phone except with speaker on- how do I fix this?  I am handling all calls now through speaker

    Go to settings/general/ accessibility/incoming calls and make sure it is set to default

  • User profile creation problem for windows 7 clients with eap-fast

    Hi All,
    In our clients' locations we implemented eap-fast authentication with domain integration in ACS for wlan users. Everything is working fine. We are facing a problem with windows 7 laptops, in which the client utility is not available to configure the user profiles.
    In xp laptops client utility software is available with all makes, but with win 7 utilities are not coming by default...
    So what are the options and available sources for creating a user profile with EAP-FAST in windows 7 laptops?
    Is any free universal client utility available for windows 7 laptops?
    Please guide me...
    -Subhash

    Windows 7 should be able to do EAP-fast by default. If not you could download the latest Anyconnect client that also has the Cisco wireless supplicant in it.
    HTH,
    Steve

  • Cannot use internal microphone after upgrading Win 10 Home 64bit

    After upgrading from Windows 7 Home Premium 64 bit to Windows 10 Home 64 bit on my laptop HP 1000 Notebook PC, Windows cannot hear the internal microphone, I think the mic signal is too small. I cannot use Cortana, Skype chat or Hangout. Windows says that the recording driver is still available and connected but there's no recording signal. I already uninstalled and reinstalled the driver from the Realtek and HP websites but no effect. Also I used Windows Troubleshooting and HP Support Assistant but it is still not normal. Can someone help me to solve this problem? I really want to use all the functions of Cortana.

    Thank you very much for your attention! I checked the BIOS, my Production number: C9M71PA#UUF, HP 1000 Notebook. Also, when I tested with 1 external microphone (runs normally with other computer), my laptop can recognize the sound and I can use Cortana, but I have to maximize the Microphone Boost. I guess that the windows driver lowers the voice sound too much; because when I followed the instructions to get started calibrating the microphone in the thread dv7t-7200: Microphone not compatible with Windows 10, it had improvement but not too much. Please help me to deal with this problem. Thank you again.

  • Forgotten password for iPhone 4s and done a remote lock via iCloud and now cannot get into phone! need help fast please!

    Look I really need to know how to get back in my phone as it is for business and very desperate please answer asap

    The manual explains this.
    Restore the iphone.

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with a authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Do any of you have hints?

    I know now the problem. WLC tries to connect with "anonymous bind" to the ldap server. It works well with Win2000. With Win2003 it works only if you open the security. See link: http://support.microsoft.com/kb/320528/en
    You haven't the possibility to configure any username/pwd for a secure ldap query. It's something that is an absolute need for many customers.
    For the moment I will suggest the "workaround" with AP->WLC->Radius->LDAP
    Kind regards
    Alex

  • EAP-FAST with local radius on 1242AG

    I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
    I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
    Any help or a basic example would be great.
    thanks,
    Simon

    I think this is what you're looking for;
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    HTH
    Regards,
    Jatin
    Do rate helpful posts~

  • ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

    Just a question surrounding EAP-FAST chaining (EAP-TLS inner) and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specify that the username should be in a specific AD group. With EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

    I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
    In my deployment I am using a single SSID with the following protocols:
    EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
    EAP-TLS Machine Certs - Certs deployed via AD GPO
    EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
    EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
    My certificate profile, created in ISE, utilised the CN field in the subject for principal username. This configuration works fine for machine certs and user certificates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
    The solution seemed obvious - create a new cert profile that utilises the SAN field of the certificate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
    I figured that a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specify a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
    The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
    I know this explanation is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

  • EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Group

    Dear all,
    WLC 7.4 Release Notes states that with both Local/Central Switching:
    - Mobility in the same Flex Group with CCKM is Fast Roaming if WLAN is mapped to same VLAN
    - Mobility between different Flex Group with CCKM cause a Full Auth
    Using CCK with EAP-Fast during a call with Cisco IP Phone 7921G and 7925G we notice a gap when roaming from an AP belonging to FC GroupA to an AP belonging to FC Group B...so the only solution to do Fast Roaming is to use PMK(OKC) since CCKM will do a complete authentication each time moving from FC Group.
    Where do we enable OKC for a specific WLAN? In the FlexConnect Group Menu?
    Thanks a lot for sharing answer and suggestion
    BR
    O.G.

    Hello Scott,
    thanks for the explanation...
    So if in 7.4.121 OKC is enabled by default I don't understand why I'm having a full Authentication when roaming from AP of FC Group A to AP to FC Group B instead of Fast-Roaming...and this is happening in all FC Group configured (6x).
    Should I disable CCKM flag in the WLAN definition?!?!
    FC Groups and Mobility
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc13
    O.G

  • EAP-FAST - packets dropped/slow response times

    We currently have WLC's and 1131 LWAP's.  If a client is in one area (no roaming) and we carry out a constant ping, every minute a packet will either be dropped or have a huge response time (2000ms ish).
    This happens when using EAP-FAST.  If I configure the client to another SSID I have with PEAP over MsCHAP then this does not occur.
    Is there something inherent with EAP-FAST that anyone is aware of or had this problem before?
    Thanks

    Hi Steve,
    I will make some assumptions and you tell me if they are correct
    1. When you see the lost pings or high ms returns, the phone is idle and not in use, correct?
         * This is because the phone is "sleeping" to conserve battery life
         * If you kick off a call you will see the pings respond as normal (-150ms)
         * There is a mechanism called PSM (Power save mode). I don't want to make this a long winded response. Simply google PSM or CAM 802.11.
    2. I don't think EAP is your issue and here is why:
         * EAP is an authentication protocol. Once authenticated you're set until you need to reauthenticate again.
         * Unless of course you have an issue whereby your client is always reauthenticating one right after another, then that's a different issue which isn't normal
    3. I suspect you have different DTIM settings perhaps on the different WLANs. Look under the advanced tab and look for DTIM .. see how that is set ..
    Oh btw -- If you find this helpful in any way, please, if you won't mind, take a second and rate the post. I would really appreciate it! Thanks bud!

  • EAP-FAST Security level

    Hi all,
    I use EAP-FAST in my network and I have some questions about it.
    1) is there any vulnerability detected with EAP-FAST?
    2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
    3) Can I use EAP-FAST with MAC address filtering through ACS?
    4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
    Thanks for your reply.
    Thanks.

    1)
    Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
    What will happen? see
    The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement.
    To minimize the risk of exposing the user's credentials, a clear text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials within the protected tunnel. The information contained in the PAC is also available for further authentication sessions after the inner EAP method has completed.
    Automatic In-Band PAC Provisioning, which is the same as EAP-FAST phase zero, sends a new PAC to an end-user client over a secured network connection. Automatic In-Band PAC Provisioning requires no intervention of the network user or an ACS administrator, provided that you configure ACS and the end-user client to support Automatic In-Band PAC Provisioning.
    In general, phase zero of EAP-FAST does not authorize network access. In this general case, after the client has successfully performed phase zero PAC provisioning, the client must send a new EAP-FAST request in order to begin a new round of phase one tunnel establishment, followed by phase two authentication.
    However, if you choose the Accept Client on Authenticated Provisioning option, ACS sends a RADIUS Access-Accept (that contains an EAP Success) at the end of a successful phase zero PAC provisioning, and the client is not forced to reauthenticate again. This option can be enabled only when the Allow Authenticated In-Band PAC Provisioning option is also enabled.
    Because transmission of PACs in phase zero is secured by MSCHAPv2 authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we recommend that you limit use of Automatic In-Band PAC Provisioning to initial deployment of EAP-FAST.
    After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
    EAP-FAST has been enhanced to support an authenticated tunnel (by using the server certificate) inside which PAC provisioning occurs. The new cipher suites that are enhancements to EAP-FAST, and specifically the server certificate, are used.
    2) Max user sessions
    3)Yes
    4)PEAP ( EAP TLS )
    Side note:
    EAP FAST is now supported on Microsoft supplicants, so yeah it should work with third party supplicants
    Please make sure to rate correct answers and rate the thread as answered

  • WGB and EAP-FAST

    I try to authenticate a 1300 Workgroup bridge with EAP-FAST.
    Using ACS 3.3(2) Build 2 and 1231 AP's with WDS.
    Is there anyone who has tried this configuration. Ordinary wireless clients are OK.

    Hi,
    A workgroup bridge supports only LEAP as EAP client for EAP authentication.
    You have no option to integrate a PAC file to the device in workgroup bridge mode.
    Look at this link:
    http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804158b3.html#wp1055422

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface basis so this doesn't have to be global.

  • ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

    Hi All,
    I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
    Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
    Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
    I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
    Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
    Thanks,
    Rob

    Hello,
    Did you find a guide for EAP-FAST with AD ?
    I'm facing the same problem, I can't make EAP-FAST working with AD Account,
    Thanks to you
    Regards,
    Gérald
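
Added example (not part of any post above, and not Cisco's code): a small Python model of the first-match behaviour described in the "ISE EAP-FAST chaining EAP-TLS inner method" thread, showing why splitting the rules by allowed protocol alone fails and why adding the EAP-Chaining condition works. The rule names, certificate values and directory entries are constructed, and the evaluation logic is a simplification of what that post describes, not ISE's actual engine.

```python
from dataclasses import dataclass

# Constructed directory: only logon-style names resolve to a group (assumption).
AD_GROUPS = {"jdoe@example.test": "Staff", "asmith@example.test": "Contractors"}


@dataclass(frozen=True)
class Request:
    access_type: str    # e.g. "Wireless_802.1X"
    eap_method: str     # outer method: "EAP-TLS" or "EAP-FAST"
    eap_chaining: bool  # True for EAP-FAST with chaining (EAP-TLS inner)
    cert: dict          # subject fields of the presented user certificate


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict    # Request attribute -> required value
    allowed: frozenset  # outer EAP methods this rule accepts
    cert_field: str     # certificate field used as the principal username


def authorize(rules, req):
    """Return (rule name, status, AD group). The first rule whose conditions
    match is final: a disallowed protocol fails there, with no fall-through."""
    for rule in rules:
        if all(getattr(req, k) == v for k, v in rule.conditions.items()):
            if req.eap_method not in rule.allowed:
                return rule.name, "FAIL: protocol not allowed", None
            group = AD_GROUPS.get(req.cert.get(rule.cert_field, ""))
            return rule.name, "OK" if group else "FAIL: no AD group", group
    return None, "FAIL: no rule matched", None


W = {"access_type": "Wireless_802.1X"}
TLS, FAST = frozenset({"EAP-TLS"}), frozenset({"EAP-FAST"})

# 1. Single rule with one certificate profile (CN, then SAN).
SINGLE_CN = [Rule("Dot1X", W, TLS | FAST, "CN")]
SINGLE_SAN = [Rule("Dot1X", W, TLS | FAST, "SAN")]
# 2. Two rules with the same condition, split only by allowed protocol.
SPLIT_BY_PROTOCOL = [Rule("EAP-TLS", W, TLS, "CN"),
                     Rule("EAP-FAST", W, FAST, "SAN")]
# 3. The fix from the post: the first rule also requires EAP-Chaining.
FIXED = [Rule("EAP-Chaining", {**W, "eap_chaining": True}, FAST, "SAN"),
         Rule("EAP-TLS", W, TLS, "CN")]

# Constructed requests: a GPO-issued cert (display-name CN, logon name in SAN)
# and an ISE/SCEP-issued cert (logon name in CN, no SAN entry).
GPO_USER = Request("Wireless_802.1X", "EAP-FAST", True,
                   {"CN": "Jane Doe", "SAN": "jdoe@example.test"})
ISE_USER = Request("Wireless_802.1X", "EAP-TLS", False,
                   {"CN": "asmith@example.test"})

if __name__ == "__main__":
    policies = {"single CN": SINGLE_CN, "single SAN": SINGLE_SAN,
                "split by protocol": SPLIT_BY_PROTOCOL, "fixed": FIXED}
    for label, rules in policies.items():
        for req in (GPO_USER, ISE_USER):
            print(f"{label:18} {req.eap_method:8} {authorize(rules, req)}")
```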
