Connect to EAP-FAST corporate network

Similar Messages

• How do you connect a Mac to an EAP-FAST wireless network?

  Although this guy doesn't seem to like it much:
  http://www.lanarchitect.net/Articles/Wireless/EAP-FAST/
  my company is deploying EAP-FAST according to this spec:
  http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-03.txt
  And some additiona info:
  http://www.ciscopress.com/articles/article.asp?p=369223&seqNum=5&rl=1
  Anyone know of any third-party options?
  Otherwise I'll have to buy a long ethernet cable.
  1.5 Ghz PB   Mac OS X (10.4.6)  

  To add to John's comment, I think there are about 1500 of us affected by not having EAP-FAST as an option on our PowerBooks/MacBook Pros at the office. It'd be great to have Apple add support for EAP-FAST to the Airport but failing that a decent third-party option will have to suffice.

• Is it possible to restrict access to individual SharePoint Online sites (or site collections) to users only connecting when on the corporate network?

  Hi,
  We have an Office 365 environment which is linked to our on premise ADFS environment. We have started to make some deployments of sites to our SharePoint Online environment. For the majority of sites this is great and the ability to access the sites
  from anywhere is a real bonus. However, there are some sites and data that I would be much more comfortable in migrating to SharePoint Online if there were a way to make them only accessible via users/computers connected to the corporate network. 
  I have seen articles in how you can configure ADFS to allow all connections to the Office 365 tenant only from the network or not but what I am after is something which can be configured on a site by site basis (i.e. not the whole Office 365 environment
  or SharePoint Online environment) to only allow access when connecting from the corporate network.
  Any advice/help would be much appreciated?
  Many thanks
  Paul

  Hi,
  This is the forum to discuss questions and feedback for Microsoft Office, the issue is more related to SharePoint online, I recommend you post your question to the Microsoft Office 365 Community Sites and document sharing Forum
  http://community.office365.com/en-us/f/154.aspx
  The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
  Thanks
  George Zhao
  Forum Support
  Come back and mark the replies as answers if they help and unmark them if they provide no help.
  If you have any feedback on our support, please click "[email protected]"

• WET200 Could firmware allow EAP-FAST

  Hi,
  I have been looking to utilise the above authentication using a PAC file.
  This is the system used by one of our clients. Although Cisco aironet 1300
  series supports this, they are a good deal more expensive as a solution.
  My question to see what your thought are is whether a device like this WET200
  would ever be able to support this type of authentication with the likes of a firmware
  upgrade? I know it's not worth holding your breath on, but the unit had originally
  been purchased since cisco compatibility was a prerequesite. Only once we went
  to setup did it become apparent as to the authentication method they used.
  TIA
  Andrew

  Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.

• "Unable to connect to the database" when connected to corporate network

  Hi
  Installed Primavera P6 V7 and Oracle 10g in Stand alone on XP 32bit machines with SP3. When our machines are NOT connected to the corporate network it works fine.
  However when connected to the network we can not access the locally stored database. We get message "primavera unable to connect to the database. would you like to configure the database connection now"
  Database on servers that we set up are fine regardless.
  If we connect machines to just the internet, again no issues.
  So something is stopping Primavera opening local database when connect on our corporate network.
  Any ideas please?
  Thanks

  This may be a long shot but look into how your TNSNAMES.ora file is being distributed on the domain (or are you possibly utilizing LDAP.ora on the domain side?).
  Some time ago I remember a company scripting an ENV variable on domain logon that altered where the Oracle client would pull the TNSNAMES from.

• Hosts on corporate network unable to connect to VPN client

  I've got an ASA 5505 set up as an IPSec-VPN server. The VPN client is able to connect okay and can initiate TCP sessions with hosts on the corporate network. But those hosts cannot initiate TCP sessions with the client; the ASA rejects their packets instead of sending them through the encrypted tunnel.
  This sounds like a firewall configuration problem. But the ASA is not set up to firewall VPN connections at all, as far as I can tell.
  Can anyone explain what's wrong or where I should look?

  Thanks for the feedback.
  The client is a Mac running OS-X. Firewalling is turned off; there's no trouble connecting to the client when it is plugged directly into the corporate network.
  The "no-nat" rules on the 5505 look like this:
  access-list inside_nat0_outbound extended permit ip any 10.170.30.0 255.255.255.0
  nat (inside) 0 access-list inside_nat0_outbound
  Here 10.170.30.0/24 is the IP pool dedicated to the VPN. There are no other NAT-related lines in the 5505's configuration.

• Strange "Quicktime not found" error - unless connected to corporate network

  I'm attempting to get iTunes running on a new HP laptop from work running Win 7 64 bit. My user login was created by the corporate IT group as an Active Directory object. I was granted administrator rights on the PC. There is an additional "temp" user that also has admin rights.
  I installed the 64 bit version of iTunes and I get the "Quicktime was not found." error every time I try to launch iTunes. That is except when I'm connected to the corporate network. I can connect and it works and disconnect and it throws the Quicktime error. I have connected and disconnected many times and this behavior is 100% reliable.
  I have tried several complete uninstalls and reinstalls. I have tried both the Active Directory login and the local login and both accounts experience this behavior. I have performed repair installs on both iTunes and Quicktime. Quicktime runs perfectly whether connected to the corporate net or not.
  I'm running out of options. I need this to work as I've gone rather long without updating my iPhone. All I can think of at this point is the fact that the PC shipped with a Win 7 Home license which was upgraded to a Win 7 Pro license. Maybe there is some permission problem or even a group policy issue?
  Any help is greatly appreciated.
  Thank you.

  Many of us on my corporate network are having this problem too. (We are all running 9.1.1.12)
  I am the IT guy for about 1000 users, and most of the users with cells have iphones. Our biggest problem right now is those users with iphones and laptops. We install iTunes so they can sync and all that.
  As soon as they disconnect the network cable off the corporate network, and try to load itunes, they get the "Quicktime could not be found". I can reliably reproduce this.
  1. Plug into corporate network.
  2. Load itunes, works great.
  3. Close itunes.
  4. Disconnect your network cable.
  5. Load itunes, gives error.
  This means, of course, that they can't use itunes at home, or on the road, with this one exception:
  If they are connected to the vpn, it works great.
  I have tried uninstalling itunes, and installing 9.0, but I had the same problem.
  Add me to the list of people having the problem. I would love to get this resolved for my users.
  Things that I have not tried yet, but would like to:
  - Install a version of itunes earlier than 9
  - Install itunes from home, and bring my laptop to work.
  Thanks guys!

• ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

  Just a question surrounding EAP-FAST chaining (EAP-TLS inner)  and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specifiy that the username should be in a specific AD group. WIth EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

  I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
  In my deployment I am using a single SSID with the following protocols:
  EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
  EAP-TLS Machine Certs - Certs deploted via AD GPO
  EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
  EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
  My certificate profile, created in ISE, utilised the CN field in the subject for principle username. This configuration works fine for machine certs and user certifcates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
  The solution seemed obvious - create a new cert profile that utilises the SAN field of the certifcate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
  I figured that the a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specifiy a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
  The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
  I know this explantion is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

• Cisco 871w, radius server local, and leap or eap-fast will not authenticate

  Hello, i trying to setup eap-fast or leap on my 871w.  i belive i have it confiured correctly but i can not get any device to authenticate to router.  Below is the confiureation that i being used.  any help would be welcome!
  ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
  ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
  version 12.4
  configuration mode exclusive auto
  service nagle
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service linenumber
  service pt-vty-logging
  service sequence-numbers
  hostname router871
  boot-start-marker
  boot-end-marker
  logging count
  logging message-counter syslog
  logging buffered 4096
  logging rate-limit 512 except critical
  logging console critical
  enable secret 5 <omitted>
  aaa new-model
  aaa group server radius rad-test3
  server 192.168.16.49 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login eap-methods group rad-test3
  aaa authorization exec default local
  aaa session-id common
  clock timezone AZT -7
  clock save interval 8
  dot11 syslog
  dot11 ssid test2
  vlan 2
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7 <omitted>
  dot11 ssid test1
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 7 <omitted>
  dot11 ssid test3
  vlan 3
  authentication open eap eap-methods
  authentication network-eap eap-methods
  no ip source-route
  no ip gratuitous-arps
  ip options drop
  ip dhcp bootp ignore
  ip dhcp excluded-address 192.162.16.49 192.162.16.51
  ip dhcp excluded-address 192.168.16.33
  ip dhcp excluded-address 192.168.16.1 192.168.16.4
  ip dhcp pool vlan1pool
     import all
     network 192.168.16.0 255.255.255.224
     default-router 192.168.16.1
     domain-name test1.local.home
     lease 4
  ip dhcp pool vlan2pool
     import all
     network 192.168.16.32 255.255.255.240
     default-router 192.168.16.33
     domain-name test2.local.home
     lease 0 6
  ip dhcp pool vlan3pool
     import all
     network 192.168.16.48 255.255.255.240
     default-router 192.168.16.49
     domain-name test3.local.home
     lease 2
  ip cef
  ip inspect alert-off
  ip inspect max-incomplete low 25
  ip inspect max-incomplete high 50
  ip inspect one-minute low 25
  ip inspect one-minute high 50
  ip inspect udp idle-time 15
  ip inspect tcp idle-time 1800
  ip inspect tcp finwait-time 30
  ip inspect tcp synwait-time 60
  ip inspect tcp block-non-session
  ip inspect tcp max-incomplete host 25 block-time 2
  ip inspect name firewall tcp router-traffic
  ip inspect name firewall ntp
  ip inspect name firewall ftp
  ip inspect name firewall udp router-traffic
  ip inspect name firewall pop3
  ip inspect name firewall pop3s
  ip inspect name firewall imap
  ip inspect name firewall imap3
  ip inspect name firewall imaps
  ip inspect name firewall smtp
  ip inspect name firewall ssh
  ip inspect name firewall icmp router-traffic timeout 10
  ip inspect name firewall dns
  ip inspect name firewall h323
  ip inspect name firewall hsrp
  ip inspect name firewall telnet
  ip inspect name firewall tftp
  no ip bootp server
  no ip domain lookup
  ip domain name local.home
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  ip accounting-threshold 100
  ip accounting-list 192.168.16.0 0.0.0.31
  ip accounting-list 192.168.16.32 0.0.0.15
  ip accounting-list 192.168.16.48 0.0.0.15
  ip accounting-transits 25
  login block-for 120 attempts 5 within 60
  login delay 5
  login on-failure log
  memory free low-watermark processor 65536
  memory free low-watermark IO 16384
  username testtest password 7 <omitted>
  archive
  log config
    logging enable
    logging size 255
    notify syslog contenttype plaintext
    hidekeys
  path tftp://<omitted>/archive-config
  write-memory
  ip tcp synwait-time 10
  ip ssh time-out 20
  ip ssh authentication-retries 2
  ip ssh logging events
  ip ssh version 2
  bridge irb
  interface Loopback0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  interface Null0
  no ip unreachables
  interface FastEthernet0
  switchport mode trunk
  shutdown
  interface FastEthernet1
  switchport mode trunk
  shutdown
  interface FastEthernet2
  shutdown
  spanning-tree portfast
  interface FastEthernet3
  spanning-tree portfast
  interface FastEthernet4
  description Cox Internet Connection
  ip address dhcp
  ip access-group ingress-filter in
  ip access-group egress-filter out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting access-violations
  ip flow ingress
  ip flow egress
  ip inspect firewall out
  ip nat outside
  ip virtual-reassembly
  ip tcp adjust-mss 1460
  load-interval 30
  duplex auto
  speed auto
  no cdp enable
  interface Dot11Radio0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encryption vlan 1 mode ciphers aes-ccm
  encryption vlan 2 mode ciphers aes-ccm
  encryption key 1 size 128bit 7 <omitted> transmit-key
  encryption mode wep mandatory
  broadcast-key vlan 1 change <omitted> membership-termination
  broadcast-key vlan 3 change <omitted> membership-termination
  broadcast-key vlan 2 change <omitted> membership-termination
  ssid test2
  ssid test1
  ssid test3
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  rts threshold 2312
  no cdp enable
  interface Dot11Radio0.1
  description <omitted>
  encapsulation dot1Q 1 native
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.2
  description <omitted>
  encapsulation dot1Q 2
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Dot11Radio0.3
  description <omitted>
  encapsulation dot1Q 3
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan1
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Vlan2
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 2
  bridge-group 2 spanning-disabled
  interface Vlan3
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 3
  bridge-group 3 spanning-disabled
  interface BVI1
  description <omitted>
  ip address 192.168.16.1 255.255.255.224
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI2
  description <omitted>
  ip address 192.168.16.33 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI3
  description <omitted>
  ip address 192.168.16.49 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
  ip http timeout-policy idle 5 life 43200 requests 5
  ip flow-top-talkers
  top 10
  sort-by bytes
  ip nat inside source list 1 interface FastEthernet4 overload
  ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
  ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
  ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
  ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
  ip access-list extended egress-filter
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   ip host <omitted> any
  deny   ip host <omitted> any
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.10.9.255 any
  deny   ip 10.0.0.0 0.10.13.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.15.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  permit ip <omitted> 0.0.0.3 any
  deny   ip any any log
  ip access-list extended ingress-filter
  remark ----- To get IP form COX -----
  permit udp any eq bootps any eq bootpc
  deny   icmp any any log
  deny   udp any any eq echo
  deny   udp any eq echo any
  deny   tcp any any fragments
  deny   udp any any fragments
  deny   ip any any fragments
  deny   ip any any option any-options
  deny   ip any any ttl lt 4
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   udp any any range 33400 34400
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  deny   ip 10.10.10.0 0.0.0.255 any
  deny   ip 10.10.11.0 0.0.0.255 any
  deny   ip 10.10.12.0 0.0.0.255 any
  deny   ip any any log
  access-list 1 permit 192.168.16.0 0.0.0.63
  access-list 20 permit 127.127.1.1
  access-list 20 permit 204.235.61.9
  access-list 20 permit 173.201.38.85
  access-list 20 permit 216.229.4.69
  access-list 20 permit 152.2.21.1
  access-list 20 permit 130.126.24.24
  access-list 21 permit 192.168.16.0 0.0.0.63
  radius-server local
  no authentication mac
  eapfast authority id <omitted>
  eapfast authority info <omitted>
  eapfast server-key primary 7 <omitted>
  nas 192.168.16.49 key 7 <omitted>
  group rad-test3
    vlan 3
    ssid test3
  user test nthash 7 <omitted> group rad-test3
  user testtest nthash 7 <omitted> group rad-test3
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
  radius-server vsa send accounting
  control-plane host
  control-plane transit
  control-plane cef-exception
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 2 protocol ieee
  bridge 2 route ip
  bridge 3 protocol ieee
  bridge 3 route ip
  line con 0
  password 7 <omitted>
  logging synchronous
  no modem enable
  transport output telnet
  line aux 0
  password 7 <omitted>
  logging synchronous
  transport output telnet
  line vty 0 4
  password 7 <omitted>
  logging synchronous
  transport preferred ssh
  transport input ssh
  transport output ssh
  scheduler max-task-time 5000
  scheduler allocate 4000 1000
  scheduler interval 500
  process cpu threshold type total rising 80 interval 10 falling 40 interval 10
  ntp authentication-key 1 md5 <omitted> 7
  ntp authenticate
  ntp trusted-key 1
  ntp source FastEthernet4
  ntp access-group peer 20
  ntp access-group serve-only 21
  ntp master 1
  ntp server 152.2.21.1 maxpoll 4
  ntp server 204.235.61.9 maxpoll 4
  ntp server 130.126.24.24 maxpoll 4
  ntp server 216.229.4.69 maxpoll 4
  ntp server 173.201.38.85 maxpoll 4
  end

  so this what i am getting now for debug? any thoughs?
  010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
  010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
  010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
  010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0AD05650:                   01000004 04010004          ........
  0AD05660:
  010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
  010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
  010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0B060D50:                   01000009 02010009          ........
  0B060D60: 01746573 74                          .test
  010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
  010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
  010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
  010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
  010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
  010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
  010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
  010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
  010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
  010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
  010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
  010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
  010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
  010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
  0AD053D0:                   01010000                   ....
  010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
  010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
  router871#
  010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
  010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
  010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0B060710:                   01000004 04010004          ........
  0B060720:
  010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  router871#
  010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
  010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  router871#
  010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  router871#
  010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
  010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060710:                   01000031 01010031          ...1...1
  0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
  010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
  010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
  010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
  010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060FD0:                   01000031 01010031          ...1...1
  0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
  010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
  010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0AD05290:                   01000009 02010009          ........
  0AD052A0: 01746573 74                          .test
  010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
  010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
  010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
  010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
  010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
  010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
  010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
  010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
  010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
  010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
  010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
  010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
  010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4

• EAP-FAST Security level

  Hi all,
  I use EAP-FAST in my network and I have some questions about it.
  1) is there any vulnerability detected with EAP-FAST?
  2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
  3) Can I use EAP-FAST with MAC address filtering through ACS?
  4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
  Thanks for your reply.
  Thanks.

  1)
  Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
  What will happen? see
  The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
  To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
  Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
  In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
  However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
  Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
  After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
  EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
  2) Max user sessions
  3)Yes
  4)PEAP ( EAP TLS )
  Side note:
  EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
  Please make sure to rate correct answers and rate the thread as answered

• Other LEAP upgrade options besides PEAP and EAP-FAST?

  Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
  Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

  A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
  TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
  Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
  You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
  If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
  There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
  Good Luck
  Scott

• EAP-FAST - PEAP etc - Installing server cert on OS X - How ?

  We are running EAP-FAST, but my Mac will not log on to the wireless network. The radius server says that the client probably did not like the server certificate (self-signed).
  How do I get the server certificate installed under Leopard ? And how do I associate that with the specific SSID of the EAP-FAST network ? (So as to prevent the same cert from working on other SSIDs).

  have you tried setting up a new network location and then configure your wireless connection as laid out in the following how to?
  http://www.csupomona.edu/~ehelp/wireless/setup_leopard.shtml

• EAP-FAST is now in 10.4.9

  The fix for EAP-FAST is suppose to be in 10.4.9.
  the last network update to 10.4.8 had it.

  I have had the system hang on an Intel iMac running OS 10.4.9, with latest Security Updates, after importing an image into Photoshop CS3 via firewire connection to an Epson scanner. No problem previously with the firewire scanner on an iMac G5 running OS 10.4.9. Since everything was more or less updated at the same time, not sure where the problem lies. The scan is complete and just as the image opens in Photoshop, the system hangs, and Force-Quit doesn't work. The Force Quit dialogue box shows 'Photoshop is not responding'. I've had to manually shut down the system by holding the power button down. This has all happened within the last few days, and the issue appears intermittently--some scans complete normally.

• Some websites don't work in Safari when I VPN into my corporate networke

  discussions.apple.com as well as facebook.com don't work if I'm connected to my corporate network using VPN. I am forced to use Camino in I want to access those sites. Does anyone know why?
  Thanks!

  You might try installing a fresh version of SafariStand and see if you still have the problem with dead links. I'm not familiar with the 'Quick Search' feature but you could have a look at Glims. Don't try to run both Glims and SafariStand together.

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting