EAP-FAST for Cisco a/b/g card ?

Per Cisco
Cisco Compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters will support EAP-FAST in the fourth quarter of 2004.
Anyone have an idea when this will be supported?

Hello,
Currently EAP-FAST support for the ADU software will be available at the end of next month. Sorry for no firmer date but the last week of January is when it appears it will be released.
Regards,
Aaron

Similar Messages

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
    So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
    After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
    Thx.

  • EAP-Fast and Cisco 340 Adapters

    Does anyone know if the 340 adapters support EAP-Fast? The docs that I have looked at talk about 350 adapters... I thought the only difference between 340 and 350's was the anntena.

    Based on this document seems like its supported,
    http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a0080204ae1

  • ISE - dot1x EAP TLS for Cisco IP Phones

    Hi Gents,
    I have a question about the CA configs for ISE or ACS.
    As I understand, LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CA we need to trust:
    1. Cisco CA Certificate
    2. CUCM Locally signed Certificate or CUCM Identity Certificate
    And if these certificates are imported into ISE/ACS, will the ISE/ACS will be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
    Is there any other configs needed?
    I would highly appreicate if someone can clearify me this process.
    Regards,

    I got the answer, for the first part of the EAP TLS authentication: Phone authentication
    In an IEEE 802.1X authentication, the AAA server  is responsible for validating the certificate provided by the phone. To  do this, the AAA server must have a copy of the root CA certificate that  signed the phone's certificate. The root certificates for both LSCs and  MICs can be exported from the CUCM Operating System Administration  interface and imported into your AAA server
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
    As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
    What is needed for this?

  • EAP-Fast

    Hi,
    I have a AP1100 and a repeater AP1100. The AP acts as a Radius server and the clients (all AIR-350) use LEAP, WPA and TKIP. Everything works just fine.
    Now I want to secure my environment a bid more and make use of EAP-Fast. I can't get it work. At the authetication process, it sticks at provisioning. The log at the AP only shows: debugging; Station xxxxx: Authentication failed.
    Does anybody have a clue what I'm doing wrong or is it because the AP is the Radius server i.c.w. EAP-Fast ?
    Thanks,
    Auden

    Cisco Secure ACS is listed as a Prerequisite and in the Required Hardware and Software section;
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080262422.html#wp998531
    hth
    Required Hardware and Software
    The following software and hardware are required for configuring EAP-FAST.
    Cisco Aironet Client Utility (ACU) and Aironet
    •Aironet Client Utility version 6.3
    •Cisco Aironet 350 Series Client Adapter
    •Client adapter firmware version 5.40
    •Client driver version 8.5
    •Aironet Client Monitor (ACM) version 2.3
    •Windows XP, SP1
    Cisco Aironet Access Point
    •Cisco Aironet 1100 Series Access Point
    •Cisco IOS Software Release 12.2(13)JA3
    •CiscoSecure Access Control Server (ACS)
    •CiscoSecure ACS v3.2.3 for Windows 2000 SP4
    •Aironet Configuration Administration Tool (ACAT) (optional)
    •Cisco Aironet ACAT v1.3

  • Mac OS X 10.4.8 adds EAP-FAST support

    From the release notes of Mac OS X 10.4.8 update:
    http://docs.info.apple.com/article.html?artnum=304200
    - Improves security by adding support for EAP-FAST for AirPort wireless authentication.

    Mac OS X 10.4.8 is now out, and many people were
    hoping that Apple would take the opportunity to
    update iSync at the same time.
    After examining this update I can confirm that iSync
    remains at v2.3 and no new phone support has been
    added.
    Therefore Sony Ericsson M600, P990 and W950 owners
    still have no way to iSync their phones. (For
    workarounds
    see here.
    Owners of Sony Ericsson W850, K610, K510, K800, W300,
    W700, K790, V630, Z550 and Z525 phones can continue
    to use the iSync Phone Plugins available below to
    sync these models:
    http://mobile.feisar.com/phoneplugins23.html
    Jools
    This is really bad news! Apple is disappointing a whole lot of new phone owners. I bought my first Apple computer especially for Isync and Ical. Now it seems that the users are no longer important. Innovation and big numbers are the new targets.
    Without the proper use of Ical and Isync, OS X becomes incomplete and therefore less interesting for all users.
    I think Apple is making a big mistake here!
    I’m not willing to let Apple decide witch phone to buy!
    So how about it Steve?
    Powerbook G4   Mac OS X (10.4.7)  

  • Lans/Catalyst and EAP-FAST?

    I'd like to use EAP-FAST for both my 802.11 wireless and my lan network.
    However the only EAP-FAST client I have seen is the ACU for the Aironet products, nothing for the Catalyst (am I missing something?)
    Any plans for Ethernet adapter software that does EAP-FAST? I primary use Windows XP-SP2 in my lan.

    All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
    Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
    If you have any documents, it would be appreciated for me.
    Thanks,
    Pongsatorn

    From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
    Is that what you are trying to get clarification on.
    Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App

  • ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

    Hi All,
    I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
    Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
    Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
    I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
    Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
    Thanks,
    Rob

    Hello,
    Did you find a guide for EAP-FAST with AD ?
    I'm facing the same problem, I can't make EAP-FAST working with AD Account,
    Thanks to you
    Regards,
    Gérald

  • User profile creation problem for windows 7 clients with eap-fast

    Hi All,
    In our clients locations we implemented eap-fast authentication with domain integration in ACS for wlan users.Every thing working fine.We are facing problem with windows 7 laptops, in which client utility is not available to configure the user profiles.
      In xp laptops client utility softwares are available with all makes, but with win 7 utilitys are not coming by default......
    So what are options and available sourses for creating user profile with EAP-FAST in windows 7 laptops.
    Any free univarsal client utility is available for windows 7 laptop.
    Please guide me..............
    -Subhash

    Windows 7 should be able to do EAP-fast by default. If not you could download the latest Anyconnect client that also has the Cisco wireless supplicant in it.
    HTH,
    Steve
    Sent from Cisco Technical Support iPad App

  • Cisco 871w, radius server local, and leap or eap-fast will not authenticate

    Hello, i trying to setup eap-fast or leap on my 871w.  i belive i have it confiured correctly but i can not get any device to authenticate to router.  Below is the confiureation that i being used.  any help would be welcome!
    ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
    ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
    version 12.4
    configuration mode exclusive auto
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service linenumber
    service pt-vty-logging
    service sequence-numbers
    hostname router871
    boot-start-marker
    boot-end-marker
    logging count
    logging message-counter syslog
    logging buffered 4096
    logging rate-limit 512 except critical
    logging console critical
    enable secret 5 <omitted>
    aaa new-model
    aaa group server radius rad-test3
    server 192.168.16.49 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login eap-methods group rad-test3
    aaa authorization exec default local
    aaa session-id common
    clock timezone AZT -7
    clock save interval 8
    dot11 syslog
    dot11 ssid test2
    vlan 2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <omitted>
    dot11 ssid test1
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 <omitted>
    dot11 ssid test3
    vlan 3
    authentication open eap eap-methods
    authentication network-eap eap-methods
    no ip source-route
    no ip gratuitous-arps
    ip options drop
    ip dhcp bootp ignore
    ip dhcp excluded-address 192.162.16.49 192.162.16.51
    ip dhcp excluded-address 192.168.16.33
    ip dhcp excluded-address 192.168.16.1 192.168.16.4
    ip dhcp pool vlan1pool
       import all
       network 192.168.16.0 255.255.255.224
       default-router 192.168.16.1
       domain-name test1.local.home
       lease 4
    ip dhcp pool vlan2pool
       import all
       network 192.168.16.32 255.255.255.240
       default-router 192.168.16.33
       domain-name test2.local.home
       lease 0 6
    ip dhcp pool vlan3pool
       import all
       network 192.168.16.48 255.255.255.240
       default-router 192.168.16.49
       domain-name test3.local.home
       lease 2
    ip cef
    ip inspect alert-off
    ip inspect max-incomplete low 25
    ip inspect max-incomplete high 50
    ip inspect one-minute low 25
    ip inspect one-minute high 50
    ip inspect udp idle-time 15
    ip inspect tcp idle-time 1800
    ip inspect tcp finwait-time 30
    ip inspect tcp synwait-time 60
    ip inspect tcp block-non-session
    ip inspect tcp max-incomplete host 25 block-time 2
    ip inspect name firewall tcp router-traffic
    ip inspect name firewall ntp
    ip inspect name firewall ftp
    ip inspect name firewall udp router-traffic
    ip inspect name firewall pop3
    ip inspect name firewall pop3s
    ip inspect name firewall imap
    ip inspect name firewall imap3
    ip inspect name firewall imaps
    ip inspect name firewall smtp
    ip inspect name firewall ssh
    ip inspect name firewall icmp router-traffic timeout 10
    ip inspect name firewall dns
    ip inspect name firewall h323
    ip inspect name firewall hsrp
    ip inspect name firewall telnet
    ip inspect name firewall tftp
    no ip bootp server
    no ip domain lookup
    ip domain name local.home
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip accounting-threshold 100
    ip accounting-list 192.168.16.0 0.0.0.31
    ip accounting-list 192.168.16.32 0.0.0.15
    ip accounting-list 192.168.16.48 0.0.0.15
    ip accounting-transits 25
    login block-for 120 attempts 5 within 60
    login delay 5
    login on-failure log
    memory free low-watermark processor 65536
    memory free low-watermark IO 16384
    username testtest password 7 <omitted>
    archive
    log config
      logging enable
      logging size 255
      notify syslog contenttype plaintext
      hidekeys
    path tftp://<omitted>/archive-config
    write-memory
    ip tcp synwait-time 10
    ip ssh time-out 20
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    bridge irb
    interface Loopback0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    shutdown
    interface FastEthernet1
    switchport mode trunk
    shutdown
    interface FastEthernet2
    shutdown
    spanning-tree portfast
    interface FastEthernet3
    spanning-tree portfast
    interface FastEthernet4
    description Cox Internet Connection
    ip address dhcp
    ip access-group ingress-filter in
    ip access-group egress-filter out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip flow egress
    ip inspect firewall out
    ip nat outside
    ip virtual-reassembly
    ip tcp adjust-mss 1460
    load-interval 30
    duplex auto
    speed auto
    no cdp enable
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encryption vlan 1 mode ciphers aes-ccm
    encryption vlan 2 mode ciphers aes-ccm
    encryption key 1 size 128bit 7 <omitted> transmit-key
    encryption mode wep mandatory
    broadcast-key vlan 1 change <omitted> membership-termination
    broadcast-key vlan 3 change <omitted> membership-termination
    broadcast-key vlan 2 change <omitted> membership-termination
    ssid test2
    ssid test1
    ssid test3
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    rts threshold 2312
    no cdp enable
    interface Dot11Radio0.1
    description <omitted>
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    description <omitted>
    encapsulation dot1Q 2
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.3
    description <omitted>
    encapsulation dot1Q 3
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan1
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan2
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface Vlan3
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 3
    bridge-group 3 spanning-disabled
    interface BVI1
    description <omitted>
    ip address 192.168.16.1 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI2
    description <omitted>
    ip address 192.168.16.33 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI3
    description <omitted>
    ip address 192.168.16.49 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
    ip http timeout-policy idle 5 life 43200 requests 5
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
    ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
    ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
    ip access-list extended egress-filter
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   ip host <omitted> any
    deny   ip host <omitted> any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.10.9.255 any
    deny   ip 10.0.0.0 0.10.13.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.15.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    permit ip <omitted> 0.0.0.3 any
    deny   ip any any log
    ip access-list extended ingress-filter
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any log
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip 10.10.10.0 0.0.0.255 any
    deny   ip 10.10.11.0 0.0.0.255 any
    deny   ip 10.10.12.0 0.0.0.255 any
    deny   ip any any log
    access-list 1 permit 192.168.16.0 0.0.0.63
    access-list 20 permit 127.127.1.1
    access-list 20 permit 204.235.61.9
    access-list 20 permit 173.201.38.85
    access-list 20 permit 216.229.4.69
    access-list 20 permit 152.2.21.1
    access-list 20 permit 130.126.24.24
    access-list 21 permit 192.168.16.0 0.0.0.63
    radius-server local
    no authentication mac
    eapfast authority id <omitted>
    eapfast authority info <omitted>
    eapfast server-key primary 7 <omitted>
    nas 192.168.16.49 key 7 <omitted>
    group rad-test3
      vlan 3
      ssid test3
    user test nthash 7 <omitted> group rad-test3
    user testtest nthash 7 <omitted> group rad-test3
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
    radius-server vsa send accounting
    control-plane host
    control-plane transit
    control-plane cef-exception
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    bridge 3 protocol ieee
    bridge 3 route ip
    line con 0
    password 7 <omitted>
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    password 7 <omitted>
    logging synchronous
    transport output telnet
    line vty 0 4
    password 7 <omitted>
    logging synchronous
    transport preferred ssh
    transport input ssh
    transport output ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    process cpu threshold type total rising 80 interval 10 falling 40 interval 10
    ntp authentication-key 1 md5 <omitted> 7
    ntp authenticate
    ntp trusted-key 1
    ntp source FastEthernet4
    ntp access-group peer 20
    ntp access-group serve-only 21
    ntp master 1
    ntp server 152.2.21.1 maxpoll 4
    ntp server 204.235.61.9 maxpoll 4
    ntp server 130.126.24.24 maxpoll 4
    ntp server 216.229.4.69 maxpoll 4
    ntp server 173.201.38.85 maxpoll 4
    end

    so this what i am getting now for debug? any thoughs?
    010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
    010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
    010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
    010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0AD05650:                   01000004 04010004          ........
    0AD05660:
    010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
    010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
    010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0B060D50:                   01000009 02010009          ........
    0B060D60: 01746573 74                          .test
    010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
    010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
    010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
    010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
    010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
    010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
    010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
    010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
    010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
    010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
    010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
    010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
    010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
    010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    0AD053D0:                   01010000                   ....
    010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
    010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
    router871#
    010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
    010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
    010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0B060710:                   01000004 04010004          ........
    0B060720:
    010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    router871#
    010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
    010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    router871#
    010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    router871#
    010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
    010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060710:                   01000031 01010031          ...1...1
    0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
    010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
    010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
    010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
    010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060FD0:                   01000031 01010031          ...1...1
    0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
    010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
    010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0AD05290:                   01000009 02010009          ........
    0AD052A0: 01746573 74                          .test
    010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
    010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
    010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
    010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
    010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
    010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
    010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
    010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
    010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
    010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
    010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
    010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
    010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4

  • EAP Authentication Configuration for EAP-FAST and PEAP

    Hi Everyone,
    I pretty much got EAP working, however using LEAP 
    When I get to EAP-FAST and PEAP, I just can't seem to get it to work
    What am I missing, I do know that EAP-FAST and PEAP involve certificates. However, how do i set them up on the client side?
    Hope you guys can help me on this, stuck on this part xD

    EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation. 
    EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how its deployed. 
    Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACS only.
    The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password  back to AD for example. 
    Hope this helps .. 

  • Authorization rule for EAP-FAST (inner EAP-TLS)

    We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificate. We initally had the following condition in our AuthZ rule -> EapChainingResult = User and machine both succeeded, however we found that intially machine succeeds and the user doesnt succeed until after windows login. If we change the condition to EapTunnelType = EAPFAST then it works fine, logs show that while initially user fails and machine succeeds, after login to windows shell then both user and machine succeded log message is visible. My preference would be to get it working with the first condition as it is a more valid check but it doesnt work due to the initial failure, anyone else got EAP-FAST (EAP-TLS) working.
    Regards

    I have it running at a customer, and as you discovered only machine auth succeeds initially, this is because the user store where the users certificate is not opened until they have logged ind, this is working as intended.
    What you can do is to have two different authz rules, one for eapchainingresult=machine succeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

  • Cisco SAN 9513s Slot dependancy for fc 24 & 48 port cards?

    Newbee Question #1
    I have a customer who is about to populate 2 new 9513s with fc 24 and 48 port cards.  Are there any slot restrictions/dependancies for these FC cards.  We know Slots 7 & 8 are reserved for the Sup-2 Engine cards.
    May we populate slots 1 - 6 and 9 - 13 with 24 and/or 48 port cards?
    Thanks, in advance, for your time and assistance.
    Regards
    R. W.

    Yes, they can be installed in any slot other than the sup slots.  Best practice is to install any Generation 1 cards before Generation 2 cards.

  • Limitations/Issues to use LEAP/EAP-Fast with Airespace

    Hello
    are there any important limitations or issues to use with cisco a/b/g Card the authentication methodes LEAP or EAP-FAST.
    Any input is welcome
    Oliver

    I would suggest that you use LEAP for the client adapters. It is easy to implement and is also secure.

Maybe you are looking for

  • Program terminated error after entering sold to party no. in sales order

    hello friends,                   can any help me, i was doing the topic of user exit for pre-defined sold to party using v45a0002 in cmod and i wrote a program for include 'if sy-uname= 'sapuser'. message e000(0) with ' you are not authorised to crea

  • Posting of retirement/transfer not possible(error in asset)

    Hi All, this is regarding intra company asset transfer through transaction code ABUMN. The issue is like below : Let's say asset code is 764 in 111 asset class & i am transferring this asset to 3615 in 112 asset class through ABUMN. Actaully in 2004,

  • RMAN Obsolete

    Hi Guys, I'm having 15 days of backup in RMAN Catalog and my initial RMAN config is as per below: CONFIGURE RETENTION POLICY TO REDUNDANCY 10; Since I only want to keep the backup for latest 10 days, so I have changed the config to: CONFIGURE RETENTI

  • T-code FAGLB03 drilldown to document level cant view the field cleared/open

    Hi everyone, It is my first time to post a thread here. Currently i using ECC 5.0 GL Balance displayed through FAGLB03: when i drill down to documet level and i need to create my own layout i cant see the field "cleared/open items symbol". But if i u

  • IPhoto: strange behaviour with preview thumbnails

    Is there a simple way in iPhoto 8 to rebuild the thumbnail database? I recently noticed a strange behaviour iPhoto 8 has with previews: In some of my event categories, iPhoto does not display the correct preview thumbnail of the picture, but a previe