EAP-Fast-Windows XP

Similar Messages

• WLAN Access via 802.1x/EAP-FAST ACS & Windows DB

  Hi,
  Does anyone have any useful links about how to configure ACS server to use windows UN/PW for wireless client logins via 802.1x & Eap-fast?
  I can't seem to find a defined example for the ACS to Window DB install?
  Can anyone help?
  Ta
  James

  Check out whether the following links are useful to you.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#set-acs
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml

• User profile creation problem for windows 7 clients with eap-fast

  Hi All,
  In our clients locations we implemented eap-fast authentication with domain integration in ACS for wlan users.Every thing working fine.We are facing problem with windows 7 laptops, in which client utility is not available to configure the user profiles.
    In xp laptops client utility softwares are available with all makes, but with win 7 utilitys are not coming by default......
  So what are options and available sourses for creating user profile with EAP-FAST in windows 7 laptops.
  Any free univarsal client utility is available for windows 7 laptop.
  Please guide me..............
  -Subhash

  Windows 7 should be able to do EAP-fast by default. If not you could download the latest Anyconnect client that also has the Cisco wireless supplicant in it.
  HTH,
  Steve
  Sent from Cisco Technical Support iPad App

• Connect to EAP-FAST corporate network

  Hi. I'm trying to setup my new macbook to connect to my company's wireless network but no luck. Here are the details from my WinXP laptop's Intel PROSet profile:
  +Enterprise Security:+
  +Wireless Network Name (SSID): protected+
  +Network Authentication: Open+
  +Data Encryption: CKIP+
  +Authentication Type: EAP-FAST+
  +Desable EAP-FAST Enhancments (CCXv4): checked+
  +Allow unauthenticated provisioning: checked+
  +Default server: ACS_wifi+
  +User Credentials: Use Windows logon+
  +Server Verification is not required.+
  *Any idea how to setup my macbook/airport to connect to this network?*
  Thanks

  I've already did try to create there various profiles but no luck. Even when I try 'Join other network' and select 'Show networks' I don't get my corporate network on the list. Maybe it's hidden. Where I can see a Log what's going on?

• NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

  Hi!
  (Sorry, if this is a wrong forum.)
  Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
  I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
  Access-Requests with User-Name="anonymous"
  Access-Challenges (I see certificate is sent from ACS)
  Access-Reject
  CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
  So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
  The following is excerpt from the CS ACS documentation:
  "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
  SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
  So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
  Any help is greatly appreciated.

  Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
  POD1-SW#sh run int fa1/0/1
  Building configuration...
  Current configuration : 378 bytes
  interface FastEthernet1/0/1
  switchport access vlan 999
  switchport mode access
  dot1x mac-auth-bypass
  dot1x pae authenticator
  dot1x port-control auto
  dot1x timeout reauth-period server
  dot1x timeout tx-period 10
  dot1x reauthentication
  dot1x critical
  dot1x critical recovery action reinitialize
  dot1x guest-vlan 91
  dot1x critical vlan 11
  spanning-tree portfast
  end
  After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
  Thx.

• ACS 3.3 to 4.1 EAP-FAST PAC migration

  Our 3rd party supplicants don't handle EAP-FAST in-band PAC changes well at all. To allow a smooth transition from Windows ACS 3.3 to 4.1, we'd like to migrate the v3.3 master or at least the secondary PAC to ACS 4.1. Replication is not an option between 3.3 & 4.1, so I'm looking for a manual way to accomplish this. TIA.

  So what you want to do is following :
  > Install LMS 4.1 on Windows
  > Decomission LMS 3.2
  > Rename hostname and IP for LMS 4.2 to same as older LMS 3.2
  IP change is not a problem, but for hostname change you should run NMSROOT\bin\hostnamechange.pl script.
  For more details, please check the following document :
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/admin/appendixcli.html#wp1041971
  -Thanks

• EAP-Fast

  Hi,
  I have a AP1100 and a repeater AP1100. The AP acts as a Radius server and the clients (all AIR-350) use LEAP, WPA and TKIP. Everything works just fine.
  Now I want to secure my environment a bid more and make use of EAP-Fast. I can't get it work. At the authetication process, it sticks at provisioning. The log at the AP only shows: debugging; Station xxxxx: Authentication failed.
  Does anybody have a clue what I'm doing wrong or is it because the AP is the Radius server i.c.w. EAP-Fast ?
  Thanks,
  Auden

  Cisco Secure ACS is listed as a Prerequisite and in the Required Hardware and Software section;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080262422.html#wp998531
  hth
  Required Hardware and Software
  The following software and hardware are required for configuring EAP-FAST.
  Cisco Aironet Client Utility (ACU) and Aironet
  •Aironet Client Utility version 6.3
  •Cisco Aironet 350 Series Client Adapter
  •Client adapter firmware version 5.40
  •Client driver version 8.5
  •Aironet Client Monitor (ACM) version 2.3
  •Windows XP, SP1
  Cisco Aironet Access Point
  •Cisco Aironet 1100 Series Access Point
  •Cisco IOS Software Release 12.2(13)JA3
  •CiscoSecure Access Control Server (ACS)
  •CiscoSecure ACS v3.2.3 for Windows 2000 SP4
  •Aironet Configuration Administration Tool (ACAT) (optional)
  •Cisco Aironet ACAT v1.3

• Authorization rule for EAP-FAST (inner EAP-TLS)

  We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificate. We initally had the following condition in our AuthZ rule -> EapChainingResult = User and machine both succeeded, however we found that intially machine succeeds and the user doesnt succeed until after windows login. If we change the condition to EapTunnelType = EAPFAST then it works fine, logs show that while initially user fails and machine succeeds, after login to windows shell then both user and machine succeded log message is visible. My preference would be to get it working with the first condition as it is a more valid check but it doesnt work due to the initial failure, anyone else got EAP-FAST (EAP-TLS) working.
  Regards

  I have it running at a customer, and as you discovered only machine auth succeeds initially, this is because the user store where the users certificate is not opened until they have logged ind, this is working as intended.
  What you can do is to have two different authz rules, one for eapchainingresult=machine succeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

• Vista EAP-FAST Module

  Anyone know where I can get this module?
  http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
  Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
  Thanks,
  Todd

  The following link allows you to download the EAP-FAST module for vista:
  http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
  If the page does not come up for the first time while using the link above try opening the same link in a new browser page one more time.

• Lans/Catalyst and EAP-FAST?

  I'd like to use EAP-FAST for both my 802.11 wireless and my lan network.
  However the only EAP-FAST client I have seen is the ACU for the Aironet products, nothing for the Catalyst (am I missing something?)
  Any plans for Ethernet adapter software that does EAP-FAST? I primary use Windows XP-SP2 in my lan.

  All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting

• Mac OS X 10.4.8 adds EAP-FAST support

  From the release notes of Mac OS X 10.4.8 update:
  http://docs.info.apple.com/article.html?artnum=304200
  - Improves security by adding support for EAP-FAST for AirPort wireless authentication.

  Mac OS X 10.4.8 is now out, and many people were
  hoping that Apple would take the opportunity to
  update iSync at the same time.
  After examining this update I can confirm that iSync
  remains at v2.3 and no new phone support has been
  added.
  Therefore Sony Ericsson M600, P990 and W950 owners
  still have no way to iSync their phones. (For
  workarounds
  see here.
  Owners of Sony Ericsson W850, K610, K510, K800, W300,
  W700, K790, V630, Z550 and Z525 phones can continue
  to use the iSync Phone Plugins available below to
  sync these models:
  http://mobile.feisar.com/phoneplugins23.html
  Jools
  This is really bad news! Apple is disappointing a whole lot of new phone owners. I bought my first Apple computer especially for Isync and Ical. Now it seems that the users are no longer important. Innovation and big numbers are the new targets.
  Without the proper use of Ical and Isync, OS X becomes incomplete and therefore less interesting for all users.
  I think Apple is making a big mistake here!
  I’m not willing to let Apple decide witch phone to buy!
  So how about it Steve?
  Powerbook G4   Mac OS X (10.4.7)  

• EAP-FAST with local radius on 1242AG

  I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
  I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
  Any help or a basic example you be great.
  thanks,
  Simon

  I think this is what you're looking for;
  Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
  HTH
  Regards,
  Jatin
  Do rate helpful posts~

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• WET200 Could firmware allow EAP-FAST

  Hi,
  I have been looking to utilise the above authentication using a PAC file.
  This is the system used by one of our clients. Although Cisco aironet 1300
  series supports this, they are a good deal more expensive as a solution.
  My question to see what your thought are is whether a device like this WET200
  would ever be able to support this type of authentication with the likes of a firmware
  upgrade? I know it's not worth holding your breath on, but the unit had originally
  been purchased since cisco compatibility was a prerequesite. Only once we went
  to setup did it become apparent as to the authentication method they used.
  TIA
  Andrew

  Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.