ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

Similar Messages

• ISE - EAP-FAST PAC Provisioning - Identity field??

  Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
  Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.

  Use
  PAC
  •Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
  •Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
  •Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
  •Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
  When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
  –Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
  •Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
  •Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
  Uncheck this check box in the following cases:
  –If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
  –To always perform phase two of EAP-FAST
  When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
  •Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.

• Connect to EAP-FAST corporate network

  Hi. I'm trying to setup my new macbook to connect to my company's wireless network but no luck. Here are the details from my WinXP laptop's Intel PROSet profile:
  +Enterprise Security:+
  +Wireless Network Name (SSID): protected+
  +Network Authentication: Open+
  +Data Encryption: CKIP+
  +Authentication Type: EAP-FAST+
  +Desable EAP-FAST Enhancments (CCXv4): checked+
  +Allow unauthenticated provisioning: checked+
  +Default server: ACS_wifi+
  +User Credentials: Use Windows logon+
  +Server Verification is not required.+
  *Any idea how to setup my macbook/airport to connect to this network?*
  Thanks

  I've already did try to create there various profiles but no luck. Even when I try 'Join other network' and select 'Show networks' I don't get my corporate network on the list. Maybe it's hidden. Where I can see a Log what's going on?

• Authorization rule for EAP-FAST (inner EAP-TLS)

  We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificate. We initally had the following condition in our AuthZ rule -> EapChainingResult = User and machine both succeeded, however we found that intially machine succeeds and the user doesnt succeed until after windows login. If we change the condition to EapTunnelType = EAPFAST then it works fine, logs show that while initially user fails and machine succeeds, after login to windows shell then both user and machine succeded log message is visible. My preference would be to get it working with the first condition as it is a more valid check but it doesnt work due to the initial failure, anyone else got EAP-FAST (EAP-TLS) working.
  Regards

  I have it running at a customer, and as you discovered only machine auth succeeds initially, this is because the user store where the users certificate is not opened until they have logged ind, this is working as intended.
  What you can do is to have two different authz rules, one for eapchainingresult=machine succeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• EAP-TLS and EAP-FAST

  Hi NetPro.
  EAP-TLS is working now, but how to configure EAP-FAST as the backup in case TLS is failure then user still able to use FAST as the second choice ?
  your reply will be highly appreciated.
  thanks heaps.
  Jack

  All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• EAP-FAST Security level

  Hi all,
  I use EAP-FAST in my network and I have some questions about it.
  1) is there any vulnerability detected with EAP-FAST?
  2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
  3) Can I use EAP-FAST with MAC address filtering through ACS?
  4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
  Thanks for your reply.
  Thanks.

  1)
  Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
  What will happen? see
  The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
  To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
  Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
  In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
  However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
  Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
  After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
  EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
  2) Max user sessions
  3)Yes
  4)PEAP ( EAP TLS )
  Side note:
  EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
  Please make sure to rate correct answers and rate the thread as answered

• ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

  Hi All,
  I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
  Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
  Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
  I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
  Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
  Thanks,
  Rob

  Hello,
  Did you find a guide for EAP-FAST with AD ?
  I'm facing the same problem, I can't make EAP-FAST working with AD Account,
  Thanks to you
  Regards,
  Gérald

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• WET200 Could firmware allow EAP-FAST

  Hi,
  I have been looking to utilise the above authentication using a PAC file.
  This is the system used by one of our clients. Although Cisco aironet 1300
  series supports this, they are a good deal more expensive as a solution.
  My question to see what your thought are is whether a device like this WET200
  would ever be able to support this type of authentication with the likes of a firmware
  upgrade? I know it's not worth holding your breath on, but the unit had originally
  been purchased since cisco compatibility was a prerequesite. Only once we went
  to setup did it become apparent as to the authentication method they used.
  TIA
  Andrew

  Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.

• Cisco 871w, radius server local, and leap or eap-fast will not authenticate

  Hello, i trying to setup eap-fast or leap on my 871w.  i belive i have it confiured correctly but i can not get any device to authenticate to router.  Below is the confiureation that i being used.  any help would be welcome!
  ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
  ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
  version 12.4
  configuration mode exclusive auto
  service nagle
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service linenumber
  service pt-vty-logging
  service sequence-numbers
  hostname router871
  boot-start-marker
  boot-end-marker
  logging count
  logging message-counter syslog
  logging buffered 4096
  logging rate-limit 512 except critical
  logging console critical
  enable secret 5 <omitted>
  aaa new-model
  aaa group server radius rad-test3
  server 192.168.16.49 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login eap-methods group rad-test3
  aaa authorization exec default local
  aaa session-id common
  clock timezone AZT -7
  clock save interval 8
  dot11 syslog
  dot11 ssid test2
  vlan 2
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7 <omitted>
  dot11 ssid test1
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 7 <omitted>
  dot11 ssid test3
  vlan 3
  authentication open eap eap-methods
  authentication network-eap eap-methods
  no ip source-route
  no ip gratuitous-arps
  ip options drop
  ip dhcp bootp ignore
  ip dhcp excluded-address 192.162.16.49 192.162.16.51
  ip dhcp excluded-address 192.168.16.33
  ip dhcp excluded-address 192.168.16.1 192.168.16.4
  ip dhcp pool vlan1pool
     import all
     network 192.168.16.0 255.255.255.224
     default-router 192.168.16.1
     domain-name test1.local.home
     lease 4
  ip dhcp pool vlan2pool
     import all
     network 192.168.16.32 255.255.255.240
     default-router 192.168.16.33
     domain-name test2.local.home
     lease 0 6
  ip dhcp pool vlan3pool
     import all
     network 192.168.16.48 255.255.255.240
     default-router 192.168.16.49
     domain-name test3.local.home
     lease 2
  ip cef
  ip inspect alert-off
  ip inspect max-incomplete low 25
  ip inspect max-incomplete high 50
  ip inspect one-minute low 25
  ip inspect one-minute high 50
  ip inspect udp idle-time 15
  ip inspect tcp idle-time 1800
  ip inspect tcp finwait-time 30
  ip inspect tcp synwait-time 60
  ip inspect tcp block-non-session
  ip inspect tcp max-incomplete host 25 block-time 2
  ip inspect name firewall tcp router-traffic
  ip inspect name firewall ntp
  ip inspect name firewall ftp
  ip inspect name firewall udp router-traffic
  ip inspect name firewall pop3
  ip inspect name firewall pop3s
  ip inspect name firewall imap
  ip inspect name firewall imap3
  ip inspect name firewall imaps
  ip inspect name firewall smtp
  ip inspect name firewall ssh
  ip inspect name firewall icmp router-traffic timeout 10
  ip inspect name firewall dns
  ip inspect name firewall h323
  ip inspect name firewall hsrp
  ip inspect name firewall telnet
  ip inspect name firewall tftp
  no ip bootp server
  no ip domain lookup
  ip domain name local.home
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  ip accounting-threshold 100
  ip accounting-list 192.168.16.0 0.0.0.31
  ip accounting-list 192.168.16.32 0.0.0.15
  ip accounting-list 192.168.16.48 0.0.0.15
  ip accounting-transits 25
  login block-for 120 attempts 5 within 60
  login delay 5
  login on-failure log
  memory free low-watermark processor 65536
  memory free low-watermark IO 16384
  username testtest password 7 <omitted>
  archive
  log config
    logging enable
    logging size 255
    notify syslog contenttype plaintext
    hidekeys
  path tftp://<omitted>/archive-config
  write-memory
  ip tcp synwait-time 10
  ip ssh time-out 20
  ip ssh authentication-retries 2
  ip ssh logging events
  ip ssh version 2
  bridge irb
  interface Loopback0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  interface Null0
  no ip unreachables
  interface FastEthernet0
  switchport mode trunk
  shutdown
  interface FastEthernet1
  switchport mode trunk
  shutdown
  interface FastEthernet2
  shutdown
  spanning-tree portfast
  interface FastEthernet3
  spanning-tree portfast
  interface FastEthernet4
  description Cox Internet Connection
  ip address dhcp
  ip access-group ingress-filter in
  ip access-group egress-filter out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting access-violations
  ip flow ingress
  ip flow egress
  ip inspect firewall out
  ip nat outside
  ip virtual-reassembly
  ip tcp adjust-mss 1460
  load-interval 30
  duplex auto
  speed auto
  no cdp enable
  interface Dot11Radio0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encryption vlan 1 mode ciphers aes-ccm
  encryption vlan 2 mode ciphers aes-ccm
  encryption key 1 size 128bit 7 <omitted> transmit-key
  encryption mode wep mandatory
  broadcast-key vlan 1 change <omitted> membership-termination
  broadcast-key vlan 3 change <omitted> membership-termination
  broadcast-key vlan 2 change <omitted> membership-termination
  ssid test2
  ssid test1
  ssid test3
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  rts threshold 2312
  no cdp enable
  interface Dot11Radio0.1
  description <omitted>
  encapsulation dot1Q 1 native
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.2
  description <omitted>
  encapsulation dot1Q 2
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Dot11Radio0.3
  description <omitted>
  encapsulation dot1Q 3
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan1
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Vlan2
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 2
  bridge-group 2 spanning-disabled
  interface Vlan3
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 3
  bridge-group 3 spanning-disabled
  interface BVI1
  description <omitted>
  ip address 192.168.16.1 255.255.255.224
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI2
  description <omitted>
  ip address 192.168.16.33 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI3
  description <omitted>
  ip address 192.168.16.49 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
  ip http timeout-policy idle 5 life 43200 requests 5
  ip flow-top-talkers
  top 10
  sort-by bytes
  ip nat inside source list 1 interface FastEthernet4 overload
  ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
  ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
  ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
  ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
  ip access-list extended egress-filter
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   ip host <omitted> any
  deny   ip host <omitted> any
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.10.9.255 any
  deny   ip 10.0.0.0 0.10.13.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.15.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  permit ip <omitted> 0.0.0.3 any
  deny   ip any any log
  ip access-list extended ingress-filter
  remark ----- To get IP form COX -----
  permit udp any eq bootps any eq bootpc
  deny   icmp any any log
  deny   udp any any eq echo
  deny   udp any eq echo any
  deny   tcp any any fragments
  deny   udp any any fragments
  deny   ip any any fragments
  deny   ip any any option any-options
  deny   ip any any ttl lt 4
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   udp any any range 33400 34400
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  deny   ip 10.10.10.0 0.0.0.255 any
  deny   ip 10.10.11.0 0.0.0.255 any
  deny   ip 10.10.12.0 0.0.0.255 any
  deny   ip any any log
  access-list 1 permit 192.168.16.0 0.0.0.63
  access-list 20 permit 127.127.1.1
  access-list 20 permit 204.235.61.9
  access-list 20 permit 173.201.38.85
  access-list 20 permit 216.229.4.69
  access-list 20 permit 152.2.21.1
  access-list 20 permit 130.126.24.24
  access-list 21 permit 192.168.16.0 0.0.0.63
  radius-server local
  no authentication mac
  eapfast authority id <omitted>
  eapfast authority info <omitted>
  eapfast server-key primary 7 <omitted>
  nas 192.168.16.49 key 7 <omitted>
  group rad-test3
    vlan 3
    ssid test3
  user test nthash 7 <omitted> group rad-test3
  user testtest nthash 7 <omitted> group rad-test3
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
  radius-server vsa send accounting
  control-plane host
  control-plane transit
  control-plane cef-exception
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 2 protocol ieee
  bridge 2 route ip
  bridge 3 protocol ieee
  bridge 3 route ip
  line con 0
  password 7 <omitted>
  logging synchronous
  no modem enable
  transport output telnet
  line aux 0
  password 7 <omitted>
  logging synchronous
  transport output telnet
  line vty 0 4
  password 7 <omitted>
  logging synchronous
  transport preferred ssh
  transport input ssh
  transport output ssh
  scheduler max-task-time 5000
  scheduler allocate 4000 1000
  scheduler interval 500
  process cpu threshold type total rising 80 interval 10 falling 40 interval 10
  ntp authentication-key 1 md5 <omitted> 7
  ntp authenticate
  ntp trusted-key 1
  ntp source FastEthernet4
  ntp access-group peer 20
  ntp access-group serve-only 21
  ntp master 1
  ntp server 152.2.21.1 maxpoll 4
  ntp server 204.235.61.9 maxpoll 4
  ntp server 130.126.24.24 maxpoll 4
  ntp server 216.229.4.69 maxpoll 4
  ntp server 173.201.38.85 maxpoll 4
  end

  so this what i am getting now for debug? any thoughs?
  010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
  010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
  010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
  010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0AD05650:                   01000004 04010004          ........
  0AD05660:
  010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
  010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
  010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0B060D50:                   01000009 02010009          ........
  0B060D60: 01746573 74                          .test
  010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
  010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
  010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
  010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
  010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
  010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
  010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
  010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
  010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
  010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
  010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
  010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
  010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
  010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
  0AD053D0:                   01010000                   ....
  010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
  010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
  router871#
  010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
  010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
  010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0B060710:                   01000004 04010004          ........
  0B060720:
  010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  router871#
  010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
  010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  router871#
  010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  router871#
  010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
  010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060710:                   01000031 01010031          ...1...1
  0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
  010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
  010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
  010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
  010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060FD0:                   01000031 01010031          ...1...1
  0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
  010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
  010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0AD05290:                   01000009 02010009          ........
  0AD052A0: 01746573 74                          .test
  010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
  010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
  010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
  010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
  010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
  010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
  010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
  010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
  010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
  010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
  010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
  010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
  010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4

• NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

  Hi!
  (Sorry, if this is a wrong forum.)
  Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
  I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
  Access-Requests with User-Name="anonymous"
  Access-Challenges (I see certificate is sent from ACS)
  Access-Reject
  CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
  So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
  The following is excerpt from the CS ACS documentation:
  "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
  SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
  So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
  Any help is greatly appreciated.

  Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
  POD1-SW#sh run int fa1/0/1
  Building configuration...
  Current configuration : 378 bytes
  interface FastEthernet1/0/1
  switchport access vlan 999
  switchport mode access
  dot1x mac-auth-bypass
  dot1x pae authenticator
  dot1x port-control auto
  dot1x timeout reauth-period server
  dot1x timeout tx-period 10
  dot1x reauthentication
  dot1x critical
  dot1x critical recovery action reinitialize
  dot1x guest-vlan 91
  dot1x critical vlan 11
  spanning-tree portfast
  end
  After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
  Thx.

• EAP-Fast or PEAP ??

  Dear All,
  we are not sure if we should use EAP-FAST as authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer ? For PEAP or EAP/TTLS we would need a Radius Server such as ACS while we could assign an Access Point as local authentication server if we used EAP-Fast. Is the extra cost for an ACS server justified only to be able to use PEAP ? Thanks for your help.

  Also you don?t need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that
  it is there for many other things thatn wireless. TACACS authentication on you devices, security logs. VPN authentication, and can connect OTP solutions on top of ACS (From other vendors like RSA) When migrating from LEAP EAP-FAST is the easiest way to go since EAP-FAST was designed to take over LEAP with less impact on your configuration and migration is easy since you are then running a ACS. The market acctually demanded EAP-FAST cause there was need for a solution that was mroe secure than LEAP and PEAP-mschapv2 (both shared secret mecanisms) and something less complicated that PKI solutions. The answer was EAP-FAST with its easy to setup "mini certificate" setup which can be preety well automated. PKI PEAP with certificates is a major decission and you have to be ready to manage a PKI solution all year long. This might require extra presonell to take care of it. But of course those solution will be the most secure.
  regards. Kristjan Edvardsson
  Sensa ehf. Cisco Silver Partner

• Vista EAP-FAST Module

  Anyone know where I can get this module?
  http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
  Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
  Thanks,
  Todd

  The following link allows you to download the EAP-FAST module for vista:
  http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
  If the page does not come up for the first time while using the link above try opening the same link in a new browser page one more time.