ISE - EAP-FAST PAC Provisioning - Identity field??

Similar Messages

• ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

  Just a question surrounding EAP-FAST chaining (EAP-TLS inner)  and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specifiy that the username should be in a specific AD group. WIth EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

  I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
  In my deployment I am using a single SSID with the following protocols:
  EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
  EAP-TLS Machine Certs - Certs deploted via AD GPO
  EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
  EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
  My certificate profile, created in ISE, utilised the CN field in the subject for principle username. This configuration works fine for machine certs and user certifcates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
  The solution seemed obvious - create a new cert profile that utilises the SAN field of the certifcate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
  I figured that the a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specifiy a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
  The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
  I know this explantion is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

• ACS 3.3 to 4.1 EAP-FAST PAC migration

  Our 3rd party supplicants don't handle EAP-FAST in-band PAC changes well at all. To allow a smooth transition from Windows ACS 3.3 to 4.1, we'd like to migrate the v3.3 master or at least the secondary PAC to ACS 4.1. Replication is not an option between 3.3 & 4.1, so I'm looking for a manual way to accomplish this. TIA.

  So what you want to do is following :
  > Install LMS 4.1 on Windows
  > Decomission LMS 3.2
  > Rename hostname and IP for LMS 4.2 to same as older LMS 3.2
  IP change is not a problem, but for hostname change you should run NMSROOT\bin\hostnamechange.pl script.
  For more details, please check the following document :
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/admin/appendixcli.html#wp1041971
  -Thanks

• Cisco ISE with EAP-FAST and PAC provisioning

  Hi,
  I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
  Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
  If you have any documents, it would be appreciated for me.
  Thanks,
  Pongsatorn

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• PAC Provisioning Fails Without End-User Accepting PAC Pop-up

  We have lots of workstation on wheels. We use EAP-Fast with Cisco ACS for authentication. When a user isn't in front of the WOW and the PAC pop-up times out, it disables the WOW and causes problems.
  Has anyone used some form of auto-accept method with the Intel PRO-Set so as to not require end-user acceptance of the PAC pop-up message?

  The provisioning of the Machine PAC, which is needed for machine context connections, is accomplished using the server certificate or machine security identity (SID). Machine PACs are only supported in newer versions of authentication servers (ACS 4.0 or later) which have been upgraded to support EAP-FAST v1a.
  To make a make a machine connection before the PAC has been provisioned, the CA certificate used to trust the server certificate must be placed in the proper Windows Certificate Store (Local Computer-Trusted Root Store).
  The host must also provide these machine credentials:
  •Active Directory provided machine certificate. The authentication method must support the use of a certificate to provide machine client credentials - the server must be appropriately configured to call for an inner tunnel method of TLS.
  •Active Directory provided SID (password). The authentication method must support the use of a password to provide machine client credentials.
  Finally, the FAST authentication server must be configured for auto creation of administrator's unique machine PAC information.
  http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1026518

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting

• Autonomous AP, 12.3.8JE3. EAP-FAST on local radius failure

  Hi all,
  I've been trying to configure EAPFAST on Autonomous AP 1242 with the above firmware using local radius. Here are the config:
  aaa new
  aaa group server radius rad_eap
  server x.x.x.x auth 1812 acct 1813
  aaa authentication login eap_methods group rad_eap
  dot11 ssid EAPFAST
  vlan 10
  authentication open eap eap_methods
  authentication key wpa
  int d0
  encryption vlan 10 mode cipher aes
  ssid EAPFAST
  no shut
  int d0.10
  en do 10
  bridge 10
  int f0.10
  en do 10
  bridge 10
  int f0.100
  en do 100 na
  bridge 1
  int bvi
  ip add x.x.x.x 255.255.255.0
  radius-server local
  eapfast authority info XYZ
  eapfast server-key primary auto
  nas x.x.x.x key ####
  group FAST
    eapfast pac expiry 2 grace 2
  username eapfast password eapfast group FAST
  radius-server host x.x.x.x auth 1812 acct 1813 key ####
  For all my tests, I can get the 7921 phone to work. But using CSSC or even win7 supplicant, I can never get the authentication to go through. I think the eap authentication is stuck at pac provisioning. If i am to manual provision the pac using tftp, it will work. Any clue?
  Alvin

  Hi,
  I was thinking it might be a firmware issue because during some debugs with pac provisoning, there are some errors reporting of some missing cipher suites. I shall try with a new firmware.
  Alvin

• ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

  Hi All,
  I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
  Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
  Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
  I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
  Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
  Thanks,
  Rob

  Hello,
  Did you find a guide for EAP-FAST with AD ?
  I'm facing the same problem, I can't make EAP-FAST working with AD Account,
  Thanks to you
  Regards,
  Gérald

• Eap-fast and cckm

  Is it possible to use eap-fast authentication with CCKM on 7920 phone with WLC.
  It is working when configuring 802.1x and wep 104 bits on controller but it does not work with wpa1+wpa2.

  If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but may want to decrease or increase based on company's security policy. Also with CCKM, this will help when roaming with an expired PAC, otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.

• EAP-FAST Security level

  Hi all,
  I use EAP-FAST in my network and I have some questions about it.
  1) is there any vulnerability detected with EAP-FAST?
  2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
  3) Can I use EAP-FAST with MAC address filtering through ACS?
  4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
  Thanks for your reply.
  Thanks.

  1)
  Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
  What will happen? see
  The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
  To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
  Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
  In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
  However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
  Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
  After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
  EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
  2) Max user sessions
  3)Yes
  4)PEAP ( EAP TLS )
  Side note:
  EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
  Please make sure to rate correct answers and rate the thread as answered

• Configuring EAP-FAST to use with Symbol MC3090

  I have configured EAP-FAST local authentication on a 5508 running 7.0.116.0.  I am trying to connect using a motorola/symbol MC3090.  In the handheld, It appears to be failing due to receiving no PAC.  On the 5508, it just looks like a timeout.  Are the PACs created on the 5508 automatically, or do I need to generate one? 

  From config guide :
  If you want to enable anonymous provisioning, select the
  Anonymous Provision
  check box. This feature allows PACs to be sent automatically to clients  that do not have one during PAC provisioning. If you disable this  feature, PACS must be manually provisioned. The default setting is  enabled.
  Some clients don't support Anonymous PAC Provisioning. You should check about your motorola

• EAP-FAST with local radius on 1242AG

  I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
  I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
  Any help or a basic example you be great.
  thanks,
  Simon

  I think this is what you're looking for;
  Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
  HTH
  Regards,
  Jatin
  Do rate helpful posts~

• Connect to EAP-FAST corporate network

  Hi. I'm trying to setup my new macbook to connect to my company's wireless network but no luck. Here are the details from my WinXP laptop's Intel PROSet profile:
  +Enterprise Security:+
  +Wireless Network Name (SSID): protected+
  +Network Authentication: Open+
  +Data Encryption: CKIP+
  +Authentication Type: EAP-FAST+
  +Desable EAP-FAST Enhancments (CCXv4): checked+
  +Allow unauthenticated provisioning: checked+
  +Default server: ACS_wifi+
  +User Credentials: Use Windows logon+
  +Server Verification is not required.+
  *Any idea how to setup my macbook/airport to connect to this network?*
  Thanks

  I've already did try to create there various profiles but no luck. Even when I try 'Join other network' and select 'Show networks' I don't get my corporate network on the list. Maybe it's hidden. Where I can see a Log what's going on?

• WET200 Could firmware allow EAP-FAST

  Hi,
  I have been looking to utilise the above authentication using a PAC file.
  This is the system used by one of our clients. Although Cisco aironet 1300
  series supports this, they are a good deal more expensive as a solution.
  My question to see what your thought are is whether a device like this WET200
  would ever be able to support this type of authentication with the likes of a firmware
  upgrade? I know it's not worth holding your breath on, but the unit had originally
  been purchased since cisco compatibility was a prerequesite. Only once we went
  to setup did it become apparent as to the authentication method they used.
  TIA
  Andrew

  Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.