Lans/Catalyst and EAP-FAST?

I'd like to use EAP-FAST for both my 802.11 wireless and my LAN network.
However, the only EAP-FAST client I have seen is the ACU for the Aironet products, nothing for the Catalyst (am I missing something?).
Any plans for Ethernet adapter software that does EAP-FAST? I primarily use Windows XP SP2 on my LAN.

All you really need to do is enable EAP-FAST on the RADIUS server. If you are running a controller environment, there aren't any changes needed on the controller. If you are running autonomous, make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. The only thing that would need to be changed would be the client. You could set up two profiles, one for TLS and the other for EAP-FAST.

Similar Messages

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my APs at roughly 200 remote locations, with about 6 APs per site. These are performing local RADIUS authentication on the APs themselves. We are using non-dictionary passwords, so I'm not too worried about an ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem.... there is no way my company will pay for a RADIUS server at each individual location. As both PEAP and EAP-FAST seem to require an actual RADIUS server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, and are they superior to my current LEAP setup?

    A comparable system might be to use WPA-PSK (Pre-Shared Key) with TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA-PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple of approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're likely to get.
    Good Luck
    Scott

  • EAP-TLS and EAP-FAST

    Hi NetPro.
    EAP-TLS is working now, but how do I configure EAP-FAST as the backup, in case TLS fails, so the user is still able to use FAST as the second choice?
    Your reply will be highly appreciated.
    Thanks heaps.
    Jack

  • WGB and EAP-FAST

    I am trying to authenticate a 1300 Workgroup Bridge with EAP-FAST.
    Using ACS 3.3(2) Build 2 and 1231 APs with WDS.
    Has anyone tried this configuration? Ordinary wireless clients are OK.

    Hi,
    A workgroup bridge supports only LEAP as the EAP client for EAP authentication.
    You have no option to integrate a PAC file into the device in workgroup bridge mode.
    Look at this link:
    http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804158b3.html#wp1055422

  • Eap-fast and CWWLSE-1030

    Hi,
    I configured a wireless LAN with 3 AP1131G-E-K9, a CWWLSE RADIUS server, EAP-FAST and WPA2.
    All seems to be OK, but some laptops are obliged to re-authenticate several times a day.
    Does anybody have an idea if there is a timer or other parameter I should set?
    Thanks for your help

    I recently ran into this issue. What I found, although not that technical: if the user is prompted for the PAC and does not accept, I had a hard time getting them to authenticate afterwards. I was able to remove the user from the AAA server, and once I added them back in they were able to authenticate with no issues. Again, this is a very basic finding and I have not had time to test my theory. I believe it has something to do with the way AAA caches the user account; perhaps there is a denial of service or time-wait before the next login attempt is permitted. If you are using AD and not local accounts, use the option on the RADIUS server to Remove Dynamic Users.
    Hardware used: Version 7.0... 5508 WLC, 3500i APs, WCS, MSE, Cisco ACS/RADIUS 4.2, WPA2, 802.1X, EAP-FAST

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is an excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
    So, the question is: why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, the ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is a Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but by that time my PC has already been put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
    In the end the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
    Thx.
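A small audit script for the port configuration in the post above, added here as an example and not part of the original thread: it parses the dot1x lines and reports which fail-open paths (guest VLAN, critical VLAN, MAC authentication bypass) are enabled and roughly how long a supplicant that is slow to start has before the guest VLAN is applied. The delay model (tx-period times max-reauth-req plus one, with the IOS default of 2 retries) is an assumption to be checked against the platform documentation.

```python
import re

# Constructed sample: the dot1x-relevant lines of the interface config quoted above.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/1
 dot1x mac-auth-bypass
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x guest-vlan 91
 dot1x critical vlan 11
end
"""

DEFAULT_TX_PERIOD = 30      # IOS default for "dot1x timeout tx-period" (seconds)
DEFAULT_MAX_REAUTH_REQ = 2  # IOS default for "dot1x max-reauth-req"

PATTERNS = {  # dot1x settings that open a fallback path or change its timing
    "tx_period": r"dot1x timeout tx-period (\d+)",
    "max_reauth_req": r"dot1x max-reauth-req (\d+)",
    "guest_vlan": r"dot1x guest-vlan (\d+)",
    "critical_vlan": r"dot1x critical vlan (\d+)",
}

def parse_port(config: str) -> dict:
    port = {"tx_period": DEFAULT_TX_PERIOD, "max_reauth_req": DEFAULT_MAX_REAUTH_REQ,
            "mab": False}
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "dot1x mac-auth-bypass":
            port["mab"] = True
        for key, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                port[key] = int(m.group(1))
    return port

def guest_vlan_delay(port: dict):
    """Seconds a silent supplicant has before the guest VLAN is applied (assumed
    model: one EAP-Request/Identity plus max-reauth-req retries spaced by tx-period)."""
    if "guest_vlan" not in port:
        return None
    return port["tx_period"] * (port["max_reauth_req"] + 1)

def findings(port: dict) -> list:
    """Fail-open paths and timing a reviewer would flag on this port."""
    out = []
    if port["mab"]:
        out.append("mac-auth-bypass: a MAC address alone grants access")
    if "guest_vlan" in port:
        out.append(f"guest-vlan {port['guest_vlan']}: a host that never answers EAP "
                   f"gets access after ~{guest_vlan_delay(port)}s")
    if "critical_vlan" in port:
        out.append(f"critical vlan {port['critical_vlan']}: fail-open when RADIUS is down")
    if port["tx_period"] < DEFAULT_TX_PERIOD:
        out.append(f"tx-period {port['tx_period']}s: slow supplicants fall back sooner")
    return out
```

Run `findings(parse_port(SAMPLE_CONFIG))` to see the four findings for the quoted port; on this config the guest VLAN is applied after about 30 seconds, which matches the poster's observation that the SSC service is still starting when the switch gives up waiting.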

  • EAP Authentication Configuration for EAP-FAST and PEAP

    Hi Everyone,
    I pretty much got EAP working, but only using LEAP.
    When I get to EAP-FAST and PEAP, I just can't seem to get it to work.
    What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
    Hope you guys can help me on this, stuck on this part xD

    EAP is a complicated subject for sure. But it shouldn't really be once you know the foundation.
    EAP-PEAP can use server-side and client-side certificates, and EAP-FAST can as well. It all depends on how it's deployed.
    Generally speaking, most deployments of PEAP use server-side certificates only and EAP-FAST uses PACs only.
    The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.
    Hope this helps ..

  • EAP-FAST with local radius on 1242AG

    I'm trying to get EAP-FAST working using the local RADIUS server on a 1242AG autonomous AP using the latest firmware from Cisco. The cipher I'm using is CCMP. LEAP works fine with all my clients; however, if I move to EAP-FAST in the RADIUS config my clients fail to authenticate.
    I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make it clear what to do.
    Any help or a basic example would be great.
    thanks,
    Simon

    I think this is what you're looking for;
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    HTH
    Regards,
    Jatin
    Do rate helpful posts~

  • H-REAP Local Authentication eap-fast not working

    Hi, I'm using a central RADIUS server and have LEAP and EAP-FAST working fine, but when the WAN link fails (local authentication), a new user that tries to connect via LEAP gets authenticated but EAP-FAST fails.
    Any ideas? I'm using WLC 5.01

    If your RADIUS is centrally located and your WAN link goes down, any authentication that needs to go back centrally will fail, unless you have local authentication. I don't know why LEAP would still work if authentication to the RADIUS server has stopped.
    However, if you are using local EAP configured on the WLC, then you will still fail authentication because your WLC is centrally located.

  • PEAP or EAP-FAST, associating but no IP assigned

    All -->
    I have a number of APs using both PEAP and EAP-FAST...the clients are associating with the SSIDs, but are not receiving an IP address via DHCP.
    I've checked the VLAN configuration on the APs, and also the logs on both the APs and the ACS server. Both logs are reporting successful authentication...
    Any suggestions?

    If the DHCP server is on the AP, then it will only serve the native VLAN (or the administrative VLAN ..... usually the same thing) unless you are directing the DHCP requests through a layer 3 device and something like IP Helper.
    Even though the AP is common to all VLANs (like a switch would be), the native resources are only available to the devices associated with the native / administrative VLAN serving the AP.
    Good Luck
    Scott

  • EAP-FAST, local Authentication and PAC provisioning

    Hi everybody,
    I have a little understanding problem with the deployment of EAP-FAST.
    So here's the deal:
    I want to deploy EAP-FAST with autonomous APs with an ACS as the authentication server. So far so good.
    When the ACS is not reachable, the autonomous AP should act as local authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local authenticator.
    Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local authenticator AP will create new PACs for the clients, right?
    But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
    Would server-side certificates resolve my concerns here?
    I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
    Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
    Thanks in advance!

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
    I have searched with no result on this topic. So, has anyone implemented Cisco ISE authentication with EAP-FAST and PAC provisioning?
    Since I have an issue with an internal proxy: users are required to authenticate with an internal proxy before being granted access to the Internet.
    If you have any documents, I would appreciate it.
    Thanks,
    Pongsatorn

    From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
    Is that what you are trying to get clarification on?
    Basically, EAP-FAST PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App

  • Eap-fast and cckm

    Is it possible to use EAP-FAST authentication with CCKM on a 7920 phone with a WLC?
    It is working when configuring 802.1X and WEP 104 bits on the controller, but it does not work with WPA1+WPA2.

    If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be OK, but you may want to decrease or increase them based on the company's security policy. Also with CCKM, this will help when roaming with an expired PAC; otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.

  • EAP-Fast and Cisco 340 Adapters

    Does anyone know if the 340 adapters support EAP-FAST? The docs that I have looked at talk about 350 adapters... I thought the only difference between the 340 and 350 was the antenna.

    Based on this document it seems like it's supported:
    http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a0080204ae1

  • ACS EAP-FAST and LEAP restrictions. regarding 7920 wireless phones

    Hello, the 7920 still doesn't support EAP-FAST. So I'm wondering if it is possible to restrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that?

    Hi
    Kristjan's question above is a good one - I'm looking for a similar answer...
    I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
    Also can I restrict LEAP users to a set of pre-defined MAC addresses?
    Thanks
    Aaron
