Limitations/Issues to use LEAP/EAP-Fast with Airespace

Similar Messages

• EAP-FAST with local radius on 1242AG

  I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
  I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
  Any help or a basic example you be great.
  thanks,
  Simon

  I think this is what you're looking for;
  Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
  HTH
  Regards,
  Jatin
  Do rate helpful posts~

• Issues when using a Pixelink camera with LabView 9.0

  In my lab, we have a program for video acquisition using LabView and the low level camera functions for Pixelink cameras.  We run into some problems trying to run this program and other demo gui programs that came with the Pixelink SDK.  In our data acquisition program, we have problems with our image coming out all scrambled.  We use the low level functions to obtain a frame from the camera in the from of a vector.  We then reshape the vector into an array and then send the array to a vi that turns it into an image.  When we try to view this image using the standard Labview image viewer, the image comes out all scrambled if the zoom factor is not set to .5 on the image viewer.  The full resolution of the image is supposed to be a 1024x1280 image which when we use the Capture OEM software for the camera provided by Pixelink we can see.  The image that we can see through LabView when we have the correct zoom factor seems to be only the top left quarter of what the entire image is supposed to be.  We also encounter strange problems when we attempt to use the demo programs for labview 8.6 that are provided with the SDK.  When trying to run the simpleGUI.vi, for example, the program connects to the camera just fine.  After you hit play to view an image, the problems start.  The program will play the video for a few seconds until it just freezes up and quits responding.  Labview must be exited and restarted in order for the camera to connect again.  I am not sure if it makes a difference that we are running labview 9.0 on our computers or not.  Any help you have on these issues would be of great help.  Attached are pictures of the scrambled/unscrambled image and of the part of our block diagram for camera control.
  Attachments:
  Incorrectimage.jpg ‏126 KB
  Errorexplanation.jpg ‏543 KB
  correct image.jpg ‏22 KB

  IMAQdx is the driver that National Instruments provides to interface Firewire, GigE and USB cameras (Directshow compliant USB).  This is a licensed driver, so if you don't currently have it, then testing in MAX is not an option. 
  So if I understand correctly, you have the Pixelink software which works fine, but you have Pixelink VI's that are used in LabVIEW, but those do not work correctly?  That to me seems like a driver issue, which I'm not sure how much I can help with since it is not our driver. 
  Do you know what dll's the Pixel link VIs are calling into?  Are they Pixelink dlls?  If so, I would suggest speaking with the manufacturer or perhaps on of our other users has worked with Pixelink before.
  Sorry I can't be much more helpful.
  Tejinder Gill
  National Instruments
  Applications Engineer
  Visit ni.com/gettingstarted for step-by-step help in setting up your system.

• Slow Query Using index. Fast with full table Scan.

  Hi;
  (Thanks for the links)
  Here's my question correctly formated.
  The query:
  SELECT count(1)
  from ehgeoconstru  ec
  where ec.TYPE='BAR' 
  AND ( ec.birthDate <= TO_DATE('2009-10-06 11:52:12', 'YYYY-MM-DD HH24:MI:SS') )  
  and deathdate is null
  and substr(ec.strgfd, 1, length('[CIMText')) <> '[CIMText'Runs on 32 seconds!
  Same query, but with one extra where clause:
  SELECT count(1)
  from ehgeoconstru  ec
  where ec.TYPE='BAR' 
  and  ( (ec.contextVersion = 'REALWORLD')     --- ADDED HERE
  AND ( ec.birthDate <= TO_DATE('2009-10-06 11:52:12', 'YYYY-MM-DD HH24:MI:SS') ) ) 
  and deathdate is null
  and substr(ec.strgfd, 1, length('[CIMText')) <> '[CIMText'This runs in 400 seconds.
  It should return data from one table, given the conditions.
  The version of the database is Oracle9i Release 9.2.0.7.0
  These are the parameters relevant to the optimizer:
  SQL> show parameter optimizer
  NAME                                 TYPE        VALUE
  optimizer_dynamic_sampling           integer     1
  optimizer_features_enable            string      9.2.0
  optimizer_index_caching              integer     99
  optimizer_index_cost_adj             integer     10
  optimizer_max_permutations           integer     2000
  optimizer_mode                       string      CHOOSE
  SQL> Here is the output of EXPLAIN PLAN for the first fast query:
  PLAN_TABLE_OUTPUT
  | Id  | Operation                     |  Name               | Rows  | Bytes | Cost  |
  |   0 | SELECT STATEMENT     |                         |           |       |       |
  |   1 |  SORT AGGREGATE       |                         |           |       |       |
  |*  2 |   TABLE ACCESS FULL   | EHCONS            |       |       |       |
  Predicate Information (identified by operation id):
  PLAN_TABLE_OUTPUT
     2 - filter(SUBSTR("EC"."strgfd",1,8)<>'[CIMText' AND "EC"."DEATHDATE"
                IS NULL AND "EC"."BIRTHDATE"<=TO_DATE('2009-10-06 11:52:12', 'yyyy
  -mm-dd
                hh24:mi:ss') AND "EC"."TYPE"='BAR')
  Note: rule based optimizationHere is the output of EXPLAIN PLAN for the slow query:
  PLAN_TABLE_OUTPUT
     |       |
  |   1 |  SORT AGGREGATE              |                             |       |
     |       |
  |*  2 |   TABLE ACCESS BY INDEX ROWID| ehgeoconstru      |       |
     |       |
  |*  3 |    INDEX RANGE SCAN          | ehgeoconstru_VSN  |       |
     |       |
  PLAN_TABLE_OUTPUT
  Predicate Information (identified by operation id):
  2 - filter(SUBSTR("EC"."strgfd",1,8)<>'[CIMText' AND "EC"."DEATHDATE" IS
  NULL AND "EC"."TYPE"='BAR')
  PLAN_TABLE_OUTPUT
     3 - access("EC"."CONTEXTVERSION"='REALWORLD' AND "EC"."BIRTHDATE"<=TO_DATE('2
  009-10-06
                11:52:12', 'yyyy-mm-dd hh24:mi:ss'))
         filter("EC"."BIRTHDATE"<=TO_DATE('2009-10-06 11:52:12', 'yyyy-mm-dd hh24:
  mi:ss'))
  Note: rule based optimizationThe TKPROF output for this slow statement is:
  TKPROF: Release 9.2.0.7.0 - Production on Tue Nov 17 14:46:32 2009
  Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
  Trace file: gen_ora_3120.trc
  Sort options: prsela  exeela  fchela 
  count    = number of times OCI procedure was executed
  cpu      = cpu time in seconds executing
  elapsed  = elapsed time in seconds executing
  disk     = number of physical reads of buffers from disk
  query    = number of buffers gotten for consistent read
  current  = number of buffers gotten in current mode (usually for update)
  rows     = number of rows processed by the fetch or execute call
  SELECT count(1)
  from ehgeoconstru  ec
  where ec.TYPE='BAR'
  and  ( (ec.contextVersion = 'REALWORLD')
  AND ( ec.birthDate <= TO_DATE('2009-10-06 11:52:12', 'YYYY-MM-DD HH24:MI:SS') ) )
  and deathdate is null
  and substr(ec.strgfd, 1, length('[CIMText')) <> '[CIMText'
  call     count       cpu    elapsed       disk      query    current        rows
  Parse        1      0.00       0.00          0          0          0           0
  Execute      1      0.00       0.00          0          0          0           0
  Fetch        2      0.00     538.12     162221    1355323          0           1
  total        4      0.00     538.12     162221    1355323          0           1
  Misses in library cache during parse: 0
  Optimizer goal: CHOOSE
  Parsing user id: 153 
  Rows     Row Source Operation
        1  SORT AGGREGATE
    27747   TABLE ACCESS BY INDEX ROWID OBJ#(73959)
  2134955    INDEX RANGE SCAN OBJ#(73962) (object id 73962)
  alter session set sql_trace=true
  call     count       cpu    elapsed       disk      query    current        rows
  Parse        0      0.00       0.00          0          0          0           0
  Execute      1      0.00       0.02          0          0          0           0
  Fetch        0      0.00       0.00          0          0          0           0
  total        1      0.00       0.02          0          0          0           0
  Misses in library cache during parse: 0
  Misses in library cache during execute: 1
  Optimizer goal: CHOOSE
  Parsing user id: 153 
  OVERALL TOTALS FOR ALL NON-RECURSIVE STATEMENTS
  call     count       cpu    elapsed       disk      query    current        rows
  Parse        1      0.00       0.00          0          0          0           0
  Execute      2      0.00       0.02          0          0          0           0
  Fetch        2      0.00     538.12     162221    1355323          0           1
  total        5      0.00     538.15     162221    1355323          0           1
  Misses in library cache during parse: 0
  Misses in library cache during execute: 1
  OVERALL TOTALS FOR ALL RECURSIVE STATEMENTS
  call     count       cpu    elapsed       disk      query    current        rows
  Parse        0      0.00       0.00          0          0          0           0
  Execute      0      0.00       0.00          0          0          0           0
  Fetch        0      0.00       0.00          0          0          0           0
  total        0      0.00       0.00          0          0          0           0
  Misses in library cache during parse: 0
      2  user  SQL statements in session.
      0  internal SQL statements in session.
      2  SQL statements in session.
  Trace file: gen_ora_3120.trc
  Trace file compatibility: 9.02.00
  Sort options: prsela  exeela  fchela 
         2  sessions in tracefile.
         2  user  SQL statements in trace file.
         0  internal SQL statements in trace file.
         2  SQL statements in trace file.
         2  unique SQL statements in trace file.
        94  lines in trace file.Edited by: PauloSMO on 17/Nov/2009 4:21
  Edited by: PauloSMO on 17/Nov/2009 7:07
  Edited by: PauloSMO on 17/Nov/2009 7:38 - Changed title to be more correct.

  Although your optimizer_mode is choose, it appears that there are no statistics gathered on ehgeoconstru. The lack of cost estimate and estimated row counts from each step of the plan, and the "Note: rule based optimization" at the end of both plans would tend to confirm this.
  Optimizer_mode choose means that if statistics are gathered then it will use the CBO, but if no statistics are present in any of the tables in the query, then the Rule Based Optimizer will be used. The RBO tends to be index happy at the best of times. I'm guessing that the index ehgeoconstru_VSN has contextversion as the leading column and also includes birthdate.
  You can either gather statistics on the table (if all of the other tables have statistics) using dbms_stats.gather_table_stats, or hint the query to use a full scan instead of the index. Another alternative would be to apply a function or operation against the contextversion to preclude the use of the index. something like this:
  SELECT COUNT(*)
  FROM ehgeoconstru  ec
  WHERE ec.type='BAR' and 
        ec.contextVersion||'' = 'REALWORLD'
        ec.birthDate <= TO_DATE('2009-10-06 11:52:12', 'YYYY-MM-DD HH24:MI:SS') and
        deathdate is null and
        SUBSTR(ec.strgfd, 1, LENGTH('[CIMText')) <> '[CIMText'or perhaps UPPER(ec.contextVersion) if that would not change the rows returned.
  John

• What is the compatibility issues restricting use of Dreamweaver MX2004 with Windows 7

  I can't launch an update my website design on Dreamweaver MX2004.  Adobe technicians have informed me the application is not compatible with Windows 7.  The Dreamweaver was already loaded onto this computer when I took over this assignment.  I assumed it was applicable before, so now what are the compatibility issues?  I need to launch these updates.  Can anyone help or provide directions what to do?   

  There are other Forum participants running MX2004 on WIN7, much to my surprise, even on 64bit machines.
  You may wish to be sure that whoever did the installation on your WIN7 machine, knew enough to also install the 7.01 Updater
  http://www.adobe.com/support/dreamweaver/downloads_updaters.html#dwmx2004

• How to resolve issues when using Adobe Reader DC with LEED Online?

  This morning I downloaded Adobe Reader DC however now I am no longer able save the PDF in LEED Online.  How do I resolve this issue or revert back to the older version of Adobe Reader?

  Before the DC version we were able to save our passwords from University of Phoenix and when opening the document saved to our computer it would unlock automatically.  This new version DC will not allow this even when you say Yes.
  The Right Column in previous versions would allow to disable until requested to appear this version it opens regardless.
  Just my opinion here  Adobe Failed at customer satisfaction on this UPGRADE.
  Regards a unhappy Adobe user.

• Cannot use IP-phone-7921 with EAP-Fast using internal WLC Radius

  Hello,
  I Cannot authenticate IP-phone when I use internal WLC-radius with a profile "eap-fast"
  The eror message I recieved on a debug is:
  *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous
  But of course there is a user configured on my ipphone !
  Note1 : I use a WLC with version : AIR-4400-K9-5-1-163-0 (AES)
  Note2: When I use LEAP it is OK
  Note3: When I try with my PC to autenticate in eap-fast with internal WLC radius, it is OK.
  See attacehement for more detail.
  Many thanks in advance.
  Michel Misonne
  *Mar 09 03:15:09.765: Unable to find requested user entry for anonymous

  ABSOLUTLEY DO NOT DO THIS!
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  This can cause you issues for up to 40 minutes. 20 attempts * 2 minutes apart
  Please take a look at
  https://supportforums.cisco.com/docs/DOC-12110
  config advanced eap identity-request-timeout 5
  config advanced eap identity-request-retries 12
  config advanced eap request-timeout 5
  config advanced eap request-retries 12
  would be much better, as it is only 60 seconds.  No device should take longer than 5 seconds to respond, but sometimes the phones need more than the 1 second default.
  HTH,
  Steve

• EAP-FAST Security level

  Hi all,
  I use EAP-FAST in my network and I have some questions about it.
  1) is there any vulnerability detected with EAP-FAST?
  2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
  3) Can I use EAP-FAST with MAC address filtering through ACS?
  4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
  Thanks for your reply.
  Thanks.

  1)
  Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
  What will happen? see
  The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
  To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
  Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
  In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
  However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
  Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
  After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
  EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
  2) Max user sessions
  3)Yes
  4)PEAP ( EAP TLS )
  Side note:
  EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
  Please make sure to rate correct answers and rate the thread as answered

• EAP-Fast or PEAP ??

  Dear All,
  we are not sure if we should use EAP-FAST as authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer ? For PEAP or EAP/TTLS we would need a Radius Server such as ACS while we could assign an Access Point as local authentication server if we used EAP-Fast. Is the extra cost for an ACS server justified only to be able to use PEAP ? Thanks for your help.

  Also you don?t need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that
  it is there for many other things thatn wireless. TACACS authentication on you devices, security logs. VPN authentication, and can connect OTP solutions on top of ACS (From other vendors like RSA) When migrating from LEAP EAP-FAST is the easiest way to go since EAP-FAST was designed to take over LEAP with less impact on your configuration and migration is easy since you are then running a ACS. The market acctually demanded EAP-FAST cause there was need for a solution that was mroe secure than LEAP and PEAP-mschapv2 (both shared secret mecanisms) and something less complicated that PKI solutions. The answer was EAP-FAST with its easy to setup "mini certificate" setup which can be preety well automated. PKI PEAP with certificates is a major decission and you have to be ready to manage a PKI solution all year long. This might require extra presonell to take care of it. But of course those solution will be the most secure.
  regards. Kristjan Edvardsson
  Sensa ehf. Cisco Silver Partner

• ISE - EAP-FAST PAC Provisioning - Identity field??

  Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
  Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.

  Use
  PAC
  •Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
  •Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
  •Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
  •Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
  When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
  –Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
  •Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
  When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
  •Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
  Uncheck this check box in the following cases:
  –If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
  –To always perform phase two of EAP-FAST
  When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
  •Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field.

• EAP-FAST, local Authentication and PAC provisioning

  Hi everybody,
  I have a litte understanding problem with the deployment of EAP-FAST.
  So here's the deal:
  I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
  When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
  Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
  But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
  Would server sided certificates resolve my concerns here?
  I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
  Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
  Thanks in advance!

  From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
  Is that what you are trying to get clarification on.
  Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
  Sent from Cisco Technical Support iPad App

• ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

  Hi All,
  I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
  Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
  Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
  I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
  http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
  Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
  Thanks,
  Rob

  Hello,
  Did you find a guide for EAP-FAST with AD ?
  I'm facing the same problem, I can't make EAP-FAST working with AD Account,
  Thanks to you
  Regards,
  Gérald

• EAP-Fast

  Hi,
  I have a AP1100 and a repeater AP1100. The AP acts as a Radius server and the clients (all AIR-350) use LEAP, WPA and TKIP. Everything works just fine.
  Now I want to secure my environment a bid more and make use of EAP-Fast. I can't get it work. At the authetication process, it sticks at provisioning. The log at the AP only shows: debugging; Station xxxxx: Authentication failed.
  Does anybody have a clue what I'm doing wrong or is it because the AP is the Radius server i.c.w. EAP-Fast ?
  Thanks,
  Auden

  Cisco Secure ACS is listed as a Prerequisite and in the Required Hardware and Software section;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080262422.html#wp998531
  hth
  Required Hardware and Software
  The following software and hardware are required for configuring EAP-FAST.
  Cisco Aironet Client Utility (ACU) and Aironet
  •Aironet Client Utility version 6.3
  •Cisco Aironet 350 Series Client Adapter
  •Client adapter firmware version 5.40
  •Client driver version 8.5
  •Aironet Client Monitor (ACM) version 2.3
  •Windows XP, SP1
  Cisco Aironet Access Point
  •Cisco Aironet 1100 Series Access Point
  •Cisco IOS Software Release 12.2(13)JA3
  •CiscoSecure Access Control Server (ACS)
  •CiscoSecure ACS v3.2.3 for Windows 2000 SP4
  •Aironet Configuration Administration Tool (ACAT) (optional)
  •Cisco Aironet ACAT v1.3

• Vista EAP-FAST Module

  Anyone know where I can get this module?
  http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
  Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
  Thanks,
  Todd

  The following link allows you to download the EAP-FAST module for vista:
  http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
  If the page does not come up for the first time while using the link above try opening the same link in a new browser page one more time.

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.