Mac OS X 10.4.8 adds EAP-FAST support

From the release notes of Mac OS X 10.4.8 update:
http://docs.info.apple.com/article.html?artnum=304200
- Improves security by adding support for EAP-FAST for AirPort wireless authentication.

Mac OS X 10.4.8 is now out, and many people were
hoping that Apple would take the opportunity to
update iSync at the same time.
After examining this update I can confirm that iSync
remains at v2.3 and no new phone support has been
added.
Therefore Sony Ericsson M600, P990 and W950 owners
still have no way to iSync their phones. (For
workarounds
see here.
Owners of Sony Ericsson W850, K610, K510, K800, W300,
W700, K790, V630, Z550 and Z525 phones can continue
to use the iSync Phone Plugins available below to
sync these models:
http://mobile.feisar.com/phoneplugins23.html
Jools
This is really bad news! Apple is disappointing a whole lot of new phone owners. I bought my first Apple computer especially for Isync and Ical. Now it seems that the users are no longer important. Innovation and big numbers are the new targets.
Without the proper use of Ical and Isync, OS X becomes incomplete and therefore less interesting for all users.
I think Apple is making a big mistake here!
I’m not willing to let Apple decide witch phone to buy!
So how about it Steve?
Powerbook G4   Mac OS X (10.4.7)  

Similar Messages

  • EAP-FAST for Cisco a/b/g card ?

    Per Cisco
    Cisco Compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters will support EAP-FAST in the fourth quarter of 2004.
    Anyone have an idea when this will be supported?

    Hello,
    Currently EAP-FAST support for the ADU software will be available at the end of next month. Sorry for no firmer date but the last week of January is when it appears it will be released.
    Regards,
    Aaron

  • How do you connect a Mac to an EAP-FAST wireless network?

    Although this guy doesn't seem to like it much:
    http://www.lanarchitect.net/Articles/Wireless/EAP-FAST/
    my company is deploying EAP-FAST according to this spec:
    http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-03.txt
    And some additiona info:
    http://www.ciscopress.com/articles/article.asp?p=369223&seqNum=5&rl=1
    Anyone know of any third-party options?
    Otherwise I'll have to buy a long ethernet cable.
    1.5 Ghz PB   Mac OS X (10.4.6)  

    To add to John's comment, I think there are about 1500 of us affected by not having EAP-FAST as an option on our PowerBooks/MacBook Pros at the office. It'd be great to have Apple add support for EAP-FAST to the Airport but failing that a decent third-party option will have to suffice.

  • I shifted from a windows to a mac.. I want to add songs to my ipod tpuch 4th gen.. but if i try to sync with itunes it says my songs will be replaced by the new songs.. Is there any way that i can have my previous data safe??

    i shifted from a windows to a mac.. I want to add songs to my ipod tpuch 4th gen.. but if i try to sync with itunes it says my songs will be replaced by the new songs.. Is there any way that i can have my previous data safe??

    Your iPod can only be synced with one computer at a time.  If you try to sync it with a new computer/iTunes library, it will replace the contents of the iPod with whatever is in the new library. You should probably disable the autosync functionality first by going to Edit -> Preferences, clicking the Devices tab, and enabling the prevent iPods,iPhones, and iPads from automatically syncing option.
    Before doing anything else,  authorize the new computer with your iTunes Account.  In iTunes, choose Store -> Authorize This Computer and enter in the correct credentials. Either copy a backup file from your old computer to your new one or create a new backup of your iPod in iTunes before letting it sync.
    Then right->click on your iPod Touch from under the Devices section in the left hand pane of iTunes and choose Backup. You might also want to take a look at this article to see what it all included in the backup.
    iOS: How to back up
    Now onto synced content such as music, videos, photos, etc.  For iTunes purchases you can copy them back into iTunes by choosing File -> Transfer Purchases.  For all other nonpurchased iTunes content, see this excellent user tip from another forum member turingtest2 outlining the different methods and software available to help you copy content from your iPod back to your PC and into iTunes.
    Recovering your iTunes library from your iPod or iOS device
    Once the backup has been made and all other synced content such as music, videos, and photos are back in your iTunes library, restore your iPod from that backup you made earlier.  Here is more on backing up and restoring your iPod.
    iTunes: Backing up, updating, and restoring iOS software
    If you do happen to lose any purchased content, you can always redownload it from the iTunes Store again at no cost via iCloud.  See this article for information.
    Downloading past purchases from the App Store, iBookstore, and iTunes Store
    B-rock

  • ACS EAP-FAST and LEAP restrictions. regarding 7920 wireless phones

    Hello, The 7920 still doesn´t support EAP-FAST. So I´m wondering if it is possible to restcrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that ?

    Hi
    Kristjan's question above is a good one - I'm looking for a similar answer...
    I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
    Also can I restrict LEAP users to a set of pre-defined MAC addresses?
    Thanks
    Aaron

  • EAP-FAST on Local Radius Server : Can't Get It Working

    Hi all
    I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
    I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
    the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
    sh radius local-server s
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Unknown NAS            : 0           Invalid packet from NAS: 17      
    NAS : 172.27.44.1
    Successes              : 1           Unknown usernames      : 0        
    Client blocks          : 0           Invalid passwords      : 0        
    Corrupted packet       : 0           Unknown RADIUS message : 0        
    No username attribute  : 0           Missing auth attribute : 0        
    Shared key mismatch    : 0           Invalid state attribute: 0        
    Unknown EAP message    : 0           Unknown EAP auth type  : 17       
    Auto provision success : 0           Auto provision failure : 0        
    PAC refresh            : 0           Invalid PAC received   : 0       
    Can anyone suggest what I might be doing wrong?
    Regs, Tim

    Thanks Nicolas, relevant snippets from config:
    aaa new-model
    aaa group server radius rad_eap
    server 172.27.44.1 auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid home
    vlan 3
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ip dhcp pool home
       import all
       network 192.168.1.0 255.255.255.0
       default-router 192.168.1.1
       dns-server 194.74.65.68 194.74.65.69
    ip inspect name ethernetin tcp
    ip inspect name ethernetin udp
    ip inspect name ethernetin pop3
    ip inspect name ethernetin ssh
    ip inspect name ethernetin dns
    ip inspect name ethernetin ftp
    ip inspect name ethernetin tftp
    ip inspect name ethernetin smtp
    ip inspect name ethernetin icmp
    ip inspect name ethernetin telnet
    interface Dot11Radio0
    no ip address
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 2 mode ciphers aes-ccm tkip
    encryption vlan 3 mode ciphers aes-ccm tkip
    broadcast-key vlan 1 change 30
    broadcast-key vlan 2 change 30
    broadcast-key vlan 3 change 30
    ssid home
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Dot11Radio0.3
    encapsulation dot1Q 3
    no cdp enable
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan3
    no ip address
    bridge-group 3
    interface BVI3
    ip address 192.168.1.1 255.255.255.0
    ip inspect ethernetin in
    ip nat inside
    ip virtual-reassembly
    radius-server local
    no authentication mac
    nas 172.27.44.1 key 0 123456
    user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
    user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
    user test3 nthash 0 0CB6948805F797BF2A82807973B89537
    radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
    radius-server vsa send accounting

  • Cisco 871w, radius server local, and leap or eap-fast will not authenticate

    Hello, i trying to setup eap-fast or leap on my 871w.  i belive i have it confiured correctly but i can not get any device to authenticate to router.  Below is the confiureation that i being used.  any help would be welcome!
    ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
    ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
    version 12.4
    configuration mode exclusive auto
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service linenumber
    service pt-vty-logging
    service sequence-numbers
    hostname router871
    boot-start-marker
    boot-end-marker
    logging count
    logging message-counter syslog
    logging buffered 4096
    logging rate-limit 512 except critical
    logging console critical
    enable secret 5 <omitted>
    aaa new-model
    aaa group server radius rad-test3
    server 192.168.16.49 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login eap-methods group rad-test3
    aaa authorization exec default local
    aaa session-id common
    clock timezone AZT -7
    clock save interval 8
    dot11 syslog
    dot11 ssid test2
    vlan 2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <omitted>
    dot11 ssid test1
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 <omitted>
    dot11 ssid test3
    vlan 3
    authentication open eap eap-methods
    authentication network-eap eap-methods
    no ip source-route
    no ip gratuitous-arps
    ip options drop
    ip dhcp bootp ignore
    ip dhcp excluded-address 192.162.16.49 192.162.16.51
    ip dhcp excluded-address 192.168.16.33
    ip dhcp excluded-address 192.168.16.1 192.168.16.4
    ip dhcp pool vlan1pool
       import all
       network 192.168.16.0 255.255.255.224
       default-router 192.168.16.1
       domain-name test1.local.home
       lease 4
    ip dhcp pool vlan2pool
       import all
       network 192.168.16.32 255.255.255.240
       default-router 192.168.16.33
       domain-name test2.local.home
       lease 0 6
    ip dhcp pool vlan3pool
       import all
       network 192.168.16.48 255.255.255.240
       default-router 192.168.16.49
       domain-name test3.local.home
       lease 2
    ip cef
    ip inspect alert-off
    ip inspect max-incomplete low 25
    ip inspect max-incomplete high 50
    ip inspect one-minute low 25
    ip inspect one-minute high 50
    ip inspect udp idle-time 15
    ip inspect tcp idle-time 1800
    ip inspect tcp finwait-time 30
    ip inspect tcp synwait-time 60
    ip inspect tcp block-non-session
    ip inspect tcp max-incomplete host 25 block-time 2
    ip inspect name firewall tcp router-traffic
    ip inspect name firewall ntp
    ip inspect name firewall ftp
    ip inspect name firewall udp router-traffic
    ip inspect name firewall pop3
    ip inspect name firewall pop3s
    ip inspect name firewall imap
    ip inspect name firewall imap3
    ip inspect name firewall imaps
    ip inspect name firewall smtp
    ip inspect name firewall ssh
    ip inspect name firewall icmp router-traffic timeout 10
    ip inspect name firewall dns
    ip inspect name firewall h323
    ip inspect name firewall hsrp
    ip inspect name firewall telnet
    ip inspect name firewall tftp
    no ip bootp server
    no ip domain lookup
    ip domain name local.home
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip accounting-threshold 100
    ip accounting-list 192.168.16.0 0.0.0.31
    ip accounting-list 192.168.16.32 0.0.0.15
    ip accounting-list 192.168.16.48 0.0.0.15
    ip accounting-transits 25
    login block-for 120 attempts 5 within 60
    login delay 5
    login on-failure log
    memory free low-watermark processor 65536
    memory free low-watermark IO 16384
    username testtest password 7 <omitted>
    archive
    log config
      logging enable
      logging size 255
      notify syslog contenttype plaintext
      hidekeys
    path tftp://<omitted>/archive-config
    write-memory
    ip tcp synwait-time 10
    ip ssh time-out 20
    ip ssh authentication-retries 2
    ip ssh logging events
    ip ssh version 2
    bridge irb
    interface Loopback0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    shutdown
    interface FastEthernet1
    switchport mode trunk
    shutdown
    interface FastEthernet2
    shutdown
    spanning-tree portfast
    interface FastEthernet3
    spanning-tree portfast
    interface FastEthernet4
    description Cox Internet Connection
    ip address dhcp
    ip access-group ingress-filter in
    ip access-group egress-filter out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip flow egress
    ip inspect firewall out
    ip nat outside
    ip virtual-reassembly
    ip tcp adjust-mss 1460
    load-interval 30
    duplex auto
    speed auto
    no cdp enable
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encryption vlan 1 mode ciphers aes-ccm
    encryption vlan 2 mode ciphers aes-ccm
    encryption key 1 size 128bit 7 <omitted> transmit-key
    encryption mode wep mandatory
    broadcast-key vlan 1 change <omitted> membership-termination
    broadcast-key vlan 3 change <omitted> membership-termination
    broadcast-key vlan 2 change <omitted> membership-termination
    ssid test2
    ssid test1
    ssid test3
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    rts threshold 2312
    no cdp enable
    interface Dot11Radio0.1
    description <omitted>
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    description <omitted>
    encapsulation dot1Q 2
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.3
    description <omitted>
    encapsulation dot1Q 3
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 spanning-disabled
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    interface Vlan1
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan2
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface Vlan3
    description <omitted>
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    bridge-group 3
    bridge-group 3 spanning-disabled
    interface BVI1
    description <omitted>
    ip address 192.168.16.1 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI2
    description <omitted>
    ip address 192.168.16.33 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    interface BVI3
    description <omitted>
    ip address 192.168.16.49 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
    ip http timeout-policy idle 5 life 43200 requests 5
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
    ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
    ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
    ip access-list extended egress-filter
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   ip host <omitted> any
    deny   ip host <omitted> any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.10.9.255 any
    deny   ip 10.0.0.0 0.10.13.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.15.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    permit ip <omitted> 0.0.0.3 any
    deny   ip any any log
    ip access-list extended ingress-filter
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any log
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host <omitted>
    deny   ip any host <omitted>
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip 10.10.10.0 0.0.0.255 any
    deny   ip 10.10.11.0 0.0.0.255 any
    deny   ip 10.10.12.0 0.0.0.255 any
    deny   ip any any log
    access-list 1 permit 192.168.16.0 0.0.0.63
    access-list 20 permit 127.127.1.1
    access-list 20 permit 204.235.61.9
    access-list 20 permit 173.201.38.85
    access-list 20 permit 216.229.4.69
    access-list 20 permit 152.2.21.1
    access-list 20 permit 130.126.24.24
    access-list 21 permit 192.168.16.0 0.0.0.63
    radius-server local
    no authentication mac
    eapfast authority id <omitted>
    eapfast authority info <omitted>
    eapfast server-key primary 7 <omitted>
    nas 192.168.16.49 key 7 <omitted>
    group rad-test3
      vlan 3
      ssid test3
    user test nthash 7 <omitted> group rad-test3
    user testtest nthash 7 <omitted> group rad-test3
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
    radius-server vsa send accounting
    control-plane host
    control-plane transit
    control-plane cef-exception
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    bridge 3 protocol ieee
    bridge 3 route ip
    line con 0
    password 7 <omitted>
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    password 7 <omitted>
    logging synchronous
    transport output telnet
    line vty 0 4
    password 7 <omitted>
    logging synchronous
    transport preferred ssh
    transport input ssh
    transport output ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    process cpu threshold type total rising 80 interval 10 falling 40 interval 10
    ntp authentication-key 1 md5 <omitted> 7
    ntp authenticate
    ntp trusted-key 1
    ntp source FastEthernet4
    ntp access-group peer 20
    ntp access-group serve-only 21
    ntp master 1
    ntp server 152.2.21.1 maxpoll 4
    ntp server 204.235.61.9 maxpoll 4
    ntp server 130.126.24.24 maxpoll 4
    ntp server 216.229.4.69 maxpoll 4
    ntp server 173.201.38.85 maxpoll 4
    end

    so this what i am getting now for debug? any thoughs?
    010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
    010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
    010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
    010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0AD05650:                   01000004 04010004          ........
    0AD05660:
    010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
    010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
    010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0B060D50:                   01000009 02010009          ........
    0B060D60: 01746573 74                          .test
    010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
    010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
    010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
    010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
    010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
    010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
    010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
    010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
    010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
    010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
    010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
    010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
    010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
    010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
    router871#
    010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
    010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    0AD053D0:                   01010000                   ....
    010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
    010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
    router871#
    010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
    router871#
    010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
    010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
    010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
    010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
    010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
    010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
    010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
    010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
    010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
    0B060710:                   01000004 04010004          ........
    0B060720:
    010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
    010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
    010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
    router871#
    010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
    010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
    010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0AD05B50:                   01000031 01010031          ...1...1
    0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
    010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    router871#
    010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    router871#
    010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
    010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060710:                   01000031 01010031          ...1...1
    0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
    010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
    010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
    010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
    010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
    010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
    010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
    010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
    010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
    010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
    010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
    010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
    010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
    010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
    010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
    0B060FD0:                   01000031 01010031          ...1...1
    0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
    0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
    0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
    010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
    010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
    010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
    010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
    010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
    010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
    010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
    0AD05290:                   01000009 02010009          ........
    0AD052A0: 01746573 74                          .test
    010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
    010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
    010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
    010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
    010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
    010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
    010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
    010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
    010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
    010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
    010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
    010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
    010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
    010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
    010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
    010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
    010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
    010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
    010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
    010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
    010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
    010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
    010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
    010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
    010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
    010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
    So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
    After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
    Thx.

  • EAP-FAST Security level

    Hi all,
    I use EAP-FAST in my network and I have some questions about it.
    1) is there any vulnerability detected with EAP-FAST?
    2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
    3) Can I use EAP-FAST with MAC address filtering through ACS?
    4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
    Thanks for your reply.
    Thanks.

    1)
    Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
    What will happen? see
    The in-band provisioning mode  operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH  or RSA algorithm for key agreement.
    To minimize the risk of exposing the user's credentials, a clear text  password should not be used outside of the protected tunnel. Therefore,  EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials  within the protected tunnel. The information contained in the PAC is  also available for further authentication sessions after the inner EAP  method has completed.
    Automatic In-Band PAC Provisioning, which is the  same as EAP-FAST phase zero, sends a new PAC to an end-user client over a  secured network connection. Automatic In-Band PAC Provisioning requires  no intervention of the network user or an ACS administrator, provided  that you configure ACS and the end-user client to support Automatic  In-Band PAC Provisioning.
    In general, phase zero of EAP-FAST does not authorize network access. In  this general case, after the client has successfully performed phase  zero PAC provisioning, the client must send a new EAP-FAST request in  order to begin a new round of phase one tunnel establishment, followed  by phase two authentication.
    However, if you choose the Accept Client on Authenticated Provisioning  option, ACS sends a RADIUS Access-Accept (that contains an EAP Success)  at the end of a successful phase zero PAC provisioning, and the client  is not forced to reauthenticate again. This option can be enabled only  when the Allow Authenticated In-Band PAC Provisioning option is also  enabled.
    Because transmission of PACs in phase zero is secured by MSCHAPv2  authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we  recommend that you limit use of Automatic In-Band PAC Provisioning to  initial deployment of EAP-FAST.
    After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
    EAP-FAST has been enhanced to support an authenticated tunnel (by using  the server certificate) inside which PAC provisioning occurs. The new  cipher suites that are enhancements to EAP-FAST, and specifically the  server certificate, are used.
    2) Max user sessions
    3)Yes
    4)PEAP ( EAP TLS )
    Side note:
    EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
    Please make sure to rate correct answers and rate the thread as answered

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

    A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
    Good Luck
    Scott

  • EAP-FAST - PEAP etc - Installing server cert on OS X - How ?

    We are running EAP-FAST, but my Mac will not log on to the wireless network. The radius server says that the client probably did not like the server certificate (self-signed).
    How do I get the server certificate installed under Leopard ? And how do I associate that with the specific SSID of the EAP-FAST network ? (So as to prevent the same cert from working on other SSIDs).

    have you tried setting up a new network location and then configure your wireless connection as laid out in the following how to?
    http://www.csupomona.edu/~ehelp/wireless/setup_leopard.shtml

  • EAP-AKA Support in OS x and iOS

    As you know, EAP is an authentication framework. It simply provides some common functions and negotiation of the desired authentication mechanism. Such mechanisms are called EAP methods and there are currently about 40 of them. Some famous EAP types currently included in the Wi-Fi alliance certification program are:
    - EAP-SIM: Based on SIM card: uses cryptographic algorithm for 2G network authentication.
    - EAP-AKA (since 19/05/2009) : Based on (U)SIM card: uses cryptographic algorithm for 3G network authentication.
    In our company we are trying to use EAP-AKA to provide seamless authentication of WiFi network based on the user's (U)SIM.
    I wonder if EAP-AKA is considered to be part of accepted EAP types supported in the iPhone or Mac OS x Airport?  
    Thanks.

    Hi Dave, Thanks for your answer. you are right (according to the Guide) iOS supports the all the protocols mentioned, however i was looking after the EAP-AKA (for the 3G authentication) based on (U)SIM. it is simply not there on the supported protocol lists in iOS.
    According to my recent search on this, it seems in the iPhone/iPad that are running iOS the (U)SIMs inside performs 2G Authentication as well (if the authenticator is asking for EAP-SIM) so EAP-SIM on the iOS (iPad/iPhone) should be ok.
    now the question comes to the OS x, i did not find any hint on EAP-SIM or EAP-AKA authentication support i hope it will be added sometime. Meanwhile i am looking for some OSx software that does the same.
    BRs..

  • I dont recall when I have been more frustrated....  the "loops" I am in on the web for support are endless.  After downloading Yosemite on my Mac my CS6 no longer works.  On your support web site you state the following for downloading and installing prev

    I dont recall when I have been more frustrated....  the "loops" I am in on the web for support are endless.  After downloading Yosemite on my Mac my CS6 no longer works.  On your support web site you state the following for downloading and installing previous versions of apps, such as CS6 " 1. open CC for desktop and go to the apps panel (no link is provided so I explored until I could download a trial version of "application manager" as that was required.  When I attempted to open it to download "Previous Versions" I could not.  I have my license number, my CS6 will not open in Yosemite and after over 2 hours I am really frustrated....  Rich@

    When I go to that link, download and then attempt to install I get the message "Webe encountered the following issues, Installer failed to initialize.  Please down load Adobe Support Advisor to detect the problem"  I then select the link "get adobe support advisor" that takes me to a site that describes a better support link since the one I have been sent to is no longer available.  I then go to that site and am told to go to CC for desktop apps, that requires me to download CC...  I don't want CC.. just want to have my CS6 PS work again....  so frustrating...

  • I have a Mac pro(1 free bay) and a mac mini I need to back both of them  Is it better to use an external NAS HD or an internal hard drive on my mac pro (mid 2010) What option has the faster GB/s?

    I have a Mac pro(1 free bay) and a mac mini I need to back up both of them (time machine)  Is it better to use an external NAS HD or an internal hard drive on my mac pro (mid 2010)
    What option has the faster GB/s?

    Disk drive using native SATA bus interface will allow the drive to copy and always present and ready.
    But once you have backup any hourly changes should be smaller and as long as the NAS and your switch should allow enough.
    You should always have off line backups and don't rely on just one backup set or just TimeMachine.
    WD RED models are designed for RAID and NAS and 7.2k instead of your more standard slower green 5400 rpm green models while still costing less than WD Blacks.
    http://www.amazon.com/gp/product/B008JJLW4M/
    How to clone your system:
    http://macperformanceguide.com/Mac-HowToClone-backup.html
    http://macperformanceguide.com/Mac-HowToClone.html
    http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
    Using Cloning as a Backup Strategy
    http://www.macupdate.com/app/mac/7032/carbon-copy-cloner
    http://www.bombich.com/software/updates/ccc-3.5.html
    Clone to internal, TimeMachine to NAS is one way to go at it.

  • EAP-FAST with local radius on 1242AG

    I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
    I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
    Any help or a basic example you be great.
    thanks,
    Simon

    I think this is what you're looking for;
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    HTH
    Regards,
    Jatin
    Do rate helpful posts~

Maybe you are looking for

  • 64 bit installation in Lightroom 2 for MAC

    The readme file that came with Lightroom 2 for MAC states: "Mac: Lightroom 2 is a 32-bit application by default. For customers using OS X 10.5 on an Intel-based computer, Lightroom 2.0 can be used as a 64-bit application by selecting Adobe Lightroom

  • Open a PDF file in linux using java

    Hi.. How can I open a PDF file in linux using java. I am able to open PDF in windows and mac using this code in Windows Runtime.getRuntime().exec("rundll32 url.dll,FileProtocolHandler " + path_of_PDF); in mac Runtime.getRuntime().exec("open " + path_

  • Importing data error: SIGNEDDATA conversion error

    The complete description is: The number of failing rows exceeds the maximum specified. (Microsoft Data Transformation Services (DTS) Data Pump (8004202c): TransformCopy 'DTSTransformation__13' conversion error:  General conversion failure on column p

  • Several questions from a new user.

    Ok, I figure I'll just put all the questions at once. 1) Loading up the library I'm putting all my music, however I noticed that on occasion when copying from other directories I get multiples in the list. Is there a way to automatically delete multi

  • IMPLEMENTATION IN BW

    Hello friends can anybody let me what the procedure for implementing the mm module in sap bw from the scratch with some good example ? With regard Tushar