WET200 Could firmware allow EAP-FAST
Hi,
I have been looking to utilise the above authentication using a PAC file.
This is the system used by one of our clients. Although Cisco aironet 1300
series supports this, they are a good deal more expensive as a solution.
My question to see what your thought are is whether a device like this WET200
would ever be able to support this type of authentication with the likes of a firmware
upgrade? I know it's not worth holding your breath on, but the unit had originally
been purchased since cisco compatibility was a prerequesite. Only once we went
to setup did it become apparent as to the authentication method they used.
TIA
Andrew
Yes and no. For 2 weeks my iPad would fail every time I tried to connect to the wireless, and I would get the same error message in ACS stating that the supplicant did not respond correctly. Yesterday, I noticed it was connected. I checked the logs in ACS, and saw a successful connection using EAP-FAST. So it did work, but I have no idea why. Nothing changed on either system config wise. Maybe a new PAC file was generated? I need to check the logs to see if that was the case. Regardless, my iPad can now connect using EAP-FAST. Excited about this news, I pushed the profile from the iPhone config utility to 2 additional devices, another iPad, and an iPhone. Both failed, with the same supplicant did not respond correctly message in ACS. So the 3 apple devices have the exact same config on them - 1 now works after 2 weeks of failing, and 2 failed upon first day attempts yesterday. Very odd, and very frustrating. ACS provides very little in the way of help (the supplicant did not respond correctly, but in what way did it not respond correctly??), and the iPad logs even less. So it seems to be impossbile to really know what is going on here. If you or anyone has any suggestions I am definetly open to hearing them.
Similar Messages
-
EAP-FAST with local radius on 1242AG
I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
Any help or a basic example you be great.
thanks,
SimonI think this is what you're looking for;
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
HTH
Regards,
Jatin
Do rate helpful posts~ -
EAP-FAST, local Authentication and PAC provisioning
Hi everybody,
I have a litte understanding problem with the deployment of EAP-FAST.
So here's the deal:
I want to the deploy EAP-FAST with autonomous APs with an ACS as Authentication server. So far so good.
When the ACS is not reachable, the autonomous AP should act as local Authenticator for the clients as backup. Is this possible when doing manual PAC provisioning? I guess not, because the PAC master key is not synced between ACS and the AP local Authenticator.
Would automatic PAC provisioning resolve that issue? If the ACS server fails, the local Authenticator AP will create new PACs for the clients, right?
But - I have doubts regarding automatic provisioning of PACs. From my understanding the Phase-0 is just performed in MS-CHAPv2, which is dictionary attackable. Furthermore a MITM attack could be possible during phase-0.
Would server sided certificates resolve my concerns here?
I would prefer PEAP, but the autonomous APs don't support this EAP type as local authenticator method, right?
Btw. .... is there any good document regarding FAST on CCO? I couldn't find anything. The Q&A page is just scratching the surface. The best document I could find so far is the ACS user configuration page. But I'm not 100% happy with this. Is there some kind of EAP-FAST deployment guide out there? I need best practices regarding PAC provisioning and so on :-)
Thanks in advance!From what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
Is that what you are trying to get clarification on.
Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
Sent from Cisco Technical Support iPad App -
Connect to EAP-FAST corporate network
Hi. I'm trying to setup my new macbook to connect to my company's wireless network but no luck. Here are the details from my WinXP laptop's Intel PROSet profile:
+Enterprise Security:+
+Wireless Network Name (SSID): protected+
+Network Authentication: Open+
+Data Encryption: CKIP+
+Authentication Type: EAP-FAST+
+Desable EAP-FAST Enhancments (CCXv4): checked+
+Allow unauthenticated provisioning: checked+
+Default server: ACS_wifi+
+User Credentials: Use Windows logon+
+Server Verification is not required.+
*Any idea how to setup my macbook/airport to connect to this network?*
ThanksI've already did try to create there various profiles but no luck. Even when I try 'Join other network' and select 'Show networks' I don't get my corporate network on the list. Maybe it's hidden. Where I can see a Log what's going on?
-
ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD
Just a question surrounding EAP-FAST chaining (EAP-TLS inner) and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specifiy that the username should be in a specific AD group. WIth EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.
I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
In my deployment I am using a single SSID with the following protocols:
EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
EAP-TLS Machine Certs - Certs deploted via AD GPO
EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
My certificate profile, created in ISE, utilised the CN field in the subject for principle username. This configuration works fine for machine certs and user certifcates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
The solution seemed obvious - create a new cert profile that utilises the SAN field of the certifcate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
I figured that the a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specifiy a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
I know this explantion is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least. -
Hi NetPro.
EAP-TLS is working now, but how to configure EAP-FAST as the backup in case TLS is failure then user still able to use FAST as the second choice ?
your reply will be highly appreciated.
thanks heaps.
JackAll you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.
-
ACS 3.3 to 4.1 EAP-FAST PAC migration
Our 3rd party supplicants don't handle EAP-FAST in-band PAC changes well at all. To allow a smooth transition from Windows ACS 3.3 to 4.1, we'd like to migrate the v3.3 master or at least the secondary PAC to ACS 4.1. Replication is not an option between 3.3 & 4.1, so I'm looking for a manual way to accomplish this. TIA.
So what you want to do is following :
> Install LMS 4.1 on Windows
> Decomission LMS 3.2
> Rename hostname and IP for LMS 4.2 to same as older LMS 3.2
IP change is not a problem, but for hostname change you should run NMSROOT\bin\hostnamechange.pl script.
For more details, please check the following document :
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.1/user/guide/admin/appendixcli.html#wp1041971
-Thanks -
Hi all,
I use EAP-FAST in my network and I have some questions about it.
1) is there any vulnerability detected with EAP-FAST?
2) Can I restrict the establishment two or more simultaneous sessions using the same account and same PAC? how
3) Can I use EAP-FAST with MAC address filtering through ACS?
4) What is the level of security provided by EAP-FAST? is there technology more security than EAP-FAST?
Thanks for your reply.
Thanks.1)
Everything should be fine with EAP-FAST but you should take into consideration some issues when your clients are being provisioned their PACs through inband PAC provisioning.
What will happen? see
The in-band provisioning mode operates inside a TLS tunnel raised by Anonymous DH or Authenticated DH or RSA algorithm for key agreement.
To minimize the risk of exposing the user's credentials, a clear text password should not be used outside of the protected tunnel. Therefore, EAP-MSCHAPv2 or EAP-GTC are used to authenticate the user's credentials within the protected tunnel. The information contained in the PAC is also available for further authentication sessions after the inner EAP method has completed.
Automatic In-Band PAC Provisioning, which is the same as EAP-FAST phase zero, sends a new PAC to an end-user client over a secured network connection. Automatic In-Band PAC Provisioning requires no intervention of the network user or an ACS administrator, provided that you configure ACS and the end-user client to support Automatic In-Band PAC Provisioning.
In general, phase zero of EAP-FAST does not authorize network access. In this general case, after the client has successfully performed phase zero PAC provisioning, the client must send a new EAP-FAST request in order to begin a new round of phase one tunnel establishment, followed by phase two authentication.
However, if you choose the Accept Client on Authenticated Provisioning option, ACS sends a RADIUS Access-Accept (that contains an EAP Success) at the end of a successful phase zero PAC provisioning, and the client is not forced to reauthenticate again. This option can be enabled only when the Allow Authenticated In-Band PAC Provisioning option is also enabled.
Because transmission of PACs in phase zero is secured by MSCHAPv2 authentication, when MSCHAPv2 is vulnerable to dictionary attacks, we recommend that you limit use of Automatic In-Band PAC Provisioning to initial deployment of EAP-FAST.
After a large EAP-FAST deployment, PAC provisioning should be done manually to ensure the highest security for PACs.
EAP-FAST has been enhanced to support an authenticated tunnel (by using the server certificate) inside which PAC provisioning occurs. The new cipher suites that are enhancements to EAP-FAST, and specifically the server certificate, are used.
2) Max user sessions
3)Yes
4)PEAP ( EAP TLS )
Side note:
EAP FAST is now supported on Micrsofot supplicants , so yeah it should work with third party supplicants
Please make sure to rate correct answers and rate the thread as answered -
Hi,
I have a AP1100 and a repeater AP1100. The AP acts as a Radius server and the clients (all AIR-350) use LEAP, WPA and TKIP. Everything works just fine.
Now I want to secure my environment a bid more and make use of EAP-Fast. I can't get it work. At the authetication process, it sticks at provisioning. The log at the AP only shows: debugging; Station xxxxx: Authentication failed.
Does anybody have a clue what I'm doing wrong or is it because the AP is the Radius server i.c.w. EAP-Fast ?
Thanks,
AudenCisco Secure ACS is listed as a Prerequisite and in the Required Hardware and Software section;
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080262422.html#wp998531
hth
Required Hardware and Software
The following software and hardware are required for configuring EAP-FAST.
Cisco Aironet Client Utility (ACU) and Aironet
Aironet Client Utility version 6.3
Cisco Aironet 350 Series Client Adapter
Client adapter firmware version 5.40
Client driver version 8.5
Aironet Client Monitor (ACM) version 2.3
Windows XP, SP1
Cisco Aironet Access Point
Cisco Aironet 1100 Series Access Point
Cisco IOS Software Release 12.2(13)JA3
CiscoSecure Access Control Server (ACS)
CiscoSecure ACS v3.2.3 for Windows 2000 SP4
Aironet Configuration Administration Tool (ACAT) (optional)
Cisco Aironet ACAT v1.3 -
Dear All,
we are not sure if we should use EAP-FAST as authentication method or if we should use PEAP or EAP/TTLS. Could you please inform us which one is safer ? For PEAP or EAP/TTLS we would need a Radius Server such as ACS while we could assign an Access Point as local authentication server if we used EAP-Fast. Is the extra cost for an ACS server justified only to be able to use PEAP ? Thanks for your help.Also you don?t need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that
it is there for many other things thatn wireless. TACACS authentication on you devices, security logs. VPN authentication, and can connect OTP solutions on top of ACS (From other vendors like RSA) When migrating from LEAP EAP-FAST is the easiest way to go since EAP-FAST was designed to take over LEAP with less impact on your configuration and migration is easy since you are then running a ACS. The market acctually demanded EAP-FAST cause there was need for a solution that was mroe secure than LEAP and PEAP-mschapv2 (both shared secret mecanisms) and something less complicated that PKI solutions. The answer was EAP-FAST with its easy to setup "mini certificate" setup which can be preety well automated. PKI PEAP with certificates is a major decission and you have to be ready to manage a PKI solution all year long. This might require extra presonell to take care of it. But of course those solution will be the most secure.
regards. Kristjan Edvardsson
Sensa ehf. Cisco Silver Partner -
ISE - EAP-FAST PAC Provisioning - Identity field??
Hi all, very simple question regarding the fields in the PAC provisioning section of ISE. Basically wondering what the "identity" field under machine and tunnel PAC is meant to be? I am currently planning an EAP-FAST deployment and this is the only area I am wondering about. Essentially planning to auto-provision the PAC hopefully using authenticate in-band. The Cisco doco is a little vague on this particular field.
Thanks in advance - have googled this for a day or so and frankly cannot find the information that I want.Use
PAC
•Tunnel PAC Time To Live—The Time to Live (TTL) value restricts the lifetime of the PAC. Specify the lifetime value and units. The default is 90 days. The range is between 1 and 1825 days.
•Proactive PAC Update When: of PAC TTL is Left—The Update value ensures that the client has a valid PAC. Cisco ISE initiates an update after the first successful authentication but before the expiration time that is set by the TTL. The update value is a percentage of the remaining time in the TTL. The default is 90%.
•Allow Anonymous In-band PAC Provisioning—Check this check box for Cisco ISE to establish a secure anonymous TLS handshake with the client and provision it with a PAC by using phase zero of EAP-FAST with EAP-MSCHAPv2. To enable anonymous PAC provisioning, you must choose both of the inner methods, EAP-MSCHAPv2 and EAP-GTC.
•Allow Authenticated In-band PAC Provisioning—Cisco ISE uses SSL server-side authentication to provision the client with a PAC during phase zero of EAP-FAST. This option is more secure than anonymous provisioning but requires that a server certificate and a trusted root CA be installed on Cisco ISE.
When you check this option, you can configure Cisco ISE to return an Access-Accept message to the client after successful authenticated PAC provisioning.
–Server Returns Access Accept After Authenticated Provisioning—Check this check box if you want Cisco ISE to return an access-accept package after authenticated PAC provisioning.
•Allow Machine Authentication—Check this check box for Cisco ISE to provision an end-user client with a machine PAC and perform machine authentication (for end-user clients who do not have the machine credentials). The machine PAC can be provisioned to the client by request (in-band) or by the administrator (out-of-band). When Cisco ISE receives a valid machine PAC from the end-user client, the machine identity details are extracted from the PAC and verified in the Cisco ISE external identity source. Cisco ISE only supports Active Directory as an external identity source for machine authentication. After these details are correctly verified, no further authentication is performed.
When you check this option, you can enter a value for the amount of time that a machine PAC is acceptable for use. When Cisco ISE receives an expired machine PAC, it automatically reprovisions the end-user client with a new machine PAC (without waiting for a new machine PAC request from the end-user client).
•Enable Stateless Session Resume—Check this check box for Cisco ISE to provision authorization PACs for EAP-FAST clients and always perform phase two of EAP-FAST (default = enabled).
Uncheck this check box in the following cases:
–If you do not want Cisco ISE to provision authorization PACs for EAP-FAST clients
–To always perform phase two of EAP-FAST
When you check this option, you can enter the authorization period of the user authorization PAC. After this period, the PAC expires. When Cisco ISE receives an expired authorization PAC, it performs phase two EAP-FAST authentication.
•Preferred EAP Protocol—Check this check box to choose your preferred EAP protocols from any of the following options: EAP-FAST, PEAP, LEAP, EAP-TLS, and EAP-MD5. By default, LEAP is the preferred protocol to use if you do not enable this field. -
Anyone know where I can get this module?
http://www.cisco.com/en/US/docs/wireless/wlan_adapter/eap_types/fast/admin/guide/EF_instl.html
Also, can I use EAP-TLS or EAP-FAST (with certs only, no PACs) and authenticate users via LDAP (AD) without the need of ACS or RADIUS?
Thanks,
ToddThe following link allows you to download the EAP-FAST module for vista:
http://tools.cisco.com/support/downloads/go/IPCheck.x?isk=Y&defAdv=N&sftAdv=N&filename=WinClient-802.11a-b-g-Vista-Ins-Wizard-v10.exe&advUrl=null&defInd=N&mdfid=278853375&sftType=Aironet+Client+Installation+Wizard+%28Firmware%2C+Driver%2C+Utility%29&optPlat=Windows+Vista&nodecount=2&relVer=1.0&md5=87fec40fd940e4bb6a80e17e4bc4f90b&modifmdfid=278853375&imname=&hybrid=null&imst=null&modelName=Cisco+Aironet+802.11a%2Fb%2Fg+CardBus+Wireless+LAN+Client+Adapter+%28CB21AG%29&treeMdfId=278875243&treeName=Wireless&edesignator=null&lr=Y&nodecount=2
If the page does not come up for the first time while using the link above try opening the same link in a new browser page one more time. -
Other LEAP upgrade options besides PEAP and EAP-FAST?
Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
Good Luck
Scott -
I'd like to use EAP-FAST for both my 802.11 wireless and my lan network.
However the only EAP-FAST client I have seen is the ACU for the Aironet products, nothing for the Catalyst (am I missing something?)
Any plans for Ethernet adapter software that does EAP-FAST? I primary use Windows XP-SP2 in my lan.All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.
-
User profile creation problem for windows 7 clients with eap-fast
Hi All,
In our clients locations we implemented eap-fast authentication with domain integration in ACS for wlan users.Every thing working fine.We are facing problem with windows 7 laptops, in which client utility is not available to configure the user profiles.
In xp laptops client utility softwares are available with all makes, but with win 7 utilitys are not coming by default......
So what are options and available sourses for creating user profile with EAP-FAST in windows 7 laptops.
Any free univarsal client utility is available for windows 7 laptop.
Please guide me..............
-SubhashWindows 7 should be able to do EAP-fast by default. If not you could download the latest Anyconnect client that also has the Cisco wireless supplicant in it.
HTH,
Steve
Sent from Cisco Technical Support iPad App
Maybe you are looking for
-
Why do black lines appear to invisible frames when I print from a pdf and how do I stop it?
As an indesign newcomer I am frustrated to find that occass ionaly when I convert the artwork into a pdf to pri nt I get a thin black line ap pering where the edges of the invisible frame must be. What causes this and how c an I eliminate it. The fru
-
java.io.FileNotFoundException: C:\jdeveloper\jdev\system\oracle.j2ee.10.1.3.36.73\embedded-oc4j\config\server.xml (The system cannot find the file specified) at java.io.FileInputStream.open(Native Method) at java.io.FileInputStream.<init>(F
-
Nothing happens anymore when I click purchase. Apple support area does not address anything about this. You would think Apple would want my money.
-
Archive PO in SRM 5.0 - meaning of "In Transfer to Execution System"
Hi SRM Guru, A purchase order from the extended classic scenario receives the status Can be Archived if it has the status "In Transfer to Execution System". What the meaning of "In Transfer to Execution System"? Thanks. Regards, Kim
-
Strange display behaviour inputfields on screens
Hi, I noticed strange behaviour with inputfields on screens. When a certain inputfield has a maximum length of 50 and a visible length of 50, it depends on the number of spaces whether the inputfield is fulled filled or not. When I have 50 characters