ACS/RSA authentication failure on EAP-FAST/GTC

Heng Zhang · ‎05-19-2011

I have a Cisco ACS (Release 4.1) and RSA authentication server (7.1, SP2) installed and configured. RSA agent is also installed/configred on ACS server.

I tried to to test both PEAP/GTC and EAP-FAST/GTC with hard token through ACS, The WLAN client is Odyssey Access client running on Windows XP station. There is a user called "wlan_tester" created on both ACS and RSA server. On ACS, I set password authentication to use "RSA Secuire ID token Server" to authenticate this user.

On the Odyssey client, when I used PEAP/GTC for authentication, the authentication was successful. The RSA server showed the request for token authentication.

With the same user id, when I tried to use EAP-FAST/GTC for authentication, the authentication failed. ACS server showed error message of "External DB password invalid", Odyssey kept asking new EAP-FAST credentials. However is there no request showed up on RSA side. It looked like ACS didn't even try it.

The problem drove me nuts. Can someone please give me a hand?

I've also attached the ACS global configuration for EAP-fast in this post.

Thanks much

-hg

Tarik Admani · ‎05-30-2011

Hg,

Only PEAP-GTC is supported for token servers:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wpxref846

Thanks,

Tarik Admani

ACS/RSA authentication failure on EAP-FAST/GTC

SNMP authentication failure

Mac Authentication Bypass (Credential Failure)

IKEv2 Remote Access VPN Failure to Connect

事例 : Authentication attempt timed out について

3.3 MAC Authentication Bypass for Wired and Wireless Access