03-17-2008 09:34 AM - edited 03-10-2019 03:43 PM
Hi!
Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
Access-Requests with User-Name="anonymous"
Access-Challenges (I see certificate is sent from ACS)
Access-Reject
CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
The following is excerpt from the CS ACS documentation:
"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
Any help is greatly appreciated.
03-18-2008 10:26 AM
I have this working using SSC & ACS 4.1.4.
Check your CSAuth.log file. The Failed Attempt Report may show the outer-id (anonymous), but CSAuth.log should show the inner-id that failed authentication. You should see stuff like this:
AuthenProcessResponse: process response for 'anonymous'
EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')
In this case "Administrator" would be the inner id that (in your case) could not be found in the internal ACS database.
Hope that helps,
Shelly
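As an added example (not from the thread, and not Cisco's own tooling), here is a small Python script that walks CSAuth.log-style lines and pairs each outer identity from the "AuthenProcessResponse" line with the inner identity from the EAP-FAST "INNER" line quoted in the answer above, so the real username hiding behind "anonymous" can be checked against the ACS user database. The log sample is constructed, and the timestamp prefix on each line is an assumption about the real file layout.

```python
import re

# Constructed sample of CSAuth.log-style lines (not a real capture).
# Only the two message shapes quoted in the thread are relied on; the
# "AUTH <date> <time>" prefix and the "Unrelated debug output" filler
# are assumptions/noise added for the example.
SAMPLE_LOG = """\
AUTH 03/17/2008 09:30:01 AuthenProcessResponse: process response for 'anonymous'
AUTH 03/17/2008 09:30:01 Unrelated debug output
AUTH 03/17/2008 09:30:02 EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'Administrator')
AUTH 03/17/2008 09:31:10 AuthenProcessResponse: process response for 'anonymous'
AUTH 03/17/2008 09:31:11 EAP: EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity (User Identity = 'jdoe')
"""

# Matched with search() so any prefix before the message is ignored.
OUTER_RE = re.compile(r"AuthenProcessResponse: process response for '([^']*)'")
INNER_RE = re.compile(
    r"EAP-FAST: INNER: --> EAP Response/EAP-Type=Identity \(User Identity = '([^']*)'\)"
)


def pair_identities(lines):
    """Walk log lines in order and pair each outer (phase 1) identity with
    the inner (phase 2) identity that follows it.

    Returns a list of (outer, inner) tuples. An inner identity seen before
    any outer line is paired with None rather than being silently dropped.
    """
    pairs = []
    outer = None
    for line in lines:
        m = OUTER_RE.search(line)
        if m:
            outer = m.group(1)
            continue
        m = INNER_RE.search(line)
        if m:
            pairs.append((outer, m.group(1)))
    return pairs


def inner_for_outer(lines, outer_name="anonymous"):
    """Inner identities that were tunnelled behind a given outer identity.
    These are the names to look up in ACS when the Failed Attempts report
    only shows the outer name."""
    return [inner for outer, inner in pair_identities(lines) if outer == outer_name]


if __name__ == "__main__":
    for outer, inner in pair_identities(SAMPLE_LOG.splitlines()):
        print(f"outer={outer!r} -> inner={inner!r}")
```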
08-15-2008 05:31 AM
Hi
Did you solve this issue? I have the same issue with EAP-FAST on 7921 phones, WISM and ACS version 4.2
Regards