The provisioning of the Machine PAC, which is needed for machine context connections, is accomplished using the server certificate or machine security identity (SID). Machine PACs are only supported in newer versions of authentication servers (ACS 4.0 or later) which have been upgraded to support EAP-FAST v1a.
To make a machine connection before the PAC has been provisioned, the CA certificate used to trust the server certificate must be placed in the proper Windows Certificate Store (Local Computer-Trusted Root Store).
The host must also provide these machine credentials:
• Active Directory provided machine certificate. The authentication method must support the use of a certificate to provide machine client credentials - the server must be appropriately configured to call for an inner tunnel method of TLS.
• Active Directory provided SID (password). The authentication method must support the use of a password to provide machine client credentials.
Finally, the FAST authentication server must be configured for auto creation of administrator's unique machine PAC information.
http://www.cisco.com/en/US/docs/security/cta/2.1.103.0_supplicant/admin_guide/ctaSuppl.html#wp1026518
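A pre-flight check for the client-side prerequisites described above, as an added example that is not part of the Cisco documentation. It assumes the machine certificate is in the standard Local Computer Personal store (`Cert:\LocalMachine\My`); the `$CaThumbprint` value is a placeholder for the thumbprint of the CA that issued your authentication server's certificate.

```powershell
# Added example (not from the Cisco guide): verify the certificate prerequisites
# for an EAP-FAST machine connection before the machine PAC has been provisioned.
param(
    # Placeholder: thumbprint of the CA certificate that signs the server certificate.
    [string]$CaThumbprint = '<CA-CERT-THUMBPRINT>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$wanted = ($CaThumbprint -replace '\s', '').ToUpperInvariant()

# 1. The CA certificate must be in the Local Computer Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $wanted }

if ($root) {
    Write-Output "OK   CA certificate found in LocalMachine\Root: $($root.Subject)"
    if ($root.NotAfter -le (Get-Date)) {
        Write-Output "FAIL CA certificate expired on $($root.NotAfter)"
    }
} else {
    Write-Output "FAIL CA certificate $wanted is not in LocalMachine\Root"
}

# 2. For certificate-based machine credentials, look for a usable machine
#    certificate. Assumption: it is enrolled into LocalMachine\My.
$now = Get-Date
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
        # An empty EKU list means the certificate is valid for all purposes.
        ClientAuth    = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
    }
}

$usable = @($machineCerts | Where-Object {
    $_.HasPrivateKey -and $_.InValidity -and $_.ClientAuth
})

if ($usable.Count -gt 0) {
    Write-Output "OK   $($usable.Count) usable machine certificate(s):"
    $usable | Format-Table Subject, Thumbprint, NotAfter -AutoSize
} else {
    Write-Output "WARN No usable machine certificate; only SID (password) credentials can be offered"
}
```

Run it from an elevated prompt so the Local Computer stores are fully readable.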