Thanks for the reply, Alvin.

Yes, I also had come to the same conclusion. I had manually provisioned the PAC and all was working. I had not thought of provisioning it through local EAP (local user) first. That's a good tip!

Regards
Phil

From: Alvin Boey [mailto:[email protected]]
Sent: 05 April 2011 10:07
To: Phil Priest; Silverline,Tim; [email protected]
Subject: Re: [CCIE Wireless] Local EAP-FAST LDAP ADU

Hi,

I posted this not long ago. But EAP-FAST with local EAP using LDAP does not support MS-CHAP. This is explicitly written in some Cisco doc I read a while ago. The problem with anonymous in-band PAC provisioning is, it needs MS-CHAP to perform the PAC provisioning. GTC alone does not work with phase 0 PAC provisioning. So when I was debugging the WLC for EAP PAC and AAA events, I kept getting an MS-CHAP error even though using Win7 with MS-CHAP disabled.

So in order for this to work, or to fulfil the lab, you simply switch to local net user authentication instead of LDAP to get provisioned with a PAC from the WLC local EAP process. Once you can authenticate successfully (2 tries, once for PAC provisioning, 2nd for phase 2 inner method authentication) your supplicant will have a PAC issued and stored from the WLC. You can now switch to LDAP in the WLC and EAP-FAST authentication will work.

This problem is also experienced by the 7921 IP Phone, but once we "cheat" the phone and notebook into getting the PAC from the WLC, local EAP with LDAP for EAP-FAST will work.

Alvin

From: Phil Priest <[email protected]>
Date: Fri, 4 Mar 2011 15:29:20 -0000
To: "Silverline,Tim" <[email protected]>, <[email protected]>
Subject: Re: [CCIE Wireless] Local EAP-FAST LDAP ADU

Hi,

Not using ACS, LDAP directly from the controller. When doing a debug aaa ldap I get a successful response, but the client will not authenticate, with or without certs validated. I know the PKI side is OK as the other methods work, including TLS.

Regards
Phil

From: Silverline,Tim [mailto:[email protected]]
Sent: 04 March 2011 15:25
To: Phil Priest; [email protected]
Subject: RE: Local EAP-FAST LDAP ADU

I have had this working. Uncheck validate server certificate or install the CA cert or user cert on the testing machine. What error are you getting? On ACS or client?

Tim

From: [email protected] [mailto:[email protected]] On Behalf Of Phil Priest
Sent: Friday, March 04, 2011 6:03 AM
To: [email protected]
Subject: [CCIE Wireless] Local EAP-FAST LDAP ADU

Hi All,

Has anybody else got local EAP-FAST GTC working with the ADU and backing off to LDAP? All other combinations I try are working. EAP-FAST TLS, PEAP all backing off to LDAP work. I can also get EAP-FAST GTC working with a local user on the controller. The Cisco example uses EAP-FAST with TLS and there is no mention of using GTC, so I am wondering if there is a bug with the ADU. I don't have a Windows 7 machine to hand to try it yet as per Jason's example in the workbook.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Regards
Phil

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
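The mechanism Alvin describes can be modelled in a few lines: anonymous phase 0 PAC provisioning runs inside an unauthenticated tunnel and therefore needs a mutual challenge/response inner method (MS-CHAPv2), whose server side can only be computed when the authenticator holds the credential; a directory reached by LDAP bind never hands the credential out, it can only confirm a plaintext guess, which is exactly what GTC delivers once a PAC-based tunnel exists. The model below is an added example written for this page, not code from the controller or from anyone in the thread; the two backend classes, the HMAC stand-in for the MS-CHAPv2 response computation, the sealed PAC format and the sample user are all constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PAC_KEY = b"constructed-wlc-pac-master-key"  # server-side sealing key (constructed)
PAC_LIFETIME = 10 * 24 * 3600                 # seconds a PAC stays valid (assumption)


@dataclass
class LocalUserDB:
    """Controller's local net user store: it holds the credential, so the server
    side of a challenge/response inner method (MS-CHAPv2) can be computed."""
    users: Dict[str, str]

    def credential(self, user: str) -> Optional[str]:
        return self.users.get(user)

    def verify_plaintext(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


@dataclass
class LdapBindBackend:
    """Directory reached via LDAP bind: the controller never sees the stored
    credential and can only ask whether a plaintext password binds. That serves
    GTC, but a challenge response cannot be checked here."""
    directory: Dict[str, str]

    def credential(self, user: str) -> Optional[str]:
        return None  # bind-only access: no hash or password is retrievable

    def verify_plaintext(self, user: str, password: str) -> bool:
        return self.directory.get(user) == password


def challenge_response(password: str, challenge: bytes) -> bytes:
    # Stand-in for the MS-CHAPv2 NT-hash/DES computation: both peers need the credential.
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def issue_pac(user: str, now: float) -> bytes:
    body = f"{user}|{int(now) + PAC_LIFETIME}".encode()
    return body + b"|" + hmac.new(PAC_KEY, body, hashlib.sha256).hexdigest().encode()


def pac_valid(pac: bytes, now: float) -> Optional[str]:
    body, _, tag = pac.rpartition(b"|")
    expected = hmac.new(PAC_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    user, expiry = body.decode().split("|")
    return user if now < int(expiry) else None


@dataclass
class Supplicant:
    user: str
    password: str
    pac: Optional[bytes] = None


def eap_fast_auth(client: Supplicant, backend, now: Optional[float] = None) -> Tuple[str, str]:
    now = time.time() if now is None else now
    if client.pac is None:
        # Phase 0, anonymous in-band provisioning: the tunnel is unauthenticated, so the
        # inner method must be MS-CHAPv2; GTC is not accepted for provisioning.
        stored = backend.credential(client.user)
        if stored is None:
            return "fail", "ms-chap error: backend cannot verify a challenge response"
        challenge = os.urandom(16)
        if not hmac.compare_digest(challenge_response(client.password, challenge),
                                   challenge_response(stored, challenge)):
            return "fail", "ms-chap error: bad credential"
        client.pac = issue_pac(client.user, now)
        # RFC 5422 ends the provisioning exchange with EAP-Failure; the supplicant then
        # reconnects using the PAC. That is the "2 tries" seen on the controller.
        return "fail", "PAC provisioned; reauthenticate"
    # Phase 1: PAC-based tunnel, then phase 2 inner GTC carrying the plaintext password.
    if pac_valid(client.pac, now) != client.user:
        client.pac = None
        return "fail", "PAC invalid or expired; provisioning needed"
    if backend.verify_plaintext(client.user, client.password):
        return "success", "EAP-FAST GTC authenticated via backend"
    return "fail", "GTC: bad password"


def run_thread_scenario() -> list:
    """Replays the workaround: LDAP fails at phase 0, the local user store provisions
    the PAC, and LDAP then succeeds for the supplicant that holds the PAC."""
    ldap = LdapBindBackend({"phil": "s3cret"})    # constructed sample user
    local = LocalUserDB({"phil": "s3cret"})
    phone = Supplicant("phil", "s3cret")
    steps = [eap_fast_auth(phone, ldap)]          # direct attempt against LDAP
    steps.append(eap_fast_auth(phone, local))     # local net user: PAC issued
    steps.append(eap_fast_auth(phone, ldap))      # back to LDAP: PAC + GTC works
    return steps


if __name__ == "__main__":
    for outcome, detail in run_thread_scenario():
        print(outcome, "-", detail)
```

The model also covers the case the thread does not reach: when the PAC expires, the supplicant falls back to needing phase 0 again, so the local-user step has to be repeated unless authenticated provisioning with a server certificate is available.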
