There were 2 WLCs in this scenario. But APs within that office were on the same WLC. Cisco gave me a bugID on it and their only solution was turning to LEAP while waiting for a sw fix. I haven't checked the more recent versions of WLC if this has been fixed.
Yeah it seems strange. They connected and got PAC on one AP. But when roaming, WLC seemed to cache the anonymous, or at least that's the one reported with failed auth. Cisco claimed this was only a problem with Local EAP, not external RADIUS like ACS.

regards.
Kristjan

From: Jason Boyers [mailto:[email protected]]
Sent: 26. maí 2011 21:49
To: Kristján Ólafur Eðvarðsson
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 8.3 Phone Security (Leigh Jewell)

Was the roaming between APs on the same WLC or different WLCs? And, where was the authentication taking place?

This does seem strange, since this is what you would normally see on initial connection for anonymous PAC creation. It's almost as if the client doesn't have a PAC created by the EAP-FAST server.

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

2011/5/26 Kristján Ólafur Eðvarðsson <[email protected]>

Funny, I also ran into a bug with 7921 and WLC4400 with Local EAP and EAP-FAST. It worked on one AP (yeah WPA TKIP and CCKM) but when roaming, WLC returned error log "user anonymous failed authentication".

Got a bugID after filing a TAC Case. It was code 5.x if I remember correctly. WLC seems to be trying to cache the outer identity "anonymous" user but not the correct inner one. But I am not sure.

I am soon going to do an extensive test with 7920 and 7921 phones on WLC and see if I can fit this one in.

regards.
Kristjan

----------------------------------------------------------------------

Message: 1
Date: Thu, 26 May 2011 15:58:01 +1000
From: Leigh Jewell <[email protected]>
To: [email protected]
Subject: [OSL | CCIE_Wireless] Workbook1: Lab 8.3 Phone Security
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

In the solution guide for configuring local-eap for 7920's you reference a bug CSCsj11323. I did a bit of reading and according to the release notes <http://www.cisco.com/en/US/partner/docs/wireless/controller/release/notes/crn411810.html> this bug was fixed in v4.1.181

*Resolved*
CSCsj11323 - The 7920 phone fails EAP-FAST authentication when using local EAP authentication on the controller.

So I am proposing that given the lab version is 4.2 we don't need to be concerned and local-eap with eap-fast for 7920's is in fact ok.

Thoughts?

Regards,
Leigh.

--
CCIE Blog - http://leigh-cciewireless.blogspot.com/

------------------------------

Message: 3
Date: Thu, 26 May 2011 09:32:42 -0400
From: Jason Boyers <[email protected]>
To: Leigh Jewell <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Wireless] Workbook1: Lab 8.3 Phone Security
Message-ID: <[email protected]>
Content-Type: text/plain; charset="windows-1252"

Interesting. The Bug Toolkit notes don't list a fixed version, so I was going with that. I'll need to lab it up!

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
