Cisco 7925G Deployment Manual page 21

Unified Wireless IP Phone

which in turn selects the appropriate PAC. The client (phone) returns a PAC-Opaque to the RADIUS server. The server
decrypts the PAC with its master-key. Both endpoints now have the PAC key and a TLS tunnel is created. EAP-FAST supports
automatic PAC provisioning, but it must be enabled on the RADIUS server.
To enable EAP-FAST, a certificate must be installed on the RADIUS server.
The Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G currently support automatic provisioning of the PAC
only, so enable Allow anonymous in-band PAC provisioning on the RADIUS server as shown below.
Both EAP-GTC and EAP-MSCHAPv2 must be enabled when Allow anonymous in-band PAC provisioning is enabled.
EAP-FAST requires that a user account be created on the authentication server.
If anonymous PAC provisioning is not allowed in the production wireless LAN environment, then a staging Cisco ACS can be
set up for initial PAC provisioning of the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G.
This requires that the staging ACS server be set up as a slave EAP-FAST server and that components be replicated from the production
master EAP-FAST server, including the user and group database and the EAP-FAST master key and policy info.
Ensure the production master EAP-FAST ACS server is set up to send the EAP-FAST master keys and policies to the staging
slave EAP-FAST ACS server, which will then allow the Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G to use
the provisioned PAC in the production environment where Allow anonymous in-band PAC provisioning is disabled.
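The replication requirement above follows from how the PAC is sealed: only a server holding the master key that sealed a PAC-Opaque can open it. The Python model below is an added illustration, not code from the guide or from Cisco; the class and function names, the account name, and the HMAC-based sealing are simplified assumptions, not the EAP-FAST wire format.

```python
import hashlib
import hmac
import os

# Simplified model, not the EAP-FAST wire format or ACS internals. Sealing is an
# HMAC-SHA256 keystream plus an HMAC tag, a stdlib stand-in for the real cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class EapFastServer:
    """Hypothetical RADIUS-side model holding an EAP-FAST master key."""
    def __init__(self, master_key: bytes):
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def provision_pac(self, user: str):
        """Issue (pac_key, pac_opaque); the phone stores both but cannot read pac_opaque."""
        pac_key, nonce = os.urandom(32), os.urandom(16)
        plain = pac_key + user.encode()
        ct = bytes(a ^ b for a, b in zip(plain, _keystream(self.enc_key, nonce, len(plain))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return pac_key, nonce + ct + tag

    def open_pac(self, pac_opaque: bytes):
        """Return (user, pac_key), or None if not sealed under this master key."""
        if len(pac_opaque) < 80:  # 16-byte nonce + 32-byte PAC key + 32-byte tag
            return None
        nonce, ct, tag = pac_opaque[:16], pac_opaque[16:-32], pac_opaque[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        plain = bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))
        return plain[32:].decode(), plain[:32]

def staging_scenario():
    """Compare a staging server with and without the replicated production master key."""
    production_master = os.urandom(32)
    production = EapFastServer(production_master)
    replicated = EapFastServer(production_master)  # master key replicated to staging
    standalone = EapFastServer(os.urandom(32))     # staging with its own master key
    user = "phone-7925g"                           # constructed account name
    key_a, opaque_a = replicated.provision_pac(user)
    _, opaque_b = standalone.provision_pac(user)
    return production.open_pac(opaque_a) == (user, key_a), production.open_pac(opaque_b)
```

`staging_scenario()` returns `(True, None)`: production recovers the PAC key from a PAC issued by the replicated staging server and rejects one issued under an unrelated master key.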
Cisco Unified Wireless IP Phone 7925G, 7925G-EX, and 7926G Deployment Guide