Configuring EAP-FAST Settings - Cisco ISR Configuration Manual

Chapter 4
Configuring an Access Point as a Local Authenticator

Configuring EAP-FAST Settings

The default settings for EAP-FAST authentication are suitable for most wireless LANs. However, you
can customize the credential timeout values, authority ID, and server keys to match your network
requirements.

Configuring PAC Settings

This section describes how to configure Protected Access Credential (PAC) settings. The first time that
an EAP-FAST client device attempts to authenticate to the local authenticator, the local authenticator
generates a PAC for the client. You can also generate PACs manually and use the Aironet Client Utility
to import the PAC file.

PAC Expiration Times

You can limit the number of days for which PACs are valid, and set a grace period during which PACs
remain valid after they have expired. By default, PACs never expire: both the expiration time and the
grace period are infinite. You apply the expiration time and the grace period settings to a group of users.
Use this command to configure the expiration time and grace period for PACs:
router(config-radsrv-group)# [no] eapfast pac expiry days [grace days]
Enter a number of days from 2 to 4095. Enter the no form of the command to reset the expiration time
or grace period to infinite days.
In this example, PACs for the user group expire in 100 days with a grace period of two days:
router(config-radsrv-group)# eapfast pac expiry 100 grace 2
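
The following audit script is an added example, not part of the Cisco guide. It scans configuration text for local-authenticator user groups and reports any group whose PACs are left at the infinite default or whose expiry value falls outside the 2 to 4095 day range given above. The sample configuration is constructed, and its "radius-server local" / "group <name>" layout is an assumption, since the guide shows only the config-radsrv-group prompt.

```python
import re

# Constructed sample config. The "radius-server local" / "group <name>" layout
# is an assumption; the guide shows only the config-radsrv-group prompt.
SAMPLE_CONFIG = """\
radius-server local
  group clerks
    eapfast pac expiry 100 grace 2
  group cashiers
  group managers
    eapfast pac expiry 4095
  group guests
    eapfast pac expiry 1 grace 2
"""

GROUP_RE = re.compile(r"^\s+group\s+(\S+)\s*$")
PAC_RE = re.compile(r"^\s+eapfast pac expiry\s+(\d+)(?:\s+grace\s+(\d+))?\s*$")
MIN_DAYS, MAX_DAYS = 2, 4095  # range the guide gives for the days value


def audit_pac_expiry(config_text):
    """Return {group: [issues]} for groups with unbounded or invalid PAC lifetime."""
    groups, current = {}, None
    for line in config_text.splitlines():
        group, pac = GROUP_RE.match(line), PAC_RE.match(line)
        if line and not line[0].isspace():
            current = None  # a top-level command ends the group context
        elif group:
            current = group.group(1)
            groups[current] = None  # no expiry line seen yet for this group
        elif pac and current is not None:
            grace = int(pac.group(2)) if pac.group(2) else None
            groups[current] = (int(pac.group(1)), grace)

    findings = {}
    for name, setting in groups.items():
        issues = []
        if setting is None:
            issues.append("no 'eapfast pac expiry': PACs never expire (default)")
        else:
            expiry, grace = setting
            if not MIN_DAYS <= expiry <= MAX_DAYS:
                issues.append(f"expiry {expiry} outside {MIN_DAYS}-{MAX_DAYS} days")
            if grace is None:
                issues.append("no grace value: guide's default grace is infinite")
        if issues:
            findings[name] = issues
    return findings
```

Calling audit_pac_expiry(SAMPLE_CONFIG) reports cashiers, managers and guests; clerks, which matches the guide's example command, produces no finding.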

Generating PACs Manually

The local authenticator automatically generates PACs for EAP-FAST clients that request them. However,
you might need to generate a PAC manually for some client devices. When you enter the command, the
local authenticator generates a PAC file and writes it to the network location that you specify. The user
imports the PAC file into the client profile.
Use this command to generate a PAC manually:
router# radius local-server pac-generate filename username [password password] [expiry days]
When you enter the PAC filename, enter the full path to which the local authenticator writes the PAC file
(such as tftp://172.1.1.1/test/user.pac). The password is optional and, if not specified, a default password
understood by the CCX client is used. Expiry is also optional and, if not specified, the default period is
1 day.
In this example, the local authenticator generates a PAC for the username joe, password-protects the file
with the password bingo, sets the PAC to expire in 10 days, and writes the PAC file to the TFTP server
at 10.0.0.5:
router# radius local-server pac-generate tftp://10.0.0.5 joe password bingo expiry 10
OL-6415-04
Cisco Wireless ISR and HWIC Access Point Configuration Guide
Configure a Local Authenticator