1130 authentication debugging problems

Apr 24th, 2008


Can anyone help with debugging authentication on a 1130 access point using 12.4(3g)JA?

Basically users are required to authenticate against a radius server, when connected to the SSID 'eduroam'. We are a large site with a lot of access points covering most of it. While all the access points have pretty much the same configuration, two of them will not allow users to authenticate and therefore will not pass traffic. The vlan assignments from the switch end appear to be ok.

The one I have picked for debugging is in a fairly isolated area, with no other wireless signals detected with netstumbler. It is basic office space, so there should not be any other RF interference.

I've turned on a fair bit of debugging (see 'show debug' output below), however the logged messages are fairly limited:

Apr 24 14:06:45 wapsumand 105675: Apr 24 13:06:44.871: AAA/BIND(00014F21): Bind i/f

Apr 24 14:07:15 wapsumand 105676: Apr 24 13:07:14.859: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed

Apr 24 14:07:15 wapsumand 105677: Apr 24 13:07:14.867: AAA/BIND(00014F22): Bind i/f

Apr 24 14:07:45 wapsumand 105678: Apr 24 13:07:44.866: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed

Apr 24 14:07:45 wapsumand 105679: Apr 24 13:07:44.875: AAA/BIND(00014F23): Bind i/f

Apr 24 14:07:59 wapsumand 105680: Apr 24 13:07:58.522: AAA/BIND(00014F24): Bind i/f

Apr 24 14:07:59 wapsumand 105681: Apr 24 13:07:59.209: %DOT11-7-AUTH_FAILED: Station 0018.de0d.893d Authentication failed

Apr 24 14:07:59 wapsumand 105682: Apr 24 13:07:59.237: AAA/BIND(00014F25): Bind i/f

Apr 24 14:08:00 wapsumand 105683: Apr 24 13:07:59.941: AAA/BIND(00014F26): Bind i/f

Apr 24 14:08:00 wapsumand 105684: Apr 24 13:08:00.638: AAA/BIND(00014F27): Bind i/f

Apr 24 14:08:15 wapsumand 105685: Apr 24 13:08:14.861: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed

Apr 24 14:08:15 wapsumand 105686: Apr 24 13:08:14.870: AAA/BIND(00014F28): Bind i/f

I expected to see more details of which radius server it is talking to, what is sent, what the response is etc. The radius server itself is not logging much either. I have verified that there is ping connectivity between the AP and server. Again, I've done the obvious and made sure the client in question could authenticate using other APs.

The only difference I can see between these two faulty APs and the rest of the network is they are much newer and previous APs are running IOS 12.3. I'm not aware of any major changes that would cause these problems.

Can anyone see anything obviously wrong with the config, or suggest some more debugging options to turn on, so I can really see what is going on?

The config is attached.

#show version

Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)

#show debug

General OS:

TACACS+ authentication debugging is on

AAA Authentication debugging is on

AAA Authorization debugging is on

dot11/wlccp authenticator:

state machine debugging is on

process debugging is on

Mac Authentication debugging is on

Radius protocol debugging is on

Radius packet protocol (authentication) debugging is on


IEEE 802.11 events debugging is on
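A way to summarise the syslog excerpt in the post above, as an added example that is not part of the original post: it groups the %DOT11-7-AUTH_FAILED events by station, measures the gap between repeated failures, and counts RADIUS debug lines. The function names are hypothetical, the year is taken from the post date, and the "RADIUS" line prefix is an assumption about how IOS labels that debug output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog excerpt copied from the post; the second timestamp is the AP's own clock.
LOG = """\
Apr 24 14:06:45 wapsumand 105675: Apr 24 13:06:44.871: AAA/BIND(00014F21): Bind i/f
Apr 24 14:07:15 wapsumand 105676: Apr 24 13:07:14.859: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:07:15 wapsumand 105677: Apr 24 13:07:14.867: AAA/BIND(00014F22): Bind i/f
Apr 24 14:07:45 wapsumand 105678: Apr 24 13:07:44.866: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:07:45 wapsumand 105679: Apr 24 13:07:44.875: AAA/BIND(00014F23): Bind i/f
Apr 24 14:07:59 wapsumand 105680: Apr 24 13:07:58.522: AAA/BIND(00014F24): Bind i/f
Apr 24 14:07:59 wapsumand 105681: Apr 24 13:07:59.209: %DOT11-7-AUTH_FAILED: Station 0018.de0d.893d Authentication failed
Apr 24 14:07:59 wapsumand 105682: Apr 24 13:07:59.237: AAA/BIND(00014F25): Bind i/f
Apr 24 14:08:00 wapsumand 105683: Apr 24 13:07:59.941: AAA/BIND(00014F26): Bind i/f
Apr 24 14:08:00 wapsumand 105684: Apr 24 13:08:00.638: AAA/BIND(00014F27): Bind i/f
Apr 24 14:08:15 wapsumand 105685: Apr 24 13:08:14.861: %DOT11-7-AUTH_FAILED: Station 001c.b3c6.b49b Authentication failed
Apr 24 14:08:15 wapsumand 105686: Apr 24 13:08:14.870: AAA/BIND(00014F28): Bind i/f
"""

LINE = re.compile(r"\d+: (\w{3} +\d+ [\d:.]+): (.*)$")
FAILED = re.compile(r"%DOT11-7-AUTH_FAILED: Station ([0-9a-f.]+) ")

def parse(log, year=2008):
    """Yield (AP timestamp, message) for each syslog line that matches."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m.group(2)

def summarise(log):
    """Return ({station: failures and gaps between them}, RADIUS line count)."""
    fails, radius = defaultdict(list), 0
    for ts, msg in parse(log):
        m = FAILED.search(msg)
        if m:
            fails[m.group(1)].append(ts)
        elif msg.startswith("RADIUS"):  # assumed prefix of RADIUS debug lines
            radius += 1
    report = {}
    for mac, times in fails.items():
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
        report[mac] = {"failures": len(times), "gaps_s": gaps}
    return report, radius

if __name__ == "__main__":
    report, radius = summarise(LOG)
    print(report, "RADIUS debug lines:", radius)
```

On this excerpt it reports three failures for 001c.b3c6.b49b spaced about 30 seconds apart, one for 0018.de0d.893d, and no RADIUS lines.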

bcolvin Sat, 04/26/2008 - 21:31


This appears to be a MAC authentication problem according to this document


One tip they give is to verify that the MAC address was entered using lowercase only:

"When a MAC address authentication fails, check for the accuracy of the characters that are entered in the MAC address. Be sure that you have entered any alphabetic characters in a MAC address in lowercase."




