Users of Particular SSID not able to get authenticated in WLC

May 28th, 2008


We are suddenly experiencing an issue with getting users authenticated on a particular SSID. These users are set up to use the Local LEAP database in the WLC to get authenticated. The recent trap shows the below message for the users:

"AAA Authentication Failure for UserName:test User Type: WLAN USER"

In the message log, we see the below message:

May 28 19:28:33.552 dtl_arp.c:504 DTL-3-INVALID_ARP_TIMEOUT_ADDR: MAC entry (MAC address) received for timeout is INVALID. Dropping it.

We are not sure about the above message and couldn't find an explanation in the WLC message guide. If you have any idea, kindly let us know.



Anantha Subramanian Natarajan

smalkeric Tue, 06/03/2008 - 12:34

The way of addressing restriction of access per user is quite different in WLC than in Aironet-based access points. Using AVP you can "assign" the VLAN to the user, but the SSID will remain what the user connected to, which in practical terms means we can force User A to be in VLAN 10, no matter which SSID he is using. This will require either using IETF attributes 64, 65, 81, as described here:

anasubra_2 Tue, 06/03/2008 - 12:56

Hi Smalkeric,

Thanks for the reply. Actually, my question is to find out a way for avoiding the Cisco LEAP configured SSID to use that as primary authentication method even though RADIUS has been configured on the WLC.



Anantha Subramanian Natarajan

Scott Fella Tue, 06/03/2008 - 13:24

There is no way to have local EAP configured as your primary if you have any RADIUS configured. You will have to set up LEAP on the ACS if you are using that for a RADIUS server.

anasubra_2 Tue, 06/03/2008 - 15:35

Hi Fella5,

Thanks once again for your inputs.


Anantha Subramanian Natarajan

Scott Fella Tue, 06/03/2008 - 15:56

I too wish that you could specify what RADIUS server under a certain SSID. I also wish that if you don't specify a RADIUS server on an SSID that it wouldn't try to authenticate via any configured RADIUS server. At least now with the 5 code, you can have the WLC check to make sure the primary is back up in the case it went down.

