Problems with clients on a 1220 AP with LEAP auth

Unanswered Question

I am having some problems with all clients on one access point that have this state:

0018.de99.bafe 4500-radio TN1AP01OFF self EAP-Assoc

Here is the config:

service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

hostname xx

logging buffered informational
aaa new-model

aaa group server radius rad_eap
 server auth-port 1645 acct-port 1646

aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa session-id common
enable secret 5

username imperbalene privilege 15 secret 5
clock timezone CST -6
clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
ip domain name

no dot11 igmp snooping-helper

bridge irb

interface Dot11Radio0
 no ip address
 no ip route-cache

 encryption mode wep mandatory

 ssid accuwireless
  authentication open eap eap_methods
  authentication network-eap eap_methods

 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2339
 rts retries 32
 power local 100
 packet retries 32
 channel 2462
 fragment-threshold 2338
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

interface BVI1
 description bvi1
 ip address
 no ip route-cache

ip default-gateway
ip http server
ip http help-path
ip http authentication aaa
ip radius source-interface BVI1
logging trap debugging

snmp-server community diff133>>// RO
no snmp-server enable traps tty
snmp-server host diff133>>//
tacacs-server host key
radius-server host auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication

I have a Cisco ACS server on the backend authenticating just fine, but it seems either the clients are misconfigured or there is something in the AP that needs to be changed.

jwadleigh Tue, 09/30/2008 - 06:42

What is the behavior you're seeing?

1.) The client shows up in the association table on the AP, so WLAN configs must match.

2.) ACS shows a passed authentication? So the clients have an appropriate IP address and are able to pass traffic...

Can you ping the GW of the network?
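
The configuration posted in the question ties the SSID to RADIUS through a chain: SSID authentication line -> method list (eap_methods) -> server group (rad_eap) -> radius-server host. The following is an added example, not part of the thread or written by either poster, that checks that chain for broken links; the sample config is constructed in the shape of the posted one, and 192.0.2.10 is a placeholder address that does not come from the thread.

```python
import re

# Constructed sample in the shape of the config posted above; the server
# address 192.0.2.10 is a documentation placeholder, not from the thread.
SAMPLE = """\
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
interface Dot11Radio0
 ssid accuwireless
  authentication open eap eap_methods
  authentication network-eap eap_methods
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
"""

def check_eap_chain(config):
    """Return problems found in the SSID -> method list -> group -> host chain."""
    lists, groups, hosts, refs, group = {}, {}, set(), [], None
    # Indentation is ignored so the check also works on flattened pastes.
    for line in filter(None, map(str.strip, config.splitlines())):
        if m := re.match(r"aaa group server radius (\S+)$", line):
            group = m.group(1)
            groups[group] = []
            continue
        if group is not None and line.startswith("server "):
            if m := re.match(r"server (\d+(?:\.\d+){3})\b", line):
                groups[group].append(m.group(1))
            continue
        group = None  # any other line ends the server-group block
        if m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            lists[m.group(1)] = m.group(2)
        elif m := re.match(r"radius-server host (\d+(?:\.\d+){3})\b", line):
            hosts.add(m.group(1))
        elif m := re.match(r"authentication (open eap|network-eap) (\S+)", line):
            refs.append((m.group(1), m.group(2)))
    # The built-in group "radius" means every configured radius-server host.
    groups.setdefault("radius", sorted(hosts))
    problems = [] if refs else ["no SSID references an EAP method list"]
    for kind, name in refs:
        grp = lists.get(name)
        if grp is None:
            problems.append(f"{kind}: method list '{name}' is not defined")
        elif grp not in groups:
            problems.append(f"{kind}: list '{name}' uses undefined group '{grp}'")
        elif not groups[grp]:
            problems.append(f"{kind}: group '{grp}' has no server address")
        else:
            problems += [f"{kind}: server {ip} has no radius-server host entry"
                         for ip in groups[grp] if ip not in hosts]
    return problems
```

An empty list means every link resolves. It says nothing about whether the shared secret or the client supplicant settings are correct.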

