Problem with WAP not attempting RADIUS for client Auth.

Unanswered Question
Mar 23rd, 2009


I'm getting frustrated with this access-point. I can't for the life of me get clients to authenticate via RADIUS. I have probably 20 other access-points configured exactly like this one, the only difference is the IP address. Clients get a certificate from our AD Cert Authority and that is used to authenticate on the wireless network. We have two SSIDs, one requires the cert and the other is for guest access. I know the RADIUS servers are configured properly on the WAP, I use them to log in to the WAP itself. I set up a sniffer on the RADIUS server's port and the WAP is not sending any authentication requests for clients and the "show radius stat" output only shows me logging into it, not for clients. My other APs show an authentication request for each host. Also, the log only shows messages like:

Mar 23 09:29:03.922: %DOT11-7-AUTH_FAILED: Station 000e.354c.ca61 Authentication failed

Is there something I'm missing in the config? Is there a helpful debug to diagnose where this is failing? Please help. Thanks!

MHMBSP-AP1#sh radius stat
                                 Auth.      Acct.       Both
Maximum inQ length:                 NA         NA          1
Maximum waitQ length:               NA         NA          1
Maximum doneQ length:               NA         NA          1
Total responses seen:                1          0          1
Packets with responses:              1          0          1
Packets without responses:           0          0          0
Average response delay(ms):         28          0         28
Maximum response delay(ms):         28          0         28
Number of Radius timeouts:           0          0          0
Duplicate ID detects:                0          0          0
Buffer Allocation Failures:          0          0          0
Maximum Buffer Size (bytes):        94          0         94
Source Port Range: (2 ports only)
1645 - 1646
Last used Source Port/Identifier:
Elapsed time since counters last cleared: 1h4m

jeff.kish Mon, 03/23/2009 - 08:47

Is the AP properly added to the RADIUS server? If so, maybe deleting the entry and re-adding it will fix the problem. It's possible that the problem is with the RADIUS server, not the AP.

I don't see a problem with the AP config, and since you say that you have the exact same config on other working APs, I imagine the problem isn't with the config itself. Have you tried wiping the AP and reconfiguring? What IOS version are you running?

rtjensen4 Mon, 03/23/2009 - 11:37

Thanks for the tip. We are using a blanket policy for all 10.220.x.x /16 clients on the RADIUS server. The AP communicates via RADIUS to log into the CLI for it, so I think that part is functioning as expected.

No, I have not wiped it clean and done it again. What would that accomplish? (just wondering, not being sarcastic).

OS is:

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEC, RELEASE SOFTWARE (fc1)

Any other ideas? Thanks!

