First, I have a TAC case open on this problem, but they seem to be stumped and I have been unable to get them to mock it up. Here are the details and the problem(s):
We have Cisco ACS using backend AD for user authentication.
Three wireless controllers running version 220.127.116.11; one controller is a 4404, the other two are on a WiSM blade in a 6509.
Many AP Groups and a few mobility anchor setups.
Wifi clients used to test are Intel and have the proper drivers, 18.104.22.168 and 22.214.171.124.
First authentication problem is via SSIDs associated with anchor controllers. Whenever the SSID is set to use 802.1x, the anchor controller sends a message to ACS (RADIUS), but ACS never sees the communication.
Second authentication problem is related to AP Groups. Whenever a client associates with an AP that is in a specific AP group and that SSID is also associated with that AP group's interface, I get the same result as above: the controller talks to the ACS, but the ACS never sees the communication.
Note that all the above works fine as long as I am not using 802.1x. If I am using PSK, it all works flawlessly.
One other thing to note is that, in the case of the AP Group problem, if within the AP group I associate the SSID with the management interface, the 802.1x works perfectly. The problem with that is that the client gets assigned an IP address from the management VLAN, which is not what I want; instead, I want the client to get its IP address from the interface associated with the AP Group.
It is not a routing problem....
I have gone through two TAC engineers and the problem is still not resolved. So close, but not successful.
Any interoperability/Security experts out there that can help nail this thing?