Multiple Radius Servers on AP1142

Unanswered Question
May 17th, 2012

Hi guys

I was wondering if the following is possible

I currently have a Radius Server acting as the authentication endpoint for a one of my SSID's

I now wish to implement a new SSID that uses a different Radius server.

I noticed that in the AP settings one can configure order of preference for which Radius server to authenticate with however I would like to point my new SSID to use the new Radius server that I wish to implement.

Is this possible to setup?

Your help is much apppreciated.

Kind Regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (3 ratings)
Scott Fella Thu, 05/17/2012 - 04:43

If you have a wlc you can, but I don't thing you can if the APs are autonomous.

Sent from Cisco Technical Support iPhone App

Mohamed Hamid Thu, 05/17/2012 - 04:59

Ah, I currently dont have a wlc in place, I have 10 standalone AP's which I have copied the same config over to each manually.

You definately sure there is no way of getting seperate SSIDs to use seperate radius servers?

maldehne Fri, 05/18/2012 - 00:46

Who said so , ofcourse we can?

Lets assume the following sdenarios, I have an AP with two ssids:

ssid1 configured for EAP Authentication , where the user credentials should be submitted agains the following radius servers:

ssid2 is configured for EAP Authentication as well, but this time the authentication is submitted to the following RADIUS servers:

How to configure it?

AP(config)# aaa new-model

AP(config)#radius-server host auth-port 1812 acct-port 1813 key ......

AP(config)#radius-server host auth-port 1812 acct-port 1813 key ......

AP(config)#radius-server host 1812 acct-port 1813 key ......

AP(config)#radius-server host auth-port 1812 acct-port 1813 key ......

AP(config)#aaa group server radius group1




AP(config)#aaa group server radius group2




AP(config)#dot11 ssid ssid1

               #authenticaton open eap eap1

               #authentication network-eap eap1

               #authentication key-management wpa

               #vlan x


AP(config)#dot11 ssid ssid2

               #vlan y

               #authentication open eap eap2

               #authentication network-eap eap2

               #authentication key-management wpa


AP(config)#aaa authentication login eap1 group group1

AP(config)#aaa authentication login eap2 group group2


Then you complete the other config parts


Please make sure to rate correct answers

Scott Fella Fri, 05/18/2012 - 00:49

Thanks for the correction. Didn't think it was possible.

Sent from Cisco Technical Support iPhone App

Mohamed Hamid Fri, 06/08/2012 - 06:02

Hi Mate

Thank you very much for your reply, I have only just go on to implement this.. I am having an issue when I run

AP(config)#aaa authentication login eap1 group group1

it seems it doesnt like the number 1 it says invalid input detected although I have created this group without the space


Ok I resolved the above by not using numbers in the naming however i believe you said there were other config parts involved? because I am still not able to radius auth I have the following defined

aaa group server radius dmz

server auth-port 1645 acct-port 1646


aaa authentication login eap1 group dmz



dot11 ssid CDN02_test

   vlan 4

   authentication open eap eap1

   authentication network-eap eap1

   authentication key-management wpa version 2

   dot1x credentials AP2

   dot1x eap profile test

   mbssid guest-mode

Message was edited by: Mohamed Hamid

nkarthikeyan Sun, 06/10/2012 - 03:34

you can configure something like this

aaa group server radius ssid1

server auth-port 1812 acct-port 1813

aaa group server radius ssid2

server auth-port 1812 acct-port 1813


aaa authentication login eap_1 group ssid1

aaa authentication login wds_infra_methods group ssid1

aaa authentication login wds_client_methods group ssid1

aaa authentication login eap_1 group ssid2
aaa authentication login wds_infra_methods group ssid2
aaa authentication login wds_client_methods group ssid2

dot11 ssid 1

   authentication open eap eap_1

   authentication network-eap eap_1

   authentication key-management wpa


dot11 ssid 2

   authentication open eap eap_2

   authentication network-eap eap_2

   authentication key-management wpa


Mohamed Hamid Wed, 06/13/2012 - 04:56

Hi Guys

Thank you for your replies

I have followed the above and I am pretty sure I have followed it correctly, however users still cannot auth onto the secondary RADIUS server. In the logs I can see the following

Jun 13 09:26:10.095: %DOT11-7-AUTH_FAILED: Station 442a.60f5.c7da Authentication failed

Jun 13 09:26:22.254: %RADIUS-4-RADIUS_DEAD: RADIUS server :1645,1646 is not responding.

Jun 13 09:26:22.255: %RADIUS-4-RADIUS_ALIVE: RADIUS server :1645,1646 is being marked alive.

I have done some research and came accross this article

The following is output of the version of my AP

Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)

Technical Support:

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Wed 16-Sep-09 18:09 by prod_rel_team

ROM: Bootstrap program is C1140 boot loader

BOOTLDR: C1140 Boot Loader (C1140-BOOT-M) Version 12.4(23c)JA, RELEASE SOFTWARE (fc3)

AP10 uptime is 4 days, 1 hour, 41 minutes

System returned to ROM by power-on

System restarted at 11:13:09 GMT Sat Jun 9 2012

System image file is "flash:/c1140-k9w7-mx.124-21a.JA1/c1140-k9w7-mx.124-21a.JA1"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

cisco AIR-AP1142N-E-K9     (PowerPC405ex) processor (revision A0) with 98294K/32768K bytes of memory.

Processor board ID FCZ1527W1T5

PowerPC405ex CPU at 586Mhz, revision number 0x147E

Last reset from power-on

1 Gigabit Ethernet interface

2 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address: 30:E4:DB:45:56:66

Part Number                          : 73-12836-02

PCA Assembly Number                  : 800-33767-02

PCA Revision Number                  : A0

PCB Serial Number                    : FOC152447U1

Top Assembly Part Number             : 800-33775-01

Top Assembly Serial Number           : FCZ1527W1T5

Top Revision Number                  : A0

Product/Model Number                 : AIR-AP1142N-E-K9

Configuration register is 0xF

maldehne Wed, 06/13/2012 - 06:08

well , in the frist place please make sure that your radius server is logging something on the failed authentication.

If not , there are two possibilities , either the request is not received at the radius server side or it is received and the reply is not being received on the AP side or not sent by the server at all.

So , to figure out what is going on ,

traces on AP and traces on server side while the issue is happenning.


Mohamed Hamid Wed, 06/13/2012 - 07:27

thank you for your reply mate.

Just a quick one.. when you say traces, you mean using a tool like tcpdump right?

How would I be able to run this on the AP?

Much appreciated

Mohamed Hamid Wed, 06/13/2012 - 08:42

This is quite weird, I changed some rules on my firewall to allow all traffic through and now I am presented with a self assigned cert from my radius server which means some traffic is passing through however  leads me to beleive that the actual radius traffic that passes the ticket accross is not working.

I can open a telnet session from the AP to the server fine..

I keep getting this

Jun 13 15:37:43.317: %DOT11-7-AUTH_FAILED: Station 442a.60f5.c7da Authentication failed

Jun 13 15:37:43.319: %DOT11-4-MAXRETRIES: Packet to client 442a.60f5.c7da reached max retries, removing the client

Jun 13 15:38:13.444: %DOT11-7-AUTH_FAILED: Station 442a.60f5.c7da Authentication failed

Jun 13 15:38:26.998: %DOT11-7-AUTH_FAILED: Station 442a.60f5.c7da Authentication failed

Jun 13 15:40:52.620: %DOT11-7-AUTH_FAILED: Station 442a.60f5.c7da Authentication failed


maldehne Wed, 06/13/2012 - 22:58

First of all , how can you collect sniffer traces :

Very simple have two span port sessions on switch ports connected to AP and RADIUS server.

Have two laptobs with wireshark installed on each .

connect those two pcs to other switch ports where one can receive traffic from span port session ojne and another can receive traffic from span port session 2.

Collect the traces results and send them back to me.

Mohamed Hamid Thu, 06/14/2012 - 02:25

Hi Mate

Ok what I done in the end is put my freeradius server in debug mode and then analyse what was happening.

It seems like it is trying to do a MSCHAPv2 authentication which is failing. When I carry out a radtest it uses LDAP and works fine. I have pasted both debug outputs below and removed ip's and usernames.

So my question is, how can I get the AP to use LDAP instead of MSCHAP?

Cisco AP Output using MSCHAP

[ldap] user authorized to use remote access\

  [ldap] ldap_release_conn: Release Id: 0\

++[ldap] returns ok\

++[expiration] returns noop\

++[logintime] returns noop\

++[pap] returns noop\

Found Auth-Type = MSCHAP\

+- entering group MS-CHAP \{...\}\

[mschap] No Cleartext-Password configured.  Cannot create LM-Password.\

[mschap] No Cleartext-Password configured.  Cannot create NT-Password.\

[mschap] Told to do MS-CHAPv2 for with NT-Password\

[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.\

[mschap] FAILED: MS-CHAP2-Response is incorrect\

++[mschap] returns reject\

Failed to authenticate the user.\

\} # server inner-tunnel\

[ttls] Got tunneled reply code 3\

    MS-CHAP-Error = "tE=691 R=1"\

[ttls] Got tunneled Access-Reject\

[eap] Handler failed in EAP/ttls\

[eap] Failed in EAP select\

++[eap] returns invalid\

Failed to authenticate the user.\

Using Post-Auth-Type Reject\

+- entering group REJECT \{...\}\

[attr_filter.access_reject]     expand: %\{User-Name\} -> \

attr_filter: Matched entry DEFAULT at line 11\

++[attr_filter.access_reject] returns updated\

Delaying reject of request 3 for 1 seconds\

Going to the next request\

Waking up in 0.9 seconds.\

Sending delayed reject for request 3\

Sending Access-Reject of id 120 to port 14053\

RADTEST Output using LDAP

++[pap] returns noop

Found Auth-Type = LDAP

+- entering group LDAP {...}

[ldap] login attempt by "username" with password "password"

[ldap] user DN: uid=username,cn=users,dc=digital,dc=dc,dc=dc,dc=dc

  [ldap] (re)connect to fqdn:389, authentication 1

  [ldap] bind as uid=username,cn=users,dc=digital,dc=dc,dc=dc,dc=dc/password to fqdn:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

[ldap] user username authenticated succesfully

++[ldap] returns ok

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 80 to port 45207


This Discussion

Related Content



Trending Topics - Security & Network