01-03-2012 04:52 AM - edited 07-03-2021 09:19 PM
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1130 (flash:/c1130-k9w7-mx.124-21a.JA1/c1130-k9w7-mx.124-21a.JA1)". I want the AP to broadcast only one SSID. The client finds the SSID -> enters his user credentials -> RADIUS authentication -> is assigned to a specific VLAN based on his group membership.
The problem here is that I don't have an AP controller, only configurable Aironet 1130 Access Points. Can I do this without a Wireless LAN Controller? Do you have a configuration document dealing with this issue?
01-03-2012 05:23 AM
This can be done without the need for a WLC. Below is a link to a configuration guide detailing how to get this to work.
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/configuration/guide/s43vlan.html#wp1038739
But basically all you need to do is define the VLAN you want to use on the AP, and create the bridge groups from wired to wireless. Then configure the AP for 802.1x. When the client authenticates, the AAA server needs to return attributes 64/65/81 (standard attributes) to tell the AP what VLAN to put the client in.
HTH,
Steve
01-04-2012 02:32 AM
Hi Stephen,
Thanks for your response.
First:
The wired lab is working on 802.1x; there are no problems (802.1x authentication, etc.).
Equipment used: three Cisco AP 1130, ACS 4.2, Windows Active Directory database (group mapping), Windows DHCP, Cisco 2960 switch
We use three VLANs: VLAN ID 100 (Management), VLAN 2 and VLAN 3. Single SSID: WSVMYK
But it's still not working on the wireless network.
The problem does not appear in the RADIUS logs
(RADIUS log: passed authentication OK), but the wireless client cannot get an IP.
First trial:
RADIUS (ACS 4.2)
For Group 2 setting
Tunnel-Type (64): GRE
Tunnel-Medium-Type (65): IP4
Tunnel-Private-Group-ID (81): 2
It's still not working.
Last trial:
Tunnel-Type (64): Vlan
Tunnel-Medium-Type (65): 802
Tunnel-Private-Group-ID (81): 2
Cisco AP 1100 Config
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.2 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 vlan-name muhasebe vlan 2
dot11 vlan-name satis vlan 3
dot11 ssid WSVMYK
 vlan 100 (How to config, 2 or 3 from the set vlan so there is no problem, It's working, but removed the vlan radio interface is down)
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 guest-mode
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip
 encryption vlan 100 mode ciphers aes-ccm tkip
 ssid WSVMYK
 channel 2412
 station-role root
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface BVI1
 ip address 192.168.1.252 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.1.254
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key 7 121A0C041104
radius-server vsa send accounting
bridge 1 route ip
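
Added example, not part of the thread or of Cisco's documentation: a Python check of the three attributes named in the reply above (64/65/81) against the values RFC 3580 specifies for VLAN assignment, run on constructed attribute bytes that mirror the two ACS trials. The function names, the AP_VLANS set and the sample byte strings are assumptions made for illustration; the check covers only the RADIUS reply, not the AP configuration.

```python
# Added example: validates the RFC 3580 VLAN-assignment triplet
# (attributes 64, 65, 81) in a RADIUS Access-Accept attribute block.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6          # values RFC 3580 requires in 64 and 65
AP_VLANS = {2, 3, 100}          # VLANs defined in the AP config in this thread


def parse_attributes(data: bytes):
    """Split a RADIUS attribute block into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def check_vlan_assignment(data: bytes, ap_vlans=AP_VLANS):
    """Return (vlan_id or None, list of problems found)."""
    seen, problems = {}, []
    for atype, value in parse_attributes(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                problems.append(f"attribute {atype}: expected tag + 3-octet value")
                continue
            seen[atype] = int.from_bytes(value[1:], "big")  # value[0] is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet <= 0x1F is a tag, otherwise it is part of the string.
            text = value[1:] if value and value[0] <= 0x1F else value
            seen[atype] = text.decode("ascii", errors="replace")
    if seen.get(TUNNEL_TYPE) != VLAN:
        problems.append(f"Tunnel-Type is {seen.get(TUNNEL_TYPE)}, expected 13 (VLAN)")
    if seen.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        problems.append(f"Tunnel-Medium-Type is {seen.get(TUNNEL_MEDIUM_TYPE)}, expected 6 (802)")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, "")
    vlan_id = int(group) if group.isdigit() else None
    if vlan_id is None:
        problems.append(f"Tunnel-Private-Group-ID {group!r} is not a numeric VLAN ID")
    elif vlan_id not in ap_vlans:
        problems.append(f"VLAN {vlan_id} is not defined on the AP")
    return (vlan_id if not problems else None), problems


# Constructed samples mirroring the two ACS trials described in the thread.
FIRST_TRIAL = bytes([64, 6, 0, 0, 0, 10, 65, 6, 0, 0, 0, 1, 81, 3]) + b"2"  # GRE / IPv4 / "2"
LAST_TRIAL = bytes([64, 6, 0, 0, 0, 13, 65, 6, 0, 0, 0, 6, 81, 3]) + b"2"   # VLAN / 802 / "2"
```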