New Member

Wireless local radius authentication


I have an AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.

I used the configuration at

and tried a couple of other posted configurations, but am running into the same issue regardless of which method I am using.

show ver

Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE
Technical Support:
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 27-Apr-10 12:52 by alnguyen

ROM: Bootstrap program is C1100 boot loader
BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE

ORP_ROOFDECK uptime is 21 hours, 3 minutes
System returned to ROM by power-on
System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/12
36K bytes of memory.
Processor board ID FOC08370K83
PowerPCElvis CPU at 197Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:01:6B:86:46
Part Number                          : 73-7886-07
PCA Assembly Number                  : 800-21481-07
PCA Revision Number                  : A0
PCB Serial Number                    : XXX
Top Assembly Part Number             : 800-22053-04
Top Assembly Serial Number           : XXX

Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1121G-A-K9

Configuration register is 0xF

show run

Current configuration : 4240 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname XXX
ip subnet-zero
ip domain name XXX!
ip ssh version 2
aaa new-model
aaa group server radius rad_eap
server auth-port 1812 acct-port 1813
aaa group server radius rad_acct
server auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid YYY
   authentication open eap eap_methods
   authentication network-eap eap_methods
bridge irb
interface Dot11Radio0
no ip address
ip helper-address
no ip route-cache
encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
encryption mode wep mandatory
broadcast-key change 300
ssid YYY
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
channel 2437
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address
ip helper-address
no ip route-cache
ip default-gateway
ip http server
ip http authentication local
ip http secure-server
ip http help-path
ip radius source-interface BVI1
radius-server local
  no authentication eapfast
  no authentication mac
  nas key 7 VVV
  group YYY
    ssid YYY
    block count 3 time 30
    reauthentication time 300
  user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E375553010B7A group YYY
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1812 acct-port 1813 key 7 VVV
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
access-class 10 in
line vty 5 15

Debug Output:

331: AAA/ACCT(00000000): add node, session 4
*Mar  1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
2cd for application 0x1
*Mar  1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
he client list for application 0x1
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
*Mar  1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
*Mar  1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
*Mar  1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 0023.6c85.32cd
*Mar  1 21:37:37.332: EAPOL pak dump tx
*Mar  1 21:37:37.332: EAPOL Version: 0x1  type: 0x0  length: 0x0036
*Mar  1 21:37:37.332: EAP code: 0x1  id: 0x1  length: 0x0036 type: 0x1
00ECBA00: 01000036 01010036 01006E65 74776F72  ...6...6..networ
00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E  kid=YYY,n
00ECBA20: 61736964 3D4F5250 5F524F4F 46444543  asid=YYY
00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
*Mar  1 21:37:37.333: dot11_auth_send_msg:  sending data to requestor status 1
*Mar  1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
2cd timer started for 30 seconds
*Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
MEOUT) for 0023.6c85.32cd
*Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
or 0023.6c85.32cd
*Mar  1 21:38:07.333: dot11_auth_send_msg:  sending data to requestor status 0
*Mar  1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c
85.32cd, node_type 64 for application 0x1
*Mar  1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted
for application 0x1
*Mar  1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authenticatio
n failed
*Mar  1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) b
ase 0/0 pre 6861/188 call 6861/188
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) a
djusted, pre 6861/188 call 0/0
*Mar  1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
*Mar  1 21:38:07.335: dot11_auth_client_abort: Received abort request for client
*Mar  1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c
85.32cd for application 0x1
*Mar  1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar  1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar  1 21:38:07.336: AAA/ACCT(00000004): Send all stops
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
*Mar  1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar  1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar  1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
*Mar  1 21:41:34.645: AAA/BIND(00000005): Bind i/f
*Mar  1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
*Mar  1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
*Mar  1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
*Mar  1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
*Mar  1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
*Mar  1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent L
*Mar  1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
*Mar  1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
*Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
*Mar  1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful

Any ideas how I can get simple username/password working on an autonomous AP with local radius server?

Thank you,


Re: Wireless local radius authentication

You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics".  You could also run "debug radius local-server client" and "debug radius local-server error".
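As an added example (not part of the thread and not Cisco code), this Python sketch reads the `dot11_auth` debug lines posted above, rejoins the 80-column wraps, and reports for each failed client which state-machine action preceded the failure. The function names `unwrap` and `diagnose` are hypothetical, and the year used when parsing timestamps is a placeholder because the log carries none.

```python
import re
from datetime import datetime

# Debug lines copied from the post above, 80-column wraps included.
SAMPLE = """\
*Mar  1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 0023.6c85.32cd
*Mar  1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
2cd timer started for 30 seconds
*Mar  1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
MEOUT) for 0023.6c85.32cd
*Mar  1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
or 0023.6c85.32cd
"""

STAMP = re.compile(r"^\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
ID_REQ = re.compile(r"Sending identity request to ([0-9a-f.]{14})")
ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for ([0-9a-f.]{14})")
FAILED = re.compile(r"Authentication failed for ([0-9a-f.]{14})")

def unwrap(text):
    """Rejoin terminal-wrapped lines: a continuation has no '*' timestamp."""
    out = []
    for line in text.splitlines():
        if line.startswith("*") or not out:
            out.append(line)
        else:
            out[-1] += line
    return out

def diagnose(text):
    """Return {mac: verdict} for every client whose authentication failed."""
    id_req, last_action, verdict = {}, {}, {}
    for m in filter(None, map(STAMP.match, unwrap(text))):
        # The log has no year; "2000" is a placeholder so strptime is unambiguous.
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
        body = m.group(2)
        if (r := ID_REQ.search(body)):
            id_req[r.group(1)] = when
        elif (a := ACTION.search(body)):
            last_action[a.group(3)] = (a.group(1), a.group(2), when)
        elif (f := FAILED.search(body)):
            mac = f.group(1)
            state, event, at = last_action.get(mac, (None, None, None))
            if (state, event) == ("CLIENT_WAIT", "TIMEOUT") and mac in id_req:
                waited = (at - id_req[mac]).total_seconds()
                verdict[mac] = f"no reply to EAP identity request after {waited:.0f}s"
            else:
                verdict[mac] = f"failed after state/event {state}/{event}"
    return verdict
```

On the posted log this reports that the AP sent the identity request and its client timer expired 30 seconds later, so the failure is recorded in the `CLIENT_WAIT` state.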

New Member

Re: Wireless local radius authentication

Already in the debug

New Member

Re: Wireless local radius authentication

It's also not even asking for the username/password.  I


Re: Wireless local radius authentication

What supplicant are you using?

Does the supplicant have machine authentication enabled?

New Member

Re: Wireless local radius authentication

What's a supplicant?