Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Client AAA Authentication Failure

Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.

Access-Challenge received from RADIUS server for mobile x.x.x.x receiveId = 5

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x

*Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)

*aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0

*aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to, proxy state x.x.x.x-00:00

*radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3

****Enter processRadiusResponse: response code=3

*radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server for mobile x.x.x.x receiveId = 5


Client AAA Authentication Failure

Well if you get a reject from the radius server, WLC is doing nothing wrong but you should check on your radius server what is the reason of the reject. There has to be a message there :-)

New Member

Re: Client AAA Authentication Failure

Thanks for the reply, I checked the logs and it shows the correct username who has attempted to login and then for the same user it shows the machine name trying to login. Could it be something to do with the client's configuration?

Are there any specific config that needs to be made on the clients who are mostly windows based devices, the user doesn't get prompted to enter a username or password even when 802.1X is selected for the Authentication.

Cisco Employee

Client AAA Authentication Failure

Take packet capture at the Radius server port, filter for Radius packets with shared secret configured on Wireshark, it should tell why it is failing.