Cisco Support Community
New Member

Problems with clients on a 1220 AP with LEAP auth

I am having some problems with all clients on one access point that have this state:

0018.de99.bafe 4500-radio TN1AP01OFF self EAP-Assoc

Here is the config:

service timestamps debug datetime localtime

service timestamps log datetime localtime

service password-encryption


hostname xx


logging buffered informational

aaa new-model



aaa group server radius rad_eap

server auth-port 1645 acct-port 1646


aaa authentication login default group tacacs+ local

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization exec default group tacacs+ local

aaa session-id common

enable secret 5


username imperbalene privilege 15 secret 5

clock timezone CST -6

clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

ip subnet-zero

ip domain name


no dot11 igmp snooping-helper


bridge irb



interface Dot11Radio0

no ip address

no ip route-cache


encryption mode wep mandatory


ssid accuwireless

authentication open eap eap_methods

authentication network-eap eap_methods


speed basic-1.0 basic-2.0 basic-5.5 basic-11.0

rts threshold 2339

rts retries 32

power local 100

packet retries 32

channel 2462

fragment-threshold 2338

station-role root

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled


interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled


interface BVI1

description bvi1

ip address

no ip route-cache


ip default-gateway

ip http server

ip http help-path

ip http authentication aaa

ip radius source-interface BVI1

logging trap debugging


snmp-server community diff133>>// RO

no snmp-server enable traps tty

snmp-server host diff133>>//

tacacs-server host key

radius-server host auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server key 7

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

radius-server vsa send authentication

I have a Cisco ACS server on the backend authenticating just fine, but it seems either the clients are misconfigured or there is something in the AP that needs to be changed.
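On the AP side, the SSID's EAP method list has to resolve through the AAA server group to a defined RADIUS host before any client can complete authentication. The following sketch of that consistency check is an added example, not part of the original post. The address 192.0.2.10 is a placeholder for the redacted server value, and requiring the group's server line to match a radius-server host line on address and auth-port is this example's assumption about classic IOS syntax.

```python
import re

# Constructed sample: the EAP-related lines of the posted config. 192.0.2.10 is
# a placeholder for the RADIUS (ACS) address, which the post has redacted.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa authentication login eap_methods group rad_eap
interface Dot11Radio0
 ssid accuwireless
  authentication open eap eap_methods
  authentication network-eap eap_methods
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
"""

def check_eap_chain(config):
    """Trace SSID -> AAA method list -> server group -> radius-server host."""
    method_lists, groups, hosts, ssid_refs = {}, {}, set(), set()
    group = ssid = None
    # Blank lines are skipped so a double-spaced paste parses the same way.
    for line in filter(None, map(str.strip, config.splitlines())):
        if not line.startswith("server "):
            group = None  # any other command ends the server-group block
        if m := re.match(r"aaa group server radius (\S+)$", line):
            group = m.group(1)
            groups[group] = set()
        elif group and (m := re.match(r"server (\S+) auth-port (\d+)", line)):
            groups[group].add((m.group(1), m.group(2)))
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            method_lists[m.group(1)] = m.group(2)
        elif m := re.match(r"radius-server host (\S+) auth-port (\d+)", line):
            hosts.add((m.group(1), m.group(2)))
        elif m := re.match(r"ssid (\S+)$", line):
            ssid = m.group(1)
        elif ssid and (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", line)):
            ssid_refs.add((ssid, m.group(1)))
    problems = []
    if not ssid_refs:
        problems.append("no SSID references an EAP method list")
    for name, mlist in sorted(ssid_refs):
        grp = method_lists.get(mlist)
        if grp is None:
            problems.append(f"ssid {name}: method list {mlist} has no server group")
        elif not groups.get(grp):
            problems.append(f"ssid {name}: server group {grp} has no usable server entry")
        elif not groups[grp] & hosts:
            problems.append(f"ssid {name}: no server in group {grp} matches a radius-server host")
    return problems
```

Run against the config exactly as posted, the redacted `server` line has no address, so the check reports that group rad_eap has no usable server entry.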

New Member

Re: Problems with clients on a 1220 AP with LEAP auth

What is the behavior you're seeing?

1.) The client shows up in the association table on the AP, so WLAN configs must match.

2.) ACS shows a passed authentication? So the clients have an appropriate IP address and are able to pass traffic...

Can you ping the GW of the network?
