I have a 2106 wireless controller set up along with a 1252 access point. I am able to authenticate to the AP via WPA-PSK without issue. However, when I configure authentication to use our RSA RADIUS server, it fails with several error messages. I am confident the RADIUS server is set up properly because we have been using it to authenticate to your routers/switches for the past year.
Here are the error messages I receive in the controller's logs:
DOT1X-3-ABORT_AUTH: Authentication Aborted
DOT1X-3-AAA_SEND_FAILURE: Unable to send AAA message for client <mac address>
DOT1X-3-MAX_EAP_RETRIES: Max EAP identity request retries (3) exceeded for client <mac address>
AAA-4-RADIUS_RESPONSE_FAILED: RADIUS server <ip address> failed to respond to request (IDxx) for STA <mac address> / user 'unknownUser'
Looking at the accounting logs on the RADIUS server also shows that the device's MAC is being sent as the UserName, which doesn't seem right to me and which may be the issue, but I'm unsure how to fix it, especially since I don't have MAC filtering turned on.
I am trying to authenticate with a MacBook Pro running 10.5.2.
Well, I loaded the secure services client on an XP machine and have tried all the different EAP methods using password and token, and I get the exact same messages in the logs on the 2106 and the same messages in the accounting logs on the RADIUS server.
I'm at a loss as to what could be configured wrong.
Well, having no luck going to my RADIUS server directly from the WLC, I decided to try using our test ACS server in the mix. I configured it to talk to the RSA RADIUS server and reconfigured the WLC to talk to the ACS server.
Except for not selecting the proper protocols, I authenticated without a hitch using a token code on an XP machine with the Cisco client.
I then fired up the Mac and it authenticated properly with no issues as well, and even gave me the option to say it was a one-time password. I thought I read elsewhere that one-time passwords weren't supported? Well, apparently they are now.