Core Issue
The problem is associated with the NAS-Port-Type attribute exchanged between the AP1200 and the RADIUS server. Under the VxWorks operating system on the AP1200, the NAS-Port-Type value is 19; under the IOS version, the NAS-Port-Type being sent is 5. The RADIUS server expects to receive a value of 19, which is the RADIUS value for Wireless - IEEE 802.11. See the following RADIUS debug output, captured on the AP1200 by issuing debug dot11 aaa dot1x all, debug aaa authentication and debug radius.
Jun 5 20:02:44.437: RADIUS: Send to unknown id 20 10.32.230.23:1645,
Access-Request, len 136
Jun 5 20:02:44.437: RADIUS: authenticator 05 1A 59 32 72 24 FA 2B -
EC 62 12 07 3E 15 5A 5C
Jun 5 20:02:44.437: RADIUS: User-Name [1] 13 "KNOX\NetMan"
Jun 5 20:02:44.437: RADIUS: Framed-MTU [12] 6 1400
Jun 5 20:02:44.437: RADIUS: Called-Station-Id [30] 16 "000c.ce21.1d96"
Jun 5 20:02:44.438: RADIUS: Calling-Station-Id [31] 16 "000c.ce5a.51ff"
Jun 5 20:02:44.438: RADIUS: Message-Authenticato[80] 18 *
Jun 5 20:02:44.438: RADIUS: EAP-Message [79] 18
Jun 5 20:02:44.438: RADIUS: 02 02 00 10 01 4B 4E 4F 58 5C 4E 65 74
4D 61 6E [?????KNOX\NetMan]
Jun 5 20:02:44.439: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 5 20:02:44.439: RADIUS: NAS-Port [5] 6 290
Jun 5 20:02:44.439: RADIUS: NAS-IP-Address [4] 6 10.1.225.3
Jun 5 20:02:44.439: RADIUS: Nas-Identifier [32] 11 "CC-IOS-AP"
Jun 5 20:02:44.447: RADIUS: Received from id 20 10.32.230.23:1645,
Access-Reject, len 20
Jun 5 20:02:44.448: RADIUS: authenticator FD 4A 27 A5 D5 C1 C4 77 -
4C B6 B3 6F BF 1A E0 85
Jun 5 20:02:44.448: RADIUS: Received from id 16
Jun 5 20:02:44.449: dot11_dot1x_parse_aaa_resp: Received server response:
FAIL
Resolution
This issue is documented in bug ID: CSCeb36095.
To work around this issue, reconfigure your RADIUS server so that it expects the more generic value of 5. To make this configuration change, do the following on the RADIUS server:
- Add the match condition "NAS-Port-Type" must be "Virtual"
- Edit the profile and add "Virtual" to "Restrict dial-in media" setting
Note: This workaround assumes you are running only IOS-based access points.
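The mismatch visible in the debug output above can be checked mechanically when reviewing captures from several access points. The following Python sketch is an added example, not Cisco code: it rejoins the wrapped debug lines, pairs each Access-Request with its reply by RADIUS id, and flags a NAS-Port-Type that differs from what the server policy expects. The function names unwrap and audit are hypothetical, and the second exchange in the sample (id 21) is constructed for contrast.

```python
import re

EXPECTED = 19  # Wireless - IEEE 802.11, the value the page says the server expects
STAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ [\d:.]+: ")
SEND = re.compile(r"RADIUS: Send to \S+ id (\d+) \S+, *(\S+),")
RECV = re.compile(r"RADIUS: Received from id (\d+) \S+, *(\S+),")
PORT_TYPE = re.compile(r"RADIUS: NAS-Port-Type +\[61\] +\d+ +.*\[(\d+)\]")

# Exchange id 20 is taken from the debug output above; id 21 is constructed for contrast.
SAMPLE = """\
Jun 5 20:02:44.437: RADIUS: Send to unknown id 20 10.32.230.23:1645,
Access-Request, len 136
Jun 5 20:02:44.439: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 5 20:02:44.439: RADIUS: NAS-Port [5] 6 290
Jun 5 20:02:44.447: RADIUS: Received from id 20 10.32.230.23:1645,
Access-Reject, len 20
Jun 5 20:03:10.101: RADIUS: Send to unknown id 21 10.32.230.23:1645,
Access-Request, len 136
Jun 5 20:03:10.102: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
Jun 5 20:03:10.110: RADIUS: Received from id 21 10.32.230.23:1645,
Access-Accept, len 20
"""

def unwrap(text):
    """Rejoin wrapped continuation lines (no timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def audit(text, expected=EXPECTED):
    """Pair each Access-Request with its reply; flag unexpected NAS-Port-Type."""
    results, pending, current = [], {}, None
    for rec in unwrap(text):
        if m := SEND.search(rec):
            # The numeric value in the trailing brackets is used, not the printed name.
            current = {"id": int(m[1]), "nas_port_type": None, "reply": None, "mismatch": False}
            pending[current["id"]] = current
            results.append(current)
        elif m := RECV.search(rec):
            if ex := pending.pop(int(m[1]), None):
                ex["reply"] = m[2]
            current = None
        elif current and (m := PORT_TYPE.search(rec)):
            current["nas_port_type"] = int(m[1])
            current["mismatch"] = current["nas_port_type"] != expected
    return results
```

Calling audit(SAMPLE) flags the id 20 exchange; calling audit(SAMPLE, expected=5) models a server reconfigured as in the workaround, where the IOS value passes and a value of 19 would be flagged instead.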
Problem Type
Client / Device cannot authenticate
Products
AP 1200