Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Cannot connect client to network due to failed LEAP authentication




Cannot connect client to network due to failed LEAP authentication


Core Issue


This problem may be caused by one of the following:


  • Incorrect username and password
  • Incorrect username and password on the RADIUS server
  • Incorrect LEAP configuration




To resolve this problem, perform the following steps:


  1. Verify that you have entered your username and password correctly.
  2. Verify that the username and password are setup correctly on the RADIUS server.
  3. Verify that LEAP is properly configured, Configuring Access Points Running Cisco IOS Software Release 12.2(4)JA or Later for Cisco LEAP


Step 1                     Browse to the access point.

Step 2                     Click Security.

Step 3                     From the Security submenu, click Server Manager.

Step 4                     Configure the IP address of the Cisco Secure ACS in the Server field.

Step 5          Choose RADIUS from the Server Type drop-down box and enter the shared secret in the Shared Secret field (see Figure 10).

Step 6                     Check the EAP Authentication check box and specify an authentication port if you are not using the default value (1645).

Step 7                     Click Apply to save the server configuration settings.





These CLI commands approximate the GUI steps above:



ap(config)# radius-server host <ip address> auth-port 1645 acct-port 1646 key <shared secret>

ap(config)# radius-server retransmit <number retries>

ap(config)# radius-server timeout <seconds>

ap(config)# aaa group server radius <server groupname for EAP>

ap(config-sg-radius)# server <ip address> auth-port 1645 acct-port 1646

ap(config-sg-radius)# deadtime <minutes>

ap(config)# aaa authentication login <auth list for EAP> group <server groupname>


Step 8                     In the Global Server Properties section of the Server Manager page, configure the non-default RADIUS Server Timeout (the default is 5 seconds), RADIUS Server Retransmit Retries (the default is three attempts), and Dead RADIUS Server List (the default is Disabled). The Dead RADIUS Server function controls the period of time that the access point stays on a secondary or backup before attempting to again authenticate users with the primary server.




If the Dead RADIUS Server List is not enabled, all authentication attempts to the primary server must time out before the access point tries authentication with the backup server. Therefore, the Dead RADIUS Server List should be enabled for all deployments of backup RADIUS servers.


Step 9                     Choose SSID Manager from the Security submenu.

Step 10                     Choose SSID from the Current SSID List (see Figure 11) to configure Cisco LEAP for the active SSID.

Step 11                     Check the Network EAP check box. If you are using non-Cisco client cards, specify Open Authentication, check the Add check box, and specify EAP Authentication in the drop-down box.

Step 12          Click Apply to activate changes to the appropriate radio interface (Radio0 for an internal radio, Radio1 for a modular radio).






This CLI command approximates the GUI steps above:


ap(config-if-ssid)# authentication network-eap <auth list>


Step 13                     Choose WEP Key Manager from the Security submenu.

Step 14                     Choose Optional or Mandatory encryption from the WEP Encryption drop-down box under the Encryption Modes section. Choosing Optional encryption permits non-WEP clients to associate to the access point.

Step 15                     Click Apply to activate changes for the appropriate radio interface.

Step 16          Choose Advanced Security from the Security submenu.

Step 17          Click the Timers tab.

Step 18                     Under Global Client Properties, set the client holdoff time, the period of time that a client is disabled from reauthenticating after unsuccessful EAP retries. In addition, you can configure client EAP settings for (re)authentication and the EAP request interval. The EAP reauthentication interval setting enables the access point to force client reauthentication at a specified interval if not specified by the RADIUS server. The EAP client timeout controls the amount of time that the access point waits for an EAP response from the client before considering an EAP request failed.



These CLI commands approximate the GUI steps above:



ap(config-if)# encryption mode wep mandatory (or optional)

ap(config-if)# dot1x client-timeout (seconds that AP waits for client EAP response)

ap(config-if)# dot1x reauth-period (seconds, reauth interval)

ap(config)# dot11 holdoff-time (seconds, client lockout after unsuccessful EAP)


Special attention should be paid to the use of strong passwords. Cisco LEAP is a password-based algorithm. To minimize the possibility of a successful dictionary attack, use strong passwords, which are difficult to guess. Some characteristics of strong passwords include the following:


  • A minimum of ten characters.
  • A mixture of uppercase and lowercase letters.
  • At least one numeric character or one non-alphanumeric character (example: !#@$%).
  • No form of the user's name or user ID.
  • A word that is not found in the dictionary (domestic or foreign).


Problem Type


Client / Device cannot authenticate




Access point

WLAN adapters (wireless card) / ACU (Aironet Client Utility)




Configuring the Cisco Wireless Security Suite