1240AG as WDS & Local Radius Server

Have 5 1240AG's and want to use one as WDS and Local Radius Server.
Am using the following as a guide:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml#hw
The above example uses a Cisco Secure ACS and designates both an AP and a WSLM as the WDS. I just want to use the AP as the WDS.
Isn't it possible to do the whole thing just using a 1240AG as both the WDS and Local Radius Server and not use a Cisco Secure ACS or WSLM?
Is there an online guide for such a thing? (looked, didn't find it)
Appreciate the guidance
Cheers

Thanks, that's what I thought.
I had found the WDS setup link but wasn't sure if I was missing something.
The link you provided for the Local Radius Server setup is for "partners" only I believe? Can't access it.
But I think I should be able to find some guides/examples somewhere else in the archives. I'm starting w/ these 2 links;
https://www.cisco.com/en/US/products/ps6521/prod_configuration_examples_list.html
and
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
Appreciated the heads up about port 1812.

Similar Messages

EAP-FAST on Local Radius Server : Can't Get It Working

Hi all
I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
sh radius local-server s
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 17
NAS : 172.27.44.1
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type : 17
Auto provision success : 0           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0
Can anyone suggest what I might be doing wrong?
Regs, Tim

Thanks Nicolas, relevant snippets from config:
aaa new-model
aaa group server radius rad_eap
server 172.27.44.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid home
vlan 3
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ip dhcp pool home
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 194.74.65.68 194.74.65.69
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin pop3
ip inspect name ethernetin ssh
ip inspect name ethernetin dns
ip inspect name ethernetin ftp
ip inspect name ethernetin tftp
ip inspect name ethernetin smtp
ip inspect name ethernetin icmp
ip inspect name ethernetin telnet
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm tkip
encryption vlan 2 mode ciphers aes-ccm tkip
encryption vlan 3 mode ciphers aes-ccm tkip
broadcast-key vlan 1 change 30
broadcast-key vlan 2 change 30
broadcast-key vlan 3 change 30
ssid home
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan3
no ip address
bridge-group 3
interface BVI3
ip address 192.168.1.1 255.255.255.0
ip inspect ethernetin in
ip nat inside
ip virtual-reassembly
radius-server local
no authentication mac
nas 172.27.44.1 key 0 123456
user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
user test3 nthash 0 0CB6948805F797BF2A82807973B89537
radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
radius-server vsa send accounting

Local radius server : one username for several devices ?

I've just installed a AP 1231g as a local radius server and I've got two devices that are authenticated by the AP with the same username/password .
is not there a problem?

Hi,
Problem ?? no there is no issues. You are using a single user name to access network devices.
Regards,
~JG
Please rate if helps

Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

I have been attempting to reconfigure a AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details to my configuration.
SSID: labssid (Open authentication with EAP)
Cipher: TKIP
Key management: Mandatory (WPA)
I have a Cisco ACS server but am attempting to get this running intially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have the "Use Windows to configure my wireless network settings" checked so I am using the inherant Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
1. Network authentication: WPA
2. Data encryption: TKIP
3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
4. Authenticate as computer whe computer information is avail (UNCHECKED)
5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
When I attempt to provide my test/test credientials the Access Point logs the following:
Station 0016.6f77.9ccd Authentication failed
When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
"Unknown EAP Type"
If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
What am I missing?

I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP looses it's connection TO the ACS server. The Access Point logs the following:
1. Station 0016.6f77.9ccd Authentication failed
2. RADIUS server 192.168.102.82:1645,1646 has returned.
3. RADIUS server 192.168.102.82:1645,1646 is not responding.
The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP looses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue not an AP issue, but am wondering if anyone else has ever noticed this behavior.

1100 with Local Radius Server problems Atheros Client

I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing, here is the debug from the 1100.Any help much appreciated.
Xcon-ap1100#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Xcon-ap1100(config)#radius
Xcon-ap1100(config)#radius-server local
Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
Xcon-ap1100(config-radsrv)#end
Xcon-ap1100#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Xcon-ap1100#term mon
Xcon-ap1100#
*Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:26.962: RADIUS: 32 [2]
*Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
*Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
*Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
*Apr 3 16:26:26.963: RADIUS(000000FC): sending
*Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
*Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
*Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
*Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
*Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
*Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
*Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
*Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
*Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
*Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
*Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
*Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
*Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
*Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
*Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
*Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
*Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
*Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
*Apr 3 16:26:50.071: RADIUS: 32 [2]
*Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
*Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
*Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
*Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
Cheers
Bernhard

How to set local radius with AP 1240AG series

Hi,
I have been trying to set up a AP with AIR-AP1242AG-Ak9 as a local authenticator radius but with no success. I have followed the steps from a lot of posts but no go, even with the most simple and understanable post like this one:
https://supportforums.cisco.com/document/101121/configuring-autonomous-ap-local-radius-authentication
The guy at the end of the post says:
Configuring AP
1. Go to Security>Encryption Manager
2. Specify Encryption (can be WEP or WPA)
3. Specify that WEP is Mandatory
4. Specify the key accordingly
5. Click Apply
6. Go to Security>SSID Manage
7. Select the desired SSID
But when I go via GUI fist of all:
I dont understand why it says it can be WEP o WPA because if I select WEP and follow the rest of the steps, I got an error message: WPA mandatory is supported only with Cipher TKIP or AES CCMP or AES CCMP +TKIP <see encryption managerpage>
Besides WEP, as far as I kknow it only works with a password only and I want the PC clients to aunthenticate with the AP itself as a Radius local server so it should ask for a username and password defined in the AP.
Second of all, the steps from the guy states on item 4, specfy the key acordinly? what this means? I only see keys filed in hexa.
third of all, if I do the steps in the error above, it allows me to set WPA with key management Mandatory but only by selecting the Cipher drop down menu, so which item should I pick ?there are a lot like AES CCMP, AES CCMP+TKIP, etc
But whenever another PC tries to login, it asks for the username and password, but it never get passed just saying error on the network.
I include the debug for the local radius below
I also included the config of the AP
All I want is the AP ask for a username and password, login successfully and thats it.
anybody else or someone that has a function config to share with me? I would appreciate it, cause I have been more than 12 hours in a row trying to set it up but no go

Here is a one of my post related to this topic,see if that helps,
http://mrncciew.com/2013/03/03/autonomous-ap-as-local-radius-server/
If supported use WPA2 with AES as that is most secure. Do not use WEP. If WPA2/AES is not supported then try to use WAP with TKIP.
Here is other useful configuration example on the same topic
https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/
HTH
Rasika
**** Pls rate all useful responses ***

EAP-FAST with local radius on 1242AG

I'm trying to get EAP-FAST working using the local radius server on a 1242AG autonomous AP using the latest firmware from Cisco. The cypher I'm using is CCMP. LEAP works fine with all my clients, however if I move to EAP-FAST in the radius config my clients fail to authenticate
I know I need to set PAC to automatic somewhere, but the EAP-FAST configuration in the 1242AG GUI doesn't make this clear what to do.
Any help or a basic example you be great.
thanks,
Simon

I think this is what you're looking for;
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
HTH
Regards,
Jatin
Do rate helpful posts~

Wireless local radius authentication

Greetings,
I have a AIR-AP1121G-A-K9, and I would like to authenticate users with a username and password on the AP using the local radius server.
I used the configuration at http://www.aironet.info/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
and tried a couple other posted configuration, but are running into the same issue regardless of which method I am using.
show ver
Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(8)JED1, RELEASE
SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 27-Apr-10 12:52 by alnguyen
ROM: Bootstrap program is C1100 boot loader
BOOTLDR: C1100 Boot Loader (C1100-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RE
LEASE SOFTWARE (fc1)
ORP_ROOFDECK uptime is 21 hours, 3 minutes
System returned to ROM by power-on
System image file is "flash:/c1100-k9w7-mx.123-8.JED1/c1100-k9w7-mx.123-8.JED1"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-AP1121G-A-K9     (PowerPCElvis) processor (revision A0) with 15138K/12
36K bytes of memory.
Processor board ID FOC08370K83
PowerPCElvis CPU at 197Mhz, revision number 0x0950
Last reset from power-on
1 FastEthernet interface
1 802.11 Radio(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:01:6B:86:46
Part Number                          : 73-7886-07
PCA Assembly Number                  : 800-21481-07
PCA Revision Number                  : A0
PCB Serial Number                    : XXX
Top Assembly Part Number             : 800-22053-04
Top Assembly Serial Number           : XXX
Top Revision Number                  : A0
Product/Model Number                 : AIR-AP1121G-A-K9
Configuration register is 0xF
show run
Current configuration : 4240 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname XXX
ip subnet-zero
ip domain name XXX!
ip ssh version 2
aaa new-model
aaa group server radius rad_eap
server 172.16.1.35 auth-port 1812 acct-port 1813
aaa group server radius rad_acct
server 172.16.1.35 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid YYY
   authentication open eap eap_methods
   authentication network-eap eap_methods
   guest-mode
bridge irb
interface Dot11Radio0
no ip address
ip helper-address 172.16.1.1
no ip route-cache
encryption key 1 size 128bit 7 66061D688B874859701297485642 transmit-key
encryption mode wep mandatory
broadcast-key change 300
ssid YYY
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
channel 2437
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.1.35 255.255.255.0
ip helper-address 172.16.1.1
no ip route-cache
ip default-gateway 172.16.1.1
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
no authentication eapfast
no authentication mac
nas 172.16.1.35 key 7 VVV
group YYY
    ssid YYY
    block count 3 time 30
    reauthentication time 300
user zzz nthash 7 0225540F2A2429741C162F3C2636455854560E72760A6A667B315E37
5553010B7A group YYY
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 VVV
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
access-class 10 in
line vty 5 15
end
Debug Output:
331: AAA/ACCT(00000000): add node, session 4
*Mar 1 21:37:37.331: AAA/ACCT/NET(00000004): add, count 1
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: Create new client 0023.6c85.3
2cd for application 0x1
*Mar 1 21:37:37.331: dot11_auth_initialize_client: 0023.6c85.32cd is added to t
he client list for application 0x1
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: req->auth_type 4
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: auth_methods_inprocess: 2
*Mar 1 21:37:37.331: dot11_auth_add_client_entry: eap list name: eap_methods
*Mar 1 21:37:37.331: dot11_run_auth_methods: Start auth method EAP or LEAP
*Mar 1 21:37:37.331: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 1 21:37:37.331: dot11_auth_dot1x_send_id_req_to_client: Sending identity r
equest to 0023.6c85.32cd
*Mar 1 21:37:37.332: EAPOL pak dump tx
*Mar 1 21:37:37.332: EAPOL Version: 0x1 type: 0x0 length: 0x0036
*Mar 1 21:37:37.332: EAP code: 0x1 id: 0x1 length: 0x0036 type: 0x1
00ECBA00: 01000036 01010036 01006E65 74776F72 ...6...6..networ
00ECBA10: 6B69643D 4F52505F 5075626C 69632C6E kid=YYY,n
00ECBA20: 61736964 3D4F5250 5F524F4F 46444543 asid=YYY
00ECBA30: 4B2C706F 72746964 3D30               K,portid=0
*Mar 1 21:37:37.333: dot11_auth_send_msg: sending data to requestor status 1
*Mar 1 21:37:37.333: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar 1 21:37:37.333: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.3
2cd timer started for 30 seconds
*Mar 1 21:38:07.333: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TI
MEOUT) for 0023.6c85.32cd
*Mar 1 21:38:07.333: dot11_auth_dot1x_send_client_fail: Authentication failed f
or 0023.6c85.32cd
*Mar 1 21:38:07.333: dot11_auth_send_msg: sending data to requestor status 0
*Mar 1 21:38:07.333: dot11_auth_send_msg: client FAILED to authenticate 0023.6c
85.32cd, node_type 64 for application 0x1
*Mar 1 21:38:07.333: dot11_auth_delete_client_entry: 0023.6c85.32cd is deleted
for application 0x1
*Mar 1 21:38:07.334: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authenticatio
n failed
*Mar 1 21:38:07.334: AAA/ACCT/HC(00000004): Update DOT11/00A83CE0
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) b
ase 0/0 pre 6861/188 call 6861/188
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): DOT11/00A83CE0 [pre-sess] (rx/tx) a
djusted, pre 6861/188 call 0/0
*Mar 1 21:38:07.335: AAA/ACCT/HC(00000004): Deregister DOT11/00A83CE0
*Mar 1 21:38:07.335: dot11_auth_client_abort: Received abort request for client
0023.6c85.32cd
*Mar 1 21:38:07.335: dot11_auth_client_abort: No client entry to abort: 0023.6c
85.32cd for application 0x1
*Mar 1 21:38:07.335: AAA/ACCT/EVENT/(00000004): CALL STOP
*Mar 1 21:38:07.335: AAA/ACCT/CALL STOP(00000004): Sending stop requests
*Mar 1 21:38:07.336: AAA/ACCT(00000004): Send all stops
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): STOP
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): Method list not found
*Mar 1 21:38:07.336: AAA/ACCT(00000004): del node, session 4
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004): free_rec, count 0
*Mar 1 21:38:07.336: AAA/ACCT/NET(00000004) reccnt 0, csr TRUE, osr 0
*Mar 1 21:38:07.337: AAA/ACCT/NET(00000004): Last rec in db, intf not enqueued
*Mar 1 21:41:34.645: AAA/BIND(00000005): Bind i/f
*Mar 1 21:41:34.645: AAA/ACCT/EVENT/(00000005): CALL START
*Mar 1 21:41:34.645: Getting session id for NET(00000005) : db=C4EBC0
*Mar 1 21:41:34.645: AAA/ACCT(00000000): add node, session 5
*Mar 1 21:41:34.646: AAA/ACCT/NET(00000005): add, count 1
*Mar 1 21:41:34.646: Getting session id for NONE(00000005) : db=C4EBC0
*Mar 1 21:41:34.646: AAA/AUTHEN/LOGIN (00000005): Pick method list 'Permanent L
ocal'
*Mar 1 21:41:39.002: AAA/AUTHOR (0x5): Pick method list 'default'
*Mar 1 21:41:39.002: AAA/AUTHOR/EXEC(00000005): processing AV cmd=
*Mar 1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): processing AV priv-lvl=15
*Mar 1 21:41:39.003: AAA/AUTHOR/EXEC(00000005): Authorization successful
Any ideas how I can get simple username/password working on an autonomous AP with local radius server?
Thank you,

You could get a better idea of why the auth is being failed with the output of "show radius local-server statistics". You could also run "debug radius local-server client" and "debug radius local-server error".

Aaa radius server control privilege level

I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
Windows 2008 R2 Domain controller with NPS installed.
Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
Network Policies:
NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
Cisco-AV-Pair Cisco shell:priv-lvl=15
My switch config:
aaa new-model
aaa group server radius MTFAAA
server name dc-01
server name dc-02
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
radius server dc-01
address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
key 7 ******
radius server dc-02
address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
key 7 ******
No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

Access denied when ssh in window server 2008 after set it as radius server

yesterday i succeed to use aaa to login and can see aaa in sh aaa session
https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
today i simulate again, it access denied, do not know where is wrong
win 192.168.2.12 --- switch 192.168.2.5 --- 192.168.2.1 R1
R1
conf t
hostname router1
int FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
no shut
end
conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end
enable
configure terminal
enable secret cisco
end
conf t
aaa new-model
username radiusclient privilege 15 password 0 cisco
crypto key generate rsa
ip ssh time-out 60
ip ssh version 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
ip domain-name radius1.local
radius-server host 192.168.2.12
radius-server key cisco
aaa group server radius NPSSERVER
server 192.168.2.12
exit
aaa authentication login default group NPSSERVER local
aaa authorization exec default group NPSSERVER local
exit
R2
conf t
vlan 10
int vlan 10
ip address 192.168.2.5 255.255.255.0
end
conf t
hostname router2
int FastEthernet1/0
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/1
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/2
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
R3
conf t
hostname router3
int FastEthernet0/0
ip address 192.168.2.7 255.255.255.0
no shut
end
conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end

Hi,
The configuration looks fine. What do you see in radius server as the reason for authentication failure?
Regards,
Kanwal
Note: Please mark answers if they are helpful.

Local radius question?

Hi,
I was just taking a look at the local radius functionality on a router. I've found a strange problem which doesn't make sense to me and I was wondering if someone could explain what I'm seeing. As a basic lab to learn the ropes with local radius I created a local radius server on my router and got the local vty lines to use it for authentication.
This is my config:
interface Loopback0
ip address 192.168.0.1 255.255.255.255
ip radius source-interface Loopback0
aaa group server radius LOCAL-RADIUS
server 192.168.0.1 auth-port 1812 acct-port 1813
aaa authentication login default group LOCAL-RADIUS
radius-server local
nas 192.168.0.1 key 0 <removed>
user mwhittle nthash 0 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.0.1 auth-port 1812 acct-port 1813 key <removed>
radius-server vsa send accounting
Now he's the strange thing... If I configure the radius user to "mwhittle" with the password "mwhittle" it works and I get an Access-Accept. If I configure anything another than the username for the password it doesn't work and I get an Access-Reject. I have tried many combinations but as long as the username and password are the same it works and if they aren't it doesn't. This can't be normal behavior unless I'm missing something.
Any ideas?
Kind regards,
Mike

Hi,
What kind of RADIUS client application are you using with the IOS local RADIUS server? Please note that this server supports *only* wireless clients,
and only for the LEAP and EAP-FAST EAP types, and also MAC authentication. It does not provide support for other kinds of RADIUS clients.
The fact that username=password happens to seem to work is, I believe, an accidental artifact of the MAC authentication support, where username
is always equal to password.
If we are not using the MAC auth, then please feel free to open up a TAC case and we will help you..
lemme know if this answered your question..
Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Local Radius / LEAP only

With a Cisco 1120, does the local radius server only support LEAP? Any way to get support for PEAP?
Thanks,

The "Local Authentication Server" is currently LEAP only.

Flexconnect Radius Server Overwrite interface Question

Hello All,
Can someone confirm/comment on the following:
In a flexconnect scenario, for site 1, i would like to source the radius requests to a remote radius (at the flexconnect site 1). as i can understand i need to enable the RAdius Server Overwrite interface option. Is that all?
Also, for flexconnect sites X this can also be done per WLAN X configuration.
Is this correct?
Thanks

Hi pana,
Answers below :
Meaning that, even if i configure the Flexconnect groups with local authentication, then how does the Flexconnect ap reach the local radius?
When you are working with local authentication, the AP will communicate with the local RADIUS Server using the local routing in the branch office without the 802.1X traffic being sending to the WLC......the AP will communicate directly to the local radius server using it IP address and the local routing. (This communication is transparent if you see from the WLC because the WLC will not intermediate the authentication between the client and RADIUS, who will intermediate is the AP. The WLC will receive informations when the AP is in connected mode about the client and the authentication method and etc after the user was authenticated).
Example :
RADIUS SERVER
WLC ----SWITCH L3------ROUTER----(MPLS Link)-----ROUTER---SWITCH L3---AP
The WLC continues managing the Access Point but will not"talk" to the RADIUS Server, who will "talk" to the RADIUS Server is the AP in the branch office using the SWITCH L3 (Asumming that you have the RADIUS in one network and the AP in another network in the same branch office)
Understand now ?
As i can understand, in a local switching/local authentication scenario the Flexconnect ap can only map a WLAN to local VLAN( route-able network on the remote site) that serves for the users-data plane. Then in conjunction with the radius server override option, how can this FlexconnectAP send requests to the local radius? I can only suppose that it will do so using the users locally mapped VLAN/WLAN but i cant reference this anywhere.
The AP will only send the requests do the local radius only if you configure the FlexConnect Local Auth and FlexConnect Group. Enabling this option the AP will use it IP Address to communicate with RADIUS without the WLC intermedianting this communication.
Without the FlexConnect Local Auth enable in the WLAN the AP will continue directing the 802.1X requests to the WLC and the WLC will send to the RADIUS Server and in this situation if you enabled the radius overwrite interface the WLC will try to reach the RADIUS Server using the WLAN interface and not the management the interface. (You do not need the radius overwrite interface option to work with Local Auth if you want to use the AP as a Authenticatior, you only use this interface if you want that the WLC with central authentication direct the 802.1X authentications to the RADIUS)
One information about the VLAN/WLAN is really mapped statically but you can manipulate it using the RADIUS Atrributes, changing the VLANs from the USERs based in the AD Group and after the authentication. It can work in local auth scenario or central auth scenario.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#pgfId-1103070
I hope it helps and if not helps i think i am not understanding the real question.

ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.
We do not know whether we configured switch in proper way or do we need to modify it.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
server-key 7 12345678
ip device tracking
epm logging
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
radius-server vsa send accounting
radius-server vsa send authentication
Port Configuration
interface GigabitEthernet0/1
switchport access vlan 305
switchport mode access
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 305
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Please help....
Thanks

Tabish-
The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/devices is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
If you want to use the "fail-open" features you will have to use the "High Securty/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EPoL traffic is allowed on port until authenticated.
For more info you should reference the TrustSec design guide located at:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Thank you for rating!

Cisco 871w, radius server local, and leap or eap-fast will not authenticate

Hello, i trying to setup eap-fast or leap on my 871w. i belive i have it confiured correctly but i can not get any device to authenticate to router. Below is the confiureation that i being used. any help would be welcome!
! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
hostname router871
boot-start-marker
boot-end-marker
logging count
logging message-counter syslog
logging buffered 4096
logging rate-limit 512 except critical
logging console critical
enable secret 5 <omitted>
aaa new-model
aaa group server radius rad-test3
server 192.168.16.49 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login eap-methods group rad-test3
aaa authorization exec default local
aaa session-id common
clock timezone AZT -7
clock save interval 8
dot11 syslog
dot11 ssid test2
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <omitted>
dot11 ssid test1
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 <omitted>
dot11 ssid test3
vlan 3
authentication open eap eap-methods
authentication network-eap eap-methods
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.162.16.49 192.162.16.51
ip dhcp excluded-address 192.168.16.33
ip dhcp excluded-address 192.168.16.1 192.168.16.4
ip dhcp pool vlan1pool
   import all
   network 192.168.16.0 255.255.255.224
   default-router 192.168.16.1
   domain-name test1.local.home
   lease 4
ip dhcp pool vlan2pool
   import all
   network 192.168.16.32 255.255.255.240
   default-router 192.168.16.33
   domain-name test2.local.home
   lease 0 6
ip dhcp pool vlan3pool
   import all
   network 192.168.16.48 255.255.255.240
   default-router 192.168.16.49
   domain-name test3.local.home
   lease 2
ip cef
ip inspect alert-off
ip inspect max-incomplete low 25
ip inspect max-incomplete high 50
ip inspect one-minute low 25
ip inspect one-minute high 50
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 30
ip inspect tcp synwait-time 60
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 25 block-time 2
ip inspect name firewall tcp router-traffic
ip inspect name firewall ntp
ip inspect name firewall ftp
ip inspect name firewall udp router-traffic
ip inspect name firewall pop3
ip inspect name firewall pop3s
ip inspect name firewall imap
ip inspect name firewall imap3
ip inspect name firewall imaps
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall icmp router-traffic timeout 10
ip inspect name firewall dns
ip inspect name firewall h323
ip inspect name firewall hsrp
ip inspect name firewall telnet
ip inspect name firewall tftp
no ip bootp server
no ip domain lookup
ip domain name local.home
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.15
ip accounting-list 192.168.16.48 0.0.0.15
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username testtest password 7 <omitted>
archive
log config
logging enable
logging size 255
notify syslog contenttype plaintext
hidekeys
path tftp://<omitted>/archive-config
write-memory
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
bridge irb
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
shutdown
interface FastEthernet1
switchport mode trunk
shutdown
interface FastEthernet2
shutdown
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
ip access-group ingress-filter in
ip access-group egress-filter out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip inspect firewall out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
load-interval 30
duplex auto
speed auto
no cdp enable
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
encryption key 1 size 128bit 7 <omitted> transmit-key
encryption mode wep mandatory
broadcast-key vlan 1 change <omitted> membership-termination
broadcast-key vlan 3 change <omitted> membership-termination
broadcast-key vlan 2 change <omitted> membership-termination
ssid test2
ssid test1
ssid test3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
no cdp enable
interface Dot11Radio0.1
description <omitted>
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.2
description <omitted>
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
description <omitted>
encapsulation dot1Q 3
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
interface Vlan1
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface Vlan2
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 2
bridge-group 2 spanning-disabled
interface Vlan3
description <omitted>
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
bridge-group 3
bridge-group 3 spanning-disabled
interface BVI1
description <omitted>
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI2
description <omitted>
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
interface BVI3
description <omitted>
ip address 192.168.16.49 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
ip http timeout-policy idle 5 life 43200 requests 5
ip flow-top-talkers
top 10
sort-by bytes
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
ip access-list extended egress-filter
deny   ip any host <omitted>
deny   ip any host <omitted>
deny   ip host <omitted> any
deny   ip host <omitted> any
remark ----- Bogons Filter -----
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.10.9.255 any
deny   ip 10.0.0.0 0.10.13.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.0.0 0.0.0.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.15.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 198.18.0.0 0.1.255.255 any
deny   ip 198.51.100.0 0.0.0.255 any
deny   ip 203.0.113.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
permit ip <omitted> 0.0.0.3 any
deny   ip any any log
ip access-list extended ingress-filter
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny   icmp any any log
deny   udp any any eq echo
deny   udp any eq echo any
deny   tcp any any fragments
deny   udp any any fragments
deny   ip any any fragments
deny   ip any any option any-options
deny   ip any any ttl lt 4
deny   ip any host <omitted>
deny   ip any host <omitted>
deny   udp any any range 33400 34400
remark ----- Bogons Filter -----
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.0.0 0.0.0.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 198.18.0.0 0.1.255.255 any
deny   ip 198.51.100.0 0.0.0.255 any
deny   ip 203.0.113.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny   ip 10.10.10.0 0.0.0.255 any
deny   ip 10.10.11.0 0.0.0.255 any
deny   ip 10.10.12.0 0.0.0.255 any
deny   ip any any log
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
radius-server local
no authentication mac
eapfast authority id <omitted>
eapfast authority info <omitted>
eapfast server-key primary 7 <omitted>
nas 192.168.16.49 key 7 <omitted>
group rad-test3
vlan 3
ssid test3
user test nthash 7 <omitted> group rad-test3
user testtest nthash 7 <omitted> group rad-test3
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
radius-server vsa send accounting
control-plane host
control-plane transit
control-plane cef-exception
control-plane
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
line con 0
password 7 <omitted>
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 <omitted>
logging synchronous
transport output telnet
line vty 0 4
password 7 <omitted>
logging synchronous
transport preferred ssh
transport input ssh
transport output ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5 <omitted> 7
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24 maxpoll 4
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
end

so this what i am getting now for debug? any thoughs?
010724: Jan 5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
010725: Jan 5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
010726: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010727: Jan 5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010728: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010729: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010730: Jan 5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010731: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010732: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010733: Jan 5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010734: Jan 5 16:26:08.976 AZT: EAPOL pak dump tx
010735: Jan 5 16:26:08.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010736: Jan 5 16:26:08.976 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0AD05650:                   01000004 04010004          ........
0AD05660:
010737: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 1
010738: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010739: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010740: Jan 5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010741: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: sending data to requestor status 0
010742: Jan 5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
010743: Jan 5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010744: Jan 5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010745: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010746: Jan 5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010747: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
010748: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010749: Jan 5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010750: Jan 5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010751: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010752: Jan 5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010753: Jan 5 16:26:09.624 AZT: EAPOL pak dump tx
010754: Jan 5 16:26:09.624 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010755: Jan 5 16:26:09.624 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50:                   01000031 01010031          ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
010756: Jan 5 16:26:09.644 AZT: dot11_auth_send_msg: sending data to requestor status 1
010757: Jan 5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010758: Jan 5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010759: Jan 5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010760: Jan 5 16:26:09.656 AZT: EAPOL pak dump rx
010761: Jan 5 16:26:09.656 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010762: Jan 5 16:26:09.656 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0B060D50:                   01000009 02010009          ........
0B060D60: 01746573 74                          .test
010763: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010764: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010765: Jan 5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010766: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
010767: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: ssid              [282] 8
010768: Jan 5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
010769: Jan 5 16:26:09.664 AZT: RADIUS: AAA Unsupported Attr: interface         [175] 3
010770: Jan 5 16:26:09.664 AZT: RADIUS:   36                                               [6]
010771: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010772: Jan 5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
010773: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
010774: Jan 5 16:26:09.664 AZT: RADIUS(00000198): sending
010775: Jan 5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
010776: Jan 5 16:26:09.664 AZT: RADIUS: authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
010777: Jan 5 16:26:09.664 AZT: RADIUS: User-Name           [1]   6   "test"
010778: Jan 5 16:26:09.664 AZT: RADIUS: Framed-MTU          [12] 6   1400
010779: Jan 5 16:26:09.664 AZT: RADIUS: Called-Station-Id   [30] 16 "0019.3075.e660"
010780: Jan 5 16:26:09.664 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010781: Jan 5 16:26:09.668 AZT: RADIUS: Service-Type        [6]   6   Login                     [1]
010782: Jan 5 16:26:09.668 AZT: RADIUS: Message-Authenticato[80] 18
010783: Jan 5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6 [[?G???Kq?`nN?7??]
010784: Jan 5 16:26:09.668 AZT: RADIUS: EAP-Message         [79] 11
010785: Jan 5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
010786: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Type       [61] 6   802.11 wireless           [19]
010787: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port            [5]   6   661
010788: Jan 5 16:26:09.668 AZT: RADIUS: NAS-Port-Id         [87] 5   "661"
010789: Jan 5 16:26:09.668 AZT: RADIUS: NAS-IP-Address      [4]   6   192.168.16.49
010790: Jan 5 16:26:09.668 AZT: RADIUS: Nas-Identifier      [32] 11 "router871"
010791: Jan 5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010792: Jan 5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010793: Jan 5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
router871#
010794: Jan 5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
router871#
010795: Jan 5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010796: Jan 5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010797: Jan 5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010798: Jan 5 16:26:39.794 AZT: EAPOL pak dump rx
010799: Jan 5 16:26:39.794 AZT: EAPOL Version: 0x1 type: 0x1 length: 0x0000
0AD053D0:                   01010000                   ....
010800: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
010801: Jan 5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
router871#
010802: Jan 5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
router871#
010803: Jan 5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
010804: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
010805: Jan 5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
010806: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
010807: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
010808: Jan 5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
010809: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
010810: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
010811: Jan 5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
010812: Jan 5 16:26:47.336 AZT: EAPOL pak dump tx
010813: Jan 5 16:26:47.336 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0004
010814: Jan 5 16:26:47.336 AZT: EAP code: 0x4 id: 0x1 length: 0x0004
0B060710:                   01000004 04010004          ........
0B060720:
010815: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 1
010816: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010817: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
010818: Jan 5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
010819: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: sending data to requestor status 0
010820: Jan 5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
router871#
010821: Jan 5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010822: Jan 5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
010823: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010824: Jan 5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010825: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
010826: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010827: Jan 5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010828: Jan 5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010829: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010830: Jan 5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010831: Jan 5 16:26:47.976 AZT: EAPOL pak dump tx
010832: Jan 5 16:26:47.976 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010833: Jan 5 16:26:47.976 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0AD05B50:                   01000031 01010031          ...1...1
0AD05B60: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
010834: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: sending data to requestor status 1
010835: Jan 5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010836: Jan 5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010837: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010838: Jan 5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
router871#
010839: Jan 5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
router871#
010840: Jan 5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010841: Jan 5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010842: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
010843: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010844: Jan 5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010845: Jan 5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010846: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010847: Jan 5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010848: Jan 5 16:26:58.638 AZT: EAPOL pak dump tx
010849: Jan 5 16:26:58.638 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010850: Jan 5 16:26:58.638 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060710:                   01000031 01010031          ...1...1
0B060720: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060730: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
010851: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: sending data to requestor status 1
010852: Jan 5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010853: Jan 5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010854: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
010855: Jan 5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
010856: Jan 5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
010857: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
010858: Jan 5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
010859: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
010860: Jan 5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
010861: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
010862: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
010863: Jan 5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
010864: Jan 5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
010865: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
010866: Jan 5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
010867: Jan 5 16:27:12.261 AZT: EAPOL pak dump tx
010868: Jan 5 16:27:12.261 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0031
010869: Jan 5 16:27:12.261 AZT: EAP code: 0x1 id: 0x1 length: 0x0031 type: 0x1
0B060FD0:                   01000031 01010031          ...1...1
0B060FE0: 01006E65 74776F72 6B69643D 746F7973 ..networkid=toys
0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465 onpg,nasid=route
0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
010870: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: sending data to requestor status 1
010871: Jan 5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
010872: Jan 5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
010873: Jan 5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
010874: Jan 5 16:27:12.293 AZT: EAPOL pak dump rx
010875: Jan 5 16:27:12.293 AZT: EAPOL Version: 0x1 type: 0x0 length: 0x0009
010876: Jan 5 16:27:12.293 AZT: EAP code: 0x2 id: 0x1 length: 0x0009 type: 0x1
0AD05290:                   01000009 02010009          ........
0AD052A0: 01746573 74                          .test
010877: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
010878: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
010879: Jan 5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
010880: Jan 5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
010881: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: ssid              [282] 8
010882: Jan 5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
010883: Jan 5 16:27:12.305 AZT: RADIUS: AAA Unsupported Attr: interface         [175] 3
010884: Jan 5 16:27:12.305 AZT: RADIUS:   36                                               [6]
010885: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010886: Jan 5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
010887: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
010888: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): sending
010889: Jan 5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
010890: Jan 5 16:27:12.305 AZT: RADIUS: authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
010891: Jan 5 16:27:12.305 AZT: RADIUS: User-Name           [1]   6   "test"
010892: Jan 5 16:27:12.305 AZT: RADIUS: Framed-MTU          [12] 6   1400
010893: Jan 5 16:27:12.305 AZT: RADIUS: Called-Station-Id   [30] 16 "0019.3075.e660"
010894: Jan 5 16:27:12.305 AZT: RADIUS: Calling-Station-Id [31] 16 "d8b3.7759.0488"
010895: Jan 5 16:27:12.305 AZT: RADIUS: Service-Type        [6]   6   Login                     [1]
010896: Jan 5 16:27:12.305 AZT: RADIUS: Message-Authenticato[80] 18
010897: Jan 5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64 [??b?8??0:C????Cd]
010898: Jan 5 16:27:12.305 AZT: RADIUS: EAP-Message         [79] 11
010899: Jan 5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
010900: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port-Type       [61] 6   802.11 wireless           [19]
010901: Jan 5 16:27:12.305 AZT: RADIUS: NAS-Port            [5]   6   664
010902: Jan 5 16:27:12.309 AZT: RADIUS: NAS-Port-Id         [87] 5   "664"
010903: Jan 5 16:27:12.309 AZT: RADIUS: NAS-IP-Address      [4]   6   192.168.16.49
010904: Jan 5 16:27:12.309 AZT: RADIUS: Nas-Identifier      [32] 11 "router871"
010905: Jan 5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4

1240AG as WDS & Local Radius Server

Similar Messages

Maybe you are looking for