DOT11-3-TKIP_MIC_FAILURE_REPEATED - PEAP with 1131AG and IntelPro Wireless

Similar Messages

• My time capsule connotes only with ethernet and not wireless why?

  my time capsule connotes only with ethernet and not wireless why?

  Firstly, try a factory reset. This can often iron out problems like this.
  Also, what generation is your TC? What version of AirPort Utility are you using?

• PEAP with OTP and XP/ XP SP1

  I have been trying to install a 350 PCMCIA card on a laptop running XP SP 1. However, I cannot get it to work reliably.
  I set up the XP networking profile for PEAP and GTC
  I set up the ACU for Host based EAP and Dynamic WEP.
  The process is slow to bring up the authentication screen, but it works, including authentication and encyption. However, if the PC is put in suspend mode, then again it can take up to a minute for the authentication screen to pop up. Then the first authentication always fails, but the second attempt is successful. Any ideas?
  Also, does anybody know how to verifiy whether WEP is operating at 40 bit or 128 bit?
  Has anybody got this working on a laptop running just XP with no SP installed?
  Thanks for your help.

  what version of ACU NDIS driver and firmware ???
  EAP always uses a 128 bit key but it is a dynamic session key not a static one
  For multicast traffic you need to configure on the AP at least one static key and this can be 40 or 128 but really recommend you use 128
  For PEAP on XP you must have the MS802.11 hot fix installed this can be done either via a service pack or as an indivual update but either way you must have it installed

• Problem with printer and laptop wireless connectio...

  Hi    In the last 2 months we have found that the only way we can get the wireless printer and the laptop to connect to the wireless hub is by switching off the hub and restarting it.  The printer will then print and the laptop connect to the internet but once either is switched off again the only way we can get the hub to 'talk' to them is by switching off the hub.  I have been in touch with BT advisors this morning but not really got anywhere.  The chap was going to change the BT frequency but we have a Hub 3 so I don't think this is relevant.  Apparently we have got a good broadband speed.  I am not technical in any way but logic dictates it must be a hub problem.  Has anyone had similar problems - or any ideas.   The main tower PC has not had problems so far but we have noticed that short videos have been so slow that at times they freeze. Again this is very recent.   Many thanks.

  Hi Bob - not sure where Neener went nor if his issue was sorted out, but I'm stuck in the same place.  The manual for the printer tells me to select a WLAN network and put the printer in SES/WPS/AAOS mode - which I did.  Then it, in theory, went looking wirelessly for my Airporter Extreme.  It thought for 3 minutes and then came back with "No Access Point".  The AE is working fine, but the printer can't find it. 
  And another weird issue is that when I installed the drivers from the CD that came with the printer, it doesn't show up anywhere on my computer - nor does it show up as an option to add the printer.  It's just  non-existent.
  Here are the details....
  Printer: Brother HL-3070cl
  MacbookPro: 10.6.7
  Router: Airport Extreme
  Wireless mode: Create a wireless network
  Wireless security: WPA2 Personal (is that ok even if this is for a business?)
  Connect using: ethernet
  Configure IPv4: Using DHCP
  Any help you can offer me would be SO appreciated.  I'm pulling my hair out and have been trying to figure this out for nearly 2 hours now!!
  THanks,
  K

• Connection drops with arch64 and atheros wireless

  Hi, I've just installed arch64 on my desktop. I have a dlink dwa-556 wireless adapter, with atheros chipset. The card is seen correctly and has been configured. I started a kdemod install with pacman, went on for about an hour, and then it hung, the wireless connection dropped... I tried to start it up again, but only a reboot could help... now I started pacman again and after some minutes bang! connection dropped again...
  this is what iwconfig says
  wlan0 IEEE 802.11bgn ESSID:CUT
  Mode:Managed Frequency:2.432 GHz Access Point: Not Associated
  Tx-Power27dBm
  [cut]
  Link Quality:0 Signal level:0 Noise level:0
  [rest is all 0]
  iwlist says my router has a quality of 30-40/100 and a signal level of around -76dBm
  any help?
  edit: typo on title
  Last edited by sunriis (2009-02-19 18:45:04)

  I think I may be experiencing something similar. I'm also running Arch64 and have the exact same adapter (DWA-556) and every once in a while my wireless connection drops. It only happens once every few days or so, but whenever it happens on my system it seems to cause anything Xorg-related (mouse, keyboard, video) to respond slowly. If I move the mouse around it doesn't move smoothly - it kind of jerks and jumps around.
  Whenever the connection drops like this, I see the something like the following in /var/log/messages.log:
  Feb 16 17:07:26 blacktower dhcpcd[19326]: ath0: carrier lost
  The first couple of times this happened to me, I had to reboot to get the connection going again. I did find another way to get the connection working, though. What I did was unload the modules related to the wireless adapter, reload them, and then reconnect to the network. I wrote a quick shell script to do this for me, which looks like this:
  #!/bin/sh
  sudo rmmod ath_pci ath_rate_sample ath_hal
  sudo modprobe ath_pci
  sudo modprobe ath_hal
  sudo netcfg -d home
  sudo netcfg home
  I'm using the madwifi driver right now and as you can see, I use netcfg to connect to my wireless network here. I've tried the ath5k driver but I seem to have the same issue with that. I haven't really found a solution to this yet, but the workaround of removing the modules, reloading them, and then reconnecting has worked well enough so far. If I dig up anything else helpful on this, I'll be glad to post it here.

• Loyal customer very frustrated with Verizon and Verizon wireless

  Moved to Off Topic board

  Early Edge works by having you turn in the phone on the line that is early edge upgraded.  You then start paying for the full cost of that phone over 24 months, sooner once you get to 75% paid off on that phone, where you can trade it in and start again on another phone, but you will have lost the money already paid up to 75%.  When you trade in the phone for Early Edge and then trade in the new phone for edging up, the phones must be in perfect working order with no damage of any kind.
  The money "saved" comes from being on Edge where, if the phone is on a plan with 6GB or more data, you save $25 per month on each Edge phone, $15 if on a plan with less than 6GB.  However, you turn around and put that $25 back onto the phone payment each month, so you DO save $25/$15 but you basically break about even on a 6GB and greater plan after the phone cost.
  BUT, in the end, if you get a better, more reliable signal from ATT, and you have an awful signal with VZW, you might consider a switch, but you'd have a large sum of ETFs at this point to cancel all 5 lines.  There are also special stipulations as to who and when one can Edge up or start Early Edge, such as 6 months straight on-time payments.
  Verizon Edge FAQs | Verizon Wireless
  Early Edge is basically just starting the Edge plan early, so the above page should answer a lot of the questions regarding eligibility. Be warned however, that there are a lot of people with issues who decided to take advantage of this program, namely the trade-in process of sending old phones back and then finding charges on their bill for phones that were "not" received at the warehouse.
  It is my opinion that you should not go this route, because if you have less than stellar service now, you are setting yourself up for possible frustration and another 2 years of disappointment.

• Conflict with WRT160N and Windows Wireless Network Connection

  I have a WRT160N router connected to a Verizon FIOS cable modem with five computers (all Windows based) wirelessly connected to the N router.  Four of the computers auto detect the N router connection when the computer starts up using Windows Wireless Network Connection and operate well.  One of the computers, which is the only one running Easylink for router configuration, will not connect through the Wireless Network Connection.  I have to use Easylink to manually connect.  The WNC gives a msg that Windows cannot configure this wireless connection and to configure the wireless connection using Wireless Zero Configuration service.  When I configure WZC correctly the WNC sees all available networks and allows me to select the Advanced Wireless checkbox to allow Windows to connect to the wireless network.  However, when I reboot the computer none of the configuration parameters are saved and I am back to manually connecting using Easylink and going through the entire process again.   Any suggestions?    Thx  

  Uninstall the EasyLink and connect manually. I think EasyLink 3.0 or later is coming soon ..
  For information on upgrading the firmware on the linksys routers :
  http://linksysfirmwares.googlepages.com/upgradingfirmware
  For information on wireless security :
  http://linksysfirmwares.googlepages.com/wirelesssecurity
  C | EH
  linksyshelp.blogspot.com

• PEAP with Intel Centrino

  Hi
  I have a Toughbook from Pansonic. We use want to use peap with acs and ap 1200. with cisco cards everything works. on the nb we use windows 2k NOT XP with the 802.1x patch from ms. and the latest intel pro set 7.1.1 there you can configure PEAP click on the right ca and enter the MSCHAP2 username and password. but it doesnt work. when i just enter static wep 111111 as a profil in the intel pro and configure peap on the OS (2k) with the patch it works. I have also configured LEAP with the Intel pro and that works fine. but not peap. i have also entered the roaming identity as the AD username. if i dont enter anything there i can see on the radius debug on the ap that the username is the mac of the intel centrino card.
  does anybody have same issues? whats the solution, dont use intel pro set? =:-)
  regards Bernhard

  Hello,
  I use PEAP with WIN2K (SP4)and Centrino INTEL 2100 B card.
  You must install the PEAP supplicant from Cisco ACU
  version 6.2. Then can you use Intel ProSet, but you must select "PEAP".
  The authentication works fine , but I get never a DHCP address. If I use a Cisco PCMCIA card 350 it works fine.The different in both situation is, in case of use INTEL card, the broadcast flag is set to 1 in the Discover message.
  regards Ulrich

• PEAP with MAC authentication

  I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user using the mac address as both the username and password. When I connect to my access point it prompts me to enter a username and password, you normally would enter your Active Directory account here but I noticed that if you just enter your MAC Address as the username and password you can get onto the network. Isnt this a security hole? An attacker could basically "sniff" the air for MAC addressess since these are not encrypted. He could then easily spoof his mac address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?

  Hi,
  You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
  This basically binds a clients MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS so you are effectively binding users to MAC addresses from allowed Access Points.
  The MAC address could probably still be sniffed however this would not be enough to allow a login to the network.
  It's configured on a per user basis
  If you edit a user, scroll down to the
  "Define CLI/DNIS-based access restrictions" and tick the box
  Select the AP to which you will permit the client MAC from in the "AAA Client" drop down
  enter "*" for the port
  and enter the MAC address in the Address field
  I can't quite remeber the format of the mac address but i think it need to be in HHHH.HHHHH.HHHH
  There's a white paper on it here:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
  HTH
  Paddy

• Constant disconnect with centurytel and wrt54gs

  I set up dsl for my parents with centurytel, and linksys wireless router.
  they can get online fine but seems like while they are surfing it constantly drops the internet connection. if you go to 192.168.1.1 it shows disconected and you have to either wait for it to reconnect or just hit the connect button.
  I have it set up with auto dhcp  and the router is set to 192.168.2.1 I have centurytel at my house and work with no problems what so ever,  any ideas to remidy this?
  I have gotten router update already, checked to make sure all the dsl filters are on all the phone lines. rechecked all the settings, reset both modem and router and started from scratch ect ect. is there something Im missing. 
  Thanks, John

  Connect a computer straight to the modem and check for a static connection...If that does not diconnect you, download the firmware for your router from here , re-connect your modem==>router==>computer...
  Follow these steps to upgrade the firmware on the device: -
  Open an Internet Explorer browser page.In the address bar type - 192.168.1.1
  Leave username blank & in password use admin in lower case...
  Click on the 'Administration' tab- Then click on the 'Firmware Upgrade' sub tab- Here click on 'Browse' and browse the .bin firmware file and click on "Upgrade"...
  Wait for few seconds until it shows that "Upgrade is successful"  After the firmware upgrade, click on "Reboot" and you will be returned back to the same page OR it will say "Page cannot be displayed".
  Press and hold the reset button for 30 seconds...
  Then, unplug the power keep holding down the reset button for another 30 Seconds...
  Plug the power back in, and keep holding down the reset button for 30 Seconds...
  Release the reset button...Click here and follow the link to re-configure your router...Connection should be fine...

• PEAP with Novell NDS and LDAP?

  I was reading this Cisco Q&A doc (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item0900aecd801764fa.shtml) that contained the following question and answer:
  Q. Can I use PEAP with LDAP or Novell NDS databases?
  A. Yes. PEAP provides interoperability with both LDAP and Novell NDS.
  I was under the impression that LDAP and Netware only supported EAP-GTC, EAP-Fast (phase 2 only), or EAP-TLS???
  Can anyone comment?

  Getting 802.1x to work with novell using PEAP w/ GTC is a slam dunk with some exceptions. I'm using Cisco ACS with Backend connection to NDS. If you have XP clients you can easily use the Cisco PEAP supplicant to allow connecting with EAP-GTC. I ran into problems with the mixture of cards and Client OS. I turned to Funk Odyssey Client to solve all my problems on the clients.

• Frequent disconnect using peap wpa2 with aes and tkip

  I got frequent disconnect for the users on wireless using peap wpa2 with aes and tkip.
  My network is setup with :
  -Wireless controller 4404
  -ACS 4.0
  -28 access point 1131g
  -Peap authentication with active directory windows 2003
  -windows xp - mschap2 with aes- tkip
  when i check only aes on the wireless controller 4404 the network user are able work in a stable condition

  This might similar to the bug where Wireless phones dont associate if WPA2 is configured with both AES/TKIP. In this case try to upgrade the controller.

• PEAP config with ACU and 350 Nic

  I am trying to config PEAP with a 350 Nic on a Win2K SP4 machine. I can get LEAP to work, but I never see the option to choose PEAP under the Network Security Tab.
  I am using ACU verizon 6.3.011, latest version from Cisco. I removed it completely, the shutdown, then reinstalled choosing PEAP from the custom setup menu. However, I never see PEAP as a choice.
  I am running ACS ver 3.2 and have PEAP setup with a self generated Cert.
  How do I choose PEAP from ACU? of is it supposed to be chosen from withing Win, if so, where, I looked everywhere.
  Seth

  I have this config running in production right now. PEAP was difficult to setup and get working. Mainly due to the certificates. I had to load a Microsoft CA server and generate certs for both my ACS servers. Then you have to import them into the pc's using the MMC.exe. Make sure you add the certs to the "computer account" .
  Steps are:
  1) goto RUN and enter mmc.exe
  2) ctrl+m (add snap-in)
  3) Add certificates snap-in under computer account and local computer
  4) Expand the list on the left, highlight "Trusted root certification authorities" , left-click, all tasks, import.
  5) Follow the wizard, browse your cert file and import under "Trusted Root certification Authorities"
  6) Import all the certs this way, you should have two if you have two ACS servers for redundancy, as I do.
  7) Then once in the PEAP setup in the windows auth tab, you'll need to select these certs to activate them. They should now be in that list after the import.
  There are also some sticky settings on the ACS servers. This took me about 8months to get working correctly with trial-n-error, testing, production runs and TAC cases. Feel free to email me if you want to take this offline.
  I feel your pain.
  jk

• An issue with authentication and authorization on ISE 1.2

  Hi, I'm new to ISE.
  I have an issue with authentication and authorization.
  I have ISE 1.2 plus patch 6 installed on VMware.
  I have built-in Windows XP supplicant and 2960 cisco switch with IOS c2960-lanbasek9-mz.150-2.SE5.bin
  On supplicant I use EAP(PEAP) with EAP-MSCHAP v2.
  I created  authentication and authorization rules with Active Directory  as External Identity Source. Also I applied  authorization profile with DACL.I login on Windows XP machine under different Active Directory accounts. Everything works fine (authentication, authorization ), but only for several hours. After several hours passed , authentication and authorization stop working . I can see that ISE trying authenticate and authorize users, but ISE always use only one account for  authentication and authorization . Even if I login under different accounts ISE continue to use only one last account.
  I traied to reboot switch and PC,but it didn’t help. Only rebooting of ISE helps. After ISE rebooting, authentication and authorization start to work properly for several hours.
  I don’t understand is it a glitch or I misconfigured ISE or switch, supplicant?
  What  should I do to resolve this issue?
  Switch configuration:
   testISE#sh runn
  Building configuration...
  Current configuration : 7103 bytes
  ! Last configuration change at 12:20:15Tue Apr 15 2014
  ! NVRAM config last updated at 10:35:02  Tue Apr 15 2014
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname testISE
  boot-start-marker
  boot-end-marker
  no logging console
  logging monitor informational
  enable secret 5 ************
  enable password ********
  username radius-test password 0 ********
  username admin privilege 15 secret 5 ******************
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
   client 172.16.0.90 server-key ********
  aaa session-id common
  clock timezone 4 0
  system mtu routing 1500
  authentication mac-move permit
  ip dhcp snooping vlan 1,22
  ip dhcp snooping
  ip domain-name elauloks
  ip device tracking probe use-svi
  ip device tracking
  epm logging
  crypto pki trustpoint TP-self-signed-1888913408
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1888913408
   revocation-check none
   rsakeypair TP-self-signed-1888913408
  crypto pki certificate chain TP-self-signed-1888913408
  dot1x system-auth-control
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  ip ssh version 2
  interface FastEthernet0/5
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/6
   switchport mode access
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan 1
   authentication event server alive action reinitialize
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  interface FastEthernet0/7
  interface Vlan1
   ip address 172.16.0.204 255.255.240.0
   no ip route-cache
  ip default-gateway 172.16.0.1
  ip http server
  ip http secure-server
  ip access-list extended ACL-ALLOW
   deny   icmp any host 172.16.0.1
   permit ip any any
  ip radius source-interface Vlan1
  logging origin-id ip
  logging source-interface Vlan1
  logging host 172.16.0.90 transport udp port 20514
  snmp-server community public RO
  snmp-server community ciscoro RO
  snmp-server trap-source Vlan1
  snmp-server source-interface informs Vlan1
  snmp-server enable traps snmp linkdown linkup
  snmp-server enable traps mac-notification change move
  snmp-server host 172.16.0.90 ciscoro
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 6 support-multiple
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  radius server ISE-Alex
   address ipv4 172.16.0.90 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key ******
  ntp server 172.16.0.1
  ntp server 172.16.0.5
  end

  Yes. Tried that (several times) didn't work.  5 people in my office, all with vers. 6.0.1 couldn't access their gmail accounts.  Kept getting error message that username and password invalid.  Finally solved the issue by using Microsoft Exchange and "m.google.com" as server and domain and that the trick.  Think there is an issue with imap.gmail.com and IOS 6.0.1.  I'm sure the 5 of us suddently experiencing this issue aren't the only ones.  Apple will figure it out.  Thanks.

• Problem with EAP and RADIUS

  Hi *,
    I have the following problem with RADIUS and EAP authentication.
  Radius server sends an "Access-Accept" packet to my AP, but the station does not authenticate.
  I've tried with different encryption configuration and with different authentication methods under "dot11 essid", but nothing changes...
  What could it be?
  Debug piece and configuration follows:
  *Jan 25 14:23:34.795: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.795: RADIUS(00000012): sending*Jan 25 14:23:34.799: RADIUS:   4E 47 56 7A 78 65 4A 4F 55 31 47 40 77 6C 61 6E  [NGVzxeJOU1G@wlan]*Jan 25 14:23:34.799: RADIUS:   2E 6D 6E 63 30 30 31 2E 6D 63 63 30 30 31 2E 33  [.mnc001.mcc001.3]*Jan 25 14:23:34.799: RADIUS:   67 70 70 6E 65 74 77 6F 72 6B 2E 6F 72 67        [gppnetwork.org]*Jan 25 14:23:34.799: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.799: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.799: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.799: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:34.811: RADIUS/DECODE: EAP-Message fragments, 20, total 20 bytes*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:34.831: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:34.831: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:34.831: RADIUS:   32                                               [2]*Jan 25 14:23:34.831: RADIUS(00000012): Config NAS IP: 192.168.173.2*Jan 25 14:23:34.831: RADIUS/ENCODE(00000012): acct_session_id: 17*Jan 25 14:23:34.835: RADIUS(00000012): sending*Jan 25 14:23:34.835: RADIUS:   10 01 00 01 07 05 00 00 D9 37 C3 D9 79 3E 33 EA  [?????????7??y>3?]*Jan 25 14:23:34.835: RADIUS:   F3 7D 73 43 BF BA D0 6A                          [?}sC???j]*Jan 25 14:23:34.835: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:34.835: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:34.835: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:34.835: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.035: RADIUS: Received from id 1645/64 192.168.177.158:1812, Access-Challenge, len 304*Jan 25 14:23:35.039: RADIUS:   46 10 78 5F 5F B0 CB 6C 0B 05 00 00 DA C3 BF 28  [F?x__??l???????(]*Jan 25 14:23:35.039: RADIUS:   E0 18 2B 95 97 C2 0A D7 40 53 FE 62              [??+?????@S?b]*Jan 25 14:23:35.039: RADIUS(00000012): Received from id 1645/64*Jan 25 14:23:35.039: RADIUS/DECODE: EAP-Message fragments, 60+220, total 280 bytes*Jan 25 14:23:35.355: RADIUS/ENCODE(00000012):Orig. component type = DOT11*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: ssid              [265] 8   *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41                                [WifiEA]*Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface         [157] 3   *Jan 25 14:23:35.359: RADIUS:   92 DA 5E 26 CF 40 01 22 7A 8E F5 C1              [??^&?@?"z???]*Jan 25 14:23:35.359: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]*Jan 25 14:23:35.359: RADIUS:  NAS-Port            [5]   6   265                       *Jan 25 14:23:35.359: RADIUS:  NAS-Port-Id         [87]  5   "265"*Jan 25 14:23:35.359: RADIUS:  NAS-IP-Address      [4]   6   192.168.173.2             *Jan 25 14:23:35.367: RADIUS: Received from id 1645/65 192.168.177.158:1812, Access-Accept, len 30*Jan 25 14:23:35.367: RADIUS:  authenticator 8C 2C 1B 97 82 BB 6C 7F - AA D3 4A AB CA 22 8B B7*Jan 25 14:23:35.367: RADIUS:  EAP-Message         [79]  10  *Jan 25 14:23:35.367: RADIUS:   03 01 00 04 00 00 00 00                          [????????]*Jan 25 14:23:35.371: RADIUS(00000012): Received from id 1645/65*Jan 25 14:23:35.371: RADIUS/DECODE: EAP-Message fragments, 8, total 8 bytes*Jan 25 14:23:35.671: %DOT11-7-AUTH_FAILED: Station d023.dbb8.d6a9 Authentication failed
  Config:
  aaa new-model!aaa group server radius rad_eap server-private 192.168.177.158 auth-port 1812 acct-port 1813 key 7 044803071D2448!aaa authentication login eap_methods group rad_eapaaa authorization exec default if-authenticated aaa authorization network default if-authenticated !         aaa session-id commonip name-server 192.168.177.45!                dot11 ssid WifiEAP1   vlan 10   authentication open eap eap_methods    authentication shared eap eap_methods   authentication key-management wpa optional   guest-mode!         bridge irb!         interface Dot11Radio0 no ip address no ip route-cache !        encryption vlan 10 mode ciphers aes-ccm tkip wep128 !        broadcast-key vlan 10 change 300 !        ssid WifiEAP1 !        antenna gain 0 station-role root!         interface Dot11Radio0.10 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!         interface GigabitEthernet0 ip address 192.168.173.3 255.255.255.0 no ip route-cache!         interface GigabitEthernet0.1 encapsulation dot1Q 10 native no ip route-cache bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!         interface BVI1 ip address 192.168.173.2 255.255.255.0 no ip route-cache!ip radius source-interface BVI1 bridge 1 route ip
  thanks so much!

  Stefano: not sure if related but there is an unsupported attribute in the debugs:
  Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr:
  *Jan 25 14:23:35.355: RADIUS:   57 69 66 69 45 41
  *Jan 25 14:23:35.355: RADIUS:  AAA Unsupported Attr: interface
  Try to eliminate any configured attributes on radius except those in IETF radius. Then try again.
  You may also chech by removing the shared eap as suggested above. Let us know if this works.
  Sent from Cisco Technical Support iPad App