Explanation RADIUS server failed to respond to request for STA

Hi all,
I have configured WLC 5508 to access through FreeRadius. Login is working fine, but I see a lot of warning messages like:
WLC_5508_SECONDARY: *radiusTransportThread:  #AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:472 RADIUS server X.X.X.X:X failed to respond to request(ID 28) for STA 40:83:de:3e:ee:81 / user '4083de3eee81'
In the Cisco System Messages I've found:
Explanation    RADIUS server failed to respond to request for STA.
Recommended Action    No action is required.
Is there a solution?
Thanks
Marco

I think you've not configured the WLC as a RADIUS client on the RADIUS server, or the RADIUS shared secret is incorrect.
 http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Similar Messages

  • WLC log RADIUS server failed to respond to request

    I keep getting the same couple of MACs failing. I was hoping somebody has more insight about this. The Radius server is pingable from the WLC. People are authenticating. Please let me know what logs I should provide. Thank you in advance.
    Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'
    Thu Feb 20 16:22:06 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'
    Thu Feb 20 16:22:00 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 75) for client 24:77:03:26:86:7c / user 'unknown'
    Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'
    Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'
    Thu Feb 20 16:21:59 2014  RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'

    You should look at the ACS logs as that will give you a better idea of the failure.
    Sent from Cisco Technical Support iPhone App

  • Safari cannot open the page as the server fails to respond

    Safari cannot open the page as the server fails to respond? I am getting this message and Safari is not working.

    My 2nd gen works fine with WPA2 and AES encryption.
    You may need to go back and start over.  Reset the router back to factory defaults, log on as the admin, set up security, DHCP, and make sure the IP address pool has enough IP addresses to lease to ALL of the computers/devices that will connect to the router.

  • (Target failed to respond in time for a logout request) - - - Two nodes' iSCSI initiators are not able to connect simultaneously

    Environment
    OS = Windows 2003R2
    Iscsi initiator = 2.0.8
    Microsoft Iscsi Target = 3.3
    Error in event viewer = Target failed to respond in time for a logout request.
    Source iScsiPrt, Event ID 44
    Problem
    I have two systems with Win2003 R2 installed with Iscsi initiator 2.0.8. One Iscsi initiator is connected with the target, but when I connect the second system, the system is not able to connect and gives me the login error mentioned above. I disconnect the connected system (the system which is connected with the Windows target) and connect the system which is failing to connect with the Windows target; this time the failing system is able to connect with the Windows target.
    My workaround
    I restarted the system which is connected with the Windows target. While restarting the system, I connected the other system, which then connected successfully. Now, this time, when both systems are up and running, both systems' iSCSI initiators are connected with the Windows target.
    Any comment will be appreciated. Thanks. Zahid Haseeb.

    Hi Zahid,
    Have you tried the suggestion above?
    Please feel free to let us know if the issue persists.
    Best Regards,
    Amy Wang

  • Visio - bug - The server failed to process the request

    Hi
    When uploading a visio diagram into one of our sharepoint document libraries we then get a 'The Server failed to process the Request' error when we then try and view the document in the Web Browser. Does anyone know how to fix this?
    Thanks

    I understand that this is an old thread. The following might be useful to other readers engaging this issue in the future.
    I experienced the same error message when provisioning a new instance of the Visio Graphics Service application for a new farm.  I first tested the approach presented by sjb500 and found that this approach did resolve the problem.  I then explored using a more limited permission approach.  Over the course of several attempts, I eventually found that I only need map the application pool identity to the SPDataAccess role to resolve the problem:

  • ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.

    I'm trying to connect to my Azure subscription via PowerShell on my machine but keep getting the following error when I run a command:
    ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated  with this subscription.
    The steps I have taken so far are:
    1. get settings file
    Get-AzurePublishSettingsFile
    2. Import settings file
    Import-AzurePublishSettingsFile -PublishSettingsFile "C:\Users\me\Downloads\credentials.publishsettings"
    3. I then run Get-Azuresubscription with the following output:
    SubscriptionId : 699385c3-b83a-44af-a651-bxxxxxxxxx
    SubscriptionName : Windows Azure MSDN - Visual Studio Premium
    Environment : AzureCloud
    SupportedModes : AzureServiceManagement
    DefaultAccount : 3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4
    Accounts : {3B68902B5170D5EC91BFCBE4CC27E2A8838F61C4, 26B118D7F3C598FB8FE9CDC49AB5DE5E450C967C,
    03E1E1F0B8C7717F11FB58A14138C35524AB3F8D, 9A2E1FD267ECCC0E9B8C151BD931FC4824E89184...}
    IsDefault : True
    IsCurrent : True
    CurrentStorageAccountName :
    TenantId :
    I run Get-AzureAccount and get the following:
    Id Type Subscriptions Tenants
    3B68902B5170D5EC91BFCBE4CC27E2 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
    A8838F61C4
    26B118D7F3C598FB8FE9CDC49AB5DE Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
    5E450C967C
    03E1E1F0B8C7717F11FB58A14138C3 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
    5524AB3F8D
    9A2E1FD267ECCC0E9B8C151BD931FC Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
    4824E89184
    85AD02CB8EB8AB20CF2C44FD9D19F2 Certificate 699385c3-b83a-44af-a651-xxxxxxxxx
    9B6BB2FCD2
    Finally, when I try to run Get-AzureSQLDatabaseServer, to list my databases, I get this error:
    WARNING: Client Session Id: '5911f288-7b02-4c94-bb9d-37b9ea5fc187-2015-01-13 11:47:54Z'
    WARNING: Client Request Id: '3e5f7ea9-092a-46fd-a6a6-6916b9161b77-2015-01-13 15:25:41Z'
    Get-AzureSqlDatabaseServer : ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated
    with this subscription.
    At line:2 char:1
    + Get-AzureSqlDatabaseServer
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-AzureSqlDatabaseServer], CloudException
    + FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.SqlDatabase.Server.Cmdlet.GetAzureSqlDatabaseServer
    I would appreciate any help in figuring out what I am doing wrong here.
    Thanks,

    OK. That won't work in Azure Automation though, as mentioned above. OrgID (recommended) or cert-based auth will need to be used. PublishSettings file won't work.
    Correct, but the original question was:
    <Quote>
    Im trying to connect to my azure subscription
    via powershell on my machine 
    </Quote>
    I wanted to test the automation script's core functionality without having to wait for the very, very long time taken for an automation runbook to spin up, actually run and provide output (can often take 2+ minutes for a trivial script). Although I can't run Workbooks on my PC, I can run the core modules (view virtual machines, databases etc) to ensure my logic is sound.

  • The Server failed to retrieve the requested data

    I used to be able to open this site with firefox. I haven't been able to open it for 2 days. It does open in internet explorer.

    This appears to be an error message which has it roots in MS DTC, Microsoft Distributed Transaction Coordinator.
    This indicates that you somewhere manage to get a distributed transaction. This could be because of two things:
    1) There are triggers on the tables that accesses linked server.
    2) Your client code dabbles with some transaction class, like TransactionScope or similar.
    Erland Sommarskog, SQL Server MVP, [email protected]

  • Proxy Server "freeze" when are not request for a long time

    Hi... I have the following problem that I can't find a solution for yet.
    My context is:
    - Sun Java Web Proxy Server v4.0.5
    - Sun Java ONE Directory Server, where I have my users that can use the proxy
    - between these servers I use a self-signed certificate
    The problem is (history):
    - I start the server and start a browser; it asks for user and pwd; I give them and all is OK
    - I can access the www without problems
    - I finish my work and go home, but the proxy keeps running (but nothing is using it)
    - when I come to work again, I start the browser and the proxy asks for user and pwd; I give them, but it keeps giving the browser default page without results.
    The only way I can make the proxy server work again is by restarting it.
    In my access log I have the following when I try to connect and it doesn't work:
    100.0.4.145 - [24/Aug/2007:08:11:55 -0300] "GET http://www.google.com/HTTP/1.1" 407 - - - - - - - - - -
    In my directory log I don't have a request at this time.
    How could this be? :(
    Thanks in advance

    Hi... I cannot resolve this yet, but I can see the HTTP headers when this problem happens...
    For example:
    URL: http://www.google.com/
    Request: GET http://www.google.com/ HTTP/1.1
    Host: www.google.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041215 Firefox/1.0 Red Hat/1.0-12.EL4
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Proxy-Connection: keep-alive
    Cookie: PREF=ID=7ed5b832324f7935:TM=1159373905:LM=1187742924:GM=1:S=xYVfSPR3P8b-qCLa; GTZ=0; rememberme=false
    Response: HTTP/1.x 407 Proxy Authentication Required
    Server: Sun-Java-System-Web-Proxy-Server/4.0
    Date: Tue, 18 Sep 2007 11:13:41 GMT
    Content-Length: 146
    Content-Type: text/html
    Proxy-Authenticate: Basic realm=""
    Connection: close
    So... I looked in the specification for HTTP 1.1 (RFC 2068, if I'm not wrong): when the server receives a request that needs authentication of the client, it responds with a "request" for this authentication, so the client sends it...
    I think that this response from the server, saying that the client needs to authenticate, is the response with HTTP code 407, but the RFC says that the parameter Proxy-Authenticate is like Proxy-Authenticate: Basic realm="string_here" where "string_here" is an id defined by the server.
    So... should the string in "realm" not be different from empty (null)? :(
    Thanks in advance :)

  • The Internet Transaction Server failed to generate the response for current

    Hi all,
    With reference to the thread Re: Interpreter failed error message while raising Shopping Cart. posted by Askhay kumar, we are facing the same issue but not yet resolved.
    Checked points:
    1) We republished all the templates
    2) TCP/IP RFCs are all working fine
    But the ABAP dumps says:
    UNCAUGHT_EXCEPTION
    Error analysis                                                             
    An exception occurred. This exception is dealt with in more detail below   
    . The exception, which is assinged to the class 'CX_BBP_PD_ABORT', was not 
    caught,                                                                   
    which led to a runtime error.                                              
    The reason for this exception is:                                          
    Incorrect status in pricing                                                
    The termination occurred in the ABAP program "SAPLBBP_PDH" in "BBP_PD_ABORT".   
    The main program was "SAPLBBP_SC ".                                                                               
    The termination occurred in line 67 of the source code of the (Include)         
    program "LBBP_PDHU08"                                                          
    of the source code of program "LBBP_PDHU08" (when calling the editor 670).      
    Can anybody provide some suggestions ASAP please?
    Thanks
    Mani

    Please check this
    CX_BBP_PD_ABORT error selection itens in SC

  • Radius server 00.00.00.00 deactivated in global list

    Hi
    We are unable to authenticate the users connecting to the WLC over EAP-FAST from the ACS 5.1.
    AD is integrated with the ACS....
    The error message appearing on the WLC is: Radius server deactivated in global list
    Radius server failed to respond to request(ID:xx) for client xx:xx;xx:xx:xx:xx:xx
    I found that a problem with a time skew error happens between the AD and ACS. But after I configured an NTP server on the ACS, the problem still exists.
    I removed the controller from the ACS and added it back; the same thing was done on the controller (reconfigured AAA settings).
    But the problem is not resolved.
    Thanks
    Subhash

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
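The quoted Cisco text turns on whether the server is unresponsive only to particular clients, so a useful first check is to group the controller's timeout messages by station. The following is an added example, not code from the thread or from Cisco; it parses both message shapes quoted on this page, and the sample lines are copied from the posts above.

```python
import re
from collections import Counter, defaultdict

# Matches both shapes seen on this page: "... for client <mac>" and "... for STA <mac>".
TIMEOUT_RE = re.compile(
    r"RADIUS server (?P<server>\S+) failed to respond to request\s*"
    r"\(ID (?P<req_id>\d+)\) for (?:client|STA) "
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}) / user '(?P<user>[^']*)'"
)

# Sample input: trap-log and syslog lines as posted on this page.
SAMPLE_LINES = [
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 78) for client 3c:a9:f4:42:11:a0 / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 77) for client 24:77:03:20:78:d0 / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 76) for client 24:77:03:d0:bd:b4 / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 75) for client 24:77:03:26:86:7c / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 74) for client 24:77:03:20:78:d0 / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 73) for client 3c:a9:f4:42:11:a0 / user 'unknown'",
    "RADIUS server 10.4.120.251:1812 failed to respond to request  (ID 72) for client a0:82:1f:d8:24:02 / user 'unknown'",
    "*radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 "
    "RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'",
]


def parse_line(line):
    """Return the fields of one timeout message, or None for any other line."""
    match = TIMEOUT_RE.search(line)
    if match is None:
        return None
    event = match.groupdict()
    event["req_id"] = int(event["req_id"])
    event["mac"] = event["mac"].lower()
    return event


def summarize(lines):
    """Count timeouts per RADIUS server and, within each server, per station MAC."""
    per_server = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            per_server[event["server"]][event["mac"]] += 1
    return {
        server: {"total": sum(counts.values()), "clients": dict(counts)}
        for server, counts in per_server.items()
    }


def repeat_clients(summary, server, min_count=2):
    """Stations that timed out at least min_count times against one server."""
    clients = summary[server]["clients"]
    return sorted(mac for mac, count in clients.items() if count >= min_count)


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for server, data in report.items():
        print(server, data["total"], "timeouts,", len(data["clients"]), "stations")
        print("  repeated:", repeat_clients(report, server))
```

Timeouts that stay concentrated on a handful of stations point at how the server treats those clients, which is the case the server's own logs will explain.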

  • WLC not integrating with Radius Server

    Hello world,
    I have the following situation:
    One WLC 2000 Series (software version 7.0.230.0) with multiple SSIDs; one is with 802.1x integrated with a Radius Server.
    Everything worked fine until a few days ago, when users were unable to log on via their certificates on Windows XP.
    The infrastructure didn't suffer modifications.
    What I have checked: Radius certification isn't expired, client certification isn't expired, the password between controller and Radius is correct.
    There are no ACLs between the WLC and the remote Server. I can ping the devices; other SSIDs on the same controller (wpa/psk) are working correctly.
    The APs are 1242.
    I have tried deleting the SSID and configuring it back. The OS on the Windows Server is 2003 Standard. The APs are configured H-Reap.
    I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
    The message logs received on WLC Trap Logs:
    RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
    The message from the debug dot1x aaa enable:
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
    *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
    *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
    The messages on Windows 2003 Standard:
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    User Y was denied access.
    Fully-Qualified-User-Name = xx.domain.com/Users_T/user
    NAS-IP-Address = X.X>X.X
    NAS-Identifier = Cisco_
    Called-Station-Identifier = ---------------------
    Calling-Station-Identifier = ---------------------
    Client-Friendly-Name = ---------------------
    Client-IP-Address = ---------------------
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 262
    Reason = The supplied message is incomplete.  The signature was not verified.
    Can anyone help with why I cannot log the users in via 802.1x?

    Okay that is good..... this is what I would do next.  I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screen shot of your polices (connection and network) so we can review it. 

  • Wlc 5508 radius authentication fail

    I am trying to set up a wireless LAN for the first time using a 5508. All is working to a point, until I try to set up client authentication using the following.
    So the settings are:
    Layer Wlan settings:
    Layer 2 security: WPA+WPA2
    AES
    Auth Key mgmt: 802.1x
    We have the authentication server enabled:
    IP and port are correct
    AAA override not enabled
    Order for authentication, radius only
    Advanced: default settings
    Radius authentication servers:
    Call Station ID Type: IP address
    MAC Delimiter: Colon
    Network User
    Management
    Server Index
    Server Address
    Port
    IPSec
    Admin Status
    Server Index
    Server Address
    Shared Secret Format
                     ASCII                 Hex              
    Shared Secret
    Confirm Shared Secret
    Key Wrap
      (Designed for FIPS customers and requires a key wrap compliant RADIUS server)
    Port Number
    Server Status
                     Enabled                  Disabled              
    Support for RFC 3576
                     Enabled                  Disabled              
    Server Timeout
      seconds
    Network User
    Enable
    Management
    Enable
    IPSec
    Enable
    *radiusTransportThread: Dec 21 12:07:46.488: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 115) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *radiusTransportThread: Dec 21 12:07:46.012: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 114) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    *Dot1x_NW_MsgTask_1: Dec 21 12:07:29.811: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:b9:d5:e1
    *radiusTransportThread: Dec 21 12:07:16.412: %AAA-4-RADIUS_RESPONSE_FAILED: radius_db.c:412 RADIUS server X.X.X.X:1812 failed to respond to request(ID 113) for STA 00:19:d2:b9:d5:e1 / user 'unknownUser'
    *Dot1x_NW_MsgTask_1: Dec 21 12:06:59.741: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3028 Max EAP identity request retries (3) exceeded for client 00:19:d2:b9:d5:e1
    Radius server occasionally sees attempts from user "XXZZYY"

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • RADIUS Server High Availability?

    Hi,
    I have two RADIUS servers in my network (one to be the failover serv) and one of them has been having problems, the server is not getting down but the radius service is getting crashed. Don't know why the failover server doesn't respond the authentication for the users if the books said that this is something automatic.
    Is there one command to allow the switch to recognize if the service is down in one of the radius servers and automatically use the other one to authenticate the users?.
    tks

    Hi,
    In switches you need to configure two radius servers along with the secret key, so as per the sequence in the IOS the requests will be directed to the radius servers.
    Below is the command to configure tacacs/radius servers in switches
    tacacs-server host 10.1.x.x
    tacacs-server host 10.2.x.x
    Hope that help out your query !!
    Regards
    Ganesh.H

  • WLC 5508 Radius Server

    what is the authentication list precedence for radius authentication?
    global list       network user checkbox
    per wlan        aaa server add
    global list       network user uncheck
    I have 3 radius servers, 2 of which are used for global authentication (all APs are hreap) and a 3rd one used only for 1 site. When the 2 first radius servers fail, the WLC uses the 3rd one, but the 3rd only has the database for 1 site's users.
    Do I need to uncheck the network user checkbox on the 3rd radius and create a hreap group, then associate the 3rd one? I don't want the 3rd radius to be available for the global list to take this as a normal global radius. Any comments?

    Osvaldo,
    Your observation is correct and this should be documented on the WLC help tab if you search for keyword network user under radius auth.
    Quote:
    Network User—Network user authentication check box. If this option is enabled, this entry is considered as the network user RADIUS authenticating server entry. If you did not set the RADIUS server entry on the WLAN configuration (WLANs > Edit > Security > AAA Servers), you must enable this option for network users.
    Management—Management authentication check box. If this option is enabled, this entry is considered as the management RADIUS authenticating server entry. If you enable this option, authentication requests go to the RADIUS server
    AAA server defined on WLAN takes precedence over global.

  • 1100 with Local Radius Server problems Atheros Client

    I have Local authentication turned on for the 1100 and am using the Atheros Client Utility configuring LEAP with username/password and it is failing; here is the debug from the 1100. Any help much appreciated.
    Xcon-ap1100#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Xcon-ap1100(config)#radius
    Xcon-ap1100(config)#radius-server local
    Xcon-ap1100(config-radsrv)#no nas 10.201.1.5
    Xcon-ap1100(config-radsrv)#nas 10.201.1.5 key thiskey
    Xcon-ap1100(config-radsrv)#end
    Xcon-ap1100#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Xcon-ap1100#term mon
    Xcon-ap1100#
    *Apr 3 16:26:26.961: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:26.961: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:26.962: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:26.962: RADIUS: 32 [2]
    *Apr 3 16:26:26.962: RADIUS(000000FC): Storing nasport 246 in rad_db
    *Apr 3 16:26:26.962: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS/ENCODE(000000FC): acct_session_id: 251
    *Apr 3 16:26:26.963: RADIUS(000000FC): Config NAS IP: 10.201.1.5
    *Apr 3 16:26:26.963: RADIUS(000000FC): sending
    *Apr 3 16:26:26.963: RADIUS(000000FC): Send Access-Request to 10.201.1.5:1645 id 21645/158, len 130
    *Apr 3 16:26:26.963: RADIUS: authenticator 74 20 7D 86 32 7B 1A 65 - 88 DE A7 58 51 91 FA 5D
    *Apr 3 16:26:26.963: RADIUS: User-Name [1] 6 "test"
    *Apr 3 16:26:26.964: RADIUS: Framed-MTU [12] 6 1400
    *Apr 3 16:26:26.964: RADIUS: Called-Station-Id [30] 16 "000f.f751.7970"
    *Apr 3 16:26:26.964: RADIUS: Calling-Station-Id [31] 16 "0090.963d.7bf6"
    *Apr 3 16:26:26.964: RADIUS: Service-Type [6] 6 Login [1]
    *Apr 3 16:26:26.965: RADIUS: Message-Authenticato[80] 18 *
    *Apr 3 16:26:26.965: RADIUS: EAP-Message [79] 11
    *Apr 3 16:26:26.965: RADIUS: 02 02 00 09 01 74 65 73 74 [?????test]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
    *Apr 3 16:26:26.965: RADIUS: NAS-Port [5] 6 246
    *Apr 3 16:26:26.965: RADIUS: NAS-IP-Address [4] 6 10.201.1.5
    *Apr 3 16:26:26.965: RADIUS: Nas-Identifier [32] 13 "Xcon-ap1100"
    *Apr 3 16:26:31.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:36.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:41.966: RADIUS: Retransmit to (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS: No response from (10.201.1.5:1645,1646) for id 21645/158
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response no app start; FAIL
    *Apr 3 16:26:46.965: RADIUS/DECODE: parse response; FAIL
    *Apr 3 16:26:46.966: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:26:50.070: RADIUS: AAA Unsupported [248] 10
    *Apr 3 16:26:50.070: RADIUS: 43 61 72 64 69 66 66 4E [CardiffN]
    *Apr 3 16:26:50.071: RADIUS: AAA Unsupported [150] 3
    *Apr 3 16:26:50.071: RADIUS: 32 [2]
    *Apr 3 16:26:50.071: RADIUS(000000FD): Storing nasport 247 in rad_db
    *Apr 3 16:26:50.072: RADIUS(000000FD): Config NAS IP: 10.201.1.5
    *Apr 3 16:29:29.041: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed
    *Apr 3 16:29:52.253: %DOT11-7-AUTH_FAILED: Station 0090.963d.7bf6 Authentication failed

    I have a very similar situation here. Took me a while to figure out why existing user certificates are OK but no new users can enroll. I checked all certificates for expiry. No go. It was not the expiry ("Valid to") time, but rather the "Valid From" time that is messed up.
    This is what happens: The rollover gets created and replaces the original one (which remains in memory, no flash) But the new one is valid from the expiry of the old one - in my case TOMORROW and after a power-outage the day before yesterday (the most definitive way to get a reboot!) I only have the new NOT YET VALID certificate.
    OK, I can wait until tomorrow and see if it works. But the design is far from intelligent. The industry standard is that when you renew a certificate, the validity of the new one is immediate - even if it means it runs for a few days longer than the designated lifetime.
    So much for the overlap period of 30 days (as you can see from your own post) if the old certificate goes away after a reboot and the new one is not yet valid! (The CA certificate expiration timer gets reset to some Unix time-zero ( 01:00:00 CEST Jan 1 1970) which I take to mean "not valid yet".)
    I only have a few days of trouble - and just one to go after finally working it out, but it could have been up to 30 days if I for any reason had rebooted after the roll-over certificate got created.
    Cheers
    Bernhard
