ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

Similar Messages

• Flash working fine in local system... Not working in the live site - Need Help :(

  Hi All...
  I have a flash project, its working fine in local system and checked this file with uploading in someother websites, its working fine there too, but the same file is not working in live
  here is the link of the site, its showing blank page, the flash contents are not loading...
  http://www.aysotraining.com/U8_Coach_test.html
  and here the same file which i have uploaded it in other server its working fine...
  http://deals2deal.com/krgtech/u8coach_test.swf
  can anyone help me to fix this problem please....???
  Thanks in advance,
  Vasanth

  Hi Thanks for your reply. Actually u8coach.swf this an existing file, it is working. i have updated some details in this file and uploaded it again with the name u8coach_test.swf its not working. this same file working another server http://deals2deal.com/krgtech/u8coach_test.swf. this is what my issue. This file is working another server after my updation, but its not working it's own server after my updation. Can you find the problem what it is??
  Thanks in advance,
  Vasanth

• IOS Device-Sensor and ISE profiling not working

  Hello,
  I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.
  Switchconfig:
  device-sensor filter-list dhcp list dhcp-list
   option name host-name
  device-sensor filter-spec dhcp include list dhcp-list
  device-sensor accounting
  device-sensor notify all-changes
  Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:
  Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
  Proto Type:Name                       Len Value
  DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                            38
  RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).
  I configured a profiling rule ot check for DHCP-Hostname with "contains". This rule does not work however. The device is getting profiled with a MAC-OUI via RADIUS-probe but the DHCP-Profile is not working.
  Is this supposed to work?

  That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue as I have had issues similar like yours in the past where the certainty level of my custom rule was the same as a default one so mine custom rule was never hit. . I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being  l would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.
  Couple of more things:
  1. What profiling probes do you have enabled?
  2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?
  3. Do you have the following commands entered on your switch:
  access-session template monitor
  no macro auto monitor
  device-sensor accounting
  device-sensor notify all-changes

• H-REAP Local Authentication eap-fast not working

  Hi, I'm using a central Radius Server and have leap and eap-fast working fine, but when the wan link fail(local authentication) the new user that try to conect via leap get authenticated but eap-fast fail.
  any ideas?. Im using wlc 5.01

  If your radius is centrally located and your WAN links goes down, any authentication thats need to go back centrally will fail, unless you have local authentication. Don't know why LEAP would still work if authentication to the radius server has stopped.
  Howerver, if you are using local EAP configured on the WLC, then you still will fail authentication because your wlc is centrally located.

• Automount working erratically, *.local not working

  Hi,
  I have a server. It's correctly set-up. A few days ago I changed the router serving it and now automounts will not work. It's not a permission thing. Period.
  I have noticed, however, that local hostname of the server is not resolving at all and that the /var/log/system.log complains about not being able to mount /Network/Servers/server.local/...
  Does anybody know what I need to have open or whatever to "enable" local hostnames or how I can set up home directories bypassing this limitation?

  Probably part of your code changes arenot picked up. Put print statements to see what is the value set on the poplist when you return on the server.

• HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

  Hi All,
  I am currently using as 4402 with 6.0.196 image. The APs that i am using is the 1130.
  I have configure HREAP for Local switching, it works very well. I am even able to do 802.1x
  Authentication after registering with ACS. Currently I am usng only 1 SSID. That SSID is mapped
  to vlan 10 and my AP is on native Vlan 1.All the proper trunks and routing has been enabled.
  The issue i have is that when I am trying to create a central switched WLAN that fallbacks to local
  switching once the controller is down. The only diffrerence I made was to remove the "tick"/checkbox option
  for "local Switching" on the WLAN page.
  It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
  i tested by disconnecting the controller, The client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
  and also WPA-PEAP-MSChapv2. Both fails miserably.
  Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
  APs.Cant i do it with just a single WLAN?
  Thank you.
  Warmest regards,
  Azzafir Ariff Patel.

  For h-reap, if your doing centrally switch due to using EAP for authentication and the ap looses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the ap looses connectivity to the WLC since the h-reap ap will do the authentication.  Here is a link you probobly already seen:
  http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

• Cisco ISE 1.2.1.198 Guest Portal Vlan Override at Mobile Device (android,IOS) not working

  Hi Guy, 
  In my ISE deployment, once the guest succcesful authenticated will be assign guest VLAN for internet access.
  we are using guest portal to do the vlan override once user authenticated.
  Window 7 Internet explorer (Active X), Chrome (Java Aplet) is working fine.
  but Android,Apple IOS devices unable to release the DHCP and get new DHCP.
  because from ISE and WLC we can see the Vlan have change, how mobile devices initiate dhcp release for Guest Portal
  Kindly advice.
  Regards
  Freemen

  I don't have such documentation nor I could find any on Cisco's site. With that being said, it doesn't mean that it doesn't exist. I just know that Active X is windows specific framework and Java is not supported on either iOS nor Android:
  http://www.java.com/en/download/faq/java_mobile.xml
  The good news is that Cisco appears to be steering away from Java so it is possible that in the future this will be supported. 
  Hope this helps!
  Thank you for rating helpful posts!

• HREAP APs lose local VLAN mappings

  Hello,
  We are using a 5508 controller (version 7.0.98.0) in a central location and 1242 access points in HREAP mode in remote locations. 
  I have noticed that, for no specific reason, HREAP APs sometimes lose their local VLAN mappings and revert to centrally switched interface VLAN tags?? Since central VLAN tags and local VLANs are not the same, local traffic can not be routed and clients lose connection.
  I have seen that a software bug has been reported CSCsw68997 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw68997) but it seems to have been fixed in software version that don't exit for 5508 WLCs.
  Would you have any idea if there is a fix to this issue?
  Thanks for your help, much appreciated,
  Laure

  It is important to note that CSCsw68997 is an enhancement, not exactly a bug.
  The bottom line is that if HREAP APs move between controllers, and those controllers are not identical with WLAN Order (including the AP group WLAN order) then your mappings might change.
  Now if you want the code this enhancement is added to, I believe both of those are readily available from TAC. If you need Cisco.com versions of the code, then you'll need to wait a few more weeks....

• Using RSA RADIUS Server and WLC 7.4 to dynamically asssign users to VLAN

  Hello,
  What we are trying to do:
  John logs on to wifi using RSA fob for password. RSA sends back auth request with attibutes to WLC 7.4 that magically knows how to interpret the attributes and puts John on vlan 10. Mary logs on with her fob and gets put on VLAN 20.
  We dont have ISE. We dont have ACS. We have RSA Authentication Manager 7.0
  We have looked high and low for documentation for this kind of setup and we find stuff that is close to a match but not quite.
  Here is what we are seeing
  1. dynamic vlan assignment is not working -- radius server is set with the attributes
  2. RSA authentication works
  3. John and Mary are always put into the VLAN where the MGMT interface is
  4. I can see that attributes are making it back to the WLC by sniffing
  We are stuck at this point. Any help would be much appreciated,
  P.

  Here is a little more background:
  We have created a dynamic interface in VLAN 157
  Wireless LAN has been assigned to MGMT interface which is on VLAN 35
  This is a VWLC ver 7.4.100
  AP is attached to VWLC (only FlexConnect mode is supported)
  RADIUS Server has been configured
  Users are getting assigned to VLAN 35
  Also I have attached some screenshots and two packet captures so you can see what the RSA is sending back with your own eyes
  I dont see any atttributes in the capture when RSA sends to the VWLC
  I see attributes in the capture when RSA send to my local RADIUS Client (My PC)
  And to answer your question we have sending a VLAN ID (157)

• EAP-FAST on Local Radius Server : Can't Get It Working

  Hi all
  I'm using an 877w router (flash:c870-advsecurityk9-mz.124-24.T4.bin) as local radius server and have followed various config guides on CCO. LEAP works fine but I just can't get EAP-FAST to work.
  I'm testing with win7 client using anyconnect secure mobility client, and also a mac book pro but without luck.
  the router sees unknown auth type, and when I run some debugs it talks of unknown eap type 3
  sh radius local-server s
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Unknown NAS            : 0           Invalid packet from NAS: 17      
  NAS : 172.27.44.1
  Successes              : 1           Unknown usernames      : 0        
  Client blocks          : 0           Invalid passwords      : 0        
  Corrupted packet       : 0           Unknown RADIUS message : 0        
  No username attribute  : 0           Missing auth attribute : 0        
  Shared key mismatch    : 0           Invalid state attribute: 0        
  Unknown EAP message    : 0           Unknown EAP auth type  : 17       
  Auto provision success : 0           Auto provision failure : 0        
  PAC refresh            : 0           Invalid PAC received   : 0       
  Can anyone suggest what I might be doing wrong?
  Regs, Tim

  Thanks Nicolas, relevant snippets from config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.27.44.1 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa session-id common
  dot11 ssid home
  vlan 3
  authentication open eap eap_methods
  authentication network-eap eap_methods
  authentication key-management wpa
  ip dhcp pool home
     import all
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.1
     dns-server 194.74.65.68 194.74.65.69
  ip inspect name ethernetin tcp
  ip inspect name ethernetin udp
  ip inspect name ethernetin pop3
  ip inspect name ethernetin ssh
  ip inspect name ethernetin dns
  ip inspect name ethernetin ftp
  ip inspect name ethernetin tftp
  ip inspect name ethernetin smtp
  ip inspect name ethernetin icmp
  ip inspect name ethernetin telnet
  interface Dot11Radio0
  no ip address
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 2 mode ciphers aes-ccm tkip
  encryption vlan 3 mode ciphers aes-ccm tkip
  broadcast-key vlan 1 change 30
  broadcast-key vlan 2 change 30
  broadcast-key vlan 3 change 30
  ssid home
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.3
  encapsulation dot1Q 3
  no cdp enable
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan3
  no ip address
  bridge-group 3
  interface BVI3
  ip address 192.168.1.1 255.255.255.0
  ip inspect ethernetin in
  ip nat inside
  ip virtual-reassembly
  radius-server local
  no authentication mac
  nas 172.27.44.1 key 0 123456
  user test1 nthash 0 B151E8FF684B4F376C018E632A247D84
  user test2 nthash 0 F2EEAE1D895645B819C9FD217D0CA1F9
  user test3 nthash 0 0CB6948805F797BF2A82807973B89537
  radius-server host 172.27.44.1 auth-port 1812 acct-port 1813 key 123456
  radius-server vsa send accounting

• ISE posture redirect not working

  ISE v1.1.0.665, 3395 h/w.
  Single Admin/Monitor/Policy node.
  WS-C3560-48TS      12.2(55)SE5           C3560-IPBASEK9-M
  For Client Provisioning I created an authorisation policy as follows:
  download acl "ACL-POSTURE-REMEDIATION"
  apply url redirect "ACL-POSTURE-REDIRECT".
  "Debug radius" shows all this is downloaded to the switch but:
  - Redirect does not work.
  - dACL is not applied if the URL redirect is also configured.
  Wireshark on the client shows no direct.
  Attached file shows "debug radius" for various combinations of authorisation policy i.e. dACL only, Redirect only, dACL + Redirect.
  I've also attached screen shots of these policies and wireshark.

  Grant,
  It looks like you are changing the vlan after your client gets an ip address, it seems like the client gets an ip address of
  192.168.16.164 and you are changing the vlan over to 516. I wanted to know if that is there isnt an ip to vlan mismatch before you move forward. If 516 is quarantine vlan you may want to start all clients on that vlan and use dynamic vlan assignment through change of authorization once a client becomes compliant. The reason is is that you can use the web portal, or the nac agent to change the ip address once the vlan is changed.
  Thanks,
  Tarik Admani

• ISE CWA with COA not work on 3750X.

  Hello.
  I use ISE version 1.2.0.899 this patch number 4. I configure Central Web Auth for wired client.  In first time client open web brouser, and ISE redirect him to guest portal. User input correct credentionals, and after that switch ignor CoA packet. In ISE logs  "5417 Dynamic Authorization failed". If I use domain computer, authentification succecful whis use dot1x.  All on Port g1/0/1. I use 3750X this version IOS 15.0(2)SE2, 15.0(2)SE4, 15.0(2)SE5, 15.2(1). On all of this version ios I have this mistake.
  Config:
  3750X-ISE# sh running-configBuilding configuration...Current configuration : 9575 bytes!! No configuration change since last restart! NVRAM config last updated at 01:29:01 GMT Wed Mar 30 2011!version 15.0no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname 3750X-ISE!boot-start-markerboot-end-marker!!!username admin privilege 15 secret 5 ----username radius-test secret 5 -----aaa new-model!!aaa group server radius end!aaa group server radius ise server name ise3 server name ise4!aaa authentication login default localaaa authentication login CON noneaaa authentication enable default noneaaa authentication dot1x default group radiusaaa authorization network default group radiusaaa authorization network ise group radiusaaa accounting dot1x default start-stop group radius!!!!!aaa server radius dynamic-author client 192.168.102.53 server-key P@ssw0rd client 192.168.102.54 server-key P@ssw0rd client 192.168.102.51 server-key P@ssw0rd client 192.168.102.52 server-key P@ssw0rd server-key P@ssw0rd!aaa session-id commonclock timezone GMT 0 0switch 1 provision ws-c3750x-24psystem mtu routing 1500ip routing!!ip dhcp snooping vlan 701-710ip dhcp snoopingip domain-name com.ruip device trackingvtp mode transparent!!device-sensor filter-list dhcp list DHCP-LIST option name host-name option name default-tcp-ttl option name requested-address option name parameter-request-list option name class-identifier option name client-identifier option name client-fqdn!device-sensor filter-list cdp list CDP-LIST tlv name device-name tlv name address-type tlv name version-type tlv name platform-type tlv name power-type tlv name external-port-id-typedevice-sensor filter-spec dhcp include list DHCP-LISTdevice-sensor filter-spec cdp include list CDP-LISTdevice-sensor accountingdevice-sensor notify all-changes!license boot level ipservices!!!dot1x system-auth-control!spanning-tree mode rapid-pvstspanning-tree extend system-id!!!!!!!!!vlan internal allocation policy ascending!!vlan 102!vlan 701 name ISE-network1!!lldp run!!!!!!!!!!no macro auto monitor!interface FastEthernet0 no ip address no ip route-cache shutdown!interface GigabitEthernet1/0/1 switchport access vlan 701 switchport mode access switchport nonegotiate authentication event fail action next-method authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator spanning-tree portfast!interface Vlan102 ip address 192.168.102.60 255.255.255.0!interface Vlan701 ip address 192.168.107.1 255.255.255.240 ip helper-address 192.168.102.50 ip helper-address 192.168.102.53!ip http serverip http secure-server!ip route 0.0.0.0 0.0.0.0 192.168.102.1!ip access-list extended ACL-WEBAUTH-REDIRECT deny   udp any any eq domain deny   tcp any host 192.168.102.51 deny   tcp any host 192.168.102.52 deny   tcp any host 192.168.102.53 deny   tcp any host 192.168.102.54 permit tcp any any eq www permit tcp any any eq 443!!!snmp-server community test ROsnmp-server community test2 RWsnmp-server trap-source Vlan102snmp-server source-interface informs Vlan102snmp-server enable traps snmp linkdown linkupsnmp-server enable traps mac-notification change movesnmp-server host 192.168.102.53 version 2c test2!radius-server attribute 6 on-for-login-authradius-server attribute 8 include-in-access-reqradius-server attribute 25 access-request includeradius-server dead-criteria time 5 tries 3radius-server host 192.168.102.53 auth-port 1812 acct-port 1813radius-server host 192.168.102.54 auth-port 1812 acct-port 1813radius-server host 192.168.102.54 key P@ssw0rdradius-server host 192.168.102.53 pac key P@ssw0rdradius-server key P@ssw0rd!!!line con 0 login authentication CONline vty 0 4 exec-timeout 60 0line vty 5 15 exec-timeout 60 0!ntp master 5ntp server 198.123.30.132 prefermac address-table notification changemac address-table notification mac-moveend
  Please, help me.

  Use these Cisco IOS commands to monitor and troubleshoot CoA functionality on the switch:
  •debug radius
  •debug aaa coa
  •debug aaa pod
  •debug aaa subsys
  •debug cmdhd [detail | error | events]
  •show aaa attributes protocol radius

• Authenticated on ISE 1.2 (as admin) against an external radius server

  Hello
  Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
  Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
  thank you in advance.
  Best regards

  External authentication is supported only with internal authorization:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .

• IAS dot1x dynamic VLAN assignment not working

  I have a windows 2003 server with AD and IAS configured. IAS uses AD for authentication. I have AAA login configured and working. I have AAA dot1x configured on the 3550 switch. IAS has a Wired Ethernet policy configured for PEAM and is send back attributes tunnel-type = VLAN, tunnel-medium-type = 802, and tunnel-pvt-group-id = 210. My XP supplicant has dot1x enabled and is authenticating through the switch and IAS.
  Using Ethereal I can see the both the Radius request and accept packets. I can see that radius is sending the above attributes through ethereal as well. Using the Debug Radius command I can see that the attributes are getting to the switch. When I use the show VLAN command the switch port is still in VLAN 1. I want it to be in VLAN 210.
  I have upgraded the IOS in the 3550 switch. This fixed a previous problem of the switch not sending the NAS port type of Ethernet. It as sending a port type of Asynch.
  I also have service pack 2 on the Windows 2003 server.
  Has anyone else had this problem? If so how do I fix it.
  Here is my debug code:
  06:56:45: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
  06:56:45: RADIUS: Tunnel-Private-Group[81] 5 "210"
  06:56:45: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
  Here is my switch code:
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication dot1x default group radius local
  aaa session-id common
  interface FastEthernet0/1
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  radius-server host 10.1.1.254 auth-port 1645 acct-port 1646 key test
  radius-server deadtime 60

  You're missing this:
  aaa authorization network default group radius
  I assume "everything works" other than VLAN-Assignment itself.
  This should get you squared away,

• Cisco 871w, radius server local, and leap or eap-fast will not authenticate

  Hello, i trying to setup eap-fast or leap on my 871w.  i belive i have it confiured correctly but i can not get any device to authenticate to router.  Below is the confiureation that i being used.  any help would be welcome!
  ! Last configuration change at 15:51:30 AZT Wed Jan 4 2012 by testtest
  ! NVRAM config last updated at 15:59:37 AZT Wed Jan 4 2012 by testtest
  version 12.4
  configuration mode exclusive auto
  service nagle
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service linenumber
  service pt-vty-logging
  service sequence-numbers
  hostname router871
  boot-start-marker
  boot-end-marker
  logging count
  logging message-counter syslog
  logging buffered 4096
  logging rate-limit 512 except critical
  logging console critical
  enable secret 5 <omitted>
  aaa new-model
  aaa group server radius rad-test3
  server 192.168.16.49 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login eap-methods group rad-test3
  aaa authorization exec default local
  aaa session-id common
  clock timezone AZT -7
  clock save interval 8
  dot11 syslog
  dot11 ssid test2
  vlan 2
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7 <omitted>
  dot11 ssid test1
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 7 <omitted>
  dot11 ssid test3
  vlan 3
  authentication open eap eap-methods
  authentication network-eap eap-methods
  no ip source-route
  no ip gratuitous-arps
  ip options drop
  ip dhcp bootp ignore
  ip dhcp excluded-address 192.162.16.49 192.162.16.51
  ip dhcp excluded-address 192.168.16.33
  ip dhcp excluded-address 192.168.16.1 192.168.16.4
  ip dhcp pool vlan1pool
     import all
     network 192.168.16.0 255.255.255.224
     default-router 192.168.16.1
     domain-name test1.local.home
     lease 4
  ip dhcp pool vlan2pool
     import all
     network 192.168.16.32 255.255.255.240
     default-router 192.168.16.33
     domain-name test2.local.home
     lease 0 6
  ip dhcp pool vlan3pool
     import all
     network 192.168.16.48 255.255.255.240
     default-router 192.168.16.49
     domain-name test3.local.home
     lease 2
  ip cef
  ip inspect alert-off
  ip inspect max-incomplete low 25
  ip inspect max-incomplete high 50
  ip inspect one-minute low 25
  ip inspect one-minute high 50
  ip inspect udp idle-time 15
  ip inspect tcp idle-time 1800
  ip inspect tcp finwait-time 30
  ip inspect tcp synwait-time 60
  ip inspect tcp block-non-session
  ip inspect tcp max-incomplete host 25 block-time 2
  ip inspect name firewall tcp router-traffic
  ip inspect name firewall ntp
  ip inspect name firewall ftp
  ip inspect name firewall udp router-traffic
  ip inspect name firewall pop3
  ip inspect name firewall pop3s
  ip inspect name firewall imap
  ip inspect name firewall imap3
  ip inspect name firewall imaps
  ip inspect name firewall smtp
  ip inspect name firewall ssh
  ip inspect name firewall icmp router-traffic timeout 10
  ip inspect name firewall dns
  ip inspect name firewall h323
  ip inspect name firewall hsrp
  ip inspect name firewall telnet
  ip inspect name firewall tftp
  no ip bootp server
  no ip domain lookup
  ip domain name local.home
  ip name-server 8.8.8.8
  ip name-server 8.8.4.4
  ip accounting-threshold 100
  ip accounting-list 192.168.16.0 0.0.0.31
  ip accounting-list 192.168.16.32 0.0.0.15
  ip accounting-list 192.168.16.48 0.0.0.15
  ip accounting-transits 25
  login block-for 120 attempts 5 within 60
  login delay 5
  login on-failure log
  memory free low-watermark processor 65536
  memory free low-watermark IO 16384
  username testtest password 7 <omitted>
  archive
  log config
    logging enable
    logging size 255
    notify syslog contenttype plaintext
    hidekeys
  path tftp://<omitted>/archive-config
  write-memory
  ip tcp synwait-time 10
  ip ssh time-out 20
  ip ssh authentication-retries 2
  ip ssh logging events
  ip ssh version 2
  bridge irb
  interface Loopback0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  interface Null0
  no ip unreachables
  interface FastEthernet0
  switchport mode trunk
  shutdown
  interface FastEthernet1
  switchport mode trunk
  shutdown
  interface FastEthernet2
  shutdown
  spanning-tree portfast
  interface FastEthernet3
  spanning-tree portfast
  interface FastEthernet4
  description Cox Internet Connection
  ip address dhcp
  ip access-group ingress-filter in
  ip access-group egress-filter out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip accounting access-violations
  ip flow ingress
  ip flow egress
  ip inspect firewall out
  ip nat outside
  ip virtual-reassembly
  ip tcp adjust-mss 1460
  load-interval 30
  duplex auto
  speed auto
  no cdp enable
  interface Dot11Radio0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  encryption vlan 1 mode ciphers aes-ccm
  encryption vlan 2 mode ciphers aes-ccm
  encryption key 1 size 128bit 7 <omitted> transmit-key
  encryption mode wep mandatory
  broadcast-key vlan 1 change <omitted> membership-termination
  broadcast-key vlan 3 change <omitted> membership-termination
  broadcast-key vlan 2 change <omitted> membership-termination
  ssid test2
  ssid test1
  ssid test3
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  rts threshold 2312
  no cdp enable
  interface Dot11Radio0.1
  description <omitted>
  encapsulation dot1Q 1 native
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.2
  description <omitted>
  encapsulation dot1Q 2
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Dot11Radio0.3
  description <omitted>
  encapsulation dot1Q 3
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 spanning-disabled
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  interface Vlan1
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Vlan2
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 2
  bridge-group 2 spanning-disabled
  interface Vlan3
  description <omitted>
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  bridge-group 3
  bridge-group 3 spanning-disabled
  interface BVI1
  description <omitted>
  ip address 192.168.16.1 255.255.255.224
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI2
  description <omitted>
  ip address 192.168.16.33 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  interface BVI3
  description <omitted>
  ip address 192.168.16.49 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha
  ip http timeout-policy idle 5 life 43200 requests 5
  ip flow-top-talkers
  top 10
  sort-by bytes
  ip nat inside source list 1 interface FastEthernet4 overload
  ip nat inside source static tcp 192.168.16.50 80 interface FastEthernet4 80
  ip nat inside source static tcp 192.168.16.50 53 interface FastEthernet4 53
  ip nat inside source static tcp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 3074 interface FastEthernet4 3074
  ip nat inside source static udp 192.168.16.50 88 interface FastEthernet4 88
  ip nat inside source static udp 192.168.16.50 53 interface FastEthernet4 53
  ip access-list extended egress-filter
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   ip host <omitted> any
  deny   ip host <omitted> any
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.10.9.255 any
  deny   ip 10.0.0.0 0.10.13.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.15.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  permit ip <omitted> 0.0.0.3 any
  deny   ip any any log
  ip access-list extended ingress-filter
  remark ----- To get IP form COX -----
  permit udp any eq bootps any eq bootpc
  deny   icmp any any log
  deny   udp any any eq echo
  deny   udp any eq echo any
  deny   tcp any any fragments
  deny   udp any any fragments
  deny   ip any any fragments
  deny   ip any any option any-options
  deny   ip any any ttl lt 4
  deny   ip any host <omitted>
  deny   ip any host <omitted>
  deny   udp any any range 33400 34400
  remark ----- Bogons Filter -----
  deny   ip 0.0.0.0 0.255.255.255 any
  deny   ip 10.0.0.0 0.255.255.255 any
  deny   ip 127.0.0.0 0.255.255.255 any
  deny   ip 169.254.0.0 0.0.255.255 any
  deny   ip 172.16.0.0 0.15.255.255 any
  deny   ip 192.0.0.0 0.0.0.255 any
  deny   ip 192.0.2.0 0.0.0.255 any
  deny   ip 192.168.0.0 0.0.255.255 any
  deny   ip 198.18.0.0 0.1.255.255 any
  deny   ip 198.51.100.0 0.0.0.255 any
  deny   ip 203.0.113.0 0.0.0.255 any
  deny   ip 224.0.0.0 31.255.255.255 any
  remark ----- Internal networks -----
  deny   ip 10.10.10.0 0.0.0.255 any
  deny   ip 10.10.11.0 0.0.0.255 any
  deny   ip 10.10.12.0 0.0.0.255 any
  deny   ip any any log
  access-list 1 permit 192.168.16.0 0.0.0.63
  access-list 20 permit 127.127.1.1
  access-list 20 permit 204.235.61.9
  access-list 20 permit 173.201.38.85
  access-list 20 permit 216.229.4.69
  access-list 20 permit 152.2.21.1
  access-list 20 permit 130.126.24.24
  access-list 21 permit 192.168.16.0 0.0.0.63
  radius-server local
  no authentication mac
  eapfast authority id <omitted>
  eapfast authority info <omitted>
  eapfast server-key primary 7 <omitted>
  nas 192.168.16.49 key 7 <omitted>
  group rad-test3
    vlan 3
    ssid test3
  user test nthash 7 <omitted> group rad-test3
  user testtest nthash 7 <omitted> group rad-test3
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.16.49 auth-port 1812 acct-port 1813 key 7 <omitted>
  radius-server vsa send accounting
  control-plane host
  control-plane transit
  control-plane cef-exception
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 2 protocol ieee
  bridge 2 route ip
  bridge 3 protocol ieee
  bridge 3 route ip
  line con 0
  password 7 <omitted>
  logging synchronous
  no modem enable
  transport output telnet
  line aux 0
  password 7 <omitted>
  logging synchronous
  transport output telnet
  line vty 0 4
  password 7 <omitted>
  logging synchronous
  transport preferred ssh
  transport input ssh
  transport output ssh
  scheduler max-task-time 5000
  scheduler allocate 4000 1000
  scheduler interval 500
  process cpu threshold type total rising 80 interval 10 falling 40 interval 10
  ntp authentication-key 1 md5 <omitted> 7
  ntp authenticate
  ntp trusted-key 1
  ntp source FastEthernet4
  ntp access-group peer 20
  ntp access-group serve-only 21
  ntp master 1
  ntp server 152.2.21.1 maxpoll 4
  ntp server 204.235.61.9 maxpoll 4
  ntp server 130.126.24.24 maxpoll 4
  ntp server 216.229.4.69 maxpoll 4
  ntp server 173.201.38.85 maxpoll 4
  end

  so this what i am getting now for debug? any thoughs?
  010724: Jan  5 16:26:04.527 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/2
  010725: Jan  5 16:26:08.976 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/2
  010726: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010727: Jan  5 16:26:08.976 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010728: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010729: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010730: Jan  5 16:26:08.976 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010731: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010732: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010733: Jan  5 16:26:08.976 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010734: Jan  5 16:26:08.976 AZT: EAPOL pak dump tx
  010735: Jan  5 16:26:08.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010736: Jan  5 16:26:08.976 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0AD05650:                   01000004 04010004          ........
  0AD05660:
  010737: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010738: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010739: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010740: Jan  5 16:26:08.980 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010741: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010742: Jan  5 16:26:08.980 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  010743: Jan  5 16:26:08.980 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010744: Jan  5 16:26:08.984 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010745: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010746: Jan  5 16:26:09.624 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010747: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010748: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010749: Jan  5 16:26:09.624 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010750: Jan  5 16:26:09.624 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010751: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010752: Jan  5 16:26:09.624 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010753: Jan  5 16:26:09.624 AZT: EAPOL pak dump tx
  010754: Jan  5 16:26:09.624 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010755: Jan  5 16:26:09.624 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010756: Jan  5 16:26:09.644 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010757: Jan  5 16:26:09.648 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010758: Jan  5 16:26:09.648 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010759: Jan  5 16:26:09.656 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010760: Jan  5 16:26:09.656 AZT: EAPOL pak dump rx
  010761: Jan  5 16:26:09.656 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010762: Jan  5 16:26:09.656 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0B060D50:                   01000009 02010009          ........
  0B060D60: 01746573 74                          .test
  010763: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010764: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010765: Jan  5 16:26:09.660 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010766: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198):Orig. component type = DOT11
  010767: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010768: Jan  5 16:26:09.664 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010769: Jan  5 16:26:09.664 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010770: Jan  5 16:26:09.664 AZT: RADIUS:   36                                               [6]
  010771: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010772: Jan  5 16:26:09.664 AZT: RADIUS/ENCODE(00000198): acct_session_id: 408
  010773: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Config NAS IP: 192.168.16.49
  010774: Jan  5 16:26:09.664 AZT: RADIUS(00000198): sending
  010775: Jan  5 16:26:09.664 AZT: RADIUS(00000198): Send Access-Request to 162.168.16.49:1645 id 1645/3, len 133
  010776: Jan  5 16:26:09.664 AZT: RADIUS:  authenticator BF 69 DD DF 89 1F C6 FB - EF EC 12 EB C5 3F 3A CD
  010777: Jan  5 16:26:09.664 AZT: RADIUS:  User-Name           [1]   6   "test"
  010778: Jan  5 16:26:09.664 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010779: Jan  5 16:26:09.664 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010780: Jan  5 16:26:09.664 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010781: Jan  5 16:26:09.668 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010782: Jan  5 16:26:09.668 AZT: RADIUS:  Message-Authenticato[80]  18
  010783: Jan  5 16:26:09.668 AZT: RADIUS:   5B FA 47 07 0E E3 4B 71 7F 60 6E 4E 91 37 84 A6  [[?G???Kq?`nN?7??]
  010784: Jan  5 16:26:09.668 AZT: RADIUS:  EAP-Message         [79]  11
  010785: Jan  5 16:26:09.668 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010786: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010787: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port            [5]   6   661
  010788: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-Port-Id         [87]  5   "661"
  010789: Jan  5 16:26:09.668 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010790: Jan  5 16:26:09.668 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010791: Jan  5 16:26:14.501 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010792: Jan  5 16:26:19.018 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010793: Jan  5 16:26:23.739 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/3
  router871#
  010794: Jan  5 16:26:28.700 AZT: RADIUS: Fail-over to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010795: Jan  5 16:26:33.629 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010796: Jan  5 16:26:38.494 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010797: Jan  5 16:26:39.794 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010798: Jan  5 16:26:39.794 AZT: EAPOL pak dump rx
  010799: Jan  5 16:26:39.794 AZT: EAPOL Version: 0x1  type: 0x1  length: 0x0000
  0AD053D0:                   01010000                   ....
  010800: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,EAP_START) for d8b3.7759.0488
  010801: Jan  5 16:26:39.798 AZT: dot11_auth_dot1x_ignore_event: Ignore event: do nothing
  router871#
  010802: Jan  5 16:26:43.007 AZT: RADIUS: Retransmit to (162.168.16.49:1812,1813) for id 1645/3
  router871#
  010803: Jan  5 16:26:47.336 AZT: RADIUS: No response from (162.168.16.49:1812,1813) for id 1645/3
  010804: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: No response from radius-server; parse response; FAIL
  010805: Jan  5 16:26:47.336 AZT: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL
  010806: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  010807: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  010808: Jan  5 16:26:47.336 AZT: Client d8b3.7759.0488 failed: EAP reason 1
  010809: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_parse_aaa_resp: Failed client d8b3.7759.0488 with aaa_req_status_detail 1
  010810: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for d8b3.7759.0488
  010811: Jan  5 16:26:47.336 AZT: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client d8b3.7759.0488
  010812: Jan  5 16:26:47.336 AZT: EAPOL pak dump tx
  010813: Jan  5 16:26:47.336 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0004
  010814: Jan  5 16:26:47.336 AZT: EAP code: 0x4  id: 0x1  length: 0x0004
  0B060710:                   01000004 04010004          ........
  0B060720:
  010815: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010816: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010817: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  010818: Jan  5 16:26:47.340 AZT: dot11_auth_dot1x_send_client_fail: Authentication failed for d8b3.7759.0488
  010819: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg:  sending data to requestor status 0
  010820: Jan  5 16:26:47.340 AZT: dot11_auth_send_msg: client FAILED to authenticate d8b3.7759.0488, node_type 64 for application 0x1
  router871#
  010821: Jan  5 16:26:47.340 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010822: Jan  5 16:26:47.344 AZT: %DOT11-7-AUTH_FAILED: Station d8b3.7759.0488 Authentication failed
  010823: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010824: Jan  5 16:26:47.972 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010825: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010826: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010827: Jan  5 16:26:47.972 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010828: Jan  5 16:26:47.976 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010829: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010830: Jan  5 16:26:47.976 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010831: Jan  5 16:26:47.976 AZT: EAPOL pak dump tx
  010832: Jan  5 16:26:47.976 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010833: Jan  5 16:26:47.976 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0AD05B50:                   01000031 01010031          ...1...1
  0AD05B60: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0AD05B70: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0AD05B80: 72383731 2C706F72 7469643D 30        r871,portid=0
  010834: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010835: Jan  5 16:26:47.996 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010836: Jan  5 16:26:47.996 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010837: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010838: Jan  5 16:26:47.996 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  router871#
  010839: Jan  5 16:26:47.996 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  router871#
  010840: Jan  5 16:26:58.634 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010841: Jan  5 16:26:58.634 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010842: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010843: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010844: Jan  5 16:26:58.638 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010845: Jan  5 16:26:58.638 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010846: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010847: Jan  5 16:26:58.638 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010848: Jan  5 16:26:58.638 AZT: EAPOL pak dump tx
  010849: Jan  5 16:26:58.638 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010850: Jan  5 16:26:58.638 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060710:                   01000031 01010031          ...1...1
  0B060720: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060730: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B060740: 72383731 2C706F72 7469643D 30        r871,portid=0
  010851: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010852: Jan  5 16:26:58.658 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010853: Jan  5 16:26:58.658 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010854: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Received abort request for client d8b3.7759.0488
  010855: Jan  5 16:27:01.603 AZT: dot11_auth_client_abort: Aborting client d8b3.7759.0488 for application 0x1
  010856: Jan  5 16:27:01.603 AZT: dot11_auth_delete_client_entry: d8b3.7759.0488 is deleted for application 0x1
  010857: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 32.42.41.254(57443) -> 72.201.117.84(59652), 1 packet
  010858: Jan  5 16:27:02.179 AZT: %SEC-6-IPACCESSLOGP: list egress-filter denied tcp 22.3.184.118(0) -> 74.125.53.188(0), 4 packets
  010859: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: Create new client d8b3.7759.0488 for application 0x1
  010860: Jan  5 16:27:12.261 AZT: dot11_auth_initialize_client: d8b3.7759.0488 is added to the client list for application 0x1
  010861: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: req->auth_type 0
  010862: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  010863: Jan  5 16:27:12.261 AZT: dot11_auth_add_client_entry: eap list name: eap-methods
  010864: Jan  5 16:27:12.261 AZT: dot11_run_auth_methods: Start auth method EAP or LEAP
  010865: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  010866: Jan  5 16:27:12.261 AZT: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to d8b3.7759.0488
  010867: Jan  5 16:27:12.261 AZT: EAPOL pak dump tx
  010868: Jan  5 16:27:12.261 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0031
  010869: Jan  5 16:27:12.261 AZT: EAP code: 0x1  id: 0x1  length: 0x0031 type: 0x1
  0B060FD0:                   01000031 01010031          ...1...1
  0B060FE0: 01006E65 74776F72 6B69643D 746F7973  ..networkid=toys
  0B060FF0: 6F6E7067 2C6E6173 69643D72 6F757465  onpg,nasid=route
  0B061000: 72383731 2C706F72 7469643D 30        r871,portid=0
  010870: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg:  sending data to requestor status 1
  010871: Jan  5 16:27:12.285 AZT: dot11_auth_send_msg: Sending EAPOL to requestor
  010872: Jan  5 16:27:12.285 AZT: dot11_auth_dot1x_send_id_req_to_client: Client d8b3.7759.0488 timer started for 30 seconds
  010873: Jan  5 16:27:12.293 AZT: dot11_auth_parse_client_pak: Received EAPOL packet from d8b3.7759.0488
  010874: Jan  5 16:27:12.293 AZT: EAPOL pak dump rx
  010875: Jan  5 16:27:12.293 AZT: EAPOL Version: 0x1  type: 0x0  length: 0x0009
  010876: Jan  5 16:27:12.293 AZT: EAP code: 0x2  id: 0x1  length: 0x0009 type: 0x1
  0AD05290:                   01000009 02010009          ........
  0AD052A0: 01746573 74                          .test
  010877: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for d8b3.7759.0488
  010878: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Sending client d8b3.7759.0488 data to server
  010879: Jan  5 16:27:12.301 AZT: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  010880: Jan  5 16:27:12.301 AZT: RADIUS/ENCODE(0000019B):Orig. component type = DOT11
  010881: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: ssid              [282] 8
  010882: Jan  5 16:27:12.305 AZT: RADIUS:   74 6F 79 73 6F 6E                                [toyson]
  010883: Jan  5 16:27:12.305 AZT: RADIUS:  AAA Unsupported Attr: interface         [175] 3
  010884: Jan  5 16:27:12.305 AZT: RADIUS:   36                                               [6]
  010885: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010886: Jan  5 16:27:12.305 AZT: RADIUS/ENCODE(0000019B): acct_session_id: 411
  010887: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Config NAS IP: 192.168.16.49
  010888: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): sending
  010889: Jan  5 16:27:12.305 AZT: RADIUS(0000019B): Send Access-Request to 162.168.16.49:1645 id 1645/4, len 133
  010890: Jan  5 16:27:12.305 AZT: RADIUS:  authenticator 6F 6C 63 31 88 DE 30 A2 - C2 06 12 EB 50 A3 53 36
  010891: Jan  5 16:27:12.305 AZT: RADIUS:  User-Name           [1]   6   "test"
  010892: Jan  5 16:27:12.305 AZT: RADIUS:  Framed-MTU          [12]  6   1400
  010893: Jan  5 16:27:12.305 AZT: RADIUS:  Called-Station-Id   [30]  16  "0019.3075.e660"
  010894: Jan  5 16:27:12.305 AZT: RADIUS:  Calling-Station-Id  [31]  16  "d8b3.7759.0488"
  010895: Jan  5 16:27:12.305 AZT: RADIUS:  Service-Type        [6]   6   Login                     [1]
  010896: Jan  5 16:27:12.305 AZT: RADIUS:  Message-Authenticato[80]  18
  010897: Jan  5 16:27:12.305 AZT: RADIUS:   9D D5 62 1A 38 13 94 30 3A 43 D7 A4 AE A4 43 64  [??b?8??0:C????Cd]
  010898: Jan  5 16:27:12.305 AZT: RADIUS:  EAP-Message         [79]  11
  010899: Jan  5 16:27:12.305 AZT: RADIUS:   02 01 00 09 01 74 65 73 74                       [?????test]
  010900: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
  010901: Jan  5 16:27:12.305 AZT: RADIUS:  NAS-Port            [5]   6   664
  010902: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-Port-Id         [87]  5   "664"
  010903: Jan  5 16:27:12.309 AZT: RADIUS:  NAS-IP-Address      [4]   6   192.168.16.49
  010904: Jan  5 16:27:12.309 AZT: RADIUS:  Nas-Identifier      [32]  11  "router871"
  010905: Jan  5 16:27:16.642 AZT: RADIUS: Retransmit to (162.168.16.49:1645,1646) for id 1645/4