Difficulty Configuring a RADIUS server with a Cisco 2500 Series Wireless Controller

edgar_spam1 — Mon, 11 Mar 2019 06:23:41 GMT

Hi All

We are attempting to configure a RADIUS server with a Cisco 2500 Series Wireless Controller (AIR-CT2504-K9). Below you can see the configuration of the RADIUS sever on the controller, with the correct IP:

Below is the configuration we have for the current WLAN when we try to attempt to connect it to the RADIUS server:

We know that this WLAN configuration works when not configured wit RADIUS (no AAA servers configured, only Layer 2). When trying to connect using a Windows Laptop or phone, the connection attempt times out. When attempting to connect a Macbook the we receive a 'Failed to connect to authentication Server' error message. Below are the logs for an attempted authentication from a particular MAC address, in this case an iPhone 5s.

(Cisco Controller) >*apfMsConnTask_6: Jan 13 11:26:57.063: [iPhone MAC Address] Processing assoc-req station:[iPhone MAC Address] AP:[AP MAC Address]-00 thread:15117ba0
*apfMsConnTask_6: Jan 13 11:26:57.063: [iPhone MAC Address] Adding mobile on LWAPP AP [AP MAC Address](0)
*apfMsConnTask_6: Jan 13 11:26:57.063: [iPhone MAC Address] Association received from mobile on BSSID [AP MAC Address] AP AP0462.733a.44f4
*apfMsConnTask_6: Jan 13 11:26:57.063: [iPhone MAC Address] Global 200 Clients are allowed to AP radio

*apfMsConnTask_6: Jan 13 11:26:57.063: [iPhone MAC Address] Max Client Trap Threshold: 0 cur: 1

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] override for default ap group, marking intgrp NULL
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Re-applying interface policy for client

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2399)
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2420)
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] In processSsidIE:5682 setting Central switched to TRUE
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] In processSsidIE:5685 apVapId = 1 and Split Acl Id = 65535
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Setting the NAS Id to WLAN specific Id '[System Name]'
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Applying site-specific Local Bridging override for station [iPhone MAC Address] - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Applying Local Bridging Interface Policy for station [iPhone MAC Address] - vlan 0, interface id 0, interface 'management'
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] processSsidIE statusCode is 0 and status is 0
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] processSsidIE ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] STA - rates (8): 130 132 139 150 36 48 72 108 0 0 0 0 0 0 0 0
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] suppRates statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_6: Jan 13 11:26:57.064: RSNIE in Assoc. Req.: (20)

*apfMsConnTask_6: Jan 13 11:26:57.064: [0000] 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f

*apfMsConnTask_6: Jan 13 11:26:57.064: [0016] ac 01 0c 00

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Processing RSN IE type 48, length 20 for mobile [iPhone MAC Address]
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Received 802.11i 802.1X key management suite, enabling dot1x Authentication
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] RSN Capabilities: 12
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] apfValidateDot11iCapabilities:1286 Received RSNIE with Capabilities with STA MFPC: 0, STA MFPR:0, & AP MFPC:0MFPR:0
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Marking Mobile as non-11w Capable
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Received RSN IE with 0 PMKIDs from mobile [iPhone MAC Address]
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] Setting active key cache index 8 ---> 8
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] unsetting PmkIdValidatedByAp
*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] apfValidateDot11wGroupMgmtCipher:1716, Received NULL 11w Group Mgmt Cipher Suite for STA, hence returning

*apfMsConnTask_6: Jan 13 11:26:57.064: [iPhone MAC Address] 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)

*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)

*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Encryption policy is set to 0x80000001
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Not Using WMM Compliance code qosCap 00
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Sending 11w Flag 0 for Client [iPhone MAC Address]
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP [AP MAC Address] vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] apfMsAssoStateInc
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] apfPemAddUser2 (apf_policy.c:352) Changing state for mobile [iPhone MAC Address] on AP [AP MAC Address] from Idle to Associated

*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] apfPemAddUser2:session timeout forstation [iPhone MAC Address] - Session Tout 0, apfMsTimeOut '0' and sessionTimerRunning flag is 0
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0

*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Sending assoc-resp with status 0 station:[iPhone MAC Address] AP:[AP MAC Address]-00 on apVapId 1
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] Sending Assoc Response to station on BSSID [AP MAC Address] (status 0) ApVapId 1 Slot 0
*apfMsConnTask_6: Jan 13 11:26:57.065: [iPhone MAC Address] apfProcessAssocReq (apf_80211.c:9463) Changing state for mobile [iPhone MAC Address] on AP [AP MAC Address] from Associated to Associated

*spamApTask0: Jan 13 11:26:57.068: [iPhone MAC Address] Sent 1x initiate message to multi thread task for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.068: [iPhone MAC Address] reauth_sm state transition 0 ---> 1 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:47
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.068: [iPhone MAC Address] EAP-PARAM Debug - eap-params for Wlan-Id :1 is disabled - applying Global eap timers and retries
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.068: [iPhone MAC Address] Disable re-auth, use PMK lifetime.
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.068: [iPhone MAC Address] Station [iPhone MAC Address] setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.068: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Connecting state
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.069: [iPhone MAC Address] Sending EAP-Request/Identity to mobile [iPhone MAC Address] (EAP Id 1)
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.099: [iPhone MAC Address] Received EAPOL EAPPKT from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.099: [iPhone MAC Address] Received Identity Response (count=1) from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.100: [iPhone MAC Address] Resetting reauth count 1 to 0 for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.100: [iPhone MAC Address] EAP State update from Connecting to Authenticating for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.100: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Authenticating state
*Dot1x_NW_MsgTask_0: Jan 13 11:26:57.100: [iPhone MAC Address] Entering Backend Auth Response state for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] reauth_sm state transition 1 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] Received EAPOL START from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Aborting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Connecting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] Sending EAP-Request/Identity to mobile [iPhone MAC Address] (EAP Id 3)
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.095: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] Received EAPOL EAPPKT from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] Received Identity Response (count=1) from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] Resetting reauth count 1 to 0 for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] EAP State update from Connecting to Authenticating for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Authenticating state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.101: [iPhone MAC Address] Entering Backend Auth Response state for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:02.102: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.120: [iPhone MAC Address] Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.120: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.120: [iPhone MAC Address] Received EAPOL START from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.120: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Aborting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.120: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.121: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Connecting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.121: [iPhone MAC Address] Sending EAP-Request/Identity to mobile [iPhone MAC Address] (EAP Id 5)
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.121: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.121: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.125: [iPhone MAC Address] Received EAPOL EAPPKT from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.125: [iPhone MAC Address] Received Identity Response (count=1) from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.125: [iPhone MAC Address] Resetting reauth count 1 to 0 for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.125: [iPhone MAC Address] EAP State update from Connecting to Authenticating for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.126: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Authenticating state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.126: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.126: [iPhone MAC Address] Entering Backend Auth Response state for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:07.126: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] Reset the reauth counter since EAPOL START has been received!!!
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:53
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] Received EAPOL START from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Aborting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Connecting state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] Sending EAP-Request/Identity to mobile [iPhone MAC Address] (EAP Id 7)
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.160: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.161: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] Received EAPOL EAPPKT from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] Received Identity Response (count=1) from mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] Resetting reauth count 1 to 0 for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] EAP State update from Connecting to Authenticating for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] dot1x - moving mobile [iPhone MAC Address] into Authenticating state
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] Entering Backend Auth Response state for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:12.166: [iPhone MAC Address] reauth_sm state transition 0 ---> 0 for mobile [iPhone MAC Address] at 1x_reauth_sm.c:71
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.381: [iPhone MAC Address] Processing AAA Error 'Timeout' (-5) for mobile [iPhone MAC Address]
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.381: [iPhone MAC Address] Sent Deauthenticate to mobile on BSSID [AP MAC Address] slot 0(caller 1x_auth_pae.c:1581)
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.381: [iPhone MAC Address] Setting active key cache index 8 ---> 8
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.381: [iPhone MAC Address] Deleting the PMK cache when de-authenticating the client.
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.381: [iPhone MAC Address] Global PMK Cache deletion failed.
*Dot1x_NW_MsgTask_0: Jan 13 11:27:37.382: [iPhone MAC Address] Scheduling deletion of Mobile Station: (callerId: 65) in 10 seconds
*osapiBsnTimer: Jan 13 11:27:47.333: [iPhone MAC Address] apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
*apfReceiveTask: Jan 13 11:27:47.333: [iPhone MAC Address] apfMsExpireMobileStation (apf_ms.c:6976) Changing state for mobile [iPhone MAC Address] on AP [AP MAC Address] from Associated to Disassociated

*apfReceiveTask: Jan 13 11:27:47.333: [iPhone MAC Address] Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Jan 13 11:27:57.333: [iPhone MAC Address] apfMsExpireCallback (apf_ms.c:632) Expiring Mobile!
*apfReceiveTask: Jan 13 11:27:57.333: [iPhone MAC Address] apfMsAssoStateDec
*apfReceiveTask: Jan 13 11:27:57.333: [iPhone MAC Address] apfMsExpireMobileStation (apf_ms.c:7108) Changing state for mobile [iPhone MAC Address] on AP [AP MAC Address] from Disassociated to Idle

*apfReceiveTask: Jan 13 11:27:57.333: [iPhone MAC Address] pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfReceiveTask: Jan 13 11:27:57.333: [iPhone MAC Address] 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [[AP MAC Address]]
*apfReceiveTask: Jan 13 11:27:57.333: [iPhone MAC Address] Deleting mobile on AP [AP MAC Address](0)

The logs on the RADIUS server indicate that no authentication attempts have been made when attemping using an iPhone or Macbook, while attemping connection using a windows laptop shows failed authentication logs using incorrect login details.

The RADIUS server is running on Windows Server 2008 RS with setup from this guide:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

Any Assistance is greatly appreciated

I'm guessing you figured this

Alex Sierra — Thu, 01 Dec 2016 19:41:36 GMT

I'm guessing you figured this out? Do you have it configured as a client on the radius server and the policy to handle the request?

topic Difficulty Configuring a RADIUS server with a Cisco 2500 Series Wireless Controller in Network Access Control

Difficulty Configuring a RADIUS server with a Cisco 2500 Series Wireless Controller

I'm guessing you figured this