https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498458#M89350 <P>I haven't setup autonomous APs before but I think I might see the problem. You are defining an&nbsp;<STRONG>authentication list&nbsp;</STRONG>called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list" In addition, I think you might be missing one more command. So perhaps try this:</P> <PRE> dot11 ssid test authentication open eap <STRONG>eap_methods</STRONG> <STRONG>authentication network-eap eap_methods</STRONG> authentication key-management wpa version 2 guest-mode</PRE> <P>Hope this helps!</P> <P>&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Fri, 25 Jul 2014 06:27:37 GMT nspasov 2014-07-25T06:27:37Z https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498457#M89349 <P>Good afternoon,</P><P>&nbsp;</P><P>I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error :</P><P>&nbsp;</P><P>AAA/AUTHEN/PPP : Pick method list 'Permanent Local'</P><P>DOT11-7-AUTH_FAILED : Station ... Authentication failed</P><P>&nbsp;</P><P>It shouldn't use local authentication, but the aaa server I configured.</P><P>&nbsp;</P><P>I looked on the internet but didn't find a working solution.</P><P>Does anyone know why it is not working ?</P><P>&nbsp;</P><P>Here is my running configuration :</P><P>&nbsp;</P><P>Current configuration : 4276 bytes<BR />!<BR />! Last configuration change at 00:45:40 UTC Mon Mar 1 1993<BR />! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014<BR />! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014<BR />version 15.2<BR />no service pad<BR />service timestamps debug datetime msec<BR />service timestamps log datetime msec<BR />service password-encryption<BR />!<BR />hostname ap<BR />!<BR />!<BR />logging rate-limit console 9<BR />enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0<BR />!<BR />aaa new-model<BR />!<BR />!<BR />aaa group server radius rad_eap<BR />&nbsp;server 192.168.2.2 auth-port 1812 acct-port 1813<BR />!<BR />aaa group server radius rad_mac<BR />!<BR />aaa group server radius rad_acct<BR />!<BR />aaa group server radius rad_admin<BR />!<BR />aaa group server tacacs+ tac_admin<BR />!<BR />aaa group server radius rad_pmip<BR />!<BR />aaa group server radius dummy<BR />!<BR />aaa authentication login eap_methods group rad_eap<BR />aaa authentication login mac_methods local<BR />aaa authorization exec default local<BR />aaa accounting network acct_methods start-stop group rad_acct<BR />!<BR />!<BR />!<BR />!<BR />!<BR />aaa session-id common<BR />no ip routing<BR />no ip cef<BR />!<BR />!<BR />!<BR />dot11 syslog<BR />!<BR />dot11 ssid test<BR />&nbsp;&nbsp; authentication open eap eap_list<BR />&nbsp;&nbsp; authentication key-management wpa version 2<BR />&nbsp;&nbsp; guest-mode<BR />!<BR />!<BR />eap profile peap<BR />&nbsp;method peap<BR />!<BR />crypto pki token default removal timeout 0<BR />!<BR />...<BR />!<BR />!<BR />bridge irb<BR />!<BR />!<BR />!<BR />interface Dot11Radio0<BR />&nbsp;no ip address<BR />&nbsp;no ip route-cache<BR />&nbsp;!<BR />&nbsp;encryption mode ciphers aes-ccm<BR />&nbsp;!<BR />&nbsp;ssid test<BR />&nbsp;!<BR />&nbsp;antenna gain 0<BR />&nbsp;stbc<BR />&nbsp;beamform ofdm<BR />&nbsp;station-role root<BR />&nbsp;bridge-group 1<BR />&nbsp;bridge-group 1 subscriber-loop-control<BR />&nbsp;bridge-group 1 spanning-disabled<BR />&nbsp;bridge-group 1 block-unknown-source<BR />&nbsp;no bridge-group 1 source-learning<BR />&nbsp;no bridge-group 1 unicast-flooding<BR />!<BR />interface Dot11Radio1<BR />&nbsp;no ip address<BR />&nbsp;no ip route-cache<BR />&nbsp;shutdown<BR />&nbsp;antenna gain 0<BR />&nbsp;no dfs band block<BR />&nbsp;channel dfs<BR />&nbsp;station-role root<BR />&nbsp;bridge-group 1<BR />&nbsp;bridge-group 1 subscriber-loop-control<BR />&nbsp;bridge-group 1 spanning-disabled<BR />&nbsp;bridge-group 1 block-unknown-source<BR />&nbsp;no bridge-group 1 source-learning<BR />&nbsp;no bridge-group 1 unicast-flooding<BR />!<BR />interface GigabitEthernet0<BR />&nbsp;no ip address<BR />&nbsp;no ip route-cache<BR />&nbsp;duplex auto<BR />&nbsp;speed auto<BR />&nbsp;dot1x pae authenticator<BR />&nbsp;bridge-group 1<BR />&nbsp;bridge-group 1 spanning-disabled<BR />&nbsp;no bridge-group 1 source-learning<BR />!<BR />interface BVI1<BR />&nbsp;ip address 192.168.3.10 255.255.255.0<BR />&nbsp;no ip route-cache<BR />!<BR />ip default-gateway IP<BR />ip forward-protocol nd<BR />ip http server<BR />ip http secure-server<BR />ip http help-path <A href="http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag" target="_blank">http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag</A><BR />ip radius source-interface BVI1<BR />!<BR />radius-server attribute 32 include-in-access-req format %h<BR />radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D<BR />radius-server vsa send accounting<BR />!<BR />bridge 1 route ip<BR />!<BR />!<BR />!<BR />line con 0<BR />line vty 0 4<BR />&nbsp;transport input all<BR />!<BR />end</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you</P> Mon, 11 Mar 2019 04:53:33 GMT https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498457#M89349 drombau14 2019-03-11T04:53:33Z https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498458#M89350 <P>I haven't setup autonomous APs before but I think I might see the problem. You are defining an&nbsp;<STRONG>authentication list&nbsp;</STRONG>called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list" In addition, I think you might be missing one more command. So perhaps try this:</P> <PRE> dot11 ssid test authentication open eap <STRONG>eap_methods</STRONG> <STRONG>authentication network-eap eap_methods</STRONG> authentication key-management wpa version 2 guest-mode</PRE> <P>Hope this helps!</P> <P>&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> Fri, 25 Jul 2014 06:27:37 GMT https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498458#M89350 nspasov 2014-07-25T06:27:37Z https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498459#M89351 <P>Thank you so much, I had read this many times but I had not seen this error.</P><P>It now works perfectly <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 25 Jul 2014 08:37:57 GMT https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498459#M89351 drombau14 2014-07-25T08:37:57Z https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498460#M89352 <P>It happens to all of us <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Glad I was able to help!</P> Fri, 25 Jul 2014 08:39:44 GMT https://community.cisco.com/t5/network-access-control/problem-authenticating-wireless-users-with-peap/m-p/2498460#M89352 nspasov 2014-07-25T08:39:44Z