Hi Marius,

I try to authenticate the cisco access point as an 802.1x supplicant. All my configurations are mentioned in the link above.

Although the login/password are the same I can not authenticate the access point because of a password mismatch.

Was the AP already joined to the WLC before you began the process?  Also, are you 100% sure there is no space at the beginning or the end of the password on either the ISE or the AP?

Would still be good to see the configuration you have implemented.

Yes, AP already joined the WLC and it works properly. I ensure that passwords match because I just copied and pasted them.

You can view my configuration using these attachments. I think there is a password problem in WLC because I tried not to use the Cisco ISE local database and used AD. I got the same wrong password error.

I used the same credentials with the same switch for the windows user and it works properly.

I also tried to authenticate AP using PEAP but there is another error:

Could you please share the bug details? How can we work around this issue?

When I use EAP-FAST it says:
22063 Wrong password

When I use PEAP it says:
12851 Received unexpected EAP NAK message. Client rejected the conversation.

Recently I installed the latest patch but the problem still exists. Do you know any other resolution?

What version of ISE are you using and what patch level?

What device is performing the EAP-FAST (I.e. what AP model and WLC software version if applicable)?

If updating the components doesn’t help then perhaps it’s time to get TAC involved.

Also, don’t forget that since the AP is attached to a switch, it’s the switch that is acting as the Authenticator. That means you must ensure that the RADIUS shared secret of the switch must match that configured in ISE. Does the switch perform any other EAP authentication successfully?

Cisco ISE 3.1 and patch 3 (the latest one)
Cisco Virtual Wireless Controller Software Version 8.8.111.0
APs are in flexconnect mode IOS version 8.8.111.0

Yes, the switch performs other EAP authentication successfully. I have that kind of issue only with APs

Hi

If these are Flexconnect mode APs, what is the connecting switch interface switchport config for them? Is it a trunk or is it in line with the Cisco doc below?

hth
Andy

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

This is my switch port configuration:

interface GigabitEthernet 1/0/1
switchport access vlan 100
switchport mode access
authentication event server dead action authorize vlan 100
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 3
spanning-tree portfast

I also tried the configuration below that was mentioned in the guide but the same problem still exists:

interface GigabitEthernet1/0/1
switchport trunk allowed vlan all
switchport trunk native vlan 100
switchport mode trunk
authentication host-mode multi-host
authentication order dot1x
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast edge trunk