Showing results for 
Search instead for 
Did you mean: 

Cisco ACS 5.2 not authenticating wireless clients with Cisco AP1142


I have a Cisco ACS Engine running v5.2 and I am trying to get it to authentication wireless clients via a Cisco AP1142.

However i am getting the following message in the acs reporting tool :

Failure Reason: 11036 The Message-Authenticator RADIUS attribute is invalid.

The description states: The Message-Authenticator RADIUS attribute is invalid. This maybe because of mismatched Sharded Secrets.

I have check the sharded secret and they are both set correctly. Is there something extra that needs setting up on the ACS server or on the Access Point, as the Access Point works well with ACS v4.2



Hello Marco,

I have been checking and the error 11036 The Message-Authenticator RADIUS attribute is invalid is usually related to a key mismatch.

Can you enable "debug aaa authentication" and "debug radius" and perform the test command on the AP authenticating against the ACS 5.x? The command should be:

test aaa group radius legacy

Please share the outputs. If the debugs report "failed to decrypt" then it is indeed a key mismatch.

If this was helpful please rate.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: