Resolution
For a Remote Access Dial-In User Service (RADIUS) user to log in to the controller, the user's entry on the RADIUS server must be associated with the Service-Type attribute. If the ACS does not send this attribute back to the controller, authentication still finishes successfully (access-accept) and you do not see any authorization error on the controller, even with debug aaa all enable. However, you are prompted again for authentication. The only thing missing in the RADIUS return packet is the service type 6 attribute.
Refer to the Before Using RADIUS Attributes section of RADIUS Attributes for more information on how to configure the service-type attribute.
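To confirm this condition from a packet capture, the following added example (not part of the original page) parses an Access-Accept and reports whether Service-Type, attribute type 6 in RFC 2865, is present. The function names and sample packets are constructed for illustration, and the input is assumed to be the raw RADIUS payload with the UDP/IP headers already stripped.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
SERVICE_TYPE = 6    # attribute type number of Service-Type (RFC 2865)

def attributes(packet: bytes):
    """Return the packet code and a list of (type, value) attribute pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the capture")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def service_type_in_accept(packet: bytes):
    """Return the Service-Type value of an Access-Accept, or None if absent."""
    code, attrs = attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for atype, value in attrs:
        if atype == SERVICE_TYPE:
            if len(value) != 4:
                raise ValueError("Service-Type must be a 4-byte integer")
            return struct.unpack("!I", value)[0]
    return None

def build_accept(attrs):
    """Constructed test input: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: Reply-Message (type 18) only, then with Service-Type 6.
WITHOUT = build_accept([(18, b"ok")])
WITH = build_accept([(18, b"ok"), (SERVICE_TYPE, struct.pack("!I", 6))])

if __name__ == "__main__":
    for name, pkt in (("without", WITHOUT), ("with", WITH)):
        st = service_type_in_accept(pkt)
        print(name, "-> Service-Type", "missing" if st is None else st)
```

A result of `None` for an Access-Accept matches the symptom described above: the server accepted the credentials but returned no Service-Type, so the controller prompts again.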
Problem Type
Cannot console or telnet or GUI into a device
Products
Wireless LAN Controllers
Security Options
LEAP / RADIUS
Authentication
Device Access Method
GUI Interface
Telnet
Terminal Server / Console