AP Client Authentication Issues

cayoung81
Level 1

Hello. I have three 1200 series access points running in autonomous mode that need to allow handheld computers to connect. The handhelds need to authenticate using EAP. The APs are properly listed and configured in the ACS and the handhelds are properly set up as well, but when I do "show dot11 association" it shows them authenticated with aaa instead of eap. As I said, these are autonomous, so there is no WLC. The VLAN being used for the APs is properly trunked all the way back to where the traffic needs to go. Here is a configuration example:

interface Dot11Radio0
 no ip address
 no shut
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid portableclient
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2412
 station-role root
 rts threshold 2312
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!

aaa new-model
!
!
aaa group server radius rad_eap
 server x.x.x.x auth-port 1645 acct-port 1646
 server x.x.x.x auth-port 1645 acct-port 1646
 server x.x.x.x auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key xxxxxxxx
radius-server attribute 32 include-in-access-req format %h
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key xxxxxxxxx
radius-server vsa send accounting
bridge 1 route ip
!

The clients connect to the AP but authenticate with aaa and therefore do not transmit, as the handhelds require RADIUS. Any ideas of what I might be missing?

8 Replies

kcnajaf
Level 7

Hi,

Could you please share the full AP configuration?

You have missed important parts of the configuration.

Regards

Najaf

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname
!
logging buffered 1048576 debugging
enable secret
!
ip subnet-zero
no ip source-route
ip domain list
ip domain list
ip domain name
ip name-server
ip name-server
ip name-server
!
!
dot11 syslog
!
dot11 ssid
   authentication open eap eap_methods
   authentication network-eap eap_methods
   accounting acct_methods
   infrastructure-ssid
!
dot11 network-map
!
!
dot1x timeout reauth-period server
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no shut
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 channel 2412
 station-role root
 rts threshold 2312
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
!
ip default-gateway
no ip http server
!
logging trap notifications
logging source-interface BVI1
logging
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 2 permit
snmp-server community
snmp-server ifindex persist
snmp-server trap-source BVI1
snmp-server host 1 snmp
snmp-server host 1 snmp
snmp-server host 1 snmp
!
!
banner motd  ^

*******************************************************************************

*******************************************************************************
^
!
!
line con 0
 exec-timeout 30 0
 transport preferred telnet
 login
 password
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 transport preferred telnet
 login
 password
line vty 5 15
 exec-timeout 30 0
 transport preferred telnet
 login
 password
!
sntp server
!
aaa new-model
!
!
aaa group server radius rad_eap
 server  auth-port 1645 acct-port 1646
 server  auth-port 1645 acct-port 1646
 server  auth-port 1645 acct-port 1646
!
aaa group server radius rad_m
!
aaa group server radius rad_a
!
aaa group server radius rad_ad
!
aaa group server tacacs+ tac_ad
!
aaa group server radius rad_p
!
aaa group server radius dummy
!
ip http authentication aaa
no ip http secure-server
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
tacacs-server host
tacacs-server host
tacacs-server host
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key
radius-server attribute 32 include-in-access-req format %h
radius-server host  auth-port 1645 acct-port 1646
radius-server host  auth-port 1645 acct-port 1646
radius-server host  auth-port 1645 acct-port 1646
radius-server timeout 20
radius-server deadtime 3
radius-server key
radius-server vsa send accounting
bridge 1 route ip
!
aaa authentication attempts login 4
aaa authentication password-prompt Password(local):
aaa authentication username-prompt User(local):
aaa authentication login default group tacacs+ enable
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
!
!
!
end
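The snippet in the first post shows the radio binding "ssid portableclient" but not the global "dot11 ssid" stanza or the "aaa authentication login" lists; the full configuration above does show them ("authentication open eap eap_methods", "authentication network-eap eap_methods", "aaa authentication login eap_methods group rad_eap", "aaa group server radius rad_eap"). On an autonomous IOS AP those links are the whole EAP chain: radio ssid, dot11 ssid authentication line, login method list, RADIUS server group, servers and shared key. If any one of them is missing, clients are never forced through EAP, whatever the ACS side looks like. The Python script below is an added example, not code from the thread or from Cisco; it walks that chain in a pasted configuration and reports the first broken link. The three configurations embedded in it are constructed for the example (RFC 5737 addresses, a placeholder key) and mirror the shapes seen in this thread.

```python
"""Walk the EAP chain of a Cisco autonomous AP (IOS) config: radio "ssid" ->
"dot11 ssid" authentication -> aaa login method list -> radius group -> servers.
Added example, not from the thread; sample configs are constructed (RFC 5737 IPs)."""
import re


def parse_blocks(text):
    """Return (top_level_lines, {stanza header: [child lines]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                                  # blank or "!" separator
        if raw[0] in " \t":                           # indented: child of the open stanza
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        if line.startswith(("interface ", "dot11 ssid ", "aaa group server ")):
            current = line
            blocks.setdefault(current, [])
        else:
            current = None
    return top, blocks


def check_method_list(lst, top, blocks):
    """Follow 'aaa authentication login LST group GROUP' to a RADIUS group with servers."""
    line = next((t for t in top if t.startswith(f"aaa authentication login {lst} ")), None)
    if line is None:
        return [f"method list '{lst}' is referenced by the SSID but never defined"]
    methods = line.split()[4:]                        # e.g. ['group', 'rad_eap']
    if methods[:1] != ["group"]:
        return [f"method list '{lst}' does not start with a RADIUS group: {' '.join(methods)}"]
    group = methods[1]                                # the predefined 'group radius' is not modelled
    stanza = blocks.get(f"aaa group server radius {group}")
    if stanza is None:
        return [f"list '{lst}' uses group '{group}' but there is no 'aaa group server radius {group}'"]
    problems = [] if any(c.startswith("server ") for c in stanza) else [f"group '{group}' has no servers"]
    if not any(t.startswith("radius-server key") or " key " in t for t in top if t.startswith("radius-server")):
        problems.append("no RADIUS shared key: the server will silently discard the AP's requests")
    return problems


def check_eap_chain(config_text):
    """Return broken links; an empty list means every radio SSID reaches RADIUS through EAP."""
    top, blocks = parse_blocks(config_text)
    problems = [] if "aaa new-model" in top else ["'aaa new-model' missing: method lists not in effect"]
    radio_ssids = [c.split(None, 1)[1] for h, kids in blocks.items()
                   if h.startswith("interface Dot11Radio") for c in kids if c.startswith("ssid ")]
    for name in radio_ssids:
        stanza = blocks.get(f"dot11 ssid {name}")
        if stanza is None:
            problems.append(f"no 'dot11 ssid {name}' stanza in this text: authentication type cannot be verified")
            continue
        lists = {m.group(2) for c in stanza
                 for m in [re.match(r"authentication (open eap|network-eap) (\S+)", c)] if m}
        if not lists:
            problems.append(f"ssid {name}: no 'authentication open eap'/'network-eap' line, EAP is never required")
        for lst in sorted(lists):
            problems += check_method_list(lst, top, blocks)
    return problems


# Constructed sample 1: like the first post, the radio binds the SSID but the
# 'dot11 ssid' stanza and the login method lists were not pasted.
PARTIAL_CFG = """\
interface Dot11Radio0
 encryption mode wep mandatory
 ssid portableclient
 station-role root
!
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key example-secret
"""
# Constructed sample 2: the complete chain, shaped like the full configuration above.
FULL_CFG = """\
aaa new-model
dot11 ssid portableclient
   authentication open eap eap_methods
   authentication network-eap eap_methods
   infrastructure-ssid
interface Dot11Radio0
 encryption mode wep mandatory
 ssid portableclient
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
 server 192.0.2.11 auth-port 1645 acct-port 1646
radius-server key example-secret
aaa authentication login eap_methods group rad_eap
"""
# Constructed sample 3: SSID stanza present but open authentication only.
OPEN_ONLY_CFG = (FULL_CFG.replace("authentication open eap eap_methods", "authentication open")
                 .replace("   authentication network-eap eap_methods\n", ""))

if __name__ == "__main__":
    for label, cfg in (("partial", PARTIAL_CFG), ("full", FULL_CFG), ("open-only", OPEN_ONLY_CFG)):
        print(label, "->", check_eap_chain(cfg) or ["EAP chain complete"])
```

Run it against a "show running-config" saved to a file by reading the file into check_eap_chain. The "partial" sample reproduces exactly the gap Najaf pointed at: the radio references an SSID whose authentication type is not in the pasted text, so nothing can be said about EAP until the "dot11 ssid" stanza is shown.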

Hi,

Hope you have not modified the running configuration. For some reason I cannot find the RADIUS server IP address anywhere. I hope you have removed it.

Do you have trouble with all wireless clients where they are not doing EAP or is it some clients only?

Can you enable "debug radius authentication" and share the output please?

Regards

Najaf

Yes, all my RADIUS IPs were removed before posting. It is all wireless devices that connect to this new AP.

Hi,

Can you enable "debug radius authentication" and share the output please, from when a client tries to connect?

Regards

Najaf

Hi Najaf,

I met the same issue. Could you please advise on the "sh log" information below? Thanks.

RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX:1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX:1645,1646 is being marked alive.
DOT11-7-AUTH_FAILED: Station XXXX.XXXX.XXXX Authentication failed

Hi Najaf,

Could you please advise on the debug information below:

RADIUS/ENCODE: Best Local IP-Address XX.XX.XX.XX for Radius-Server XX.XX.XX.XX

RADIUS(00000C77): Send Access-Request to XX.XX.XX.XX:1645 id 1645/126, len 149

User-Name           [1]   13  "XXXX"
RADIUS:  Framed-MTU          [12]  6   1400                      
RADIUS:  Called-Station-Id   [30]  16  "XXXX"
RADIUS:  Calling-Station-Id  [31]  16  "XXXX"
RADIUS:  Service-Type        [6]   6   Login                     [1]
RADIUS:  Message-Authenticato[80]  18 

NAS-Port-Type       [61]  6   802.11 wireless           [19]
RADIUS:  NAS-Port            [5]   6   3429                      
RADIUS:  NAS-Port-Id         [87]  6   "3429"
RADIUS:  NAS-IP-Address      [4]   6   XX.XX.XX.XX             
RADIUS:  Nas-Identifier      [32]  12  "XXXX-AP-01"

RADIUS: no sg in radius-timers: ctx 0x15EBA14 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/118
RADIUS: no sg in radius-timers: ctx 0x1505D6C sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/120

RADIUS: no sg in radius-timers: ctx 0x15F30E4 sg 0x0000
RADIUS-4-RADIUS_DEAD: RADIUS server XX.XX.XX.XX :1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server XX.XX.XX.XX :1645,1646 is being marked alive.
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/126
RADIUS: no sg in radius-timers: ctx 0x116DEE8 sg 0x0000
RADIUS: Retransmit to (XX.XX.XX.XX :1645,1646) for id 1645/121
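The debug above shows Access-Request id 1645/126 being retransmitted until the server is marked dead, and no Access-Accept, Access-Reject or Access-Challenge at all. Two things are worth reading off such output before touching the configuration. First, whether the request carries an EAP-Message [79] attribute: RFC 3579 makes it mandatory for an EAP exchange, and the request above lists Service-Type Login and Message-Authenticator but no EAP-Message, which is what a non-EAP login request looks like. Second, whether the silence is total. RFC 2865 requires a server to silently discard a request from a client it does not know or whose shared secret does not verify, so "is not responding" is also what a wrong "radius-server key" or a missing AAA-client entry on ACS looks like from the AP side, not only a reachability problem. The Python script below is an added example, not from the thread; it parses a log constructed in the same shape as the one posted (RFC 5737 addresses, a made-up second request id 1645/127 that does get an Access-Challenge for contrast, and an assumed format for the IOS "Received from id" line) and prints one verdict per request id.

```python
"""Triage of Cisco IOS 'debug radius authentication' output.
Added example, not from the thread. SAMPLE_LOG is constructed in the shape of the
debug posted above (RFC 5737 IPs); the 'Received from id' line format is assumed."""
import re
from collections import defaultdict

SEND_RE = re.compile(r"Send Access-Request to (\S+):\d+ id (\S+), len \d+")
ATTR_RE = re.compile(r"^(?:RADIUS:\s+)?([A-Za-z-]+)\s*\[(\d+)\]\s+\d+\s*(.*)$")
RETX_RE = re.compile(r"Retransmit to \(([^ )]+)\s*:\d+,\d+\) for id (\S+)")
RECV_RE = re.compile(r"Received from id (\S+) \S+:\d+, (Access-\w+)")


def triage(log_text):
    """Group attribute lines under their Access-Request id and count what came back."""
    requests, retransmits, replies, dead, current = {}, defaultdict(int), {}, 0, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SEND_RE.search(line):
            current = m.group(2)
            requests[current] = {"server": m.group(1), "attrs": {}}
        elif current is not None and (m := ATTR_RE.match(line)):
            requests[current]["attrs"][int(m.group(2))] = (m.group(1), m.group(3))
        elif m := RETX_RE.search(line):
            retransmits[m.group(2)] += 1
            current = None
        elif m := RECV_RE.search(line):
            replies[m.group(1)] = m.group(2)
            current = None
        elif "RADIUS-4-RADIUS_DEAD" in line:
            dead += 1
            current = None
    summary = {}
    for rid, req in requests.items():
        attrs = req["attrs"]
        summary[rid] = {
            "server": req["server"],
            "eap": 79 in attrs,                                  # EAP-Message, RFC 3579
            "message_authenticator": 80 in attrs,
            "service_type": attrs[6][1].split()[0] if 6 in attrs else None,
            "retransmits": retransmits.get(rid, 0),
            "reply": replies.get(rid),                           # None = total silence
        }
    return {"requests": summary, "dead_events": dead, "retransmits": dict(retransmits)}


def verdicts(result):
    """Human-readable findings, one per problem."""
    out = []
    for rid, r in result["requests"].items():
        if not r["eap"]:
            out.append(f"id {rid}: no EAP-Message [79]; a plain '{r['service_type']}' request, not an EAP exchange")
        if r["reply"] is None:
            out.append(f"id {rid}: no reply from {r['server']} after {r['retransmits']} retransmit(s)")
    if result["dead_events"]:
        out.append(f"{result['dead_events']} RADIUS_DEAD event(s): unreachable server, or the AP is not a known "
                   "client / wrong shared secret (RFC 2865 says such requests are silently discarded)")
    return out


# Constructed log: id 1645/126 mirrors the posted debug (no EAP-Message, never answered);
# id 1645/127 is a made-up EAP request that gets an Access-Challenge, for contrast.
SAMPLE_LOG = """\
RADIUS/ENCODE: Best Local IP-Address 192.0.2.5 for Radius-Server 192.0.2.10
RADIUS(00000C77): Send Access-Request to 192.0.2.10:1645 id 1645/126, len 149
RADIUS:  User-Name           [1]   13  "handheld-01"
RADIUS:  Framed-MTU          [12]  6   1400
RADIUS:  Service-Type        [6]   6   Login                     [1]
RADIUS:  Message-Authenticato[80]  18
RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
RADIUS:  NAS-IP-Address      [4]   6   192.0.2.5
RADIUS: no sg in radius-timers: ctx 0x15EBA14 sg 0x0000
RADIUS: Retransmit to (192.0.2.10:1645,1646) for id 1645/126
RADIUS: Retransmit to (192.0.2.10:1645,1646) for id 1645/126
RADIUS-4-RADIUS_DEAD: RADIUS server 192.0.2.10:1645,1646 is not responding.
RADIUS-4-RADIUS_ALIVE: RADIUS server 192.0.2.10:1645,1646 is being marked alive.
RADIUS(00000C78): Send Access-Request to 192.0.2.11:1645 id 1645/127, len 171
RADIUS:  User-Name           [1]   13  "handheld-01"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  EAP-Message         [79]  24  *
RADIUS:  Message-Authenticato[80]  18
RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
RADIUS: Received from id 1645/127 192.0.2.11:1645, Access-Challenge, len 80
"""

if __name__ == "__main__":
    for v in verdicts(triage(SAMPLE_LOG)):
        print(v)
```

Feed it the captured debug from "show log" or a terminal session. A request with no EAP-Message and no answer points at the AP configuration before it points at ACS; a request with EAP-Message that gets an Access-Reject points at the ACS side (user, certificate or EAP type), and repeated total silence on every id is a reachability, AAA-client or shared-secret question to settle with the ACS administrator.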
