
Cisco router cannot pass 802.1x traffic


Are there any special settings I have to do on a Cisco router if I want to get 802.1x working on a Cisco router on a stick? Everything works on the network except that when I do test aaa radius on the Cisco WLC I get "radius server unresponsive". The WLC can ping the server, and it persists with or without Windows Firewall. There are no ACLs on the Cisco router, and DHCP relay is configured and working with ip helper-addresses pointing at the DHCP server. I just can't seem to get it to work. I had it working when my pfSense firewall was doing router on a stick, but now I am using my Cisco 2901 for speed reasons.


Haydn Andrews
VIP Alumni

Are you talking about RADIUS auth for the WLC? You need a RADIUS server (ISE, Microsoft NPS, etc.). The router won't work as the authenticator.


I know, but the access point controller gets no response from the Windows Server NPS. It is set up correctly with the same setup that I had working before, but the WLC can't communicate with the server. There is no firewall in between, or ACLs, and the WLC can ping the Windows server.

Rich R

What WLC?
What version of software?
Can ping the server from which interface? (maybe not the same interface the radius is originated from)
You can do debugs on WLC and packet captures on router to see what's happening.

WLC is 2504.

Version of software is wlc, the software of the router is Version 15.7(3)M5, and the network policy server is Windows Server 2019.

The WLC can ping both its default gateway, the default gateway server, and the server itself.

Can you be nice and get me the commands I need to run?

Friend, I think you added the management IP in AAA, and the router does NAT and changes this IP, and hence the AAA refuses the RADIUS packet.
You need to add the NAS-ID to your RADIUS packet toward the AAA server, and use this NAS-ID in AAA.
The NAS-ID does not change during NAT.
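
The NAT theory in the reply above can be tested against a server-side packet capture. The following is an added example, not part of any reply in this thread: it parses a RADIUS Access-Request and compares the source IP seen in the capture with the NAS-IP-Address attribute inside the packet. The function names, addresses and NAS-Identifier value are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4    # RFC 2865 attribute types
NAS_IDENTIFIER = 32
ACCESS_REQUEST = 1    # RADIUS code for Access-Request

def parse_radius(payload: bytes) -> dict:
    """Parse the RADIUS header and attributes from a UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def nat_check(src_ip: str, payload: bytes) -> dict:
    """Compare the packet's source IP (from the capture) with NAS-IP-Address."""
    pkt = parse_radius(payload)
    if pkt["code"] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    raw_ip = pkt["attrs"].get(NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw_ip)) if raw_ip and len(raw_ip) == 4 else None
    nas_id = pkt["attrs"].get(NAS_IDENTIFIER, b"").decode("utf-8", "replace") or None
    return {"src_ip": src_ip, "nas_ip": nas_ip, "nas_id": nas_id,
            "translated": nas_ip is not None and nas_ip != src_ip}

def build_sample(nas_ip: str, nas_id: str) -> bytes:
    """Constructed Access-Request carrying only the two NAS attributes."""
    attrs = bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    attrs += bytes([NAS_IDENTIFIER, 2 + len(nas_id)]) + nas_id.encode()
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE = build_sample("192.0.2.10", "wlc-lab")   # constructed values

if __name__ == "__main__":
    print(nat_check("192.0.2.10", SAMPLE))    # source address unchanged in transit
    print(nat_check("198.51.100.1", SAMPLE))  # source address rewritten in transit
```

If `translated` comes back true for requests captured on the server, the address the server sees is not the one the WLC put in the packet, and the RADIUS client entry on the server has to match what actually arrives.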

Rich R

"show interface summary" to get the name of the client interface
ping <server ip> "client interface name"
debug aaa all
As the server runs Windows you can use Wireshark for packet capture on server side:


Do I run these on the Cisco router or on the WLC?

Rich R

Those are all WLC commands.
You can also do packet capture on the router:

I will get her done later
