I hope you can help as I am sure I am missing something basic.

Using IAS to authenticate admin and Lobby ambassador to a wlc running 4.2.

Created a group wlc Admin in windows ad.

Added a user to the group to test. The user works pw etc as I have tested this.

Event log from IAS is here

User test was denied access.

Fully-Qualified-User-Name = WIRELESSDATANET\test

NAS-IP-Address = 192.168.1.200

NAS-Identifier = WLAN-LAB

Called-Station-Identifier = <not present>

Calling-Station-Identifier = <not present>

Client-Friendly-Name = WLAN-LAB

Client-IP-Address = 192.168.1.200

NAS-Port-Type = <not present>

NAS-Port = <not present>

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = <undetermined>

Authentication-Type = PAP

EAP-Type = <undetermined>

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

The request is getting to the IAS server but not being authenticated.

The logs on the wlc are below

AAA Authentication Failure for UserName:test User Type: WLAN USER

Problem is it is IAS is not even authenticating a client I know has a correct password. The test client is only in the WLC Admin group

I am not sure if its the attributes though the wlc is in as a client with cisco attribute