IOS v15 WLCCP authentication infrastructure: LEAP instead of EAP-TLS

marc.groenen
Level 1

A customer uses autonomous wireless APs for some smaller sites.

Usually this is no problem. Yesterday I installed a new site with Cisco AP2602s running:

Cisco IOS Software, C3600 Software (AP3G2-K9W7-M), Version 15.2(2)JA, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Thu 23-Aug-12 02:59 by prod_rel_team

ROM: Bootstrap program is C3600 boot loader

BOOTLDR: C3600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)

When configuring the AP I noticed a few CLI warnings about the radius-server host being deprecated soon, so I converted it to the new standard.

After installing the WDS AP (which isn't in WDS-only mode and also accepts clients) I noticed TACACS was working and RADIUS for the wireless clients was also working.

So everything was working fine... except when I was checking authentications I noticed the WDS AP was not being authenticated to the ACS.

The logging in the ACS showed "EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate".

Since we do not use EAP-TLS for authentication of the APs to the ACS (but LEAP), I started searching for a way to force the authentication from the APs to LEAP instead of EAP-TLS.

I have been searching in release notes and other forums for a way to configure this but I can't find it.

Now I have "fixed" it by disabling EAP-TLS and PEAP on the ACS since the customer does not use this.

But it is possible that the customer would like to use EAP-TLS in the future, therefore I would like to configure it on the AP CLI.

Several other sites running IOS v12.3 (AP1232, 1142 and 3502) are running the same configuration and use LEAP by default, I guess, since they work OK.


I have changed the ACS to prefer LEAP; this also works instead of disabling EAP-TLS and PEAP.


Message was edited by: Marc Groenen
