RADIUS Authentication Failed

DaveCoughlan
Level 1
Hi,

I'm having trouble getting a Cisco 881W to authenticate with my RADIUS server. Other APs work fine but I can't get it to authenticate on the routers. When I try to connect, I get the following message:

DOT11-7-AUTH_FAILED: Station 0000.1111.2222 Authentication failed

Debug Radius gives me the following:

Sep 28 13:27:38: RADIUS/ENCODE(00000023):Orig. component type = DOT11
Sep 28 13:27:38: RADIUS:  AAA Unsupported Attr: ssid              [265] 13
Sep 28 13:27:38: RADIUS:   4D 69 6E 64 41 75 73 74 72 61 6C                 [MindAustral]
Sep 28 13:27:38: RADIUS:  AAA Unsupported Attr: interface         [157] 3
Sep 28 13:27:38: RADIUS:   32                                               [2]
Sep 28 13:27:38: RADIUS(00000023): Config NAS IP: 192.168.28.40
Sep 28 13:27:38: RADIUS/ENCODE(00000023): acct_session_id: 35
Sep 28 13:27:38: RADIUS(00000023): Config NAS IP: 192.168.28.40
Sep 28 13:27:38: RADIUS(00000023): sending
Sep 28 13:27:38: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Sep 28 13:27:38: RADIUS/DECODE: Case error(no response/ bad packet/ op decode); parse response; FAIL

The shared secret is correct and I can ping the radius server, not sure why it's saying 'No response'.

Can anyone shed some light on this for me?

Nigel Bowden
Level 2

Maybe your RADIUS server is listening on the wrong port..? (1812/1645 ?)

jliscano
Level 1

Have you tried sourcing the interface for radius?

ip radius source-interface

Thanks for the responses..

Nigel,

The server is listening on ports 1812/1813 and 1645/1646. Router is using 1812 & 1813.

jliscano,

BVI1 is set as the sourcing interface already. Posting the shortened config below:

Building configuration...
hostname SAHO-AP
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.x.167 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 192.168.x.167 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone EST 10
clock summer-time D-EST recurring 1 Sun Apr 2:00 1 Sun Oct 3:00 1
ip domain name xxxx
ip name-server 192.168.x
ip name-server 192.168.x
ip name-server 192.168.x
!
!
dot11 syslog
!
dot11 ssid (omitted)
   vlan 1
   authentication open eap eap_methods
   authentication key-management wpa version 2
   accounting acct_methods
   guest-mode
!
dot11 ids mfp distributor
dot11 ids mfp detector
dot11 ids mfp generator
!
crypto pki trustpoint TP-self-signed-x
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-x
revocation-check none
rsakeypair TP-self-signed-x
!
!
crypto pki certificate chain TP-self-signed-x
certificate self-signed 01
  x
  quit
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid (Omitted)
!
antenna gain 0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.x.40 -------------
no ip route-cache
!
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community xx RW
snmp-server host 192.168.x.36 xx  snmp
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.100.167 auth-port 1645 acct-port 1646 key xx
radius-server vsa send accounting
bridge 1 route ip
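
A consistency check worth running on a configuration like the one posted above, added here as an example and not part of the thread or of any Cisco tool: it compares every `server` entry inside an `aaa group server radius` block with the global `radius-server host` lines. It assumes IOS identifies a RADIUS server by its address together with its auth/acct port pair and defaults to 1645/1646 when the ports are omitted; the names `parse_entry`, `addr_match` and `audit` are hypothetical, and the sample config is constructed from the posted one.

```python
import re

# Constructed sample modelled on the configuration posted above ("x" = masked value).
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.168.x.167 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
 server 192.168.x.167 auth-port 1812 acct-port 1813
!
radius-server host 192.168.100.167 auth-port 1645 acct-port 1646 key xx
"""

ENTRY = re.compile(r"^\s*(?:server|radius-server host)\s+(\S+)(.*)$")

def parse_entry(line):
    """Return (address, auth_port, acct_port) for a server/host line."""
    addr, rest = ENTRY.match(line).groups()
    ports = {"auth-port": 1645, "acct-port": 1646}  # assumed IOS defaults when omitted
    ports.update((k, int(v)) for k, v in re.findall(r"(auth-port|acct-port)\s+(\d+)", rest))
    return addr, ports["auth-port"], ports["acct-port"]

def addr_match(a, b):
    """Compare dotted addresses, treating a masked 'x' octet as a wildcard."""
    pa, pb = a.split("."), b.split(".")
    return len(pa) == len(pb) and all(p == q or "x" in (p, q) for p, q in zip(pa, pb))

def audit(config):
    """List group members that no global radius-server host definition backs."""
    hosts, members, group = [], [], None
    for line in config.splitlines():
        header = re.match(r"\s*aaa group server radius (\S+)", line)
        if header:
            group = header.group(1)
        elif line.strip() == "!":
            group = None  # "!" ends the current group block
        elif line.strip().startswith("radius-server host"):
            hosts.append(parse_entry(line))
        elif group and re.match(r"\s*server\s", line):
            members.append((group, *parse_entry(line)))
    findings = []
    for grp, addr, auth, acct in members:
        same_addr = [h for h in hosts if addr_match(addr, h[0])]
        if not same_addr:
            findings.append((grp, addr, "no radius-server host with this address"))
        elif (auth, acct) not in [(h[1], h[2]) for h in same_addr]:
            defined = ", ".join(f"{h[1]}/{h[2]}" for h in same_addr)
            findings.append((grp, addr, f"group uses {auth}/{acct}, host defines {defined}"))
    return findings
```

`audit(SAMPLE_CONFIG)` reports both `rad_eap` and `rad_acct`: the groups reference ports 1812/1813 while the only global host definition uses 1645/1646.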
