Hello,
try something like below. VLAN 11 is secure with 802.1x EAP security, VLAN 22 is insecure, VLAN 33 is only for management of the AP. On the switch is set up as native but it isn't propagate by the radio. Hope this help.
MiTi
aaa new-model
!
!
aaa group server radius acs_praha
server 10.10.10.10 auth-port 1645 acct-port 1646
!
aaa authentication login default group acs_praha local
aaa authentication login method_client group acs_praha
aaa authentication login method_local local
aaa authorization exec default group acs_praha if-authenticated
aaa authorization exec method_local local
aaa session-id common
!
dot11 ssid wifi1
vlan 11
authentication open eap method_client
authentication network-eap method_client
authentication key-management wpa
!
dot11 ssid wifi2
vlan 22
authentication open
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 11 mode ciphers tkip
!
ssid wifi1
!
ssid wifi2
!
bridge-group 1
!
interface Dot11Radio0.11
encapsulation dot1Q 11
bridge-group 11
!
interface Dot11Radio0.22
encapsulation dot1Q 22
bridge-group 22
!
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.11
encapsulation dot1Q 11
bridge-group 11
!
interface FastEthernet0.22
encapsulation dot1Q 22
bridge-group 22
!
interface FastEthernet0.33
encapsulation dot1Q 33 native
bridge-group 1
!
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache
!
ip default-gateway 10.0.0.1
radius-server host 10.0.0.11 auth-port 1645 acct-port 1646 key mysecret
!
bridge 1 route ip
!