Preview Tool

Cisco Bug: CSCvs45806 - Flex AP looking for RADIUS to try Local Authentication when configured for Central Authentication

Last Modified

Sep 02, 2020

Products (1)

  • Cisco Aironet 1850 Series Access Points

Known Affected Releases

8.10(109.55) 8.5(151.0)

Description (partial)

EAP authentication is failing because the Flex AP is looking for a RADIUS to try Local Authentication itself, even when configured for Central Authentication.

This is interrupting the EAP authentication handshake, so client never finishes EAP authentication and fails to connect to the AP (timing out EAP and restarting association from scratch, but goes back to same state and stays in that cycle).

WLC sends EAP Identity Request, but never receives the client response, so we just see next association response in WLC debugs after client times out, or WLC retries EAP request until it times out.

At the AP level debugs and traces, we can see the AP transmits the EAP request down to client, client replies back with EAP response, but when the first EAP response is coming back from client to WLC, AP tries to communicate with a RADIUS Server like if it was the AP acting as dot1x authenticator (instead of simply sending that EAP response up to the WLC within CAPWAP, as it should, because it is the WLC the dot1x Authenticator). AP logs:
hostapd: apr1v0:RADIUS: No authentication server configured

Flex AP doing Local switching with Central Authentication.
SSID doing dot1x/EAP where WLC is the dot1x Authenticator, not the AP.
Issue is triggered after AP drops its current WLC due to CAPWAP going down and then comes back.

This impacts all Wave 2 AP's on both AirOS and IOS-XE

AirOS -
IOS-XE code - 16.12.1s
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.