Lesson 1 of 6

EAP and 802.1X Protocol Review

Objective

In this lesson you will review the 802.1X and EAP protocol flow and configure the controller-side pieces that let a wireless authenticator talk to a RADIUS authentication server for EAP methods such as EAP-TLS. This matters because in production wireless networks, correct authenticator-to-RADIUS interaction is essential for certificate-based authentication and for handling large EAP messages (certificates) that may require fragmentation. Real-world scenario: an enterprise wireless deployment uses a centralized ISE/RADIUS server (IP 192.168.189.28) to authenticate corporate laptops via EAP-TLS; if the WLC is misconfigured or the RADIUS server assignment is missing, clients fail during the TLS handshake and are removed from the network.


Topology & Device Table

Topology (management-plane view):

[Figure: Network Topology Diagram]

Device addressing and roles:

Device               Interface              IP Address         Subnet Mask       Role
ISE / RADIUS Server  eth0                   192.168.189.28     255.255.255.0     Authentication Server (RADIUS)
WLC9800              Management (logical)   192.168.189.10*    255.255.255.0*    Authenticator / RADIUS client
Access Point         N/A (CAPWAP)           N/A                N/A               Wireless Access Point (authenticator data plane)
Supplicant Laptop    Wi-Fi interface        DHCP (VLAN 282)    255.255.255.0     EAP client / supplicant
Distribution Switch  SVI for VLAN 282       10.0.282.1*        255.255.255.0*    L3 gateway for VLAN 282

Note: The only authoritative IP from the reference is 192.168.189.28 for the RADIUS server. Other management IPs in this topology are illustrative for lab connectivity; the controller will reference the RADIUS server at 192.168.189.28.


Key Concepts (Theory + Practical Behavior)

  • 802.1X Roles: The supplicant is the client (laptop) requesting network access; the authenticator is the WLC/AP pair that enforces port access (in wireless, the AP+WLC together act as the authenticator); the authentication server (RADIUS/ISE) performs credential validation. In production, authenticators protect the network by only permitting traffic after the server sends Access-Accept.

  • EAP over RADIUS flow: EAP messages are carried inside RADIUS attributes (EAP-Message) in Access-Request and Access-Challenge packets. The WLC relays EAP-Request and EAP-Response messages between the supplicant and the RADIUS server without interpreting them. The RADIUS Identifier and the EAP Identifier (packet ID) stay consistent through the transaction: the WLC preserves the EAP Identifier unchanged when it forwards each message to the AP/client.

  • EAP-TLS fragmentation & MTU: Certificate-based EAP methods exchange large messages (a server or client certificate chain can be several KB). When a TLS flight is larger than the RADIUS or CAPWAP transport can carry in one EAP packet, EAP-TLS fragments it: the first fragment announces the total length, each further fragment is sent only after the peer acknowledges the previous one, and the authenticator must relay each fragment request to the RADIUS server while keeping ordering and EAP Identifiers intact. In production, mismatched MTU or broken fragment handling shows up as EAP timeouts and client deletions.

  • Configuration mapping on the WLC: The WLC must know the RADIUS server (IP, key, ports), an AAA server group, the authentication list used by the WLAN, and a policy/profile mapping that ties the SSID to a VLAN (here VLAN 282). If any mapping is missing or incorrect, the WLC cannot forward EAP messages properly.

  • Troubleshooting indicators: WLC logs commonly show reasons like CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE or CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE when RADIUS responses fail or EAP negotiation times out. In production, these log strings are primary clues that the controller couldn't complete the EAP exchange.
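
The fragmentation behaviour described in the EAP-TLS bullet above, as an added example that is not part of this lesson and not Cisco code: it builds EAP-Request/TLS fragments with the L and M flags of RFC 5216 and consecutive EAP Identifiers, produces the zero-length EAP-Response/TLS acknowledgement the supplicant returns for each non-final fragment, and splits one EAP packet across 253-octet RADIUS EAP-Message attributes (RFC 3579). The reassembler enforces the Identifier ordering and the announced TLS length that the authenticator must preserve. The sizes used (a 3072-byte constructed stand-in for a certificate flight, a 1400-byte fragment size, Identifiers starting at 10) are constructed values, not lab values.

```python
# Added example, not from the lesson: EAP-TLS fragmentation (RFC 5216) and
# RADIUS EAP-Message carriage (RFC 3579) as the authenticator relays them.
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More, Start
ATTR_EAP_MESSAGE = 79                       # RADIUS attribute type
EAP_MESSAGE_MAX_DATA = 253                  # 255-octet attribute minus Type/Length


def fragment_eap_tls(tls_blob: bytes, first_identifier: int, max_fragment: int) -> list:
    """Split a TLS flight into EAP-Request/TLS packets.

    First fragment: L (4-byte total TLS length follows) and M (more to come).
    Middle fragments: M only.  Last fragment: neither.  Each request takes the
    next EAP Identifier; the WLC must relay that Identifier unchanged.
    """
    chunks = [tls_blob[i:i + max_fragment] for i in range(0, len(tls_blob), max_fragment)] or [b""]
    packets = []
    for n, chunk in enumerate(chunks):
        flags = FLAG_M if n < len(chunks) - 1 else 0
        prefix = b""
        if n == 0:
            flags |= FLAG_L
            prefix = struct.pack("!I", len(tls_blob))
        payload = bytes([EAP_TYPE_TLS, flags]) + prefix + chunk
        header = struct.pack("!BBH", EAP_REQUEST, (first_identifier + n) & 0xFF, 4 + len(payload))
        packets.append(header + payload)
    return packets


def parse_eap_tls(packet: bytes) -> dict:
    """Decode the EAP header, the TLS flags byte and the optional length field."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 6 or packet[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags, pos, total = packet[5], 6, None
    if flags & FLAG_L:
        (total,) = struct.unpack("!I", packet[6:10])
        pos = 10
    return {"code": code, "id": ident, "flags": flags, "total": total, "data": packet[pos:]}


def ack_fragment(request: bytes) -> bytes:
    """Supplicant's reply to a non-final fragment: EAP-Response/TLS with the same
    Identifier, flags 0 and no data (EAP length 6).  The WLC forwards it to the
    RADIUS server, which answers with the next fragment."""
    return struct.pack("!BBH", EAP_RESPONSE, request[1], 6) + bytes([EAP_TYPE_TLS, 0])


def reassemble(packets: list) -> bytes:
    """Rebuild the TLS flight, rejecting Identifier gaps, a repeated L flag and a
    stream that ends while M is still set (the failure modes behind EAP timeouts)."""
    buf, announced, prev_id = bytearray(), None, None
    for raw in packets:
        p = parse_eap_tls(raw)
        if prev_id is not None and p["id"] != (prev_id + 1) & 0xFF:
            raise ValueError(f"identifier gap: expected {(prev_id + 1) & 0xFF}, got {p['id']}")
        prev_id = p["id"]
        if p["total"] is not None:
            if announced is not None:
                raise ValueError("L flag set on a non-first fragment")
            announced = p["total"]
        buf += p["data"]
        if not p["flags"] & FLAG_M:
            break
    else:
        raise ValueError("last fragment never arrived (M flag still set)")
    if announced is not None and announced != len(buf):
        raise ValueError(f"announced {announced} TLS octets, reassembled {len(buf)}")
    return bytes(buf)


def is_rejected(packets: list) -> bool:
    """True when reassemble() refuses the sequence."""
    try:
        reassemble(packets)
        return False
    except ValueError:
        return True


def to_eap_message_attrs(eap_packet: bytes) -> list:
    """One EAP packet becomes one or more RADIUS EAP-Message attributes
    (Type 79, Length, <=253 data octets); the receiver concatenates them."""
    return [bytes([ATTR_EAP_MESSAGE, 2 + len(eap_packet[i:i + EAP_MESSAGE_MAX_DATA])])
            + eap_packet[i:i + EAP_MESSAGE_MAX_DATA]
            for i in range(0, len(eap_packet), EAP_MESSAGE_MAX_DATA)]


def from_eap_message_attrs(attrs: list) -> bytes:
    out = bytearray()
    for a in attrs:
        if a[0] != ATTR_EAP_MESSAGE or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
        out += a[2:]
    return bytes(out)


# Constructed input: a 3072-byte stand-in for a server Certificate flight.
SAMPLE_TLS_FLIGHT = bytes(range(256)) * 12
SAMPLE_FRAGMENTS = fragment_eap_tls(SAMPLE_TLS_FLIGHT, first_identifier=10, max_fragment=1400)
```

With these values the flight becomes three EAP-Request/TLS packets (flags 0xC0, 0x40, 0x00; Identifiers 10, 11, 12), the first of which spans six EAP-Message attributes inside one RADIUS Access-Challenge. Dropping the middle fragment or losing the final one makes `reassemble` raise, which is the condition the WLC reports as an EAP timeout.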


Step-by-step configuration

Step 1: Configure the RADIUS server entry on the WLC

What we are doing: We register the RADIUS server IP, authentication/accounting ports, and shared secret on the WLC so the controller can forward EAP messages to the authentication server (ISE).

radius server J_ISE
 address ipv4 192.168.189.28 auth-port 1812 acct-port 1813
 key Lab@123
!

What just happened: The radius server J_ISE stanza creates a server object named J_ISE with the IP 192.168.189.28 and the standard RADIUS ports (1812 auth, 1813 acct). The key Lab@123 configures the shared secret used to authenticate RADIUS exchanges. Without this entry, the WLC cannot initiate RADIUS transactions for EAP authentication.

Real-world note: Use a strong shared secret in production and protect configuration access; the secret authenticates RADIUS messages to prevent spoofing.

Verify:

show running-config | include radius server|address ipv4|key
radius server J_ISE
 address ipv4 192.168.189.28 auth-port 1812 acct-port 1813
 key Lab@123

Step 2: Create an AAA RADIUS server group and map it to 802.1X authentication

What we are doing: We define a server group so the WLC can treat multiple RADIUS servers as a single logical group, then set the default 802.1X authentication list to use that group.

aaa group server radius Cisco_Live_Radius_Group
 server name J_ISE
!
aaa authentication dot1x Cisco_Live_AuthC group Cisco_Live_Radius_Group
!

What just happened: The aaa group server radius command groups the previously defined server J_ISE under the logical group Cisco_Live_Radius_Group. The aaa authentication dot1x Cisco_Live_AuthC group Cisco_Live_Radius_Group command defines an 802.1X authentication method list named Cisco_Live_AuthC that points to the RADIUS server group—this ties the WLC's dot1x authentication flow to the RADIUS servers. When a client initiates EAP, the WLC uses this AAA list to send Access-Request to the grouped servers.

Real-world note: In production, assign multiple RADIUS servers to the group (with priorities) to avoid single points of failure.

Verify:

show running-config | section aaa
aaa group server radius Cisco_Live_Radius_Group
 server name J_ISE
!
aaa authentication dot1x Cisco_Live_AuthC group Cisco_Live_Radius_Group


Step 3: Configure the WLAN and bind it to the 802.1X authentication list

What we are doing: We define the SSID the supplicant joins and point its 802.1X security at the authentication list created in Step 2, so that clients associating to the SSID enter the RADIUS authentication flow.

wlan Cisco_Live_Dot1x
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 security dot1x authentication-list Cisco_Live_Authe
!

What just happened: The wlan Cisco_Live_Dot1x block defines the SSID the supplicant will join. The two radio policy lines enable the WLAN on both the 2.4 GHz and 5 GHz bands. The critical line is security dot1x authentication-list Cisco_Live_Authe, which tells the WLC which named 802.1X authentication list to use for EAP evaluation; it links clients associating to this SSID to the RADIUS authentication flow configured earlier. Note that the authentication-list name must match the AAA method list configured in Step 2 exactly; if it does not, the WLC has no authentication path for the WLAN.

Real-world note: Consistent naming matters. Step 2 defines the method list as Cisco_Live_AuthC, while the WLAN above references Cisco_Live_Authe; the two must be identical (case included), otherwise authentication fails silently with no RADIUS traffic.

Verify:

show running-config | section wlan
wlan Cisco_Live_Dot1x
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 security dot1x authentication-list Cisco_Live_Authe


Step 4: Create the policy profile and policy tag (VLAN 282)

What we are doing: We create a policy profile that places authenticated clients into VLAN 282 and a policy tag that binds the WLAN to that profile.

wireless profile policy Cisco_Live_Policy_proifle
 description Cisco_Live_Policy_profile
 vlan 282
 no shutdown
!
wireless tag policy Cisco_Live_Policytag
 description CL -PolicyTag
 wlan Cisco_Live_Dot1x policy Cisco_Live_Policy_profile
!

What just happened: The wireless profile policy Cisco_Live_Policy_proifle command creates a policy profile object (note the spelling of the name: the policy tag below references Cisco_Live_Policy_profile, which does not match it). The vlan 282 line places client sessions into VLAN 282 after successful authentication. The wireless tag policy block ties the SSID Cisco_Live_Dot1x to that profile. Together, these commands ensure that once RADIUS returns Access-Accept, the WLC applies the policy and assigns the client to the correct VLAN and forwarding plane. If the VLAN/profile mapping is wrong (a misspelled profile name included), clients may authenticate but be placed into an unexpected network segment.

Real-world note: VLAN and policy mappings tie authentication to network segmentation—verify switch trunking and VLAN existence across the network to avoid connectivity issues after authentication.

Verify:

show running-config | section wireless
wireless profile policy Cisco_Live_Policy_proifle
 description Cisco_Live_Policy_profile
 vlan 282
 no shutdown
!
wireless tag policy Cisco_Live_Policytag
 description CL -PolicyTag
 wlan Cisco_Live_Dot1x policy Cisco_Live_Policy_profile
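
A consistency check for the chain built in Steps 1 to 4 (WLAN, authentication list, RADIUS group, RADIUS server) and for the policy tag, policy profile and VLAN mapping, added here as an example; it is not part of this lesson and not a Cisco tool. It parses `show running-config` style text, assuming the IOS-XE convention of unindented stanza headers, single-space indented children and `!` separators. The embedded sample is the lesson's own stanzas, concatenated exactly as printed, including their two name discrepancies, so the check reports the Cisco_Live_Authe / Cisco_Live_AuthC mismatch and the Cisco_Live_Policy_profile / Cisco_Live_Policy_proifle mismatch listed under Common Mistakes; with the names corrected it reports nothing.

```python
# Added example, not from the lesson: verify the WLAN -> dot1x list ->
# RADIUS group -> RADIUS server chain and the tag -> profile -> VLAN mapping.

# Constructed sample: the lesson's stanzas as printed (two name mismatches).
SAMPLE_CONFIG = """\
radius server J_ISE
 address ipv4 192.168.189.28 auth-port 1812 acct-port 1813
 key Lab@123
!
aaa group server radius Cisco_Live_Radius_Group
 server name J_ISE
!
aaa authentication dot1x Cisco_Live_AuthC group Cisco_Live_Radius_Group
!
wlan Cisco_Live_Dot1x
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 security dot1x authentication-list Cisco_Live_Authe
!
wireless profile policy Cisco_Live_Policy_proifle
 description Cisco_Live_Policy_profile
 vlan 282
 no shutdown
!
wireless tag policy Cisco_Live_Policytag
 description CL -PolicyTag
 wlan Cisco_Live_Dot1x policy Cisco_Live_Policy_profile
!
"""

# Same text with both names aligned; used to show a clean run.
CORRECTED_CONFIG = (SAMPLE_CONFIG
                    .replace("authentication-list Cisco_Live_Authe", "authentication-list Cisco_Live_AuthC")
                    .replace("policy Cisco_Live_Policy_profile", "policy Cisco_Live_Policy_proifle"))


def parse_sections(text: str) -> list:
    """Group config into (header, [child lines]); '!' or a blank line ends a stanza."""
    sections, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        if line[0] != " ":
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections


def build_model(text: str) -> dict:
    """Pull out only the objects that take part in the 802.1X chain."""
    m = {"radius": {}, "groups": {}, "lists": {}, "wlans": {}, "profiles": {}, "tags": {}}
    for header, body in parse_sections(text):
        w = header.split()
        if header.startswith("radius server "):
            addr = next((b.split()[2] for b in body if b.startswith("address ipv4 ")), None)
            m["radius"][w[2]] = {"address": addr, "has_key": any(b.startswith("key ") for b in body)}
        elif header.startswith("aaa group server radius "):
            m["groups"][w[4]] = [b.split()[2] for b in body if b.startswith("server name ")]
        elif header.startswith("aaa authentication dot1x "):
            m["lists"][w[3]] = w[w.index("group") + 1] if "group" in w else None
        elif header.startswith("wlan "):
            m["wlans"][w[1]] = next((b.split()[-1] for b in body
                                     if b.startswith("security dot1x authentication-list ")), None)
        elif header.startswith("wireless profile policy "):
            m["profiles"][w[3]] = next((b.split()[1] for b in body if b.startswith("vlan ")), None)
        elif header.startswith("wireless tag policy "):
            m["tags"][w[3]] = [(b.split()[1], b.split()[3]) for b in body
                               if b.startswith("wlan ") and " policy " in b]
    return m


def check_chain(m: dict) -> list:
    """Return one finding per broken link; an empty list means the chain is intact."""
    findings = []
    for wlan, lst in m["wlans"].items():
        if lst is None:
            findings.append(f"WLAN {wlan}: no 'security dot1x authentication-list' configured")
            continue
        if lst not in m["lists"]:
            findings.append(f"WLAN {wlan}: authentication-list '{lst}' is not defined "
                            f"(defined: {sorted(m['lists'])})")
            continue
        group = m["lists"][lst]
        if group not in m["groups"]:
            findings.append(f"dot1x list {lst}: RADIUS group '{group}' is not defined")
            continue
        if not m["groups"][group]:
            findings.append(f"group {group}: no servers assigned")
        for srv in m["groups"][group]:
            if srv not in m["radius"]:
                findings.append(f"group {group}: server '{srv}' is not defined")
            elif not m["radius"][srv]["address"] or not m["radius"][srv]["has_key"]:
                findings.append(f"radius server {srv}: missing address or key")
    for tag, maps in m["tags"].items():
        for wlan, prof in maps:
            if wlan not in m["wlans"]:
                findings.append(f"policy tag {tag}: WLAN '{wlan}' is not defined")
            if prof not in m["profiles"]:
                findings.append(f"policy tag {tag}: policy profile '{prof}' is not defined "
                                f"(defined: {sorted(m['profiles'])})")
            elif m["profiles"][prof] is None:
                findings.append(f"policy profile {prof}: no VLAN assigned")
    return findings


if __name__ == "__main__":
    for f in check_chain(build_model(SAMPLE_CONFIG)) or ["chain intact"]:
        print(f)
```

Feed it the output of `show running-config` from the WLC; the checks mirror the Verification Checklist, but catch the one-character name mismatches that a visual review of four separate stanzas tends to miss.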

Step 5: Observe the WLC logs and EAP failure indicators

What we are doing: We check controller logs for common EAP/RADIUS failure strings that indicate server unavailability, EAP timeout, or other issues. These messages guide troubleshooting for fragmentation and MTU problems during EAP-TLS.

show logging | include Client delete initiated|CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE|CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE|CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT

What just happened: The log lines shown are examples of what the WLC writes when it aborts a client session due to RADIUS/EAP problems. AAA_SERVER_UNAVAILABLE typically means the WLC couldn't reach or get a timely reply from the RADIUS server. CLIENT_EAP_TIMEOUT_FAILURE suggests the EAP exchange (often TLS handshake) did not complete within the expected time—common when EAP packets are fragmented and not reassembled correctly. These messages are primary signals when troubleshooting fragmentation or MTU mismatches.

Real-world note: When you see repeated AAA_SERVER_UNAVAILABLE messages, check network reachability (routing, ACLs), RADIUS secrets, and firewall rules that may block UDP 1812/1813.

Verify (example log output):

show logging | include Client delete initiated
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE
Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT
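
A triage pass over `show logging` output for the deletion reasons above, added here as an example; it is not part of the lesson and not Cisco software. The sample lines are constructed: the lesson's "Client delete initiated. Reason: ..." text with a timestamp and a "MAC:" field prefixed so that occurrences can be grouped per client. The exact prefix a WLC prints may differ, so the pattern keys only on "Reason:" and an optional "MAC:" field. The hint attached to each reason restates the lesson's own guidance; the widespread() check implements the rule of thumb that a reason hitting several distinct clients points at the RADIUS path or WLC configuration rather than at one supplicant.

```python
# Added example, not from the lesson: group WLC client-delete reasons per
# client and attach the lesson's troubleshooting hint to each.
import re
from collections import Counter, defaultdict

REASON_HINTS = {
    "CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE":
        "RADIUS unreachable or no timely reply: check routing/ACLs, shared secret, UDP 1812/1813",
    "CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE":
        "EAP exchange (often the TLS handshake) did not finish: check fragmentation/MTU handling",
    "CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT":
        "Layer-2 authentication timed out: correlate with the two reasons above",
}

# Optional 'MAC: xxxx.xxxx.xxxx' field, then the reason string; other text is ignored.
DELETE_RE = re.compile(
    r"(?:MAC:\s*(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}).*?)?"
    r"Client delete initiated\.\s*Reason:\s*(?P<reason>CO_CLIENT_DELETE_REASON_\w+)"
)

# Constructed sample lines; timestamp and MAC prefixes are illustrative.
SAMPLE_LOG = """\
Jan 10 09:01:02.100: MAC: 0011.2233.4455 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE
Jan 10 09:01:05.410: MAC: 0011.2233.4455 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE
Jan 10 09:01:07.003: MAC: aabb.ccdd.eeff Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE
Jan 10 09:02:30.220: MAC: 0011.2233.4456 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE
Jan 10 09:02:41.900: Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_CLIENT_EAP_TIMEOUT_FAILURE
Jan 10 09:03:00.000: MAC: 0011.2233.4457 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_L2AUTH_CONNECT_TIMEOUT
Jan 10 09:03:01.000: Client 0011.2233.4457 associated to AP ap01 (unrelated line)
"""


def triage(log_text: str) -> dict:
    """Count deletions per reason, list the affected clients, attach the hint.
    Reasons are ordered most frequent first."""
    counts, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = DELETE_RE.search(line)
        if not m:
            continue
        reason = m.group("reason")
        counts[reason] += 1
        clients[reason].add(m.group("mac") or "unknown")
    return {
        reason: {"count": n,
                 "clients": sorted(clients[reason]),
                 "hint": REASON_HINTS.get(reason, "no lesson guidance for this reason")}
        for reason, n in counts.most_common()
    }


def widespread(summary: dict, reason: str, min_clients: int = 2) -> bool:
    """True when one reason affects several distinct clients, which points at the
    RADIUS path or WLC configuration rather than at a single supplicant."""
    entry = summary.get(reason)
    return bool(entry) and len(entry["clients"]) >= min_clients


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG).items():
        print(f"{entry['count']:3d}  {reason}  clients={entry['clients']}")
        print(f"      -> {entry['hint']}")
```

On the sample, AAA_SERVER_UNAVAILABLE leads with three deletions across two clients, so the RADIUS reachability checks from the real-world note above come first; the single L2AUTH_CONNECT_TIMEOUT on one client does not meet the widespread threshold.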

Verification Checklist

  • Check 1: RADIUS server object exists and points to 192.168.189.28 — verify with show running-config | include radius server and confirm the IP and key are correct.
  • Check 2: AAA group and 802.1X authentication list are configured — verify show running-config | section aaa shows Cisco_Live_Radius_Group and Cisco_Live_AuthC.
  • Check 3: WLAN Cisco_Live_Dot1x is configured to use 802.1X and maps to the policy — verify show running-config | section wlan and show running-config | section wireless.
  • Check 4: No client deletion logs due to RADIUS/EAP timeouts — verify show logging | include Client delete initiated and investigate any occurrences.

Common Mistakes

  • Symptom: Client removed with "CO_CLIENT_DELETE_REASON_AAA_SERVER_UNAVAILABLE".
    Cause: RADIUS server IP/secret incorrect, RADIUS port blocked, or server unreachable.
    Fix: Verify the radius server J_ISE config (IP and key Lab@123), test network reachability to 192.168.189.28, and open UDP 1812/1813.

  • Symptom: Client stalls during the TLS handshake or authentication takes a long time, then "CLIENT_EAP_TIMEOUT_FAILURE".
    Cause: Large certificates cause fragmentation; the RADIUS server or WLC is not handling fragments, or there is an MTU mismatch.
    Fix: Ensure the RADIUS server supports EAP fragmentation; check WLC logs for fragment requests and review RADIUS server settings. Adjust MTU/fragmentation settings on the RADIUS side where available.

  • Symptom: WLAN configured but clients fail to authenticate (no RADIUS traffic).
    Cause: The WLAN security dot1x authentication-list name does not match the AAA list.
    Fix: Confirm the WLAN auth-list matches the aaa authentication dot1x name exactly; correct naming mismatches.

  • Symptom: Clients authenticate but are placed in the wrong VLAN or have no network access.
    Cause: Policy profile mapping to the VLAN is incorrect, or the VLAN is not present on the trunk.
    Fix: Verify the wireless profile policy maps vlan 282 and ensure the switch/trunk carries VLAN 282.

Key Takeaways

  • The WLC acts as the authenticator and must be configured with an accurate RADIUS server object (192.168.189.28), a server group, and an 802.1X authentication list to forward EAP messages correctly.
  • EAP-TLS commonly uses large certificates; fragmentation and MTU handling between WLC and RADIUS are critical—timeouts and client deletions often indicate fragmentation or unreachable RADIUS.
  • Consistent naming and exact configuration mappings (WLAN → authentication list → RADIUS group → RADIUS server) are essential. Small mismatched names silently break authentication flows.
  • In production, monitor WLC logs for the specific deletion reasons shown in this lesson; they are your primary clues for RADIUS reachability and EAP fragmentation issues.

Tip: Think of the WLC as a translator that must preserve EAP identifiers and packet ordering. If the translator loses fragments or cannot reach the server, the TLS handshake fails and the user is removed—so verify both configuration and network reachability when troubleshooting.