Hello Jeff, I tried to recreate your setup and i am facing the same error "*Wrong password*". The 3500s MAP seemed to be using *EAP-FAST (EAP-MSCHAPv2)* as the eap-method and that seems to be supported in ACS. So i'm not sure what the issue is. If only ACS displayed the password being sent by the user along with the username in the RADIUS failure detail (wishful thinking).
Other than just this error, i had a few other doubts as well as i did this lab. They are as folllows : 1) When the mesh APs are connected to the WLC through the wired network, they seem to be only doing a MAC-Address check on the ACS to authenticate the APs. This is as expected. However , even though i had changed the security mode to "EAP" , checked the "*External MAC filter authorizatioN*" and "*Force external authentication*", the WLC was only sending the access-requests to the ACS only when there was no user defined locally on the WLC. Is'nt the "force" feature supposed to ignore the local mac-address defined on the WLC and go directly for the ACS? 2) In both cases where the mesh APs are connected to the WLC via the wired (or) the mesh link, i see that changing the values from the dropdown menus under *Security->AAA->MAC Filtering* ( i.e RADIUS compatibility mode , MAC Delimiter) fields, doesn't seem to have any visible effect on the access-requests going to the ACS. I changed the mac delimiter fields to various fields but the WLC looks to be always using the same convention in the access-requests. Am i misunderstanding the purpose of this field? Looking forward to hearing your thoughts on the matter. BTW, i'm running ACS v5.3 and WLC v7.0.116.0 Cheers, Vybhav
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
