Applies to: Cisco AireOS WLC (7.x / 8.x) · Cisco Catalyst 9800 (IOS-XE 17.x)
RADIUS: XEOX PNAC (FreeRADIUS 3.x) with MAC-based authentication database
For information on Cisco Catalyst in general, please see Cisco Catalyst.
Overview
The Cisco WLC acts as the 802.1X Authenticator (NAS): when a wireless client associates, the WLC relays the client's EAP exchange to XEOX PNAC over RADIUS, and XEOX PNAC validates the device against the MAC database, the same database used for wired 802.1X/MAB on Cisco Catalyst switches.

[Wireless Client]
        │ 802.1X / EAP over the air
        ▼
[Cisco WLC] ──── RADIUS (UDP 1812/1813) ────► [XEOX PNAC (FreeRADIUS)]
(Authenticator / NAS)                                    │
                                                    MAC Database
                                                (same as wired NAC)

XEOX PNAC — Add WLC as RADIUS Client
The WLC is added as a RADIUS NAS client by the XEOX PNAC tool via its GUI; no manual editing of clients.conf is required.
For reference, the tool registers the WLC with the following parameters. Record the generated shared secret: the same value must be entered on the WLC (it is the PRESHAREDKEY placeholder in the controller sections below). The NAS IP must be the address the controller actually sources RADIUS from; FreeRADIUS discards packets from unregistered addresses (it logs "Ignoring request ... from unknown client").
Parameter | Value |
NAS IP | WLC management IP |
Shared Secret | Generated by the tool |
NAS Type | cisco |
Important
The WLC sends NAS-Port-Type = Wireless-802.11 (RFC 2865 value 19) in every Access-Request, whereas a Catalyst switch port sends NAS-Port-Type = Ethernet (value 15). If your existing XEOX PNAC policy filters on:
NAS-Port-Type = Ethernet
(which is common in wired-only setups), remove that condition or extend it to also match Wireless-802.11; otherwise every wireless client is rejected before the MAC lookup runs.
XEOX PNAC — VLAN Assignment (Optional)
To assign wireless clients to a VLAN via RADIUS, return the three RFC 2868 tunnel attributes below in the Access-Accept, from your XEOX PNAC device profile or SQL/LDAP response.
XEOX PNAC stores these as numeric values; the numeric and named forms are the same attributes on the wire, so either may be used.
Example device profile / FreeRADIUS users file (reply attributes are indented under the check line, all but the last ending with a comma; Tunnel-Private-Group-Id is a string attribute, hence the quotes):
AA:BB:CC:DD:EE:FF  Cleartext-Password := "AA:BB:CC:DD:EE:FF"
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-Id = "25"
Attribute | Numeric | Named Constant | Meaning |
Tunnel-Type | 13 | VLAN | Tunnel carries VLAN traffic |
Tunnel-Medium-Type | 6 | IEEE-802 | 802 media (Ethernet / Wi-Fi) |
Tunnel-Private-Group-Id | "25" | (string) | VLAN ID to assign |
These are identical to the named form:
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
XEOX PNAC and the WLC interpret them the same way. The WLC places the authenticated client into the specified VLAN regardless of whether names or numbers are used, provided AAA override is enabled on the WLAN (see the platform sections below) and the VLAN exists on the controller.
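The same attributes as they appear on the wire, as an added Python example (not XEOX PNAC, FreeRADIUS or Cisco code): it encodes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id per RFC 2868, parses them back and extracts the VLAN the WLC would apply, including the tag byte that the numeric/named forms in the users file never show. The attribute numbers and values are the RFC 2868 ones; the sample reply is constructed inline; `vlan_from_reply` and the other function names are the example's own.

```python
"""Encode and decode the RFC 2868 tunnel attributes a RADIUS server returns
for dynamic VLAN assignment (added example, not XEOX PNAC or FreeRADIUS code).

Tunnel-Type (64) and Tunnel-Medium-Type (65) are tagged integers: one tag byte
followed by a 3-byte value.  Tunnel-Private-Group-Id (81) is a tagged string.
FreeRADIUS emits the tag byte (0 when no tag is configured); the WLC reads the
VLAN ID from the string regardless of the tag, which is why "25" (string) and
25 (number) in the users file lead to the same client VLAN.
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

# Named constants from the FreeRADIUS dictionary (RFC 2868 values).
TUNNEL_TYPE_NAMES = {13: "VLAN"}
TUNNEL_MEDIUM_NAMES = {6: "IEEE-802"}


def tagged_int_avp(attr_type, value, tag=0):
    """Type | Length | Tag | 3-byte value (RFC 2868 tagged integer)."""
    if not 0 <= value < 2 ** 24:
        raise ValueError("tagged integer must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string_avp(attr_type, value, tag=0):
    """Type | Length | Tag | string (RFC 2868 tagged string)."""
    data = value.encode("ascii")
    if len(data) > 252:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def vlan_reply_attributes(vlan_id, tag=0):
    """The three attributes the WLC needs to put a client into vlan_id."""
    return (tagged_int_avp(TUNNEL_TYPE, 13, tag)
            + tagged_int_avp(TUNNEL_MEDIUM_TYPE, 6, tag)
            + tagged_string_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag))


def parse_avps(data):
    """Split a RADIUS attribute section into (type, value_bytes) pairs."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((t, data[i + 2:i + length]))
        i += length
    return avps


def vlan_from_reply(data):
    """Return the VLAN ID the WLC would apply, or None if the reply is not a
    complete and consistent VLAN assignment (Tunnel-Type VLAN, medium IEEE-802,
    numeric group ID in 1..4094)."""
    tunnel_type = medium = group = None
    for t, v in parse_avps(data):
        if t == TUNNEL_TYPE:
            tunnel_type = int.from_bytes(v[1:4], "big")   # skip the tag byte
        elif t == TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(v[1:4], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte <= 0x1F is a tag, anything else is string.
            group = (v[1:] if v and v[0] <= 0x1F else v).decode("ascii")
    if tunnel_type != 13 or medium != 6 or group is None:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


if __name__ == "__main__":
    reply = vlan_reply_attributes(25)          # constructed Access-Accept payload
    print(reply.hex())
    for t, v in parse_avps(reply):
        print(t, TUNNEL_TYPE_NAMES.get(int.from_bytes(v[1:4], "big"), ""), v.hex())
    print("VLAN:", vlan_from_reply(reply))
```

Running the block prints the three AVPs for VLAN 25 as the WLC receives them; `vlan_from_reply` returns None for a reply that carries only some of the attributes or a non-numeric group ID, which is what to look for when `freeradius -X` shows an Access-Accept but the client still lands on the WLAN's default interface.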
Option A — Cisco AireOS WLC
1. Add RADIUS Authentication Server
GUI
Security → AAA → RADIUS → Authentication → New
Field | Value |
Server IP Address | 192.168.128.245 (XEOX PNAC primary) |
Shared Secret | PRESHAREDKEY (the secret generated by the XEOX PNAC tool; must match exactly) |
Port | 1812 |
Server Status | Enabled |
Network User | Enabled |
RFC 3576 (CoA) | Enabled (only needed if XEOX PNAC sends CoA / Disconnect messages) |
Repeat for a second XEOX PNAC server if applicable: 192.168.128.246
CLI
AireOS has no configuration mode; the commands are entered at the controller prompt.
(Cisco Controller) > config radius auth add 1 192.168.128.245 1812 ascii PRESHAREDKEY
(Cisco Controller) > config radius auth enable 1
(Cisco Controller) > config radius auth network 1 enable
(Cisco Controller) > config radius auth rfc3576 enable 1
(Cisco Controller) > config radius auth add 2 192.168.128.246 1812 ascii PRESHAREDKEY
(Cisco Controller) > config radius auth enable 2
(Cisco Controller) > config radius auth network 2 enable
(Cisco Controller) > config radius auth rfc3576 enable 2
2. Add RADIUS Accounting Server
GUI
Security → AAA → RADIUS → Accounting → New
CLI
(Cisco Controller) > config radius acct add 1 192.168.128.245 1813 ascii PRESHAREDKEY
(Cisco Controller) > config radius acct enable 1
(Cisco Controller) > config radius acct network 1 enable
3. Create the WLAN
GUI
WLANs → Create New
Field | Value |
Profile Name | Corporate-8021X |
SSID | Corporate-WiFi |
Status | Enabled |
Security tab
Setting | Value |
Layer 2 Security | WPA + WPA2 |
WPA2 Policy | Enabled |
WPA2 Encryption | AES |
Auth Key Mgmt | 802.1X |
Layer 3 Security | None |
AAA Servers tab
Setting | Value |
Authentication Server 1 | XEOX PNAC (primary) |
Authentication Server 2 | XEOX PNAC (secondary) |
Accounting Server 1 | XEOX PNAC accounting |
CLI
(Cisco Controller) > config wlan create 1 Corporate-8021X Corporate-WiFi
(Cisco Controller) > config wlan security wpa enable 1
(Cisco Controller) > config wlan security wpa wpa2 enable 1
(Cisco Controller) > config wlan security wpa wpa2 ciphers aes enable 1
(Cisco Controller) > config wlan security wpa akm 802.1x enable 1
(Cisco Controller) > config wlan radius_server auth add 1 1
(Cisco Controller) > config wlan radius_server auth add 1 2
(Cisco Controller) > config wlan radius_server acct add 1 1
(Cisco Controller) > config wlan aaa-override enable 1
(Cisco Controller) > config wlan enable 1
The aaa-override line is what makes the WLC apply RADIUS-supplied VLAN (and other) attributes; the original sequence omitted it. The WLAN is created disabled, so the security commands are accepted before the final enable.
4. VLAN Assignment (Dynamic — RADIUS Override)
The WLC applies VLAN attributes returned by FreeRADIUS only when Allow AAA Override is enabled on the WLAN (WLANs → Edit → Advanced → Allow AAA Override, or config wlan aaa-override enable 1 as in the CLI above). Without it the attributes are silently ignored and every client lands on the WLAN's interface.
Ensure:
- The WLAN is mapped to a valid interface; this is where clients land when the Access-Accept carries no VLAN attributes.
- The RADIUS-supplied VLAN overrides that interface per client at association time.
The VLAN must:
- Exist as a Dynamic Interface (or a member of an interface group) with a matching VLAN ID on the WLC, for centrally switched WLANs, or
- Be carried on the AP's trunk and mapped in the FlexConnect VLAN mappings, for FlexConnect locally switched WLANs.
5. Guest / Fallback VLAN Behaviour
Condition | Behaviour |
RADIUS returns Access-Reject (unknown MAC, failed EAP) | Client is deauthenticated; no VLAN is assigned and the client gets no network access |
All RADIUS servers unreachable | 802.1X clients cannot authenticate; there is no wireless equivalent of the wired critical-auth VLAN, so run two XEOX PNAC servers (as configured above) and monitor their reachability |
Client has no 802.1X supplicant | Serve it from a separate WLAN with MAC filtering (see the MAB section below) |
Option B — Cisco Catalyst 9800 (IOS-XE)
1. Enable AAA
aaa new-model
aaa authentication dot1x WIRELESS-DOT1X group WIRELESS-RADIUS
aaa authorization network WIRELESS-AUTHZ group WIRELESS-RADIUS
aaa accounting identity WIRELESS-ACCT start-stop group WIRELESS-RADIUS
On the 9800, wireless client accounting uses the identity method (not dot1x); the accounting-list in the policy profile (step 4) refers to this list. WIRELESS-AUTHZ is the authorization list that mac-filtering references in the MAB section.
2. Configure RADIUS Servers
radius server XEOX-PNAC-PRIMARY
 address ipv4 192.168.128.245 auth-port 1812 acct-port 1813
 key PRESHAREDKEY
 timeout 5
 retransmit 3
radius server XEOX-PNAC-SECONDARY
 address ipv4 192.168.128.246 auth-port 1812 acct-port 1813
 key PRESHAREDKEY
 timeout 5
 retransmit 3
aaa group server radius WIRELESS-RADIUS
 server name XEOX-PNAC-PRIMARY
 server name XEOX-PNAC-SECONDARY
ip radius source-interface Vlan10
Vlan10 stands for whichever interface carries the address registered as NAS IP in XEOX PNAC; the two must agree or the requests are dropped as coming from an unknown client.
3. WLAN Profile (SSID)
wlan Corporate-WiFi 1 Corporate-WiFi
 security wpa wpa2
 no security wpa wpa2 ciphers tkip
 security wpa wpa2 ciphers aes
 no security wpa akm psk
 security wpa akm dot1x
 security dot1x authentication-list WIRELESS-DOT1X
 no shutdown
4. Policy Profile
wireless profile policy CORP-POLICY
 aaa-override
 accounting-list WIRELESS-ACCT
 vlan 1
 no shutdown
aaa-override is required for RADIUS-supplied VLAN, ACL and QoS attributes to be applied per client. vlan 1 is the profile's default client VLAN, used when the Access-Accept carries no VLAN attributes; set it to the VLAN you actually want such clients on, and make sure every VLAN RADIUS can return exists on the controller and is allowed on its uplink trunk.
5. Policy Tag
wireless tag policy CORP-POLICY-TAG
 wlan Corporate-WiFi policy CORP-POLICY
6. Apply Policy Tag to APs
ap <AP-MAC-address>
 policy-tag CORP-POLICY-TAG
 site-tag default-site-tag
 rf-tag default-rf-tag
Tag changes are disruptive to the AP's clients; apply them in a maintenance window.
MAC Authentication Bypass (MAB) — Fallback for Non-Supplicant Devices
When a device has no 802.1X supplicant, the controller can instead send the device's MAC address as both RADIUS User-Name and User-Password (the same exchange as wired MAB on Catalyst switches) and let XEOX PNAC validate it against the existing MAC database.
Caveat: on both platforms, enabling MAC filtering on a WPA2/802.1X WLAN adds a check rather than replacing one. The client must pass the MAC filter and then 802.1X, and a device without a supplicant cannot complete the WPA2-Enterprise key exchange at all. Put non-supplicant devices on a separate WLAN (WPA2-PSK, or open) with MAC filtering enabled, and keep them in a restricted VLAN: a MAC address is trivially spoofed, so MAC filtering alone is weak authentication. The commands below use WLAN 1 / Corporate-WiFi only to match the earlier examples; substitute the ID and profile of that separate WLAN.
AireOS
(Cisco Controller) > config wlan mac-filtering enable 1
Catalyst 9800
wlan Corporate-WiFi 1 Corporate-WiFi
 mac-filtering WIRELESS-AUTHZ
On the 9800, mac-filtering takes the name of an aaa authorization network list (WIRELESS-AUTHZ from the AAA section), not the dot1x authentication list.
XEOX PNAC receives the MAC address as User-Name and User-Password and validates it against the existing MAC database; no database changes are required. Two things must match, though: the MAC format the controller sends (delimiter and case; on AireOS set with config macfilter mac-delimiter) must be what the database lookup expects, and the policy must accept NAS-Port-Type = Wireless-802.11 as described under Important above. freeradius -X shows the User-Name exactly as received.
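The MAC-filtering decision as an added Python example (not XEOX PNAC or FreeRADIUS code). It normalises the MAC as different NAS types format it, requires User-Name and User-Password to carry the same MAC, looks the MAC up and returns the VLAN attributes, and accepts both NAS-Port-Type values; it also keeps the wired-only filter described under Important above, so the rejection of the WLC's request is visible next to the extended policy. The MAC database, both requests and the hyphen-delimited WLC format are constructed for the example, and the function names are the example's own.

```python
"""MAC-based authorization as XEOX PNAC performs it for MAC filtering
(wireless) and MAB (wired): the NAS sends the client MAC as both User-Name
and User-Password, and the server looks it up in the MAC database.

Added example, not XEOX PNAC or FreeRADIUS code.  It shows the two checks
that break first when a wired-only setup is extended to the WLC: the
NAS-Port-Type filter and the MAC formatting, which differs between NAS types
(colon, hyphen, dotted and bare forms, upper and lower case).  The sample
database and requests are constructed for the example.
"""
import re

NAS_PORT_TYPE_ETHERNET = 15        # RFC 2865 value sent by a switch port
NAS_PORT_TYPE_WIRELESS_80211 = 19  # RFC 2865 value sent by the WLC
ACCEPTED_PORT_TYPES = {NAS_PORT_TYPE_ETHERNET, NAS_PORT_TYPE_WIRELESS_80211}

# Constructed MAC database: canonical key -> reply attributes (VLAN to assign).
MAC_DATABASE = {
    "aabbccddeeff": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                     "Tunnel-Private-Group-Id": "25"},
    "001122334455": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                     "Tunnel-Private-Group-Id": "30"},
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(value):
    """Reduce any common NAS formatting of a MAC to 12 lowercase hex digits,
    or return None if the value is not a MAC at all (an EAP identity, say)."""
    digits = re.sub(r"[:\-\.\s]", "", value).lower()
    return digits if _MAC_RE.fullmatch(digits) else None


def authorize_mac(request, database=MAC_DATABASE):
    """Evaluate one Access-Request (attribute name -> value) the way a
    MAC-filtering policy must for both wired and wireless NAS types.

    Returns ("Access-Accept", reply_attributes) or ("Access-Reject", reason)."""
    port_type = request.get("NAS-Port-Type")
    if port_type not in ACCEPTED_PORT_TYPES:
        return "Access-Reject", "NAS-Port-Type %r not allowed by policy" % (port_type,)
    mac = canonical_mac(request.get("User-Name", ""))
    if mac is None:
        return "Access-Reject", "User-Name is not a MAC address"
    # MAB / MAC filtering sends the MAC as the password too.  A mismatch means
    # this is not a MAC-filtering request (an EAP identity, for instance) and
    # must not be authorized against the MAC database.
    if canonical_mac(request.get("User-Password", "")) != mac:
        return "Access-Reject", "User-Password does not match User-Name"
    reply = database.get(mac)
    if reply is None:
        return "Access-Reject", "MAC %s not in database" % mac
    return "Access-Accept", dict(reply)


def wired_only_policy(request, database=MAC_DATABASE):
    """The filter a wired-only deployment commonly has: identical to the
    above, but only NAS-Port-Type = Ethernet is accepted, so every request
    from the WLC is rejected before the MAC lookup runs."""
    if request.get("NAS-Port-Type") != NAS_PORT_TYPE_ETHERNET:
        return "Access-Reject", "NAS-Port-Type is not Ethernet"
    return authorize_mac(request, database)


# Constructed requests: a Catalyst switch port (bare lowercase MAC) and a WLC
# sending the same device with a hyphen delimiter (the delimiter is configurable).
SWITCH_REQUEST = {
    "User-Name": "aabbccddeeff", "User-Password": "aabbccddeeff",
    "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
    "Called-Station-Id": "00-11-22-33-44-55",
}
WLC_REQUEST = {
    "User-Name": "aa-bb-cc-dd-ee-ff", "User-Password": "aa-bb-cc-dd-ee-ff",
    "NAS-Port-Type": NAS_PORT_TYPE_WIRELESS_80211,
    "Called-Station-Id": "00-11-22-33-44-55:Corporate-WiFi",
}

if __name__ == "__main__":
    for name, req in (("switch", SWITCH_REQUEST), ("wlc", WLC_REQUEST)):
        print(name, "wired-only policy:", wired_only_policy(req))
        print(name, "extended policy:  ", authorize_mac(req))
```

Normalising on the server side, as `canonical_mac` does, means the database does not have to be reloaded when a new NAS type with a different MAC format is added; the User-Password cross-check keeps an 802.1X identity that happens to look like a MAC from being authorized through the MAC table.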
Verification
AireOS
show radius summary
show wlan 1
show client summary
show client detail <client-mac>
debug dot1x events enable
debug aaa events enable
Catalyst 9800
show wireless client summary
show wireless client mac-address <client-mac> detail
show aaa servers
show radius server-group WIRELESS-RADIUS
show radius statistics
debug radius authentication
XEOX PNAC / FreeRADIUS (Live Debug)
Stop the service and run FreeRADIUS in the foreground (-X) to watch each Access-Request and the reply attributes. The output shows User-Name, NAS-Port-Type and Called-Station-Id exactly as the WLC sends them, which is where to confirm the MAC format and the port-type filter. On Debian/Ubuntu the service and binary are named freeradius; on RHEL-based systems they are radiusd. Restart the service afterwards, since nothing answers the controllers while the foreground instance is stopped.
systemctl stop freeradius
freeradius -X
Key Differences vs Wired (Catalyst 3750 / 9200 / 9300)
Item | Wired (Catalyst) | Wireless (WLC) |
NAS device | Switch port | WLC, per WLAN |
NAS-Port-Type | Ethernet (15) | Wireless-802.11 (19) |
Called-Station-Id | Port identifier | AP MAC address, optionally followed by the SSID (configurable on the controller) |
Auth method | MAB (MAC credentials) | 802.1X/EAP; MAC filtering (MAC credentials) for non-supplicant devices on a separate WLAN |
Port control | Per switchport | Per WLAN (security settings, MAC filtering, AAA override) |
Guest VLAN (no supplicant) | authentication event no-response action authorize vlan | No equivalent; use a separate WLAN with MAC filtering |
Restricted VLAN (auth failed) | authentication event fail action authorize vlan | No equivalent; the client is rejected |
Configuration validated with:
- XEOX PNAC (FreeRADIUS 3.0)
- Cisco AireOS 8.10
- Cisco IOS-XE 17.9
