Cisco wireless controllers are the backbone of enterprise WiFi deployments worldwide. Whether you are running a legacy AireOS WLC or the modern Catalyst 9800 series on IOS-XE, integrating with a Cloud RADIUS server enables centralized authentication, dynamic policy assignment, and certificate-based security across all your access points.
This guide covers the complete process of integrating Cisco wireless controllers with IronWiFi's Cloud RADIUS server for WPA-Enterprise authentication. We cover both the AireOS and Catalyst 9800 (IOS-XE) platforms with GUI and CLI instructions.
Why Use RADIUS with Cisco Wireless Controllers?
Cisco WLCs are designed for environments that require enterprise-grade authentication and policy enforcement. While PSK networks work for simple deployments, RADIUS-based 802.1X authentication unlocks the full potential of the Cisco wireless platform:
- Per-user identity and accountability: Every wireless session is tied to a specific user or device credential, enabling compliance-grade audit trails
- Dynamic VLAN assignment: RADIUS attributes place users on the correct network segment without manual configuration per device
- AAA override: RADIUS reply attributes can override WLAN-level settings including QoS, ACLs, session timeouts, and bandwidth contracts
- Certificate-based security: EAP-TLS eliminates credential theft by authenticating with client certificates
- Seamless directory integration: Cloud RADIUS connects to Microsoft Entra ID, Google Workspace, Okta, and LDAP for centralized user management
Cisco WLC Platforms Covered
This guide covers the two main Cisco wireless controller platforms:
- AireOS WLC: Cisco 3504, 5520, 8540, and virtual WLC (vWLC). GUI-driven configuration with a mature feature set
- Catalyst 9800 (IOS-XE): Catalyst 9800-40, 9800-80, 9800-L, 9800-CL (cloud). Policy-profile model with CLI and web UI. The modern platform replacing AireOS
Prerequisites
Before starting, ensure you have:
- Cisco wireless controller — AireOS WLC (software 8.5+) or Catalyst 9800 (IOS-XE 17.3+)
- Cisco access points — Any Cisco AP joined to the controller (Aironet, Catalyst Wi-Fi 6/6E series)
- IronWiFi account — sign in or start a tenant to get the RADIUS server IPs and shared secret
Step 3: Catalyst 9800 Configuration (IOS-XE)
The Catalyst 9800 uses a policy-profile architecture that separates WLAN definitions from security policies. RADIUS servers are defined globally, grouped into server groups, and then referenced in AAA method lists.
Define the RADIUS Server
```
! AAA must be enabled globally before a RADIUS server or server group can be
! defined, and 802.1X must be enabled system-wide for dot1x WLANs to authenticate
aaa new-model
dot1x system-auth-control
! Define the primary RADIUS server
radius server IRONWIFI-PRIMARY
 address ipv4 <IRONWIFI_PRIMARY_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
 timeout 10
! Define the secondary RADIUS server
radius server IRONWIFI-SECONDARY
 address ipv4 <IRONWIFI_SECONDARY_IP> auth-port 1812 acct-port 1813
 key <SHARED_SECRET>
 timeout 10
```
Create the Server Group and AAA Configuration
```
! Create RADIUS server group
aaa group server radius IRONWIFI-GROUP
 server name IRONWIFI-PRIMARY
 server name IRONWIFI-SECONDARY
! Configure AAA authentication method list
aaa authentication dot1x IRONWIFI-AUTH group IRONWIFI-GROUP
! Configure AAA accounting method list
aaa accounting identity IRONWIFI-ACCT start-stop group IRONWIFI-GROUP
! Configure AAA authorization (needed for RADIUS reply attributes to be applied)
aaa authorization network IRONWIFI-AUTHZ group IRONWIFI-GROUP
```
Create the WLAN
```
! Create the WLAN profile: wlan <profile-name> <wlan-id> <ssid>
wlan Corporate-WiFi 1 Corporate-WiFi
 security dot1x authentication-list IRONWIFI-AUTH
 security wpa wpa2
 security wpa wpa2 ciphers aes
 no shutdown
```
Create and Apply the Policy Profile
```
! Create the policy profile
wireless profile policy IRONWIFI-POLICY
 accounting-list IRONWIFI-ACCT
 vlan 20
 aaa-override
 no shutdown
! Create the policy tag and map WLAN to policy
wireless tag policy IRONWIFI-TAG
 wlan Corporate-WiFi policy IRONWIFI-POLICY
! Apply the tag to an AP (this is a privileged EXEC command, not a config-mode command)
ap name <AP-NAME> policy-tag IRONWIFI-TAG
```
Enable AAA Override
The aaa-override command in the policy profile is critical for dynamic VLAN assignment. Without it, RADIUS reply attributes like Tunnel-Private-Group-ID will be ignored, and all clients will land on the default VLAN configured in the policy profile.
| Feature | AireOS WLC | Catalyst 9800 |
|---|---|---|
| Configuration Model | WLAN-centric (flat) | Policy-profile (hierarchical) |
| RADIUS Assignment | Per-WLAN | Via AAA method lists |
| AAA Override | Per-WLAN Advanced tab | Per-policy profile |
| WPA3 Support | Limited (8.10+) | Full (17.3+) |
| FlexConnect RADIUS | Local/central switching | Flex profile |
| Platform Status | End of life (most models) | Current platform |
Step 4: Testing & Verification
Testing the Connection
- Connect a test device to the enterprise SSID
- Enter credentials (PEAP/MSCHAPv2) or ensure the client certificate is installed (EAP-TLS)
- Accept the server certificate on first connection (or pre-deploy via MDM)
- Verify the connection: Check the assigned IP address matches the expected VLAN subnet
Verification Commands
AireOS WLC:
```
# Show connected clients
show client summary
# Show client detail (including RADIUS attributes)
show client detail <MAC_ADDRESS>
# Show RADIUS server statistics
show radius summary
# Debug RADIUS (use with caution in production)
debug aaa all enable
```
Catalyst 9800:
```
# Show wireless client summary
show wireless client summary
# Show client detail
show wireless client mac-address <MAC_ADDRESS> detail
# Show RADIUS server status
show aaa servers
# Show AAA method lists
show aaa method-lists all
# Debug RADIUS transactions
debug radius all
```
Troubleshooting
Authentication Timeout
- Firewall blocking RADIUS: Verify UDP ports 1812 and 1813 are open from the WLC management IP to the RADIUS server
- Wrong NAS IP: The WLC's management interface IP must be registered as a NAS in IronWiFi. Verify the address with `show interface summary` (AireOS) or `show ip interface brief` (IOS-XE)
- MTU issues: RADIUS packets carrying EAP-TLS certificates can be large. Ensure there are no path MTU problems between the WLC and the RADIUS server
- Server timeout too low: Increase the RADIUS server timeout to 10 seconds for Cloud RADIUS over WAN links
Authentication Rejected
- Shared secret mismatch: The shared secret must match exactly between WLC and IronWiFi. Check for trailing spaces or copy-paste issues
- User not found: Verify the username exists in IronWiFi and is assigned to the correct network
- Certificate issues (EAP-TLS): Ensure the client certificate is signed by the CA configured in IronWiFi and has not expired
VLAN Not Applied
- AAA Override disabled: Enable AAA Override on the WLAN (AireOS) or add `aaa-override` to the policy profile (Catalyst 9800)
- VLAN not configured: The VLAN ID returned by RADIUS must exist on the WLC interface and on upstream trunk ports
- Missing tunnel attributes: Verify all three RADIUS attributes are returned: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6), and Tunnel-Private-Group-ID=<VLAN-ID>
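The two troubleshooting sections above describe what the WLC does with a RADIUS reply: it first validates the packet against the shared secret (a mismatch is a silent drop, which is why a wrong secret presents as a timeout rather than a reject), and only then reads the three tunnel attributes that drive the AAA override. The following Python models both checks offline. It is an added example, not IronWiFi or Cisco code; the shared secret, the Request Authenticator and the packets are constructed sample values, and the function names are this example's own.

```python
"""Offline model of the RADIUS Access-Accept a Cloud RADIUS server returns
for dynamic VLAN assignment, with the two checks the WLC applies to it.
Added illustration, not IronWiFi or Cisco code: the packet, the shared
secret and the Request Authenticator below are constructed sample values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
# Attribute types from RFC 2865, RFC 2868 and RFC 3579
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 80, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type=VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type=802

# Constructed sample values (not a real secret, not a captured packet)
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))  # stands in for the WLC's random Request Authenticator


def avp(attr_type, value):
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(blob):
    """Decode a run of attributes into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        length = blob[pos + 1]
        out.append((blob[pos], blob[pos + 2:pos + length]))
        pos += length
    return out


def vlan_attrs(vlan_id, tag=1):
    """The three RFC 2868 attributes needed for dynamic VLAN assignment.
    Tunnel-Type and Tunnel-Medium-Type are a tag byte plus a 3-byte integer;
    Tunnel-Private-Group-ID is the tag byte plus the VLAN as a string."""
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode()))


def build_access_accept(identifier, request_auth, secret, attrs):
    """Assemble an Access-Accept as a RADIUS server does.  Message-Authenticator
    (mandatory on EAP replies, RFC 3579) is HMAC-MD5 over the packet with its own
    value zeroed and the Request Authenticator in the authenticator field; the
    Response Authenticator (RFC 2865) is then MD5 over the finished packet + secret."""
    attrs_with_ma = attrs + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs_with_ma))
    ma = hmac.new(secret, header + request_auth + attrs_with_ma, hashlib.md5).digest()
    attrs_final = attrs + avp(MESSAGE_AUTHENTICATOR, ma)
    resp_auth = hashlib.md5(header + request_auth + attrs_final + secret).digest()
    return header + resp_auth + attrs_final


def verify_access_accept(packet, request_auth, secret):
    """The WLC's first check: recompute both authenticators with its own copy of
    the secret.  A failure is a silent drop, not an Access-Reject, so a secret
    that differs by one trailing space looks exactly like a server timeout."""
    if len(packet) < 20:
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    # Rebuild the attribute run with Message-Authenticator zeroed and check the HMAC
    zeroed, received_ma = b"", None
    for attr_type, value in parse_avps(attrs):
        if attr_type == MESSAGE_AUTHENTICATOR:
            received_ma, value = value, bytes(16)
        zeroed += avp(attr_type, value)
    if received_ma is None:
        return False
    expected_ma = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, received_ma)


def vlan_from_access_accept(packet):
    """The WLC's second check, mirroring the 'VLAN Not Applied' list: all three
    tunnel attributes must be present and name VLAN / 802.  Returns
    (Tunnel-Private-Group-ID as a string, list of problems)."""
    attrs = dict(parse_avps(packet[20:]))
    names = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
             TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}
    problems = ["missing %s" % name for t, name in names.items() if t not in attrs]
    if problems:
        return None, problems

    def untag(value):  # a leading byte of 0x00..0x1F is an RFC 2868 tag, not data
        return value[1:] if value and value[0] <= 0x1F else value

    if int.from_bytes(untag(attrs[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if int.from_bytes(untag(attrs[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 802 (6)")
    group = untag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", errors="replace")
    return (group if not problems else None), problems


if __name__ == "__main__":
    pkt = build_access_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, vlan_attrs(20))
    print("correct secret accepted:", verify_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("secret with trailing space accepted:",
          verify_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET + b" "))
    print("VLAN from a complete reply:", vlan_from_access_accept(pkt))
    # A reply missing Tunnel-Medium-Type leaves the client on the policy-profile VLAN
    partial = build_access_accept(8, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                                  avp(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big"))
                                  + avp(TUNNEL_PRIVATE_GROUP_ID, b"\x0120"))
    print("VLAN from an incomplete reply:", vlan_from_access_accept(partial))
```

When an authentication log on the RADIUS side shows an Access-Accept but the WLC reports a timeout, the `verify_access_accept` path is the one that failed: the reply arrived but the WLC could not authenticate it with its copy of the secret. When the WLC shows the client as authenticated but on the wrong VLAN, the `vlan_from_access_accept` path is the one to inspect, together with `aaa-override` in the policy profile.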
Checking Logs
- AireOS WLC: Use `debug aaa all enable` and `debug dot1x all enable` for real-time authentication tracing (disable after troubleshooting)
- Catalyst 9800: Use `debug radius all` and check `show wireless client mac-address <MAC> detail` for per-client status
- IronWiFi: Review the Authentication Log in the console for complete RADIUS transaction details, including accept/reject reasons and returned attributes
Frequently Asked Questions
Yes. Cisco AireOS WLCs fully support external RADIUS servers for 802.1X authentication. Navigate to Security > RADIUS > Authentication to add the Cloud RADIUS server IP, port (1812), and shared secret. You can configure primary and secondary servers for failover.
On the Catalyst 9800, use the `radius server` command to define each server, create a server group with `aaa group server radius`, reference the group from AAA method lists, and bind those lists to the WLAN (authentication) and the policy profile (accounting). The CLI commands include: `radius server IRONWIFI-PRIMARY`, `address ipv4 <IP> auth-port 1812 acct-port 1813`, and `key <shared-secret>`.
AireOS WLCs use a GUI-driven workflow where RADIUS servers are added under Security > RADIUS and then assigned to WLANs. Catalyst 9800 (IOS-XE) uses a policy-profile model where RADIUS servers are defined globally, grouped into server groups, and then referenced in AAA method lists that are applied to policy profiles.
RADIUS timeout errors on Cisco WLCs typically indicate network connectivity issues. Common causes: firewall blocking UDP 1812/1813, incorrect RADIUS server IP, the WLC management IP not registered as a NAS in the RADIUS server, shared secret mismatch, or MTU issues causing fragmented RADIUS packets to be dropped.
Yes. Configure the WLAN to allow AAA override (AireOS) or enable RADIUS-based VLAN assignment in the policy profile (Catalyst 9800). The RADIUS server returns Tunnel-Type=VLAN, Tunnel-Medium-Type=802, and Tunnel-Private-Group-ID=<VLAN-ID> attributes to dynamically assign the client to the appropriate VLAN.
