Cisco AAA Configuration on Autonomous AP – CLI

Enable AAA
aaa new-model

Create radius servers
radius server ISE-Server1
address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
key 0 password

radius server ISE-Server2
address ipv4 10.11.11.11 auth-port 1812 acct-port 1813
key 0 password

Create the radius group and add both radius servers
aaa group server radius ISE-ServerGroup
server name ISE-Server1
server name ISE-Server2

Create the authentication login method
aaa authentication login ISE-Login group ISE-ServerGroup

Configure wlan to use the authentication login method
dot11 ssid testISE
authentication open eap ISE-Login
authentication key-management wpa version 2
vlan 10
mbssid guest-mode

Add vlan 10 to sub-interface of radio (5GHz radio in this example)
int d1.10
encapsulation dot1q 10
bridge-group 10

Add wlan to a radio interface
int d1
encryption vlan 10 mode ciphers aes-ccm
ssid testISE
mbssid

If connecting to ISE, Add these two additional commands:
dot11 aaa authentication attributes service framed
radius-server attribute 32 include-in-access-request format %h (or %i for ip address or %d for domain)