Ok, let me back up a little then. We are using a single radius server and we have a master local setup. We created 2 radius server profiles, 1 for the master and 1 for the local. We did not specify the NAS IP and identifier for each profile. However, we specified the IPs under the authentication>advanced under radius client NAS IP (setup in master the master's IP, and setup in local the local's IP). We did some packet captures through each controller and verified that the authentication requests sent to the radius are similar except the NAS-IPs and NAS-Identifiers (both are master's IPs or local's IP depending on source of authentication request) and some other attributes that are changing I believe based on the pre-shared key. Also, we verified that both master and local exist as clients in the radius server and that the pre-shared keys for each are correct. Clients associated to APs terminated directly to the master can successfully authenticate. However, clients associated to APs terminated to the local cannot successfully authenticate. When we looked at the radius logs when client through local tries to authenticate, it gives an "invalid message authentication and a shared secret key incorrect" error. We have verified that all radius attributes looks correct since they are similar to the master, pre-shared key is correct. What are we missing? We are using a 6.1.4.3 OS. Any thoughts?