redmanjb
Cisco Aironet 1240AG with Two SSIDs - can connect to one but not the other.

Hello EE.  I'm trying to do a reconfiguration of our wireless infrastructure and am having some difficulties.  I have 4 Cisco Aironet 1240AGs, and am trying to configure them with two SSIDs.  One SSID (called WiFi) is for employees, set up with WPA2, TKIP, RADIUS authentication.  The other SSID (called Guest) is to be used for people visiting our company.  This SSID uses WPA2-PSK with TKIP.  Both SSIDs are attached to both Radios.

I have two VLANs set up, one for each SSID, and one VLAN allows Network/Internet, the other allows only Internet.  And these VLANs have been in use for a long time, and are configured correctly and are working with no problems.  I am absolutely certain that the VLANs are not the cause of any problem I am having.  The switch that the WAP is connected to is also configured correctly, with the port that the WAP connects to being tagged appropriately.  The switch has been triple-checked, and has not been modified since the previous AP was installed in a similar configuration with two SSIDs, both with WPA-PSK and neither using RADIUS.  One was attached to the VLAN with network access, the other SSID was attached to the VLAN with only internet access.

With the WiFi SSID with RADIUS authentication (using 2008 NPS), everything works great, people are connecting to it with no problem.  On my test laptops (XP and Vista), I am unable to connect to the Guest network.  I know the client side configuration is ok (WPA2-PSK, TKIP, and yes, I have the correct key typed in :)  ).  When I try to connect, all I get is "Waiting for the network..." for a minute, then it stops, and it never connects or gives me any other message.  I don't see anything on the WAP Event Log, nor on the client machine.  I've also tried WPA-PSK as well to no avail.
Any ideas?  Thanks guys! :)

Below is my config, with some info modified to protect the innocent:

!
! Last configuration change at 22:50:40 -0400 Thu Aug 13 2009 by tech
! NVRAM config last updated at 22:50:40 -0400 Thu Aug 13 2009 by tech
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP4
!
enable secret 5 blah$blah$blah$.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.10.10.101 auth-port 1645 acct-port 1646
 server 10.10.10.102 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local 
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
!
aaa session-id common
clock timezone -0500 -5
clock summer-time -0400 recurring
ip domain name corp.company
ip name-server 4.2.2.2
ip name-server 65.2.1.5
ip name-server 10.10.10.102
!
!
dot11 vlan-name guest vlan 99
dot11 vlan-name wifi vlan 98
!
dot11 ssid WiFi
   vlan 98
   authentication open eap eap_methods1 
   authentication key-management wpa version 2
   mobility network-id 98
!
dot11 ssid guest
   vlan 99
   authentication open 
   authentication key-management wpa version 2
   guest-mode
   mobility network-id 99
   wpa-psk ascii 7 blahblahblahblahblahblah
   information-element ssidl advertisement
!
power inline negotiation prestandard source
!
!
username tech privilege 15 password 7 blahblahblahblahblah
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip 
 !
 encryption vlan 98 mode ciphers tkip 
 !
 encryption vlan 99 mode ciphers tkip 
 !
 ssid WiFi
 !
 ssid guest
 !
 station-role root
!
interface Dot11Radio0.98
 encapsulation dot1Q 98 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip 
 !
 encryption vlan 98 mode ciphers tkip 
 !
 encryption vlan 99 mode ciphers tkip 
 !
 ssid WiFi
 !
 ssid guest
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.98
 encapsulation dot1Q 98 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.98
 encapsulation dot1Q 98 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
!
interface BVI1
 ip address 10.10.10.4 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.253
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1 
snmp-server community snmp1212123 RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.10.102 auth-port 1645 acct-port 1646 key 7 blahblahblahblah
radius-server host 10.10.10.101 auth-port 1645 acct-port 1646 key 7 blahblahblahblah
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 transport output all
line vty 0 4
 transport input all
 transport output all
line vty 5 15
 transport input all
 transport output all
!
sntp server 192.10.10.18
sntp broadcast client
end


netcmh

You're missing

dot11 mbssid

dot11 ssid guest
   mbssid guest-mode dtim-period 1
redmanjb (asker)

Thank you for the super-fast response! :)
Where would I put those lines?  I configured all from the Web Interface.  Would those lines be the same checking the box saying "Set SSID as Guest Mode" in the "Multiple BSSID Beacon Settings"?
Backup your working configs first. I don't use the gui much. But, it looks like you've got it.
Sorry netcmh, but where would I put those lines?  I'd like to try it the code way if possible.
you'll have to telnet into the device, and get into config mode

then, you can actually just copy and paste them as is.
Hmmm...didn't seem to fix anything, and I did see the changes that the commands had made in the web interface, by checking that check box and setting the DTIM.  Does my setup require Guest Mode, since both SSIDs use WPA, and the "guest" SSID is tied to the "guest" VLAN, and requires a pre-shared key?
here's my working config:
Current configuration : 3141 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wifi05
!
enable secret cisco
!
clock timezone Eastern -5
clock summer-time -0400 recurring
ip subnet-zero
no ip domain lookup
!
!
no aaa new-model
dot11 mbssid
!
dot11 ssid wifi1
   vlan 1
   authentication open
   authentication key-management wpa optional
   mbssid guest-mode dtim-period 1
   wpa-psk ascii batman
!
dot11 ssid wifi2
   vlan 100
   authentication open
   authentication key-management wpa optional
   mbssid dtim-period 1
   wpa-psk ascii robin
!
dot11 network-map
!
!
username cisco privilege 15 password cisco
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers tkip wep128
 !
 encryption vlan 1 mode ciphers tkip wep128
 !
 ssid wifi1
 !
 ssid wifi2
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 no cdp enable
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 no cdp enable
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server chassis-id wifi05
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps syslog
snmp-server host 192.168.1.1 breakme disassociate deauthenticate authenticate-fail rogue-ap wlan-wep syslog
no cdp run
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
sntp server 192.168.1.2
sntp broadcast client
end


Thank you for posting your config.  It's really different than my own however, so I have to do some reviewing.  Does my situation require Guest Mode?  Does it require BSSIDs?
ASKER CERTIFIED SOLUTION
netcmh
Unfortunately, no change, as this was already enabled.  Thank you very much for your patience netcmh.
There's a difference between

mbssid guest-mode

and

guest-mode
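A small config check that encodes netcmh's two points (the missing global "dot11 mbssid" from the first reply, and the difference between plain "guest-mode" and "mbssid guest-mode" above). This is an added example, not code from the thread or from Cisco; the config it parses is a constructed, trimmed copy of the asker's layout, and parse_ap_config/find_issues are hypothetical helper names.

```python
# Constructed sample, trimmed from the asker's layout; SSID names are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid WiFi
   authentication key-management wpa version 2
!
dot11 ssid guest
   authentication key-management wpa version 2
   guest-mode
!
interface Dot11Radio0
 ssid WiFi
 ssid guest
!
"""

def parse_ap_config(text):
    """Return (mbssid_enabled, {ssid: [sub-lines]}, {radio: [bound ssids]})."""
    mbssid, ssids, radios, block = False, {}, {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if line == "dot11 mbssid":
            mbssid = True
        elif line.startswith("dot11 ssid "):
            block = ("ssid", line.split(None, 2)[2])
            ssids[block[1]] = []
        elif line.startswith("interface Dot11Radio") and "." not in line:
            block = ("radio", line.split()[1])       # physical radio, not a dot1Q subinterface
            radios[block[1]] = []
        elif line.startswith(" ") and block:          # indented line inside the current block
            sub = line.strip()
            if block[0] == "ssid":
                ssids[block[1]].append(sub)
            elif sub.startswith("ssid "):
                radios[block[1]].append(sub[5:])
        else:                                         # "!" or any other top-level line ends a block
            block = None
    return mbssid, ssids, radios

def find_issues(text):
    """Flag the multi-SSID beaconing gaps raised in the thread (rules follow netcmh's advice)."""
    mbssid, ssids, radios = parse_ap_config(text)
    issues = []
    for radio, bound in radios.items():
        if len(bound) > 1 and not mbssid:
            issues.append(f"{radio}: {len(bound)} SSIDs bound but global 'dot11 mbssid' is missing")
    for name, subs in ssids.items():
        if mbssid and not any(s.startswith("mbssid guest-mode") for s in subs):
            issues.append(f"ssid {name}: lacks 'mbssid guest-mode', so it is not beaconed")
        if mbssid and "guest-mode" in subs:
            issues.append(f"ssid {name}: plain 'guest-mode' differs from 'mbssid guest-mode'")
    return issues
```

Run find_issues on a saved "show running-config" to see which of the two gaps a given AP still has.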
I typed the info in again, still no change, still cannot log into the "guest" SSID, but can to the other one...
And are you sure that I need to enable "guest mode" for the SSID that still requires a passphrase to connect?  Again, one SSID is tied to one VLAN that allows traversing our internal network, and uses RADIUS on an external RADIUS server...this works fine.  The other SSID that is problematic we call "guest", is tied to the VLAN that allows internet-only connectivity, and the people that use this must use the passphrase we provide...this isn't a "wifi hotspot", Starbucks-type of wide-open access we are providing for the general population.  What we are providing is simply a way for people that are visiting our business for meetings and such to be able to access the internet.  I'm not sure that "guest mode" is needed, or mbssids, etc.
Thank you again...
Is your mobility configured properly via wslm?
Hi netcmh.  I ended up resolving the problem accidentally.  Sorry, I really don't recall how I did it, but it is working fine now.  Thank you for your patience, and sorry I didn't get back to you sooner to close out this ticket.  Take care...