• Status: Solved
  • Priority: Medium
  • Security: Public

Configuring DHCP on Aironet 1250 Access Point


I configured a Cisco access point as a DHCP server using the following commands. The wireless clients are able to connect to the AP but cannot get an IP. The access point cannot issue IP addresses. What else should I do to get the AP to issue IPs?

no ip dhcp use vrf connected
ip dhcp excluded-address 10.183.158.1 10.183.158.80
!
ip dhcp pool WirelessClients
   network 10.183.158.0 255.255.255.128
   default-router 10.183.158.18
   dns-server 10.183.158.20
   domain-name go1.kworld.kpmg.com
   option 60 ascii "Cisco AP c1250"
   option 43 hex f104.0ab7.9e1c
   lease 3

Asked by: anyirongo

leibinusa Commented:
I do not think the problem is in the DHCP configuration. You need to paste the rest of the config.

anyirongo (Author) Commented:
Leibinusa, find the config below.

Current configuration : 4697 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP
!
enable secret 5 $1$/ZsI$5tNCCk6MwmI61itwi/m081
enable password 7 0725031E1E5B49
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name pppp.com
ip name-server 10.183.158.20
no ip dhcp use vrf connected
ip dhcp excluded-address 10.183.158.1 10.183.158.80
!
ip dhcp pool WirelessClients
   network 10.183.158.0 255.255.255.128
   default-router 10.183.158.18
   dns-server 10.183.158.20
   domain-name go1.kworld.kpmg.com
   option 60 ascii "Cisco AP c1250"
   option 43 hex f104.0ab7.9e1c
   lease 3
!
!
!
dot11 ssid ITSWireless
   authentication open
   guest-mode
!

!
dot11 ids mfp detector
dot11 network-map
!
crypto pki trustpoint TP-self-signed-1895452380
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1895452380
 revocation-check none
 rsakeypair TP-self-signed-1895452380
!
!
crypto pki certificate chain TP-self-signed-1895452380
 certificate self-signed 01
  quit
username Abraham privilege 15 password 7 1212151A1552555D73
username Aironet64 password 7 143D30595C567A
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid ITSWireless
 !
 antenna gain 100
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2.
 m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 station-role root
 world-mode dot11d country ZM both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid ITSWireless
 !
 no dfs band block
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6.
m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.183.158.28 255.255.255.128
 no ip route-cache
!
ip default-gateway 10.183.158.18
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

ampranti Commented:
Edit your config and delete your passwords....

The config looks correct.
Check your laptop: temporarily disable the firewall (if you use one). Maybe it is blocking DHCP...
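
An added example, not code from the thread: one way to strip secrets from an IOS config before posting it, as advised above. Strings stored by `service password-encryption` (type 7) are a reversible encoding rather than a hash, so they need removing just like cleartext. The sample config, its addresses and its placeholder values are constructed, and the rule set covers only the line types that appear in this thread.

```python
import re

# Constructed sample in this thread's config layout; all secrets are placeholders.
SAMPLE = """\
hostname AP
enable secret 5 $1$XXXX$PLACEHOLDERPLACEHOLDER
enable password 7 00PLACEHOLDER
crypto pki certificate chain TP-self-signed-0000000000
 certificate self-signed 01
  0A0B0C0D 0E0F1011 DEADBEEF 12131415
  DEADBEEF 16171819
  quit
username admin privilege 15 password 7 00PLACEHOLDER
interface BVI1
 ip address 192.0.2.28 255.255.255.128
radius-server host 192.0.2.19 auth-port 1645 acct-port 1646 key 7 00PLACEHOLDER
"""

# Each rule keeps the keyword and encoding type and matches only the value.
SECRET_RULES = [
    re.compile(r"^(\s*enable (?:secret|password)(?: \d+)?) \S+$"),
    re.compile(r"^(\s*username \S+.*? (?:password|secret)(?: \d+)?) \S+$"),
    re.compile(r"^(\s*radius-server .*\bkey(?: \d+)?) \S+$"),
]
MARK = "<removed>"

def sanitize(config):
    """Return the config with secret values and certificate bodies removed."""
    out, in_cert = [], False
    for line in config.splitlines():
        if in_cert:
            # Drop hex rows up to the "quit" that ends the certificate.
            if line.strip() == "quit":
                in_cert = False
                out.append(line)
            continue
        if re.match(r"^\s*certificate \S", line):
            in_cert = True
            out.extend([line, "  " + MARK])
            continue
        for rule in SECRET_RULES:
            if rule.match(line):
                line = rule.sub(r"\1 " + MARK, line)
                break
        out.append(line)
    return "\n".join(out) + "\n"

def leaked_lines(config):
    """Lines that still carry a secret value; an empty list means none found."""
    return [l for l in config.splitlines()
            if MARK not in l and any(r.match(l) for r in SECRET_RULES)]

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Running `leaked_lines()` on the text about to be pasted is a quick last check; credentials that have already been published should be changed on the device as well.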

anyirongo (Author) Commented:
Even other computers do not get DHCP; it's not just my laptop.

ampranti Commented:
If you use a static IP address on your laptop, can you ping the gateway?

anyirongo (Author) Commented:
If I use a commercial wireless network, I am able to get DHCP. Could it be something to do with certificates? My WLAN has certificates distributed to all computers on the WLAN.

anyirongo (Author) Commented:
Yes, I can ping the gateway from my laptop as well as from the AP.

ampranti Commented:
From the config I see you should have disabled 802.1x authentication on your wireless adapter.
The posted config isn't using certificates (or any kind of 802.1x authentication).

ampranti Commented:
Try also this:

conf t
ip dhcp pool WirelessClients
no option 60 ascii "Cisco AP c1250"
no option 43 hex f104.0ab7.9e1c
no lease 3
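
An added example, not part of the thread: a check of the posted DHCP stanza that computes the leasable range and decodes option 43. Sub-option 0xf1 is the controller-address list that Cisco lightweight APs read from option 43; here it decodes to 10.183.158.28, the same address as BVI1 in the posted config. The function names are hypothetical.

```python
import ipaddress
import re

# DHCP lines copied from the config posted in the question.
POOL = """\
ip dhcp excluded-address 10.183.158.1 10.183.158.80
ip dhcp pool WirelessClients
   network 10.183.158.0 255.255.255.128
   default-router 10.183.158.18
   dns-server 10.183.158.20
   option 60 ascii "Cisco AP c1250"
   option 43 hex f104.0ab7.9e1c
"""

def leasable(cfg):
    """Host addresses of the pool network that are not excluded."""
    net, mask = re.search(r"network (\S+) (\S+)", cfg).groups()
    lo, hi = (ipaddress.ip_address(a) for a in
              re.search(r"excluded-address (\S+) (\S+)", cfg).groups())
    hosts = ipaddress.ip_network(f"{net}/{mask}").hosts()
    return [h for h in hosts if not lo <= h <= hi]

def served_addresses(cfg):
    """Router and DNS addresses advertised to clients."""
    return [ipaddress.ip_address(a) for a in
            re.findall(r"(?:default-router|dns-server) (\S+)", cfg)]

def decode_option43(cfg):
    """Decode option 43 as type/length/value sub-options.

    Sub-option 0xf1 (read by Cisco lightweight APs) is decoded as a list of
    4-byte controller addresses; other types are returned as raw bytes.
    """
    hexstr = re.search(r"option 43 hex (\S+)", cfg).group(1).replace(".", "")
    data, out, i = bytes.fromhex(hexstr), [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        kind, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds option data")
        if kind == 0xF1:
            if length % 4:
                raise ValueError("0xf1 length must be a multiple of 4")
            value = [ipaddress.IPv4Address(value[j:j + 4])
                     for j in range(0, length, 4)]
        out.append((kind, value))
        i += 2 + length
    return out

if __name__ == "__main__":
    print(len(leasable(POOL)), decode_option43(POOL))
```

With the posted values the pool can lease 10.183.158.81 through 10.183.158.126, and the router and DNS addresses fall inside the excluded range.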

anyirongo (Author) Commented:
Do I need these commands below?

crypto pki trustpoint TP-self-signed-1895452380
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1895452380
 revocation-check none
 rsakeypair TP-self-signed-1895452380
!
!
crypto pki certificate chain TP-self-signed-1895452380
 certificate self-signed 01

ampranti Commented:
This is the key used for HTTPS or SSH (currently you are using HTTPS --> "ip http secure-server").

anyirongo (Author) Commented:
Certificates are configured on the Windows AD and not on the AP. Does the AP also need to get a certificate?

Which config shows disabled 802.1x authentication to the wireless adapter?

ampranti Commented:
dot11 ssid ITSWireless
   authentication open
   guest-mode

Authentication is open, without 802.1x authentication.

If it required certification, it should look like this:
 ssid ssid_here
    authentication network-eap eap_methods1

with a lot more stuff above it...

anyirongo (Author) Commented:
I have made some changes as you have suggested. My config now looks like this below. My laptop tries to search for an IP, then fails this time.
Current configuration : 4814 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.183.158.19 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name pppp.com
ip name-server 10.183.158.20
no ip dhcp use vrf connected
ip dhcp excluded-address 10.183.158.1 10.183.158.80
!
ip dhcp pool WirelessClients
   network 10.183.158.0 255.255.255.128
   default-router 10.183.158.18
   dns-server 10.183.158.20
   domain-name pppp.com
!
!
!
dot11 ssid ITSWireless
   authentication open eap eap_methods
   authentication network-eap eap_methods
!
dot11 ids mfp detector
dot11 network-map
!
crypto pki trustpoint TP-self-signed-1895452380
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1895452380
 revocation-check none
 rsakeypair TP-self-signed-1895452380
!
!
crypto pki certificate chain TP-self-signed-1895452380
 certificate self-signed 01
  quit

!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid ITSWireless
 !
 antenna gain 100
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2.
 m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 station-role root
 world-mode dot11d country ZM both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 !
 ssid ITSWireless
 !
 no dfs band block
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6.
m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.183.158.28 255.255.255.128
 no ip route-cache
!
ip default-gateway 10.183.158.18
no ip http server
ip http secure-server

ampranti Commented:
Argg, I didn't say to use the above commands!!!

conf t
no aaa new-model
aaa new-model
no dot11 ssid ITSWireless
dot11 ssid ITSWireless
   authentication open
ip http authent local
int dot0
 no encryption mode wep mandatory
 ssid ITSWireless

The above commands will create an UNENCRYPTED & WITHOUT AUTHENTICATION WIRELESS NETWORK. Try these and check if you get an IP address.

Configuring a wireless network for 802.1x is a huge task...

anyirongo (Author) Commented:
Still not working.

ampranti Commented:
Can you post the current config of the AP?

anyirongo (Author) Commented:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.183.158.19 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name pppp.com
ip name-server 10.183.158.20
no ip dhcp use vrf connected
ip dhcp excluded-address 10.183.158.1 10.183.158.80
!
ip dhcp pool WirelessClients
   network 10.183.158.0 255.255.255.128
   default-router 10.183.158.18
   dns-server 10.183.158.20
   domain-name pppp.com
!
!
!
dot11 ssid ITSWireless
   authentication open
!
dot11 ids mfp detector
dot11 network-map
!
crypto pki trustpoint TP-self-signed-1895452380
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1895452380
 revocation-check none
 rsakeypair TP-self-signed-1895452380
!
!
crypto pki certificate chain TP-self-signed-1895452380
 certificate self-signed 01
  quit

!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid ITSWireless
 !
 antenna gain 100
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2.
 m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 station-role root
 world-mode dot11d country ZM both
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode wep mandatory
 no dfs band block
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6.
m7. m8. m9. m10. m11. m12. m13. m14. m15.
 power client local
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.183.158.28 255.255.255.128
 no ip route-cache
!
ip default-gateway 10.183.158.18
no ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.183.158.19 auth-port 1645 acct-port 1646 key 7 130E071F0C5
D56797F
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

ampranti Commented:
I tried the above configuration on a Cisco 1242 and it works perfectly.
I don't know...

anyirongo (Author) Commented:
Thanks, will keep trying.

ampranti Commented:
Are you using an 802.11b/g or 802.11a network?

anyirongo (Author) Commented:
Using 802.11 b/g.

anyirongo (Author) Commented:
I tried to disable the Windows Zero Configuration service and used the Intel PROSet/Wireless software, and it's working fine. Not sure where the problem is.

Thanks

ampranti Commented:
nice :)

anyirongo (Author) Commented:
What authentication config should I use on my laptop and AP?

ampranti Commented:
For small/SOHO installations, prefer WPA2-PSK (pre-shared key).

anyirongo (Author) Commented:
Sorry for network authentication. I have 20 users.

anyirongo (Author) Commented:
What would be the correct command if I want to use

Network Authentication - WPA2
Encryption - WEP

ampranti Commented:
WPA2 is used for encryption, not for authentication.
WEP for encryption is obsolete and shouldn't be used.

Start a new question for that, it is huge!
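
An added example, not code from the thread: a small audit that flags the two conditions discussed above, WEP on a radio and an open SSID with no encryption, in an autonomous AP config. The `HARDENED` sample is an assumed WPA2-PSK layout in Aironet IOS syntax with placeholder names; verify it against the command reference for the image in use.

```python
import re

# Constructed sample built from command lines in the configs posted here.
WEAK = """\
dot11 ssid ITSWireless
   authentication open
!
interface Dot11Radio0
 ssid ITSWireless
!
interface Dot11Radio1
 encryption mode wep mandatory
 ssid ITSWireless
"""

# Assumed WPA2-PSK layout (autonomous AP IOS syntax, not from the page).
HARDENED = """\
dot11 ssid ExampleSSID
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 PASSPHRASE-PLACEHOLDER
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid ExampleSSID
"""

def parse(cfg):
    """Collect the sub-commands of each dot11 ssid and Dot11Radio block."""
    ssids, radios, cur = {}, {}, None
    for raw in cfg.splitlines():
        if not raw.startswith(" "):      # top-level line: new block or none
            m = re.match(r"(dot11 ssid|interface) (\S+)", raw)
            cur = None
            if m and m.group(1) == "dot11 ssid":
                cur = ssids.setdefault(m.group(2), [])
            elif m and m.group(2).startswith("Dot11Radio"):
                cur = radios.setdefault(m.group(2), [])
        elif cur is not None and raw.strip() != "!":
            cur.append(raw.strip())
    return ssids, radios

def audit(cfg):
    """Return (radio, finding) pairs for WEP and open, unencrypted SSIDs."""
    ssids, radios = parse(cfg)
    findings = []
    for radio, lines in radios.items():
        ciphers = [l for l in lines if l.startswith("encryption ")]
        if any(" wep" in c for c in ciphers):
            findings.append((radio, "WEP encryption"))
        for name in (l[5:] for l in lines if l.startswith("ssid ")):
            if "authentication open" in ssids.get(name, []) and not ciphers:
                findings.append((radio, f"SSID {name} is open and unencrypted"))
    return findings
```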

anyirongo (Author) Commented:
Good solution.