DHCP Server Not Accessible in Second Cisco VLAN

I have configured a second VLAN in a Cisco 1130AG access point that uses PEAP. The original VLAN, which is the "Native VLAN", is configured for MAC authentication for Radio0-802.11G and Radio1-802.11A clients. The second VLAN is also configured for Radio0-802.11G and Radio1-802.11A clients. I am able to connect to the second SSID and successfully authenticate, showing that the encryption/authentication portion is configured correctly, as this event log from the DC/DNS/RADIUS server shows:

User OurDomain\Username was granted access.
Fully-Qualified-User-Name = OurDomain/Users/Username
NAS-IP-Address = x.x.x.x
NAS-Identifier = SDS-CISCO
Client-Friendly-Name = Cisco-1130AG
Client-IP-Address = x.x.x.x
Calling-Station-Identifier = 0021.xxxx.xxxx
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = xxxxxxxxxxx
Proxy-Policy-Name = Allow Access if dial-in permission is enabled
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Secure Wireless
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

When connecting to the second SSID, the second VLAN, the client is never able to get an IP address from the DHCP server. The Cisco is plugged into an unmanaged switch.

Are there any settings in the Cisco 1130AG which will allow both SSIDs to access the same DHCP server in the LAN and interact with other servers on the LAN? The "Network ID" for both SSIDs is blank. I read that a filter could be set up to redirect traffic to another IP, but it appears that is either all or nothing: any traffic not specifically defined in the filter will be dropped. I may be misunderstanding its usage.

We have a single-subnet LAN and our DHCP servers are located in the LAN.

I know I can eventually do away with the original VLAN and set up the new VLAN as the "Native VLAN", but I am wondering if there is any easy way to allow clients who connect on the more secure second VLAN (SSID) to participate on the LAN. There is no need for them to interact with clients on the other VLAN or SSID, just the ability to get an IP address from our DHCP server and have general connectivity to our LAN. If I can get both SSIDs functional on our LAN then I can better test the second VLAN before blowing away the original VLAN. Any assistance will be greatly appreciated.
kdearing Commented:
Your WAP is plugged into an unmanaged switch.
The switch cannot see tagged traffic, it is not VLAN-capable.

When you put 2 or more VLANs on a port, it becomes a trunk.
By default, every trunk has a native VLAN (usually VLAN1) and that traffic is not tagged; that's why your switch can only see VLAN1.
If you decide to change the native VLAN to VLAN2, then that traffic becomes untagged and the switch will see it (VLAN1 will become tagged).

This is why you need to have either:
1. a Layer-2 VLAN-capable switch (almost every managed and web-managed switch) + a router to route traffic between the VLANs
2. a Layer-3 switch; this will be VLAN-capable and will route traffic internally

Hope this explanation helps
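The tagging behaviour kdearing describes can be made concrete. The following is an added example, not code or configuration from the thread, Cisco, or the access point: it builds the frames an 802.1Q trunk port emits for each SSID's VLAN, with the native VLAN left untagged and every other VLAN carrying a 4-byte tag, then models a DHCP server behind a VLAN-unaware path that only ever processes untagged frames. The SSID-to-VLAN mapping, client MAC addresses and the DHCP Discover bytes are constructed here for illustration. In practice an unmanaged switch usually passes a tagged frame through untouched and the server's NIC (with no VLAN sub-interface) discards it; the model treats that and an outright drop the same way, since the effect on the client is identical.

```python
"""Model of an 802.1Q trunk feeding a VLAN-unaware (unmanaged) switch.

Added example for illustration; not Cisco code or configuration.
SSID_VLAN, the client MACs and the DHCP Discover bytes are constructed here.
"""
import struct

ETHERTYPE_VLAN = 0x8100          # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"  # BOOTP/DHCP magic cookie
BROADCAST = b"\xff" * 6

# Assumed mapping mirroring the thread: original SSID on VLAN 1, PEAP SSID on VLAN 2.
SSID_VLAN = {"ssid-mac-auth": 1, "ssid-peap": 2}


def build_dhcp_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTP/DHCP Discover body (IP/UDP headers omitted in this model)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    addrs = b"\x00" * 16                     # ciaddr, yiaddr, siaddr, giaddr
    chaddr = client_mac + b"\x00" * 10       # 16-byte client hardware address field
    sname_file = b"\x00" * 192               # sname (64) + file (128)
    options = DHCP_MAGIC + bytes([53, 1, 1, 255])   # option 53 = DHCPDISCOVER, then End
    return hdr + addrs + chaddr + sname_file + options


def build_frame(src_mac: bytes, vid: int, native_vid: int, payload: bytes) -> bytes:
    """Emit the frame as a trunk port would: native VLAN untagged, others 802.1Q-tagged."""
    if vid == native_vid:
        return BROADCAST + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vid & 0x0FFF                       # PCP 0, DEI 0, 12-bit VLAN ID
    return (BROADCAST + src_mac + struct.pack("!HH", ETHERTYPE_VLAN, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_frame(frame: bytes):
    """Return (vid_or_None, inner_ethertype, payload); vid is None when untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def is_dhcp_discover(payload: bytes) -> bool:
    """True if the payload is a DHCP Discover: op=1, magic cookie, option 53 == 1."""
    if len(payload) < 240 or payload[0] != 1 or payload[236:240] != DHCP_MAGIC:
        return False
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:
        code, length = payload[i], payload[i + 1]
        if code == 53:
            return payload[i + 2] == 1
        i += 2 + length
    return False


def vlan_unaware_dhcp_server(frame: bytes) -> bool:
    """A DHCP server reached through an unmanaged switch, with no VLAN sub-interfaces,
    only ever processes untagged frames; a tagged Discover is silently lost."""
    vid, ethertype, payload = parse_frame(frame)
    return vid is None and ethertype == ETHERTYPE_IPV4 and is_dhcp_discover(payload)


def ssids_that_get_dhcp(native_vid: int) -> set:
    """Which SSIDs can obtain a lease for a given native VLAN on the AP's trunk port."""
    served = set()
    for i, (ssid, vid) in enumerate(SSID_VLAN.items()):
        mac = bytes([0x00, 0x21, 0x00, 0x00, 0x00, i + 1])   # constructed client MAC
        frame = build_frame(mac, vid, native_vid, build_dhcp_discover(mac))
        if vlan_unaware_dhcp_server(frame):
            served.add(ssid)
    return served


if __name__ == "__main__":
    for native in (1, 2):
        print(f"native VLAN {native}: DHCP works for {sorted(ssids_that_get_dhcp(native))}")
```

Running it shows the swap the thread ends up at: with the native VLAN set to 1 only the original SSID's Discover arrives untagged and is answered, and after moving the native VLAN to 2 the roles flip, so exactly one SSID can ever get a lease through a VLAN-unaware switch. The only way both reach the server at once is for the device between the AP and the server to understand the tag, which is the managed or Layer-3 switch kdearing lists.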
adoughe (Author) Commented:
I hard-coded the IP address to an unused one in the LAN and connected via the new SSID. I was only able to ping my own IP address and nothing else, so the issue is not simply a DHCP (broadcast) issue. When I connect, the DC log shows a successful connection to the network, but now that I had an IP for the first time I just noticed the Cisco event log shows "Error Message DOT11-4-MAXRETRIES: Packet to client [characters] reached max retries, removing the client". A search for this error shows it is frequently seen due to a noisy RF channel, but the other SSID, which uses the same wireless hardware, always connects and works without issues. I suspect the lack of routing for two VLANs is the cause, but I am hoping someone can tell me an easy fix in the Cisco other than blowing away the original VLAN and letting the secure VLAN be the only VLAN, the Native VLAN.
You'll need either a Layer-3 switch or a VLAN-capable Layer-2 switch and a router.
adoughe (Author) Commented:
Thanks for your reply! From what I have read the Native VLAN is not tagged. In order to test the new VLAN after hours I plan on checking "Native VLAN" so that it becomes the Native VLAN. This, if I understand things correctly, will result in the original VLAN getting tagged and it will stop working in our environment, but the new VLAN will begin working. A backout will be to simply change the original VLAN to be the Native VLAN again. Is this correct? I will give you the points for my original question, but if you can provide this final answer it will be appreciated.
adoughe (Author) Commented:
I suspected as much, simply wanted confirmation before changing things in production. Thank you!