

DHCP Server Not Accessible in Second Cisco VLAN

Posted on 2011-03-09
Medium Priority
Last Modified: 2013-12-09
I have configured a second VLAN in a Cisco 1130AG access point that uses PEAP. The original VLAN, which is the "Native VLAN", is configured for MAC authentication for Radio0-802.11G and Radio1-802.11A clients. The second VLAN is also configured for Radio0-802.11G and Radio1-802.11A clients. I am able to connect to the second SSID and successfully authenticate, showing that the encryption/authentication portion is configured correctly, as this event log from the DC/DNS/RADIUS server shows:

User OurDomain\Username was granted access.
Fully-Qualified-User-Name = OurDomain/Users/Username
NAS-IP-Address = x.x.x.x
NAS-Identifier = SDS-CISCO
Client-Friendly-Name = Cisco-1130AG
Client-IP-Address = x.x.x.x
Calling-Station-Identifier = 0021.xxxx.xxxx
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = xxxxxxxxxxx
Proxy-Policy-Name = Allow Access if dial-in permission is enabled
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Secure Wireless
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

When connecting to the second SSID, the second VLAN, the client is never able to get an IP address from the DHCP server. The Cisco is plugged into an unmanaged switch.

Are there any settings in the Cisco 1130AG which will allow both SSIDs to access the same DHCP server in the LAN and interact with other servers on the LAN? The "Network ID" for both SSIDs is blank. I read that a filter could be set up to redirect traffic to another IP, but it appears that is either all or nothing: any traffic not specifically defined in the filter will be dropped. I may be misunderstanding its usage.

We have a single-subnet LAN and our DHCP servers are located in the LAN.

I know I can eventually do away with the original VLAN and set up the new VLAN as the "Native VLAN", but I am wondering if there is any easy way to allow clients who connect on the more secure second VLAN (SSID) to participate on the LAN. There is no need for them to interact with clients on the other VLAN or SSID, just the ability to get an IP address from our DHCP server and have general connectivity to our LAN. If I can get both SSIDs functional on our LAN then I can better test the second VLAN before blowing away the original VLAN. Any assistance will be greatly appreciated.
Question by:adoughe

Author Comment

ID: 35086999
I hard-coded the IP address to an unused one in the LAN and connected via the new SSID. I was only able to ping my own IP Address and nothing else so the issue is not simply a DHCP (broadcast) issue. When I connect the DC log shows a successful connection to the network but now that I had an IP for the first time I just noticed the Cisco event log shows "Error Message    DOT11-4-MAXRETRIES: Packet to client [characters] reached max retries, removing the client". A search for this error shows it is frequently seen due to a noisy RF channel but the other SSID, which uses the same wireless hardware, always connects and works without issues. I suspect the lack of routing for two VLANS is the cause but I am hoping someone can tell me an easy fix in the Cisco other than blowing away the original VLAN and letting the secure VLAN be the only VLAN, the Native VLAN.
LVL 13

Expert Comment

ID: 35089048
You'll need either a Layer-3 switch or a VLAN-capable Layer-2 switch and a router.

Author Comment

ID: 35095456

Thanks for your reply! From what I have read, the Native VLAN is not tagged. In order to test the new VLAN after hours I plan on checking "Native VLAN" so that it becomes the Native VLAN. This, if I understand things correctly, will result in the original VLAN getting tagged and it will stop working in our environment, but the new VLAN will begin working. A backout will be to simply change the original VLAN to be the Native VLAN again. Is this correct? I will give you the points for my original question, but if you can provide this final answer it will be appreciated.
LVL 13

Accepted Solution

kdearing earned 2000 total points
ID: 35095729
Your WAP is plugged into an unmanaged switch.
The switch cannot see tagged traffic, it is not VLAN-capable.

When you put 2 or more VLANs on a port, it becomes a trunk.
By default, every trunk has a native VLAN (usually VLAN1) and that traffic is not tagged; that's why your switch can only see VLAN1.
If you decide to change the native VLAN to VLAN2, then that traffic becomes untagged and the switch will see it (VLAN1 will become tagged).

This is why you need to have either:
1. a Layer-2 VLAN-capable switch (almost every managed and web-managed switch) + a router to route traffic between the VLANs
2. a Layer-3 switch; this will be VLAN-capable and will route traffic internally

Hope this explanation helps
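
The accepted solution above, and the asker's plan to make VLAN2 the native VLAN, both come down to one rule of an 802.1Q trunk: frames on the native VLAN leave untagged, every other VLAN gets a 4-byte tag inserted after the source MAC. The following is an added example written for this thread, not code from the Cisco AP or from either poster. It models that egress rule and a VLAN-unaware receiver (an unmanaged switch port or a server NIC without 802.1Q support) that only understands a frame whose EtherType field is a plain protocol such as IPv4. The MAC addresses, the frame payload and the helper names are all constructed for the example; a real DHCP Discover would carry IP/UDP headers, which are irrelevant to the tagging question.

```python
"""Model of 802.1Q trunk egress and a VLAN-unaware receiver (added example).

Shows why only the native VLAN of the access point's trunk works on a flat
LAN, and what flips when the native VLAN is changed from VLAN1 to VLAN2.
"""
import struct

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample frame (not captured traffic): a broadcast from a
# wireless client, standing in for a DHCP Discover.
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
CLIENT_MAC = bytes.fromhex("002100000001")            # placeholder station MAC
UNTAGGED_DISCOVER = (BROADCAST_MAC + CLIENT_MAC
                     + struct.pack("!H", ETHERTYPE_IPV4)
                     + b"DHCPDISCOVER-placeholder-payload")


def trunk_egress(frame: bytes, vid: int, native_vid: int, pcp: int = 0) -> bytes:
    """Frame leaving a trunk port: native VLAN stays untagged, others get a tag.

    The tag is TPID 0x8100 followed by the TCI (3-bit priority, 1-bit DEI,
    12-bit VLAN ID) inserted between the source MAC and the original EtherType.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if vid == native_vid:
        return frame                                   # untagged on the wire
    tci = (pcp << 13) | vid                            # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet header, recognising a single 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    outer_ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "outer_ethertype": outer_ethertype,
        "tagged": False,
        "vid": None,
        "ethertype": outer_ethertype,
    }
    if outer_ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vid=tci & 0x0FFF, ethertype=inner,
                    payload=frame[18:])
    else:
        info["payload"] = frame[14:]
    return info


def vlan_unaware_host_accepts(frame: bytes) -> bool:
    """A receiver without 802.1Q support reads bytes 12-13 as the EtherType.

    0x8100 is not a protocol it hands to its IP stack, so a tagged DHCP
    Discover never reaches the DHCP service; an untagged one does.
    """
    return parse_ethernet(frame)["outer_ethertype"] == ETHERTYPE_IPV4


def simulate(native_vid: int) -> dict:
    """Which of the AP's two VLANs reach the flat LAN for a given native VLAN."""
    return {vid: vlan_unaware_host_accepts(trunk_egress(UNTAGGED_DISCOVER, vid, native_vid))
            for vid in (1, 2)}


if __name__ == "__main__":
    for native in (1, 2):
        print(f"native VLAN {native}: reachable = {simulate(native)}")
    tagged = trunk_egress(UNTAGGED_DISCOVER, 2, native_vid=1)
    print("VLAN2 frame with native VLAN1:", parse_ethernet(tagged))
```

Running it shows the asker's observation and the proposed test in one table: with VLAN1 native, only VLAN1 clients reach the LAN; switching the native VLAN to VLAN2 flips the result, and VLAN1 stops working until the setting is reverted. Only a VLAN-aware switch (or a Layer-3 switch routing between the two) removes the "one untagged VLAN at a time" limit.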

Author Closing Comment

ID: 35095773
I suspected as much, simply wanted confirmation before changing things in production. Thank you!
