Solved

DHCP Server Not Accessible in Second Cisco VLAN

Posted on 2011-03-09
Last Modified: 2013-12-09
I have configured a second VLAN in a Cisco 1130AG access point that uses PEAP. The original VLAN, which is the "Native VLAN", is configured for MAC authentication for Radio0-802.11G and Radio1-802.11A clients. The second VLAN is also configured for Radio0-802.11G and Radio1-802.11A clients. I am able to connect to the second SSID and successfully authenticate, showing that the encryption/authentication portion is configured correctly, as this event log from the DC/DNS/RADIUS server shows:

User OurDomain\Username was granted access.
Fully-Qualified-User-Name = OurDomain/Users/Username
NAS-IP-Address = x.x.x.x
NAS-Identifier = SDS-CISCO
Client-Friendly-Name = Cisco-1130AG
Client-IP-Address = x.x.x.x
Calling-Station-Identifier = 0021.xxxx.xxxx
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = xxxxxxxxxxx
Proxy-Policy-Name = Allow Access if dial-in permission is enabled
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Secure Wireless
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

When connecting to the second SSID, the second VLAN, the client is never able to get an IP address from the DHCP server. The Cisco is plugged into an unmanaged switch.

Are there any settings in the Cisco 1130AG which will allow both SSIDs to access the same DHCP server in the LAN and interact with other servers on the LAN? The "Network ID" for both SSIDs is blank. I read that a filter could be set up to redirect traffic to another IP, but it appears that is either all or nothing: any traffic not specifically defined in the filter will be dropped. I may be misunderstanding its usage.

We have a single-subnet LAN and our DHCP servers are located in the LAN.

I know I can eventually do away with the original VLAN and set up the new VLAN as the "Native VLAN", but I am wondering if there is any easy way to allow clients who connect on the more secure second VLAN (SSID) to participate on the LAN. There is no need for them to interact with clients on the other VLAN or SSID, just the ability to get an IP address from our DHCP server and have general connectivity to our LAN. If I can get both SSIDs functional on our LAN then I can better test the second VLAN before blowing away the original VLAN. Any assistance will be greatly appreciated.
Question by: adoughe

Author Comment by adoughe (ID: 35086999)
I hard-coded the IP address to an unused one in the LAN and connected via the new SSID. I was only able to ping my own IP address and nothing else, so the issue is not simply a DHCP (broadcast) issue. When I connect, the DC log shows a successful connection to the network, but now that I had an IP for the first time I just noticed the Cisco event log shows "Error Message    DOT11-4-MAXRETRIES: Packet to client [characters] reached max retries, removing the client". A search for this error shows it is frequently seen due to a noisy RF channel, but the other SSID, which uses the same wireless hardware, always connects and works without issues. I suspect the lack of routing for two VLANs is the cause, but I am hoping someone can tell me an easy fix in the Cisco other than blowing away the original VLAN and letting the secure VLAN be the only VLAN, the Native VLAN.
Expert Comment by kdearing (ID: 35089048)
You'll need either a Layer-3 switch or a VLAN-capable Layer-2 switch and a router.
Author Comment by adoughe (ID: 35095456)
kdearing,

Thanks for your reply! From what I have read, the Native VLAN is not tagged. In order to test the new VLAN after hours I plan on checking "Native VLAN" so that it becomes the Native VLAN. This, if I understand things correctly, will result in the original VLAN getting tagged and it will stop working in our environment, but the new VLAN will begin working. A backout will be to simply change the original VLAN to be the Native VLAN again. Is this correct? I will give you the points for my original question, but if you can provide this final answer it will be appreciated.
Accepted Solution by kdearing (earned 500 total points, ID: 35095729)
Your WAP is plugged into an unmanaged switch.
The switch cannot see tagged traffic, it is not VLAN-capable.

When you put 2 or more VLANs on a port, it becomes a trunk.
By default, every trunk has a native VLAN (usually VLAN1) and that traffic is not tagged; that's why your switch can only see VLAN1.
If you decide to change the native VLAN to VLAN2, then that traffic becomes untagged and the switch will see it (VLAN1 will become tagged).

This is why you need to have either:
1. a Layer-2 VLAN-capable switch (almost every managed and web-managed switch) + a router to route traffic between the VLANs
2. a Layer-3 switch; this will be VLAN-capable and will route traffic internally

Hope this explanation helps.
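As an added illustration of the two options above (this is not configuration from the thread or from the asker's access point), here is the shape the pieces take in Cisco IOS syntax: the autonomous 1130AG mapping the PEAP SSID to its own VLAN and bridge group while VLAN 1 stays native and untagged, a managed switch carrying both VLANs to the AP and to a router as an 802.1Q trunk, and a router sub-interface that gives VLAN 2 its own subnet and relays DHCP requests to the existing server. SSID name, VLAN numbers, interface names and all IP addresses (RFC 5737 documentation ranges) are placeholders, and the AAA method list name eap_methods is assumed to already point at the RADIUS server.

```cisco
! ===== Cisco 1130AG (autonomous IOS): one SSID per VLAN =====
! The original native-VLAN SSID (MAC authentication) is left unchanged;
! only the PEAP SSID and its VLAN 2 plumbing are shown. Repeat the
! Dot11Radio0 blocks for Dot11Radio1 to serve 802.11A clients too.
dot11 ssid SecureWiFi
   vlan 2
   authentication open eap eap_methods
   authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 ssid SecureWiFi
!
! VLAN 1 is native: sent untagged, carries the original SSID and the
! AP's own management address on BVI1. This is the only traffic an
! unmanaged switch passes through correctly.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
! VLAN 2 is sent with an 802.1Q tag, so the Ethernet uplink becomes a
! trunk and the switch behind it must understand tags.
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2

! ===== Option 1: managed Layer-2 switch + router =====
vlan 2
 name SecureWireless
!
interface FastEthernet0/1
 description Uplink to Cisco 1130AG (trunk, VLAN 1 native)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
interface FastEthernet0/2
 description Uplink to router (router-on-a-stick)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
! Router: VLAN 2 gets its own subnet. 198.51.100.10 stands for the
! existing DC/DNS/DHCP server on VLAN 1; ip helper-address turns the
! DHCP broadcast from VLAN 2 into a unicast relay to that server, which
! then needs a second scope for 192.0.2.0/24.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10

! ===== Option 2: Layer-3 switch routes between the VLANs itself =====
! Same AP configuration and the same trunk port toward the AP; the
! router sub-interfaces are replaced by a switched virtual interface.
ip routing
!
interface Vlan2
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
```

On switches that only support 802.1Q the `switchport trunk encapsulation dot1q` command is not needed and is rejected, which is why it is omitted above. The router sub-interface (or the Vlan2 SVI) is also the natural place for an access list if the PEAP clients should only reach the DHCP, DNS and file servers rather than the whole LAN; without one, VLAN 2 has the general LAN connectivity the question asks for.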
Author Closing Comment by adoughe (ID: 35095773)
I suspected as much, simply wanted confirmation before changing things in production. Thank you!