DHCP Server Not Accessible in Second Cisco VLAN
Posted on 2011-03-09
I have configured a second VLAN in a Cisco 1130AG access point that uses PEAP. The original VLAN, which is the "Native VLAN", is configured for MAC authentication for Radio0-802.11G and Radio1-802.11A clients. The second VLAN is also configured for Radio0-802.11G and Radio1-802.11A clients. I am able to connect to the second SSID and successfully authenticate, showing that the encryption/authentication portion is configured correctly, as this event log from the DC/DNS/RADIUS server shows:
User OurDomain\Username was granted access.
Fully-Qualified-User-Name = OurDomain/Users/Username
NAS-IP-Address = x.x.x.x
NAS-Identifier = SDS-CISCO
Client-Friendly-Name = Cisco-1130AG
Client-IP-Address = x.x.x.x
Calling-Station-Identifier = 0021.xxxx.xxxx
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = xxxxxxxxxxx
Proxy-Policy-Name = Allow Access if dial-in permission is enabled
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Secure Wireless
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
When connecting to the second SSID, the second VLAN, the client is never able to get an IP address from the DHCP server. The Cisco is plugged into an unmanaged switch.
Are there any settings in the Cisco 1130AG which will allow both SSIDs to access the same DHCP server in the LAN and interact with other servers on the LAN? The "Network ID" for both SSIDs is blank. I read that a filter could be set up to redirect traffic to another IP, but it appears that is all or nothing; any traffic not specifically defined in the filter will be dropped. I may be misunderstanding its usage.
We have a single-subnet LAN and our DHCP servers are located in the LAN.
I know I can eventually do away with the original VLAN and set up the new VLAN as the "Native VLAN", but I am wondering if there is any easy way to allow clients who connect on the more secure second VLAN (SSID) to participate on the LAN. There is no need for them to interact with clients on the other VLAN or SSID, just the ability to get an IP address from our DHCP server and have general connectivity to our LAN. If I can get both SSIDs functional on our LAN, then I can better test the second VLAN before blowing away the original VLAN. Any assistance will be greatly appreciated.