beaconmcse
asked on
Joining Guest-wireless SSID successfully but no ip address given
Recently I added a 2nd SSID to the wireless AP. It now has two SSIDs which are broadcasting. Both are in different VLANs and both are broadcasting; however, when I go to join the Guest_wireless SSID, it does the following. First it succeeds, then it doesn't get an IP address. See debug below.
%DOT11-6-ASSOC: Interface Dot11Radio0, Station a06c.ec0e.72c0 Associated KEY_MGMT[WPAv2 PSK]
dot11_auth_client_abort: Received abort request for client a06c.ec0e.72c0
dot11_auth_client_abort: No client entry to abort: a06c.ec0e.72c0 for application 0x1
%DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station a06c.ec0e.72c0 Reason: Sending station has left the BSS
On the phone device attempting to join the wireless, it connects but then gives this error.
"Failed to obtain an IP address."
Perhaps the configuration is wrong. I suspect it could be a VLAN issue with the SSID. Can anyone check the configuration below? It works fine connecting to the Corporate-wireless and an IP address is given, just not for Guest_wireless. Perhaps I missed something. Suggestions? I've included the wireless AP below with some lines removed for security purposes.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TestWifiAP
!
logging rate-limit console 9
no logging console
enable secret 5 (omitted)
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.1.x auth-port 1812 acct-port 1813
!
!
aaa group server radius rad_admin
server 192.168.1.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap1
server 192.168.1.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius (omitted)
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone Regina -6
ip domain name (omitted)
ip name-server 192.168.1.x
ip name-server 192.168.1.x
!
!
dot11 syslog
!
dot11 ssid TestGuestWireless
vlan 99
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 (key omitted)
!
dot11 ssid TestWifi
vlan 1
authentication open eap eap_methods1
authentication network-eap eap_methods1
authentication key-management wpa version 2
mbssid guest-mode
!
!
!
username robert privilege 15 secret 5 (omitted)
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 99 mode ciphers tkip
!
ssid TestGuestWireless
!
ssid TestWifi
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
!
interface BVI1
ip address 192.168.43.2 255.255.255.0
no ip route-cache
!
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cr-accis-read RO 1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.x auth-port 1812 acct-port 1813 key (omitted)
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
!
!
banner login ^CC
!!!Access to this wireless network device is restricted to members of the IS department only!!!
^C
!
line con 0
session-timeout 60
privilege level 15
logging synchronous
no activation-character
line vty 0 4
session-timeout 240
access-class 1 in
exec-timeout 120 0
logging synchronous
transport input telnet ssh
!
cns dhcp
end
Yes unless you need to create the VLAN on the router, and if you're using the router as the Guest VLAN's default gateway you'll also need to add an interface for the Guest VLAN, and create a DHCP pool for it.
ASKER
Would the line from the router configuration below conflict? I should be able to have both VLANs 1 & 99 get an IP address from the same DHCP scope that was created. There must be a way around this where both VLANs can use the same DHCP scope from the config.
interface wlan-ap0
description Service module interface to manage the embedded AP
"ip unnumbered Vlan1"
Both VLANs can't use the same IP subnet.
ASKER
In answer to your second question, the AP is bridged via a Cisco 861 Integrated router which has two configurations on it: one for the router and one for the wireless AP. The configuration for the integrated router is below. Perhaps I need to change or add another VLAN?
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname TestWifi
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 (omitted)
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CST -6
!
!
ip source-route
ip dhcp excluded-address 192.168.43.200 192.168.43.254
ip dhcp excluded-address 192.168.43.1 192.168.43.20
!
ip dhcp pool LAN
network 192.168.43.0 255.255.255.0
default-router 192.168.43.1
dns-server 192.168.1.x 192.168.1.x
domain-name (omitted)
lease 0 1
!
!
ip cef
ip domain name (omitted)
ip name-server 192.168.1.x
ip name-server 192.168.1.x
ip name-server 192.168.1.x
!
!
!
!
username robert privilege 15 secret 5 (omitted)
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key (omitted) address (omitted) no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 15 ipsec-isakmp
set peer (omitted)
set transform-set 3DES-SHA
set pfs group2
match address 100
!
archive
log config
hidekeys
!
!
ip tftp source-interface Vlan1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
shutdown
!
interface FastEthernet1
description Link to Switch
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
description Link to Cable Modem
ip address (omitted) 255.255.255.0
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map VPN
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description Virtual Interface for LAN
ip address 192.168.43.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (omitted)
ip route (omitted)
no ip http server
no ip http secure-server
!
!
logging trap debugging
logging 192.168.1.140
logging 192.168.1.207
access-list 1 permit (omitted)
access-list 1 remark SNMP and Remote Access
access-list 1 permit (omitted)
access-list 1 permit (omitted)
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny any log
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 deny ip any host (omitted)
access-list 100 permit ip any any
access-list 100 deny ip any host (omitted)
snmp-server community (omitted)
no cdp run
!
control-plane
!
alias exec dot11radio service-module wlan-ap 0 session
alias exec sis show interface status
!
line con 0
session-timeout 60
exec-timeout 30 0
logging synchronous
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
session-timeout 240
access-class 1 in
exec-timeout 30 0
logging synchronous
length 0
transport preferred none
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.168.1.207
end
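The check the replies in this thread describe (every SSID VLAN on the AP needs its own routed interface and DHCP pool on the router) can be automated. The script below is an added example, not part of the original thread: the function names are hypothetical, and the two config excerpts are constructed from the configurations posted above, with normal IOS indentation restored.

```python
import ipaddress
import re

# Constructed excerpts modelled on the AP and router configs posted in this thread.
AP_CONFIG = """\
dot11 ssid TestGuestWireless
 vlan 99
dot11 ssid TestWifi
 vlan 1
"""
ROUTER_CONFIG = """\
ip dhcp pool LAN
 network 192.168.43.0 255.255.255.0
 default-router 192.168.43.1
interface Vlan1
 ip address 192.168.43.1 255.255.255.0
"""

def ssid_vlans(ap_cfg):
    """Map each SSID name to the VLAN it is bound to on the AP."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^dot11 ssid (\S+)\n\s*vlan (\d+)", ap_cfg, re.M)}

def svi_networks(router_cfg):
    """Map VLAN id to the IP network of its 'interface Vlan<N>' on the router."""
    pat = r"^interface Vlan(\d+)\n(?:[ \t]+.*\n)*?[ \t]+ip address (\S+) (\S+)"
    return {int(m.group(1)): ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
            for m in re.finditer(pat, router_cfg, re.M)}

def dhcp_networks(router_cfg):
    """Return the networks served by 'ip dhcp pool' blocks."""
    pat = r"^ip dhcp pool \S+\n(?:[ \t]+.*\n)*?[ \t]+network (\S+) (\S+)"
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            for m in re.finditer(pat, router_cfg, re.M)]

def audit(ap_cfg, router_cfg):
    """Return one finding per SSID whose VLAN cannot hand out addresses."""
    svis, pools, findings = svi_networks(router_cfg), dhcp_networks(router_cfg), []
    for ssid, vlan in sorted(ssid_vlans(ap_cfg).items()):
        if vlan not in svis:
            findings.append(f"{ssid}: VLAN {vlan} has no routed interface on the router")
        elif svis[vlan] not in pools:
            findings.append(f"{ssid}: VLAN {vlan} subnet {svis[vlan]} has no DHCP pool")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(AP_CONFIG, ROUTER_CONFIG)) or "all SSID VLANs can lease addresses")
```

Run against the excerpts as posted, it flags TestGuestWireless because VLAN 99 exists only on the AP side.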