Solved

Joining Guest-wireless SSID successfully but no ip address given

Posted on 2013-06-03
5
805 Views
Last Modified: 2013-10-07
Recently I added a 2nd SSID to the wireless AP. It now has two SSIDs which are broadcasting. Both are in different VLANs and both are broadcasting, however when I go to join the Guest_wireless SSID, it does the following. First it succeeds, then it doesn't get an ip address. See debug below.

%DOT11-6-ASSOC: Interface Dot11Radio0, Station  a06c.ec0e.72c0 Associated KEY_MGMT[WPAv2 PSK]

dot11_auth_client_abort: Received abort request for client a06c.ec0e.72c0
dot11_auth_client_abort: No client entry to abort: a06c.ec0e.72c0 for application 0x1
%DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station a06c.ec0e.72c0 Reason: Sending station has left the BSS

On the phone device attempting to join the wireless, it connects but then gives this error.
"Failed to obtain an IP address."

Perhaps the configuration is wrong. I suspect it could be a vlan issue with SSID. Can anyone check the configuration below? It works fine connecting to the Corporate-wireless and an IP address is given, just not for Guest_wireless. Perhaps I missed something. Suggestions? I've included the wireless AP below with some lines removed for security purposes.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TestWifiAP
!
logging rate-limit console 9
no logging console
enable secret 5 (omitted)
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.1.x auth-port 1812 acct-port 1813
!
!
aaa group server radius rad_admin
 server 192.168.1.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap1
 server 192.168.1.x auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius (omitted)
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone Regina -6
ip domain name (omitted)
ip name-server 192.168.1.x
ip name-server 192.168.1.x
!
!
dot11 syslog
!
dot11 ssid TestGuestWireless
   vlan 99
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 (key omitted)
!
dot11 ssid TestWifi
   vlan 1
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
!
username robert privilege 15 secret 5 (omitted)
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 99 mode ciphers tkip
 !
 ssid TestGuestWireless
 !
 ssid TestWifi
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
!
interface BVI1
 ip address 192.168.43.2 255.255.255.0
 no ip route-cache
!
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cr-accis-read RO 1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.x auth-port 1812 acct-port 1813 key (ommitted)
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
!
!
banner login ^CC
!!!Access to this wireless network device is restricted to members of the IS department only!!!
^C
!
line con 0
 session-timeout 60
 privilege level 15
 logging synchronous
 no activation-character
line vty 0 4
 session-timeout 240
 access-class 1 in
 exec-timeout 120 0
 logging synchronous
 transport input telnet ssh
!
cns dhcp
end
0
Comment
Question by:beaconmcse
  • 3
  • 2
5 Comments
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
Comment Utility
Firstly, you've configured WPA2 but you're using TKIP for encryption.  I'd suggest you use AES only with WPA2, as some clients don't like to use TKIP with WPA2.  Similarly, clients don't like to use AES with WPA1.

Second, what are you connecting the AP to?  Does VLAN99 exist on your switch and router?
0
 

Author Comment

by:beaconmcse
Comment Utility
Thanks for your suggestion regarding the encryption. The WPA2 encryption ciphers for Guest wireless was changed to AES-CCM

In answer to your second question, the AP is bridged via Cisco 861 Integrated router which has two configurations on it. One for the router and one for the wireless AP. The configuration for the integrated router is below. Perhaps I need to change or add another VLAN?

version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname TestWifi
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 (omitted)
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CST -6
!
!
ip source-route
ip dhcp excluded-address 192.168.43.200 192.168.43.254
ip dhcp excluded-address 192.168.43.1 192.168.43.20
!
ip dhcp pool LAN
   network 192.168.43.0 255.255.255.0
   default-router 192.168.43.1
   dns-server 192.168.1.x 192.168.1.x
   domain-name (omitted)
   lease 0 1
!
!
ip cef
ip domain name (omitted)
ip name-server 192.168.1.x
ip name-server 192.168.1.x
ip name-server 192.168.1.x
!
!
!
!
username robert privilege 15 secret 5 (omitted)
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key (omitted) address (omitted) no-xauth
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 15 ipsec-isakmp
 set peer (omitted)
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
archive
 log config
  hidekeys
!
!
ip tftp source-interface Vlan1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
 shutdown
!
interface FastEthernet1
 description Link to Switch
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description Link to Cable Modem
 ip address (omitted) 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0

!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description Virtual Interface for LAN
 ip address 192.168.43.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (omitted)
ip route (omitted)
no ip http server
no ip http secure-server
!
!
logging trap debugging
logging 192.168.1.140
logging 192.168.1.207
access-list 1 permit (omitted)
access-list 1 remark SNMP and Remote Access
access-list 1 permit (omitted)
access-list 1 permit (omitted)
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny   any log
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 deny   ip any host (omitted)
access-list 100 permit ip any any
access-list 100 deny   ip any host (omitted)
snmp-server community (omitted)
no cdp run

!
control-plane
!
alias exec dot11radio service-module wlan-ap 0 session
alias exec sis show interface status
!
line con 0
 session-timeout 60
 exec-timeout 30 0
 logging synchronous
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 session-timeout 240
 access-class 1 in
 exec-timeout 30 0
 logging synchronous
 length 0
 transport preferred none
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.168.1.207
end
0
 
LVL 45

Expert Comment

by:Craig Beck
Comment Utility
Yes unless you need to create the VLAN on the router, and if you're using the router as the Guest VLAN's default gateway you'll also need to add an interface for the Guest VLAN, and create a DHCP pool for it.
0
 

Author Comment

by:beaconmcse
Comment Utility
Would the line from the router configuration below conflict? I should be able to have both Vlans 1 & 99 get an ip address from same dhcp scope that was created. There must be a way around this where both vlans can use the same dhcp scope from the config.

interface wlan-ap0
description Service module interface to manage the embedded AP
"ip unnumbered Vlan1"
0
 
LVL 45

Expert Comment

by:Craig Beck
Comment Utility
Both VLANs can't use the same IP subnet.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

With the purchase of CloudCommand by Comcast customers are left in a bind as subscriptions expire and render the AP's disabled. The following will explain how to flash your Ubiquiti AP's with CloudCommand firmware back to Ubiquiti firmware. HOWTO…
Working settings for French ISP Orange "Prêt à Surfer" SIM cards for data connections only. Can't be found anywhere else !
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now