Cisco Aironet Access Point DHCP via MS2008 R2

Hello,

I have Cisco Access Points (AIR-SAP1602I-E-K9) which I want to run stand alone without a controller and have my MS Server 2008 R2 distributing IP addresses. With my limited knowledge on these devices, I have gotten to the point where I can see my SSID from a wireless device, but cannot seem to gain an IP address from the server DHCP.

I have added server option 43 to my server DHCP but still no joy. My Access point just continually flashes a green light (slowly).

Any help would be appreciated.
Matt asked:

Henk van Achterberg (Sr. Technical Consultant) commented:
Can you post your sanitized config?
0
Matt (Author) commented:
ESSAP11#show config
Using 2531 out of 32768 bytes
!
! Last configuration change at 00:29:28 UTC Mon Mar 1 1993 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXX
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username XXXX password 7 XXXXXXXXXX
username XXXX privilege 15 password 7 XXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXXX
 !
 ssid XXXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
0
Sandeep Gupta (Consultant) commented:
You need to attach <<IP helper address>> of your MS server IP in the config to get the IP from the MS server.

The command is ip helper-address <<MS server IP>>...check the command
0
Sandeep Gupta (Consultant) commented:
check this also:

This example shows how to configure the wireless device as a DHCP server, exclude a range of IP addresses, and assign a default router:

AP# configure terminal
AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20
AP(config)# ip dhcp pool wishbone
AP(dhcp-config)# network 172.16.1.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router 172.16.1.1
AP(dhcp-config)# end
0
Matt (Author) commented:
Thank you Sandeep, I don't want the APs to be DHCP servers, DHCP is to come from the MS Server 2008 R2.
0
Sandeep Gupta (Consultant) commented:
in that case you need to put ip helper-address <<MS server ip>>
0
Sandeep Gupta (Consultant) commented:
on the lan interface
0
Matt (Author) commented:
Thank you, have done as suggested but still cannot connect to the AP. Here is the updated config, any further suggestions?


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 XXXXXX
username XXXX privilege 15 password 7 XXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXX
 !
 ssid XXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
Henk van Achterberg (Sr. Technical Consultant) commented:
you should put ip helper-address 10.16.1.21 at the BVI1 interface I guess.
0
Matt (Author) commented:
Thank you Henk, I have added IP helper-address 10.16.1.21 to the BVI1 interface, still cannot connect to the AP.
0
Henk van Achterberg (Sr. Technical Consultant) commented:
when you give your client a fixed IP address can you connect to your AP and ping the AP?
0
Sandeep Gupta (Consultant) commented:
Why is your radio interface shut down?
0
Henk van Achterberg (Sr. Technical Consultant) commented:
can you try this config:

!
! Last configuration change at 00:39:50 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-01
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid Office
   vlan 1001
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wifipassword
!
!
!
crypto pki token default removal timeout 0
!
!
username ap_admin privilege 15 secret 0 ap_password
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end


0
Sandeep Gupta (Consultant) commented:
ok..one more point, check you have enabled dhcp services:

run the command from global configuration mode:

service dhcp
0
Sandeep Gupta (Consultant) commented:
I see you have not enabled it...just do it..it should work
0
Henk van Achterberg (Sr. Technical Consultant) commented:
Sandeep Gupta: The topic starter wants to get an IP address from the Windows DHCP Server. You are referring to the DHCP service on the Access Point itself! I think there is something else wrong, that is why I put my config there so the TS can check if it is something else.
0
Sandeep Gupta (Consultant) commented:
Henk, as far as I know ....the user wants to get an IP address from the MS server and thus he should apply "ip helper-address <<ms server ip>>". Such kind of service can work if "service dhcp" is enabled...

If he is still not able to get an IP then you are correct, there might be some other problem.
0
Craig Beck commented:
You don't need to attach the IP helper at all - the helper needs to be on the router that serves VLAN 1001, unless the DHCP server is in VLAN 1001 - in that case no helper is needed at all.

Option 43 is used to tell the AP what the controller IP is.  You're using autonomous APs here so Option 43 is not required.

The issue is the interface configuration by the look of it.  I don't think you're configuring via the GUI as the first SSID isn't attached to a VLAN and you HAVE to attach all SSIDs to VLANs when you enable VLANs - you can't have one SSID with a VLAN but another SSID with no VLAN.  If you log in via the GUI and go to the SSID Manager page you will get a popup moaning at you and the radio interfaces will go down.

Did you post the whole config from the AP with only SSIDs and passwords stripped?
0
Matt (Author) commented:
Hi Craigbeck,

Thank you for your comments. I have removed the SSID with no VLAN but still have the same issue, I can see the SSID 'ESSWifi' but cannot connect to it. I tried to remove the ip helper-address from all interfaces but seems I was not successful. Please find following the current interface with only my passwords stripped. Would appreciate any further advice.


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 xxxxxx
username admin privilege 15 password 7 xxxxxx
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
Matt (Author) commented:
Hello,

I need to revive this issue again and I am still facing the same problem. Can anybody tell me why I am not seeing the MS Server DHCP?

Really appreciate any help.

Thank you,

Matt
0
Craig Beck commented:
Try this (just paste it straight into the AP)...

conf t
service dhcp
no dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
 no mobility network-id 1001
end


0

Matt (Author) commented:
Thank you, I ran as requested but still not seeing the DHCP server. Please note that I removed the ESSHQ ssid. The current config is below, have I missed something?
!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
!
dot11 ssid ESSWifi
   vlan 1001
   authentication open
   mobility network-id 1001
!
!
crypto pki token default removal timeout 0
!
!
username XXXX password XXXXXXXXXXXX
username XXXX privilege 15 password XXXXXXXXXXXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
Matt (Author) commented:
Also, incidentally, I cannot connect to ssid ESSWifi using a static IP and the ssid is showing as 'Hidden Network'
0
Craig Beck commented:
Ok, I asked you to change what I pasted into my post, but you changed something else.

Can you please do what I suggested, then try again?

The SSID was being broadcast before you removed the guest-mode command from the SSID.  I didn't ask you to do that.  Also, the mobility VLAN ID is still in the config.
0
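
The configuration points raised in this thread (every SSID needs a VLAN once VLANs are in use, ip helper-address is not needed on the AP, guest-mode decides whether the SSID is broadcast, and the mobility network-id line was to be removed) can be checked mechanically against a saved config. This is an added example, not part of any post in the thread; the function names, the finding wording and the sample config are constructed for illustration.

```python
# Constructed sample in the shape of the configs posted in this thread (names are made up).
SAMPLE = """\
dot11 ssid LAB1
   authentication open
!
dot11 ssid LAB2
   vlan 1001
   guest-mode
   mobility network-id 1001
!
interface Dot11Radio1
 ip helper-address 10.16.1.21
!
interface GigabitEthernet0
 ip helper-address 10.16.1.21
!
"""

def parse_blocks(text):
    """Map each top-level IOS command to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":              # unindented: starts a new block
            current = line
            blocks[current] = []
        elif current is not None:      # indented: belongs to the open block
            blocks[current].append(line)
    return blocks

def audit(text):
    """Return findings for the points raised in the thread (wording is this example's)."""
    blocks = parse_blocks(text)
    ssids = {h.split()[2]: b for h, b in blocks.items() if h.startswith("dot11 ssid ")}
    with_vlan = {n for n, b in ssids.items() if any(c.startswith("vlan ") for c in b)}
    findings = []
    for name, body in sorted(ssids.items()):
        if with_vlan and name not in with_vlan:
            findings.append(f"ssid {name}: no vlan while other SSIDs use VLANs")
        if not any(c.endswith("guest-mode") for c in body):
            findings.append(f"ssid {name}: no guest-mode, SSID is not broadcast")
        if any(c.startswith("mobility network-id") for c in body):
            findings.append(f"ssid {name}: mobility network-id still present")
    for header, body in blocks.items():
        if header.startswith("interface ") and any("helper-address" in c for c in body):
            findings.append(f"{header}: ip helper-address not needed on the AP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Sanitized configs that reuse one placeholder (XXXX) for several SSIDs collapse into a single entry here, so run it on the unsanitized file.
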
Matt (Author) commented:
Thank you for your help craigbeck, I finally got there, all connecting fine now.
0
Question has a verified solution.