Solved

Cisco Aironet Access Point DHCP via MS2008 R2

Posted on 2014-08-16
Last Modified: 2014-09-30
Hello,

I have Cisco Access Points (AIR-SAP1602I-E-K9) which I want to run stand alone without a controller and have my MS Server 2008 R2 distributing IP addresses. With my limited knowledge on these devices, I have gotten to the point where I can see my SSID from a wireless device, but cannot seem to gain an IP address from the server DHCP.

I have added server option 43 to my server DHCP but still no joy. My Access point just continually flashes a green light (slowly).

Any help would be appreciated.
Question by:Matt
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40265234
Can you post your sanitized config?
0
 

Author Comment

by:Matt
ID: 40265857
ESSAP11#show config
Using 2531 out of 32768 bytes
!
! Last configuration change at 00:29:28 UTC Mon Mar 1 1993 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXX
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username XXXX password 7 XXXXXXXXXX
username XXXX privilege 15 password 7 XXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXXX
 !
 ssid XXXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40267125
You need to attach <<IP helper address>> of your MS server IP in the config to get the IP from the MS server.

The command is IP helper-address <<MS server IP>>... check the command.
0

 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40267130
check this also:

This example shows how to configure the wireless device as a DHCP server, exclude a range of IP address, and assign a default router:


AP# configure terminal

AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20

AP(config)# ip dhcp pool wishbone

AP(dhcp-config)# network 172.16.1.0 255.255.255.0

AP(dhcp-config)# lease 10

AP(dhcp-config)# default-router 172.16.1.1

AP(dhcp-config)# end
0
 

Author Comment

by:Matt
ID: 40267236
Thank you Sandeep, I don't want the APs to be DHCP servers, DHCP is to come from the MS Server 2008 R2.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40267323
in that case you need to put ip helper-address <<MS server ip>>
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40267324
on the lan interface
0
 

Author Comment

by:Matt
ID: 40267472
Thank you, have done as suggested but still cannot connect to the AP. Here is the updated config, any further suggestions?


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 XXXXXX
username XXXX privilege 15 password 7 XXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXX
 !
 ssid XXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40268544
you should put ip helper-address 10.16.1.21 at the BVI1 interface I guess.
0
 

Author Comment

by:Matt
ID: 40269625
Thank you Henk, I have added IP helper-address 10.16.1.21 to the BVI1 interface, still cannot connect to the AP.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40269752
when you give your client a fixed IP address can you connect to your AP and ping the AP?
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40269799
Why is your radio interface shut down?
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40269811
can you try this config:

!
! Last configuration change at 00:39:50 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-01
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid Office
   vlan 1001
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wifipassword
!
!
!
crypto pki token default removal timeout 0
!
!
username ap_admin privilege 15 secret 0 ap_password
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40269818
OK, one more point: check that you have enabled DHCP services.

Run the command from global configuration mode:

service dhcp
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40269822
I see you have not enabled it...just do it..it should work
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 40269823
Sandeep Gupta: The topic starter wants to get an IP address from the Windows DHCP Server. You are referring to the DHCP service on the Access Point itself! I think there is something else wrong, that is why I put my config there so the TS can check if it is something else.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 40269832
Henk, as far as I know... the user wants to get an IP address from the MS server and thus he should apply "ip helper-address <<ms server ip>>". Such a service can work if "service dhcp" is enabled...

If he is still not able to get an IP then you are correct, there might be some other problem.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40277605
You don't need to attach the IP helper at all - the helper needs to be on the router that serves VLAN 1001, unless the DHCP server is in VLAN 1001 - in that case no helper is needed at all.

Option 43 is used to tell the AP what the controller IP is.  You're using autonomous APs here so Option 43 is not required.

The issue is the interface configuration by the look of it.  I don't think you're configuring via the GUI as the first SSID isn't attached to a VLAN and you HAVE to attach all SSIDs to VLANs when you enable VLANs - you can't have one SSID with a VLAN but another SSID with no VLAN.  If you log in via the GUI and go to the SSID Manager page you will get a popup moaning at you and the radio interfaces will go down.

Did you post the whole config from the AP with only SSIDs and passwords stripped?
0
 

Author Comment

by:Matt
ID: 40278565
Hi Craigbeck,

Thank you for your comments. I have removed the SSID with no VLAN but still have the same issue, I can see the SSID 'ESSWifi' but cannot connect to it. I tried to remove the ip helper-address from all interfaces but seems I was not successful. Please find following the current interface with only my passwords stripped. Would appreciate any further advice.


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 xxxxxx
username admin privilege 15 password 7 xxxxxx
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
 

Author Comment

by:Matt
ID: 40349560
Hello,

I need to revive this issue again and I am still facing the same problem. Can anybody tell me why I am not seeing the MS Server DHCP?

Really appreciate any help.

Thank you,

Matt
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 1500 total points
ID: 40349615
Try this (just paste it straight into the AP)...

conf t
service dhcp
no dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
 no mobility network-id 1001
end

0
 

Author Comment

by:Matt
ID: 40349802
Thank you, I ran as requested but still not seeing the DHCP server. Please note that I removed the ESSHQ ssid. The current config is below, have I missed something?
!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
!
dot11 ssid ESSWifi
   vlan 1001
   authentication open
   mobility network-id 1001
!
!
crypto pki token default removal timeout 0
!
!
username XXXX password XXXXXXXXXXXX
username XXXX privilege 15 password XXXXXXXXXXXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
0
 

Author Comment

by:Matt
ID: 40349820
Also, incidentally, I cannot connect to ssid ESSWifi using a static IP and the ssid is showing as 'Hidden Network'
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40350334
Ok, I asked you to change what I pasted into my post, but you changed something else.

Can you please do what I suggested, then try again?

The SSID was being broadcast before you removed the guest-mode command from the SSID.  I didn't ask you to do that.  Also, the mobility VLAN ID is still in the config.
0
 

Author Closing Comment

by:Matt
ID: 40352084
Thank you for your help craigbeck, I finally got there, all connecting fine now.
0
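
Added example, not part of the original thread or any poster's code: a small Python linter that checks an autonomous-AP config for the points Craig Beck raises above (every SSID needs a VLAN once VLANs are in use, the helper belongs on the router serving the VLAN rather than on the bridged AP, a missing guest-mode stops the SSID being broadcast, a leftover mobility network-id). It goes beyond the thread by also flagging the WEP, SSH version 1 and `transport input all` settings visible in the posted configs. The sample config, the SSID name EXAMPLE-NOVLAN and the finding names are constructed for illustration.

```python
# Constructed excerpt modelled on the configs posted in this thread (not a full config).
SAMPLE = """\
no ip routing
dot11 ssid EXAMPLE-NOVLAN
   authentication open
!
dot11 ssid ESSWifi
   vlan 1001
   authentication open
   mobility network-id 1001
!
ip ssh version 1
interface Dot11Radio0
 encryption mode wep mandatory
 ssid ESSWifi
interface GigabitEthernet0
 ip helper-address 10.16.1.21
line vty 0 4
 transport input all
"""

def parse_blocks(text):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                      # blank lines and "!" separators
        if raw[0] != " ":
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def audit(text):
    """Return a sorted list of finding codes (names are this example's own)."""
    blocks, findings = parse_blocks(text), set()
    ssids = {k: v for k, v in blocks.items() if k.startswith("dot11 ssid ")}
    with_vlan = [k for k, v in ssids.items() if any(l.startswith("vlan ") for l in v)]
    if with_vlan and len(with_vlan) < len(ssids):
        findings.add("SSID_WITHOUT_VLAN")      # mixing VLAN and non-VLAN SSIDs
    for body in ssids.values():
        if not any("guest-mode" in l for l in body):
            findings.add("SSID_NOT_BROADCAST") # client sees a hidden network
        if any(l.startswith("mobility network-id") for l in body):
            findings.add("MOBILITY_NETWORK_ID")  # removed by the accepted answer
    bridged = "no ip routing" in blocks
    for name, body in blocks.items():
        helper = any(l.startswith("ip helper-address") for l in body)
        if name.startswith("interface ") and bridged and helper:
            findings.add("HELPER_ON_BRIDGED_AP")  # relay belongs on the VLAN's router
        if any(l.startswith("encryption") and "wep" in l.split() for l in body):
            findings.add("WEP_ENABLED")        # weak link-layer encryption
        if name.startswith("line vty") and "transport input all" in body:
            findings.add("TELNET_ALLOWED")     # cleartext management permitted
    if "ip ssh version 1" in blocks:
        findings.add("SSH_V1")                 # obsolete SSH protocol version
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
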
