Cisco Aironet Access Point DHCP via MS2008 R2

Matt
Hello,

I have Cisco Access Points (AIR-SAP1602I-E-K9) which I want to run stand alone without a controller and have my MS Server 2008 R2 distributing IP addresses. With my limited knowledge on these devices, I have gotten to the point where I can see my SSID from a wireless device, but cannot seem to gain an IP address from the server DHCP.

I have added server option 43 to my server DHCP but still no joy. My Access point just continually flashes a green light (slowly).

Any help would be appreciated.
Henk van Achterberg, Sr. Technical Consultant
Top Expert 2012

Commented:
Can you post your sanitized config?

Author

Commented:
ESSAP11#show config
Using 2531 out of 32768 bytes
!
! Last configuration change at 00:29:28 UTC Mon Mar 1 1993 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXX
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username XXXX password 7 XXXXXXXXXX
username XXXX privilege 15 password 7 XXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXXX
 !
 ssid XXXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all

You need to attach <<IP helper address>> of your MS server IP in the config to get the IP from the MS server.

The command is ip helper-address <<MS server IP>>...check the command

check this also:

This example shows how to configure the wireless device as a DHCP server, exclude a range of IP address, and assign a default router:


AP# configure terminal

AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20

AP(config)# ip dhcp pool wishbone

AP(dhcp-config)# network 172.16.1.0 255.255.255.0

AP(dhcp-config)# lease 10

AP(dhcp-config)# default-router 172.16.1.1

AP(dhcp-config)# end

Author

Commented:
Thank you Sandeep, I don't want the APs to be DHCP servers, DHCP is to come from the MS Server 2008 R2.
in that case you need to put ip helper-address <<MS server ip>>
on the lan interface

Author

Commented:
Thank you, have done as suggested but still cannot connect to the AP. Here is the updated config, any further suggestions?


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name XXXXXX
!
!
!
dot11 syslog
dot11 vlan-name XXXX vlan 1001
!
dot11 ssid XXXX
   authentication open
!
dot11 ssid XXXX
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 XXXXXX
username XXXX privilege 15 password 7 XXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid XXXX
 !
 ssid XXXX
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
Henk van Achterberg, Sr. Technical Consultant
Top Expert 2012

Commented:
you should put ip helper-address 10.16.1.21 at the BVI1 interface I guess.

Author

Commented:
Thank you Henk, I have added IP helper-address 10.16.1.21 to the BVI1 interface, still cannot connect to the AP.
Henk van Achterberg, Sr. Technical Consultant
Top Expert 2012

Commented:
when you give your client a fixed IP address can you connect to your AP and ping the AP?
Why is your radio interface shut down?
Henk van Achterberg, Sr. Technical Consultant
Top Expert 2012

Commented:
can you try this config:

!
! Last configuration change at 00:39:50 UTC Mon Mar 1 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-01
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
!
!
!
dot11 syslog
!
dot11 ssid Office
   vlan 1001
   authentication open 
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 0 wifipassword
!
!
!
crypto pki token default removal timeout 0
!
!
username ap_admin privilege 15 secret 0 ap_password
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 stbc
 beamform ofdm
 mbssid
 station-role root
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 1001 mode ciphers aes-ccm 
 !
 !
 ssid Office
 !
 antenna gain 0
 no dfs band block
 stbc
 beamform ofdm
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.1001
 encapsulation dot1Q 1001
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

ok..one more point check you have enabled dhcp services:

run the command from global configuration mode:

service dhcp
I see you have not enabled it...just do it..it should work
Henk van Achterberg, Sr. Technical Consultant
Top Expert 2012

Commented:
Sandeep Gupta: The topic starter wants to get an IP address from the Windows DHCP Server. You are referring to the DHCP service on the Access Point itself! I think there is something else wrong, that is why I put my config there so the TS can check if it is something else.
Henk, as far as I know ....user want to get IP address for MS server and thus he should apply "ip helper-address <<ms server ip>>". Such kind of service can work if "service dhcp" is enabled...

If he is still not able to get an IP then you are correct, there might be some other problem.
Top Expert 2014

Commented:
You don't need to attach the IP helper at all - the helper needs to be on the router that serves VLAN 1001, unless the DHCP server is in VLAN 1001 - in that case no helper is needed at all.

Option 43 is used to tell the AP what the controller IP is.  You're using autonomous APs here so Option 43 is not required.

The issue is the interface configuration by the look of it.  I don't think you're configuring via the GUI as the first SSID isn't attached to a VLAN and you HAVE to attach all SSIDs to VLANs when you enable VLANs - you can't have one SSID with a VLAN but another SSID with no VLAN.  If you log in via the GUI and go to the SSID Manager page you will get a popup moaning at you and the radio interfaces will go down.

Did you post the whole config from the AP with only SSIDs and passwords stripped?
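
The checks raised in this thread (an SSID left without a VLAN while another SSID has one, `ip helper-address` configured on the AP itself, a radio left in `shutdown`), plus the WEP encryption lines visible in the posted configs, written as a small Python audit. This is an added example, not part of the original thread; the function names, check ids and the trimmed sample config are constructed for illustration.

```python
# Constructed sample: a trimmed, partly masked version of the config posted above.
SAMPLE_CONFIG = """\
dot11 ssid XXXX
   authentication open
!
dot11 ssid ESSWifi
   vlan 1001
   authentication open
!
interface Dot11Radio0
 encryption mode wep mandatory
 ssid ESSWifi
!
interface Dot11Radio1
 ip helper-address 10.16.1.21
 shutdown
!
"""

def parse_blocks(config):
    """Group indented sub-commands under their unindented parent line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):          # separators carry no settings
            continue
        if line[0] != " ":                     # new top-level command
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return a sorted list of (check_id, subject) findings."""
    blocks, findings = parse_blocks(config), set()
    ssids = {k.split()[2]: v for k, v in blocks.items() if k.startswith("dot11 ssid ")}
    has_vlan = {n: any(l.startswith("vlan ") for l in body) for n, body in ssids.items()}
    # Once any SSID is mapped to a VLAN, every SSID has to be mapped to one.
    if any(has_vlan.values()):
        findings |= {("ssid-without-vlan", n) for n, ok in has_vlan.items() if not ok}
    for head, body in blocks.items():
        if not head.startswith("interface "):
            continue
        name = head.split()[1]
        # The helper belongs on the router serving the VLAN, not on the AP.
        if any(l.startswith("ip helper-address") for l in body):
            findings.add(("helper-on-ap", name))
        if name.startswith("Dot11Radio") and "shutdown" in body:
            findings.add(("radio-shutdown", name))
        if any(l.startswith("encryption ") and "wep" in l.split() for l in body):
            findings.add(("wep-encryption", name))
    return sorted(findings)

if __name__ == "__main__":
    for check, subject in audit(SAMPLE_CONFIG):
        print(f"{check}: {subject}")
```

The config suggested earlier in the thread, with its single VLAN-mapped SSID and `encryption mode ciphers aes-ccm`, produces no findings from these checks.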

Author

Commented:
Hi Craigbeck,

Thank you for your comments. I have removed the SSID with no VLAN but still have the same issue, I can see the SSID 'ESSWifi' but cannot connect to it. I tried to remove the ip helper-address from all interfaces but seems I was not successful. Please find following the current interface with only my passwords stripped. Would appreciate any further advice.


!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
   vlan 1001
   band-select
   authentication open
   guest-mode
   mobility network-id 1001
!
!
dot11 network-map
crypto pki token default removal timeout 0
!
!
username Cisco password 7 xxxxxx
username admin privilege 15 password 7 xxxxxx
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

Author

Commented:
Hello,

I need to revive this issue again and I am still facing the same problem. Can anybody tell me why I am not seeing the MS Server DHCP?

Really appreciate any help.

Thank you,

Matt
Top Expert 2014
Commented:
Try this (just paste it straight into the AP)...

conf t
service dhcp
no dot11 vlan-name ESSHQ vlan 1001
!
dot11 ssid ESSWifi
 no mobility network-id 1001
end

Author

Commented:
Thank you, I ran as requested but still not seeing the DHCP server. Please note that I removed the ESSHQ ssid. The current config is below, have I missed something?
!
hostname ESSAP11
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no ip routing
no ip cef
ip domain name ess-gabon
!
!
!
dot11 syslog
!
dot11 ssid ESSWifi
   vlan 1001
   authentication open
   mobility network-id 1001
!
!
crypto pki token default removal timeout 0
!
!
username XXXX password XXXXXXXXXXXX
username XXXX privilege 15 password XXXXXXXXXXXXXXXXXXXX
!
!
ip ssh version 1
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit 7 AD267B074B62 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1001 key 1 size 40bit 7 047A5F14383E transmit-key
 encryption vlan 1001 mode wep optional
 !
 ssid ESSWifi
 !
 antenna gain 0
 traffic-metrics aggregate-report
 stbc
 beamform ofdm
 power local 10
 channel 2462
 station-role root
 dot11 dot11r pre-authentication over-air
!
interface Dot11Radio0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 ip helper-address 10.16.1.21
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1001
 encapsulation dot1Q 1001 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.16.1.26 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.16.1.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

Author

Commented:
Also, incidentally, I cannot connect to ssid ESSWifi using a static IP and the ssid is showing as 'Hidden Network'
Top Expert 2014

Commented:
Ok, I asked you to change what I pasted into my post, but you changed something else.

Can you please do what I suggested, then try again?

The SSID was being broadcast before you removed the guest-mode command from the SSID.  I didn't ask you to do that.  Also, the mobility VLAN ID is still in the config.

Author

Commented:
Thank you for your help craigbeck, I finally got there, all connecting fine now.
