SSID on AIR 1131 is getting a different IP

I have an AIR 1131 autonomous AP, and one of the SSIDs is getting a 192.168.1.0 network IP. It started happening out of nowhere. It should be getting one of the VLANs' IP addresses.
SSID [SWECOUS] : 

MAC Address    IP address      Device        Name            Parent         State     
68ae.203e.eb4b 192.168.1.25    unknown       -               self           EAP-Assoc

It should be getting a 192.168.240.0 IP address.
The RADIUS server is working fine; I was able to successfully perform an aaa radius group test to the RADIUS server.
The switchport config on the switch looks good too. I have even reset it to default and re-configured it.
I restarted the AP a few times.
The other SSID (SWECOGUEST) is working fine, but that is the one where you just enter the password manually. SWECOUS is the one authenticating to RADIUS. SWECOGUEST is getting an IP from VLAN 4 and SWECOUS should be getting an IP from VLAN 3, but it's not.

SWITCH#show int f0/1 switchport 
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Show run of AP
AP1#show run
Building configuration...

Current configuration : 7848 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging buffered informational
enable secret 5 XXXXXXX
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius RAD_EAP
 server XXXX auth-port 1812 acct-port 1813
 server XXXX auth-port 1812 acct-port 1813
!
aaa authentication login default group tacacs+ local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap-method group radius
aaa authentication login EAP group RAD_EAP
aaa authorization network default group RAD_EAP 
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name X
!
!
ip ssh version 2
dot11 mbssid
dot11 vlan-name vlan3 vlan 3
!
dot11 ssid SWECOGUEST
   vlan 4
   authentication open 
   authentication key-management wpa
   mbssid guest-mode dtim-period 75
   wpa-psk ascii 7 X
!
dot11 ssid SWECOUS
   vlan 3
   authentication open eap EAP 
   authentication network-eap EAP 
   authentication key-management wpa version 2
   accounting acct_methods
   guest-mode
   mbssid guest-mode
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-2698391444
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2698391444
 revocation-check none
 rsakeypair TP-self-signed-2698391444
!
!
crypto pki certificate chain TP-self-signed-2698391444
 certificate self-signed 01
  3082025F 308201C8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32363938 33393134 3434301E 170D3135 30363131 31333035 
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36393833 
  39313434 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C2E3 22B2A97A 463AA923 64B88428 A64B967E 9A8EAE0C A466D467 618F2D9C 
  F0F908BC 26F4CC0D 991D648C B1D26F7F 54865260 70F200F9 8A53D04A 590FB75D 
  CA64C24B 9943D130 CA44EAC8 20D185A9 00C79319 77DA49E0 99D59694 5788A1C8 
  97BEB9B3 C1A5AF87 6EA3D6F0 598AE1E2 A46D4CF2 D20AED77 E4406BDD 8ABBD16D 
  69450203 010001A3 81863081 83300F06 03551D13 0101FF04 05300301 01FF3030 
  0603551D 11042930 27822553 757A6C6F 6E5F4269 675F536B 795F4F68 696F5F49 
  4C5F4150 312E7375 7A6C6F6E 2E636F6D 301F0603 551D2304 18301680 14713BED 
  380AC2F2 F8F54B07 233FDA50 A4AB580D D3301D06 03551D0E 04160414 713BED38 
  0AC2F2F8 F54B0723 3FDA50A4 AB580DD3 300D0609 2A864886 F70D0101 04050003 
  818100BD 3A8E08BA 275D273F E79E71CD D9B9B7D5 8C0D2457 915B9B1D 44985019 
  4A122F37 858C8FE9 7D11AF2D AAB8F09E D185DF0A 700AF7AF A26B6034 A514DA17 
  1EAA3722 5D41EA48 06CC58A0 7BC7D0F0 E3B2862B 71FD57C9 1E7F1B3C F1F50206 
  49327D38 A2EED137 C6500623 05BE26B1 42D1B819 2FF30C4F 2230257D D2FB9873 1E5A8B
  quit
username 
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 3 mode ciphers aes-ccm 
 !
 encryption vlan 4 mode ciphers tkip 
 !
 ssid SWECOGUEST
 !
 ssid SWECOUS
 !
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0
 channel 2412
 station-role root
 world-mode dot11d country US indoor
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 3 mode ciphers aes-ccm 
 !
 encryption vlan 4 mode ciphers tkip 
 !
 ssid SWECOGUEST
 !
 ssid SWECOUS
 !
 dfs band 3 block
 channel dfs
 station-role root
 world-mode dot11d country US indoor
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface Dot11Radio1.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface FastEthernet0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 no bridge-group 4 source-learning
 bridge-group 4 spanning-disabled
!
interface BVI1
 ip address 192.168.239.3 255.255.255.192
 no ip route-cache
!
ip default-gateway 192.168.239.1
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1 
!



snmp-server community XX RO
snmp-server community XXX RW Community_String
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps rogue-ap
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
tacacs-server host XX key 7 XX
radius-server attribute 32 include-in-access-req format %h
radius-server host XXX auth-port 1812 acct-port 1813 key 7 XX
radius-server host XX auth-port 1812 acct-port 1813 key 7 XX
radius-server vsa send accounting
bridge 1 route ip
!

Asked by Shark Attack (Network admin)

Shark Attack (Network admin, Author) commented:
A minute ago I saw that SWECOUS finally got the right IP, but all the rest were on 192.168.1.0. I rebooted the AP and it's back to the same thing: all getting the wrong IP.
Shark Attack (Network admin, Author) commented:
The same IP finally was able to get in. It's only that particular IP, though.

[attached image: 2015-06-11-10-19-26.jpg]
Craig Beck commented:
Someone is running a DHCP server on the WLAN from their machine.

Connect a laptop to the WLAN and do an IPCONFIG /ALL to see what the IP of the DHCP server is.  Go to the AP and see which client that is in the association table, and disconnect them.

I can see you're doing EAP authentication so it should be easy for you to block that laptop/user from connecting.

You could also enable PSPF on the WLAN.  That would block all inter-client communication across that AP.  In the AP, just do...

interface dot11Radio0.3
 bridge-group 3 port-protected
!
interface dot11Radio1.3
 bridge-group 3 port-protected

It won't stop people on other APs getting IP addresses from the client though.  For that you'd need to use a PACL or configure DHCP snooping at the switch.
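The advice above (find out which server is answering DHCP, then find that client in the association table) can be automated by parsing the server's replies directly. The following is an added example, not code from the thread or from Cisco: it decodes a raw BOOTP/DHCP payload, reads the server identifier (option 54) and offered address, and flags replies that come from a server you do not run or that lease an address outside the VLAN's expected prefix. The authorised server address (192.168.240.1), the expected prefix and both sample packets are assumptions modelled on the thread, not captured traffic.

```python
"""Rogue DHCP detection by parsing DHCP OFFER/ACK payloads.

Added example, not code from the thread. The authorised server address, the
expected client prefix and the two sample offers are assumptions modelled on
the thread, not captured traffic.
"""
import ipaddress
import struct

# Assumption: the only server that should answer clients on these WLANs.
AUTHORISED_SERVERS = {"192.168.240.1"}
# Assumption: the prefix the SWECOUS/SWECOGUEST VLANs are supposed to lease.
EXPECTED_PREFIXES = [ipaddress.ip_network("192.168.240.0/24")]

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
MSG_TYPES = {2: "OFFER", 5: "ACK"}


def parse_options(data: bytes) -> dict:
    """Walk the TLV option area that follows the magic cookie (RFC 2132)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:  # PAD octet carries no length byte
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else None
        value = data[i + 2:i + 2 + length] if length is not None else b""
        if length is None or len(value) != length:
            raise ValueError("truncated DHCP option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> dict:
    """Extract the fields needed to identify the answering server from a raw
    BOOTP/DHCP payload (UDP payload only, no Ethernet/IP/UDP headers)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", packet[:4])
    mac_hex = packet[28:28 + hlen].hex()
    opts = parse_options(packet[240:])

    def addr(code):  # first IPv4 address carried by an option, if present
        return ipaddress.ip_address(opts[code][:4]) if code in opts else None

    return {
        "op": op,
        "type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "other"),
        "client_mac": ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4)),  # Cisco style
        "yiaddr": ipaddress.ip_address(packet[16:20]),
        "server_id": addr(OPT_SERVER_ID),
        "mask": addr(OPT_SUBNET_MASK),
        "router": addr(OPT_ROUTER),
    }


def classify(fields: dict) -> str:
    """'ok', 'rogue-server', 'wrong-subnet' or 'ignored' for one server reply."""
    if fields["type"] not in ("OFFER", "ACK"):
        return "ignored"
    if fields["server_id"] is None or str(fields["server_id"]) not in AUTHORISED_SERVERS:
        return "rogue-server"  # option 54 names a server we do not run
    if not any(fields["yiaddr"] in p for p in EXPECTED_PREFIXES):
        return "wrong-subnet"  # right server, but the lease is off-VLAN
    return "ok"


def build_offer(client_mac: bytes, yiaddr: str, server_id: str,
                mask: str = "255.255.255.0", router: str = None, msg_type: int = 2) -> bytes:
    """Construct a minimal DHCP server reply for testing; not captured traffic."""
    def ip(s):
        return ipaddress.ip_address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, ip(yiaddr), ip(server_id), b"\0" * 4)
    body = client_mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ip(server_id)
               + bytes([OPT_SUBNET_MASK, 4]) + ip(mask)
               + bytes([OPT_ROUTER, 4]) + ip(router or server_id) + bytes([OPT_END]))
    return header + body + MAGIC_COOKIE + options


# Constructed samples; the client MACs are the two SWECOUS clients from the thread.
ROGUE_OFFER = build_offer(bytes.fromhex("68ae203eeb4b"), "192.168.1.25", "192.168.1.1")
GOOD_OFFER = build_offer(bytes.fromhex("e8802e9908c4"), "192.168.240.51", "192.168.240.1")

if __name__ == "__main__":
    for pkt in (ROGUE_OFFER, GOOD_OFFER):
        f = parse_dhcp(pkt)
        print(f["client_mac"], f["yiaddr"], "from", f["server_id"], "->", classify(f))
```

To use it on a live WLAN, capture server replies on a laptop associated to the SSID (for example `tcpdump -i wlan0 -w dhcp.pcap 'udp port 67 or udp port 68'`), feed each UDP payload to `parse_dhcp`, and take the `server_id` of any `rogue-server` hit back to `show dot11 associations` to find the offending station. PSPF stops the rogue answering other clients on the same AP; to stop it answering clients on other APs or wired ports, the matching switch-side control is DHCP snooping, with only the port facing the real DHCP server marked trusted and the AP's trunk left untrusted so offers arriving from the WLAN are dropped.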

Shark Attack (Network admin, Author) commented:
To any WLAN? Could it be to the SSID that is working OK, or does it need to be to the 192.168.1.0 network?
Craig Beck commented:
The config I posted will apply PSPF to the SWECOUS WLAN.  The other WLAN (SWECOGUEST) won't be affected.

The SWECOGUEST WLAN may still suffer from this issue, though, if someone connects to that WLAN with a device which is running DHCP, so you might want to configure PSPF on that WLAN too.
Shark Attack (Network admin, Author) commented:
It stopped. I don't see that anymore. What I don't get now is why I have duplicate SSIDs.

Suzlon_Big_Sky_Ohio_IL_AP1#show dot11 associations 

802.11 Client Stations on Dot11Radio1: 

SSID [SWECOGUEST] : 

MAC Address    IP address      Device        Name            Parent         State     
d8fc.932f.43f1 192.168.240.99  ccx-client    Suzlon_Big_Sky_ self           Assoc    

SSID [SWECOUS] : 

MAC Address    IP address      Device        Name            Parent         State     
e880.2e99.08c4 192.168.240.51  unknown       -               self           EAP-Assoc


802.11 Client Stations on Dot11Radio0: 

SSID [SWECOGUEST] : 

MAC Address    IP address      Device        Name            Parent         State     
0024.d7a4.bc40 192.168.240.110 ccx-client    Suzlon_Big_Sky_ self           Assoc    
ac7b.a1b6.e4b4 192.168.240.111 ccx-client    Suzlon_Big_Sky_ self           Assoc    
c485.088d.16f7 192.168.240.96  ccx-client    Suzlon_Big_Sky_ self           Assoc    

SSID [SWECOUS] : 

MAC Address    IP address      Device        Name            Parent         State     
68ae.203e.eb4b 192.168.240.52  unknown       -               self           EAP-Assoc

Craig Beck commented:
One table shows you the clients connected to the 2.4GHz radio (dot11Radio0) and the other table shows clients connected to the 5GHz radio (dot11Radio1).

Each WLAN is broadcast from each radio, so you see each WLAN twice.
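The per-radio layout of `show dot11 associations` explained above is easy to misread by eye when several SSIDs are repeated across two radios, and the original symptom (one client holding a 192.168.1.x address under SWECOUS) is exactly the kind of row that gets lost in it. The following is an added example, not code from the thread or from Cisco: it parses a dump in that format into (radio, SSID, client) rows, reports which SSIDs each radio is serving, and flags any client whose address falls outside the subnet its SSID is expected to lease. The expected-subnet map and the sample dump are assumptions modelled on the thread's tables, not output captured from the poster's AP.

```python
"""Triage a 'show dot11 associations' dump from an IOS autonomous AP.

Added example, not from the thread. The expected-subnet map and SAMPLE dump
are assumptions modelled on the thread's tables.
"""
import ipaddress
import re

# Assumption: both WLANs are expected to lease from 192.168.240.0/24, which
# is what the healthy table in the thread shows for both SSIDs.
EXPECTED_SUBNET = {
    "SWECOUS": ipaddress.ip_network("192.168.240.0/24"),
    "SWECOGUEST": ipaddress.ip_network("192.168.240.0/24"),
}

RADIO_RE = re.compile(r"^802\.11 Client Stations on (Dot11Radio\d+):")
SSID_RE = re.compile(r"^SSID \[(.+?)\]")
# mac ip device name parent state, as printed by the AP
ROW_RE = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_associations(text: str) -> list:
    """Return one dict per client row, tagged with the radio and SSID
    section it was printed under."""
    radio = ssid = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RADIO_RE.match(line)
        if m:
            radio = m.group(1)
            continue
        m = SSID_RE.match(line)
        if m:
            ssid = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and radio and ssid:
            mac, ip, device, name, parent, state = m.groups()
            rows.append({"radio": radio, "ssid": ssid, "mac": mac, "ip": ip,
                         "device": device, "name": name, "parent": parent,
                         "state": state})
    return rows


def ssids_per_radio(rows: list) -> dict:
    """Which SSIDs each radio is currently serving clients on."""
    out = {}
    for r in rows:
        out.setdefault(r["radio"], set()).add(r["ssid"])
    return out


def off_subnet_clients(rows: list, expected: dict = EXPECTED_SUBNET) -> list:
    """Clients whose address is outside the subnet their SSID should lease.
    Rows with no address yet (printed as '-') are skipped, not flagged."""
    bad = []
    for r in rows:
        net = expected.get(r["ssid"])
        if net is None:
            continue
        try:
            addr = ipaddress.ip_address(r["ip"])
        except ValueError:
            continue
        if addr not in net:
            bad.append(r)
    return bad


# Constructed sample in the AP's output format; the rogue-leased row for
# 68ae.203e.eb4b mirrors the thread's original symptom.
SAMPLE = """
802.11 Client Stations on Dot11Radio1:

SSID [SWECOGUEST] :

MAC Address    IP address      Device        Name            Parent         State
d8fc.932f.43f1 192.168.240.99  ccx-client    Suzlon_Big_Sky_ self           Assoc

SSID [SWECOUS] :

MAC Address    IP address      Device        Name            Parent         State
e880.2e99.08c4 192.168.240.51  unknown       -               self           EAP-Assoc

802.11 Client Stations on Dot11Radio0:

SSID [SWECOGUEST] :

MAC Address    IP address      Device        Name            Parent         State
0024.d7a4.bc40 192.168.240.110 ccx-client    Suzlon_Big_Sky_ self           Assoc

SSID [SWECOUS] :

MAC Address    IP address      Device        Name            Parent         State
68ae.203e.eb4b 192.168.1.25    unknown       -               self           EAP-Assoc
aabb.ccdd.eeff -               unknown       -               self           EAP-Assoc
"""

if __name__ == "__main__":
    rows = parse_associations(SAMPLE)
    for radio, ssids in sorted(ssids_per_radio(rows).items()):
        print(radio, "serves", ", ".join(sorted(ssids)))
    for r in off_subnet_clients(rows):
        print("OFF-SUBNET:", r["radio"], r["ssid"], r["mac"], r["ip"])
```

Paste the AP's real `show dot11 associations` output in place of `SAMPLE`; a flagged row gives you the MAC to deauthenticate (or to look up against the RADIUS session for an EAP SSID) while you track down the rogue DHCP server.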
Shark Attack (Network admin, Author) commented:
Oh, I see, gotcha. Thank you so much! I did call the site, and sure enough they had connected some wireless router to some port. I disconnected it and it is all working now.

Thanks!
Craig Beck commented:
Awesome!  Glad to help :-)