Aironet Wifi clients not getting IP addresses from Cisco router DHCP

Hi

I have just reconfigured a client's Cisco Aironet 1231 access points (from scratch, because we didn't have any passwords).

The network is composed of a Cisco 1841 router and a Catalyst 2960 switch.
Both were set up to manage two VLANs (Admin (1) and Clients (2)). I'm not sure why this is necessary, but I'll assume that it is to keep the clients out of the network management sphere.
I have tried to rebuild a configuration with all this in mind.
I haven't altered any functional parameters on the 1841 or the 2960; I just reset their passwords.

I have created a VLAN 1 in native mode and a VLAN 2.

If I associate the client SSID with VLAN 1, then the clients obtain an IP address from the admin subnet.
When associated with VLAN 2, the clients don't get any IP addresses.

Aironet 1231:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
enable secret 5 XXXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip domain name xxxxxxxxxxxxxxx.wifi
!
!
no aaa new-model
dot11 vlan-name admin vlan 1
dot11 vlan-name hotspot vlan 2
!
dot11 ssid ADMIN
   vlan 1
   authentication open
!
dot11 ssid CLIENTS
   vlan 2
   authentication open
   guest-mode
   ip redirection host xxx.xxx.xxx.xxx
!
!
!
username xxxxxxxx privilege 15 password 7 XXXXXXXXXXXXXX
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid ADMIN
 !
 ssid CLIENTS
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 no ip route-cache
!
ip default-gateway xxx.xxx.xxx.xxx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Router 1841:
!
! Last configuration change at 11:21:56 MET Mon Feb 26 2018
!
version 12.4
no service pad
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname xxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 32000
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius ssg-proxy
 server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa accounting suppress null-username
aaa accounting network DHCP start-stop group ssg-proxy
aaa accounting system default start-stop group ssg-proxy
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 10.62.161.1
!
ip dhcp pool hotspot_vlan2
   network 10.62.161.0 255.255.255.128
   default-router 10.62.161.1
   dns-server 80.10.46.232
   domain-name xxxxxxxxxxxxxxx.com
   lease 0 0 30
   update arp
   accounting DHCP
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxx.wifi
multilink bundle-name authenticated
!
!
!
!
username xxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
ip ssh version 2
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description Hotspot
 no ip address
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description vlan admin
 encapsulation dot1Q 1 native
 ip address 172.20.62.33 255.255.255.224
 no ip redirects
 no ip unreachables
 no cdp enable
!
interface FastEthernet0/0.2
 description vlan hotspot
 encapsulation dot1Q 2
 ip address 10.62.161.1 255.255.255.128
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no cdp enable
 arp authorized
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 snmp trap link-status
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 snmp trap link-status
 pvc 8/35
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip load-sharing per-packet
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxx
!
interface Dialer2
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip load-sharing per-packet
 encapsulation ppp
 no ip mroute-cache
 dialer pool 2
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0.1
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 deny   any
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 deny   any
access-list 110 remark controle flux hotspot
access-list 110 remark autorisation DISCOVER DHCP
access-list 110 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 110 remark autorisation RENEW DHCP
access-list 110 permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
access-list 110 permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
access-list 110 remark deny vers @IP RFC1918
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 172.16.0.0 0.15.255.255
access-list 110 deny   ip any 192.168.0.0 0.0.255.255
access-list 110 remark deny vers @IP Loopback
access-list 110 deny   ip any 127.0.0.0 0.255.255.255
access-list 110 remark flux clients depuis @IP privees
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 remark deny pour log
access-list 110 deny   ip any any
dialer-list 2 protocol ip permit
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server ifindex persist
snmp-server location xxxxxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server timeout 1
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
 transport output none
 escape-character 5
!
scheduler allocate 20000 1000
ntp clock-period 17178360
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx prefer
end

Catalyst 2960:
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name xxxxxxxxxxxxx.wifi
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
interface FastEthernet0/1
 description AP1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/2
 description AP2
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/3
 description AP3
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/4
 description AP4
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/5
 description AP5
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/6
 description AP
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/7
 description AP7
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/8
 description AP8
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/9
 description AP9
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/10
 description AP10
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/11
 description AP11
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/12
 description AP12
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/13
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/14
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/15
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/16
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/17
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/18
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/19
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/20
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/21
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/22
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/23
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/24
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface GigabitEthernet0/1
 description routeur
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 media-type rj45
 speed 100
 duplex full
 no cdp enable
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 172.20.62.34 255.255.255.224
 no ip route-cache
 shutdown
!
ip default-gateway 172.20.62.33
no ip http server
no ip http secure-server
access-list 3 remark Controle acces admin
access-list 3 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 3 deny   any
access-list 20 remark Controle acces SNMP
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.7
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 deny   any
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server location xxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
control-plane
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output none
 escape-character 5
line vty 5 15
 login
!
ntp clock-period 36028930
ntp server 10.163.123.6
ntp server 10.163.123.5 prefer
end

Yann Shukor (Owner) asked:

kevinhsieh commented:
Does the L2 VLAN exist on the 2960 and your router? It isn't in the running-config.
conf t
vlan 2
name clients
exit
show vlan-switch

For what it is worth, it is an easy thing to miss. I still sometimes do.
0
Yann Shukor (Owner, Author) commented:
The untouched Aironets operate fine with the current setup of the switch and router
It is only the newly reconfigured Aironets that are having the DHCP issue
0
Craig Beck commented:
Remove ACL 110 from the interface and see if that works. It doesn't look right to me.

Also, remove the arp authorized command from the Fa0/0.2 interface. That will break unicast reachability without static ARP entries on the router.
0
Yann Shukor (Owner, Author) commented:
Ok, thanks Craig

Like I said, these Aironets were working quite fine before I intervened, which is why I suspect that it must be my configuration of the access points which isn't totally up to snuff.
0
Yann Shukor (Owner, Author) commented:
Craig; when you say remove ACL 110, are we talking about the whole ACL 110 set of rules or just the line blocking 10.0.0.0/24 ?
0
Craig Beck commented:
Just pull it off the Fa0/0.2 interface for now to test.
0
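ACL 110 can be checked entry by entry instead of by eye. The following is an added example, not code from the question or from any of the answers: a small Python evaluator for the subset of IOS extended-ACL syntax that access-list 110 actually uses (permit/deny; ip, udp or icmp; any, host A, or A WILDCARD; an optional eq PORT with the bootps/bootpc names), run over constructed packets for the stages of a DHCP lease on the hotspot VLAN plus two ordinary client packets. The ACL text is copied from the 1841 config above with the remark lines dropped; the client address 10.62.161.10 and the DNS source port 50000 are assumed sample values; keywords the page's ACL does not use (port ranges, established, log) are not handled.

```python
"""Evaluate the 1841's inbound ACL 110 against the packets of a DHCP lease.

Added example: a first-match evaluator for the IOS extended-ACL subset used on
the page (permit/deny; ip/udp/icmp; any | host A | A WILDCARD; optional 'eq PORT').
"""
import ipaddress

# Constructed copy of access-list 110 from the router config (remarks dropped).
ACL_110 = """
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 any
permit ip 172.16.0.0 0.15.255.255 any
deny ip any any
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((net, wildcard), next index)."""
    if tok[i] == "any":
        return (0, ALL_ONES), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Return a list of (action, proto, src, sport, dst, dport) entries in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _addr_matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    care = ~wild & ALL_ONES
    return (_ip(addr) & care) == (net & care)


def evaluate(entries, proto, src, sport, dst, dport):
    """First-match evaluation; returns (action, 0-based entry index, or None for the implicit deny)."""
    for idx, (action, eproto, esrc, esport, edst, edport) in enumerate(entries):
        if eproto != "ip" and eproto != proto:
            continue
        if not _addr_matches(esrc, src) or not _addr_matches(edst, dst):
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, idx
    return "deny", None  # every IOS ACL ends with an implicit deny


# Constructed packets as the router sees them inbound on Fa0/0.2.
# 10.62.161.10 is an assumed client address inside the hotspot_vlan2 pool.
PACKETS = [
    ("DHCPDISCOVER / DHCPREQUEST (selecting)", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
    ("DHCPREQUEST (renewing, unicast to server)", "udp", "10.62.161.10", 68, "10.62.161.1", 67),
    ("DHCPREQUEST (rebinding, broadcast)", "udp", "10.62.161.10", 68, "255.255.255.255", 67),
    ("ICMP echo to the gateway", "icmp", "10.62.161.10", None, "10.62.161.1", None),
    ("DNS query to 80.10.46.232", "udp", "10.62.161.10", 50000, "80.10.46.232", 53),
]


def audit(acl_text=ACL_110, packets=PACKETS):
    """Map each packet label to the (action, entry index) the ACL gives it."""
    entries = parse_acl(acl_text)
    return {label: evaluate(entries, *rest) for label, *rest in packets}


if __name__ == "__main__":
    for label, (action, idx) in audit().items():
        where = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{action:6} ({where:13}) {label}")
```

Under this evaluator the three DHCP stages are all permitted, the first by the DISCOVER line and the renew and rebind by the later entries; an ICMP echo from a client to its own gateway is dropped by deny ip any 10.0.0.0 0.255.255.255, and the DNS query to the pool's DNS server is permitted by permit ip 10.0.0.0 0.255.255.255 any. Because an inbound ACL on IOS also filters packets addressed to the router itself, this is the ACL the router's own DHCP service sits behind, which is why taking it off Fa0/0.2 for a test, as Craig suggests, isolates it cleanly from the AP-side configuration.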