Can't get home Cisco 3702i to work - see config

Andrew White · ‎11-12-2019

Hello,

I have a Cisco 3702i AP at home connected to my Ubiquiti switch as a trunk. If I log onto the AP it can ping all my VLAN gateways so I'm please that works. I can see the SSIDs, but when I try and connect I don't get prompted for the password, what have I done wrong? I wanted both SSIDs on the same VLAN, but I don't think this is possible. So I've tried to set them to VLAN 140 and 141.

Can you see anything wrong?

hostname Cisco-AP2
!
!
logging rate-limit console 9
!
no aaa new-model
no ip source-route
no ip cef
ip domain name home.andy-white.co.uk
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid MyNet-2.4Ghza
   vlan 141
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxx
!
dot11 ssid MyNet-5Ghza
   vlan 140
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxx
!
!
dot11 ids mfp detector
!
power inline negotiation prestandard source
no ipv6 cef
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-2.4Ghza
 !
 antenna gain 0
 stbc
 mbssid
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 station-role root
!
interface Dot11Radio0.141
 encapsulation dot1Q 141
 bridge-group 141
 bridge-group 141 subscriber-loop-control
 bridge-group 141 spanning-disabled
 bridge-group 141 block-unknown-source
 no bridge-group 141 source-learning
 no bridge-group 141 unicast-flooding
!
interface Dot11Radio0.254
 encapsulation dot1Q 254 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 141 mode ciphers aes-ccm
 !
 ssid MyNet-5Ghza
 !
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 mbssid
 channel width 40-below
 channel dfs
 station-role root
!
interface Dot11Radio1.140
 encapsulation dot1Q 140
 bridge-group 140
 bridge-group 140 subscriber-loop-control
 bridge-group 140 spanning-disabled
 bridge-group 140 block-unknown-source
 no bridge-group 140 source-learning
 no bridge-group 140 unicast-flooding
!
interface Dot11Radio1.254
 encapsulation dot1Q 254 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address 80e0.1dc6.508c
 ip address 192.168.254.8 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip default-gateway 192.168.254.1
ip forward-protocol nd
ip http server
ip http secure-server
!
access-list 111 permit tcp any any neq telnet
bridge 1 route ip

Thanks

Rasika Nayanajith · ‎11-12-2019

Hi Andrew,

Try this config & see

interface GigabitEthernet0.140
encapsulation dot1Q 140
bridge-group 140
!

interface GigabitEthernet0.141
encapsulation dot1Q 141
bridge-group 141
!
interface GigabitEthernet0.254
encapsulation dot1Q 254 native
bridge-group 1
!

HTH

Rasika

*** Pls rate all useful responses ***

Andrew White · ‎11-13-2019

Hello, sorry I don’t understand. What about radio1 for the 5Ghz.

I’m just trying to create 2 SSIDs 1 on 2.4Ghz (Vlan 140) and the other on 5Ghz (Vlan 141).

Management in 254Ghz.

I see them broadcasting but I don’t get prompted for a password that’s all.

Scott Fella · ‎11-13-2019

Typically you don’t split the 2.4GHz and the 5GHz, but we see that more in the home environment. If you don’t get prompted to enter the psk, then your configuration is wrong and your device is not detecting your encryption/auth type.

-Scott
*** Please rate helpful posts ***

Rasika Nayanajith · ‎11-13-2019

I mean add those sub-interfaces to Gigabit Ethernet (simply add those config lines to your configuration, not to replace your existing configs)

HTH

Rasika

Andrew White · ‎11-13-2019

Interesting, I get a password prompt now it logs on, I get a 169.x.x.x so I need to sort my DHCP which is enable on that VLAN.

I don't see he other SSID broadcasting anymore now though (MyNet-5Ghza).

Scott Fella · ‎11-13-2019

Do one thing at a time and figure out the rest. Guest-mode is what broadcast the SSID, but make sure your configuration follows the guides for configuring autonomous AP.

-Scott
*** Please rate helpful posts ***

Andrew White · ‎11-13-2019

Well I have one AP all running with 2 SSID but this is all on one VLAN. This is a Second AP where I wanted the SSIDs on different VLANs and the management IP on a 3rd VLAN nothing more than that. I’ve tried different things but not posted here as it would drive you mad (already am I’m sure).

Andrew White · ‎11-17-2019

Simply adding mbssid-guest-mode to each SSID fixed it all is seems in the end, just testing now. I can connect to both SSIDs and get on different VLANs and can access the internet.