Clients timeout on DHCP lease with Aironet 1141

n_parshina
Level 1

Hello

I have an interesting problem that I can't find a solution for.

Background info:

I'm setting up a Cisco Aironet 1141 (standalone mode, AP) to handle wireless traffic in the office. It gives out 2 mbssids, one of which authenticates domain users through a RADIUS server and places them in an appropriate VLAN (RADIUS options 64, 65, and 81). The other is a guest ssid that uses WPA-PSK and places users in the restricted guest VLAN. Physically, the AP is connected to a 3750 PoE Catalyst, to which RADIUS and DHCP servers are also connected. AP, SSIDs, RADIUS and EAP authentication all work. The configuration given below is a working configuration. People do get authenticated and do get placed in the appropriate vlan.

The problem is that, once authenticated, the "Obtaining IP Address" phase on the client hangs and most clients time out without getting an IP address. Given that the DHCP server is on the same switch and a test simple ASUS Wi-Fi IP gives out the same scenario (except the multiple VLAN) at the speed of light, I don't think that it's a problem with the network connections between clients and the DHCP server.

After reading some topics here, I realized that probably other communication will be extremely slow, as well, but haven't tested that for sure.

Clients are all non-Cisco - smartphones, notebooks, etc. Most of them are 802.11G, not N.

Configuration is attached below.

Does anyone have any ideas?

4 Replies

Stephen Rodriguez
Cisco Employee

Can you post the config of the switch port the AP is connected to?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Sure, possibly relevant parts:

errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
!
!
!
interface GigabitEthernet1/0/1
 description Gi1/0/1 to CAT-CORE
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
!
interface GigabitEthernet1/0/4
 description Gi1/0/4 to RADIUS_serv
 switchport access vlan 240
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
!
interface GigabitEthernet1/0/8
 description Gi1/0/8 to DHCP_serv
 switchport access vlan 240
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
!
interface GigabitEthernet1/0/11
 description Aironet 1141 AIRONET-MO-1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport trunk allowed vlan 240-246,248,249
 switchport mode trunk
interface Vlan240
 description Admin_Vlan
 ip address 192.168.240.244 255.255.255.0
!
ip default-gateway 192.168.240.1
ip classless
no ip http server
ip http secure-server
!

I've tried manually setting port speed and duplex on both switch and AP, but that doesn't help. The clients' connections are still too slow. Some XP notebooks do get an IP address, but most other devices time out. The ones that do get an IP have a connection so slow that they are not able to really do anything.

Problem solved. Despite the fact that the configuration is accepted, there is a note that:

"RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs."

The way it works is that you do get an IP address from the appropriate VLAN, but cannot send any traffic through the AP.

The solution is turning off the mbssid configuration completely and leaving only 1 ssid in guest-mode.
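Because the AP accepts the unsupported combination silently, a configuration check can catch it before deployment. The following is an added example, not part of the original thread: the sample config is constructed, the function names are hypothetical, and the check assumes any EAP-authenticated SSID may receive a RADIUS-assigned VLAN, since the AP config alone does not show which attributes the RADIUS server returns.

```python
import re

# Constructed sample of a standalone Aironet config; not the poster's configuration.
SAMPLE_CONFIG = """\
dot11 ssid CORP
   vlan 241
   authentication open eap eap_methods
   mbssid guest-mode
!
dot11 ssid GUEST
   vlan 249
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 ExamplePassphrase
   mbssid guest-mode
!
interface Dot11Radio0
 mbssid
 ssid CORP
 ssid GUEST
!
"""

def parse_sections(config):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            sections[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def find_mbssid_eap_conflicts(config):
    """Map each mbssid-enabled radio to the EAP SSIDs bound to it."""
    sections = parse_sections(config)
    eap = {h.split()[2] for h, body in sections.items()
           if re.fullmatch(r"dot11 ssid \S+", h)
           and any(re.match(r"authentication (open eap|network-eap)\b", c) for c in body)}
    conflicts = {}
    for header, body in sections.items():
        if header.lower().startswith("interface dot11radio") and "mbssid" in body:
            hits = [c.split()[1] for c in body if re.fullmatch(r"ssid \S+", c) and c.split()[1] in eap]
            if hits:
                conflicts[header] = hits
    return conflicts
```

A non-empty result means an 802.1X SSID sits on a radio with multiple BSSIDs enabled, so the RADIUS policy for that SSID should be checked for VLAN assignment.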
