issue with 1250 dhcp server only giving IP's to 1 ssid and not another

Rick Hislop
Level 1

Hi there,

I had my 1250 set up to use RADIUS auth and act as a DHCP server to its wireless clients. I now have a wireless camera that I wanted to add to the mix, but it does not support RADIUS (EAP), so I've got it configured for WPA2-PSK. When trying to set up the new auth mode via the web GUI, I was told I need a separate SSID and ultimately a separate VLAN.

The goal is to have the wireless camera pull an IP from the Pool like the rest of the clients. I can see the camera associate with the AP but it does not get an IP.

Aside from the default VLAN, I've created a new VLAN for the camera (VLAN13) and tried to set up bridging but to no avail. Currently, I have one dhcp pool.

Any thoughts / guidance would be appreciated.

Thanks,

Rick

20 Replies

Surendra BG
Cisco Employee

The switchport to which this AP is connected, is that a trunk port allowing all the VLANs?

Regards

Surendra


The AP is directly connected to a NIC on a firewall appliance. I haven't even gotten far enough to test whether the new device (wireless camera) can be connected to remotely. The AP acts as a DHCP server to all of its authenticated clients, and right now, even though the wireless camera appears to be authenticated/associated, it is not receiving an IP from the AP.

Cheers,

Rick

This is the basic thing we need to take care of:

>> Just make sure all the VLANs that we are using on the AP are present on the Layer 3 device and allowed on the devices that come in between, up to the AP, so that there is no break in the network.

Please make sure the firewall is allowing the VLAN in question.

PS: Authentication and association happen on the AP; to get a DHCP IP, network connectivity to the DHCP server is required. If you are failing to grab the IP, make sure of the connectivity to the DHCP server and double-check the VLANs allowed on the network.

Regards

Surendra


That's definitely something I'll start looking at, but in the meantime, is it still required even though the AP itself is the DHCP server?

OK, if the AP itself is acting as a DHCP server, then the DHCP pool should be on the same subnet as the BVI interface. Only then will it work; if not, it won't.

Regards

Surendra


The goal is to have both SSID/VLANs be in the same subnet. Again, prior to adding the second SSID/VLAN, DHCP was working fine, and for the original SSID it still is, but I am unable to get DHCP serving requests for clients that authenticate to the 2nd SSID/VLAN.

From the log, the client seems to authenticate with WPAv2-PSK and appears to associate but does not get an IP. I've tried bridging the connections and now have tried splitting the dhcp scope so that half is with SSID1 and the other with SSID2.

I must be missing something but for the life of me, I am unable to see it.

Thanks,

Rick

They were using the same subnet. I've since changed it to the following. Is there a way to have a scope associated with an SSID? Not sure how it would know what scope to use with an SSID if there are multiple ones.

Here's an excerpt:

ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.20.128 192.168.20.140
!
ip dhcp pool wifi-network
   network 192.168.20.0 255.255.255.128
   default-router 192.168.20.2
   domain-name mydomain.com
   dns-server 10.7.0.71 10.7.0.45
!
ip dhcp pool wifi-network2
   network 192.168.20.128 255.255.255.128
   default-router 192.168.20.2
   domain-name mydomain.com
   dns-server 10.7.0.71 10.7.0.45
!

!
dot11 ssid wifi1
   vlan 1
   authentication open eap eap_methods
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
!
dot11 ssid wifi2
   vlan 13
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 15223F2F4439382D2C6775050602051740
!
dot11 arp-cache optional

Paste the config which is under the radio:

sh run int dot11 0 and sh run int dot11 1

Let me see that.

Regards

Surendra


ho-wifi1#sh run int dot11 0
Building configuration...

Current configuration : 370 bytes
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm
!
broadcast-key change 15341
!
broadcast-key vlan 1 change 240
!
broadcast-key vlan 13 change 4356
!
!
ssid wifi1
!
ssid wifi2
!
mbssid
station-role root
end

ho-wifi1#sh run int dot11 1
Building configuration...

Current configuration : 401 bytes
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm
!
broadcast-key change 15341
!
broadcast-key vlan 1 change 240
!
broadcast-key vlan 13 change 4356
!
!
ssid wifi1
!
ssid wifi2
!
dfs band 3 block
mbssid
channel dfs
station-role root
end

Which SSID does not work? VLAN 1 or 13?

Paste the complete sh run from the AP here, along with the configuration of the connected interface on the other side as well.

Regards

Surendra


The issue is that DHCP is not working on VLAN 13. VLAN 1 is working fine.

Also, when I set a static IP for the camera on VLAN 13, the ARP entry shows as incomplete.

The AP plugs directly into a firewall port and does not pass through a switch.

ho-wifi1#show run
Building configuration...

Current configuration : 7467 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname ho-wifi1
!
logging buffered 8192 debugging
enable secret 5 $1$p9b2$MalSjKu5q.RwL2aI7bJZv.
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.7.0.45 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 10.7.0.45 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
server 10.7.0.45 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
clock timezone -0800 -8
clock summer-time -0700 recurring
ip domain name mydomain.com
ip name-server 10.7.0.71
ip name-server 10.7.0.45
ip name-server 10.10.0.40
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1 192.168.20.10
ip dhcp excluded-address 192.168.20.128 192.168.20.140
!
ip dhcp pool wifi-network
   network 192.168.20.0 255.255.255.128
   default-router 192.168.20.2
   domain-name mydomain.com
   dns-server 10.7.0.71 10.7.0.45
!
ip dhcp pool wifi-network2
   network 192.168.20.128 255.255.255.128
   default-router 192.168.20.2
   domain-name mydomain.com
   dns-server 10.7.0.71 10.7.0.45
!
!
!
dot11 ssid wifi1
   vlan 1
   authentication open eap eap_methods
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
!
dot11 ssid wifi2
   vlan 13
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 15223F2F4439382D2C6775050602051740
!
dot11 arp-cache optional
!
crypto pki trustpoint TP-self-signed-2431179486
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2431179486
revocation-check none
rsakeypair TP-self-signed-2431179486
!
!
crypto pki certificate chain TP-self-signed-2431179486
certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343331 31373934 3836301E 170D3038 30393236 31363038
  34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 34333131
  37393438 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D253 31C549D8 2B02FCBA C2D84D4B B428749A 4523A582 459B25B4 6FAD692E
  3DDB416F FEC71223 A54C8CE4 FADD9F6D 06AB9054 4E0C5D99 1A145052 21825473
  CC30CE8B F42AAEE0 50970235 7B437554 2C8EB21A 98325D46 96400A0A 5C7682C3
  F11A01D2 A8F88BA6 1019C70A 7D22F659 4595BFBF C76D17EF F41161B6 30DB977E
  A2790203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 19686F2D 77696669 312E7065 6F706C65 73747275 73742E63
  6F6D301F 0603551D 23041830 1680143A 3EE3B3A8 6CABA085 F91D20E3 F673C71A
  46FD7830 1D060355 1D0E0416 04143A3E E3B3A86C ABA085F9 1D20E3F6 73C71A46
  FD78300D 06092A86 4886F70D 01010405 00038181 0074AFB0 DB591671 425B7102
  DA817641 08E14745 40A81A93 FE461C17 833B8943 37541D7C 712ACCF7 AF7FA458
  631453AF 0FFDCD22 C6104E6D DB1CE021 1A663C56 8D7F2884 FDBFE480 1BE11172
  D2800BF7 E94E86A8 CB334006 DB98B2DB 2A59A4F9 6A0081FA 66A7C8FD 4001981D
  2F25D6C0 5A9E9987 7E17C3D9 FF607496 EDD5AA38 13
  quit
username apadmin privilege 15 password 7 08116C5D1A0E550516
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm
!
broadcast-key change 15341
!
broadcast-key vlan 1 change 240
!
broadcast-key vlan 13 change 4356
!
!
ssid wifi1
!
ssid wifi2
!
mbssid
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
ip helper-address 192.168.20.5
no ip route-cache
bridge-group 13
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
encryption vlan 13 mode ciphers aes-ccm
!
broadcast-key change 15341
!
broadcast-key vlan 1 change 240
!
broadcast-key vlan 13 change 4356
!
!
ssid wifi1
!
ssid wifi2
!
dfs band 3 block
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface BVI1
ip address 192.168.20.5 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.20.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history size 100
logging trap debugging
logging 10.7.0.150
access-list 111 permit tcp any any neq telnet
snmp-server community monitor RO
snmp-server community trapme RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host 10.7.0.150 trapme
radius-server local
  group GuestAccess
    ssid GuestMobile
    block count 5 time 30
  !
  user wifiguest nthash 7 153453285D7A7E7D0C606D713054402054727A790B0058533E357C0E7506770471 group GuestAccess
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.7.0.45 auth-port 1645 acct-port 1646 key 7 053D0701024D423D16174741
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 199.212.17.22
sntp broadcast client
end
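The configuration above was posted with `service password-encryption` on and its WPA2-PSK, RADIUS key, local-user password and local RADIUS nthash all shown as `7 <hex>` strings. Cisco type 7 is not encryption: it is a fixed-key XOR, so anyone who can read the config can recover those secrets. The following is an added example, not code from this thread or from Cisco; it implements the type 7 scheme against a constructed sample config (the `0822455D0A16` / `0538030C33495A58` strings and the `apadmin` line are made up for the example and are not the thread's values), and deliberately does not decode the thread's own strings. The `enable secret 5` line is an MD5 hash, which this does not touch.

```python
import re

# Fixed XOR key used by Cisco IOS type 7 password obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Constructed sample config for the scanner below (not the thread's real
# secrets). "0822455D0A16" is the well-known type 7 encoding of "cisco".
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$notType7AndNotRecoverableThisWay
username apadmin privilege 15 password 7 0822455D0A16
radius-server host 10.7.0.45 auth-port 1645 acct-port 1646 key 7 0538030C33495A58
"""


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a type 7 string: 2-digit seed, then hex bytes.

    Each ciphertext byte is plaintext XOR XLAT[(seed + position) % len(XLAT)].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are a 2-digit seed plus an even number of hex digits")
    seed = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type 7 string; IOS itself picks seeds in the range 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    raw = plain.encode("ascii")
    out = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(raw))
    return f"{seed:02d}{out.hex().upper()}"


# Keywords that precede a type 7 value in IOS/autonomous-AP configs.
_TYPE7_LINE = re.compile(r"\b(?:password|key|ascii|nthash) 7 ([0-9A-Fa-f]+)\s*$")


def find_type7_secrets(config: str) -> list:
    """Return [(config line, recovered secret)] for every type 7 value found."""
    found = []
    for line in config.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{secret!r:12} <- {line}")
```

Run it against any saved `show run` before pasting the output anywhere: every line it prints is a credential that must be rotated once the config has been shared, and the PSK in particular should be redacted from posts.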

Please remove the IP helper which is under the dot11 radio interface. And here is the problem: the DHCP pool on the AP works only for the BVI interface subnet.

Here is the link which states that:

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap5-admin.html#wp1090319

There is a note there:

When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet. The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.

Please move the DHCP for VLAN 13 to any other L3 switch or to any DHCP server.

interface Dot11Radio0.13
 encapsulation dot1Q 13
 no ip helper-address 192.168.20.5
 no ip route-cache
 bridge-group 13
 bridge-group 13 block-unknown-source
 no bridge-group 13 source-learning
 no bridge-group 13 unicast-flooding
 bridge-group 13 spanning-disabled

Let me know if this helps, and please don't forget to rate the post if it resolves the issue.

Regards

Surendra

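The reply above states the rule (the AP's DHCP server serves only the BVI subnet) and the fix (drop the helper, move VLAN 13's DHCP elsewhere). The reason in terms of the posted config: an autonomous IOS AP has a single IP interface, BVI1, which sits in bridge-group 1. VLAN 13 is in bridge-group 13, which has no BVI, so frames from wifi2 are bridged straight out GigabitEthernet0.13 and never reach the AP's IP stack, where the DHCP server listens. The `ip helper-address` on Dot11Radio0.13 cannot help because that subinterface has no IP address to relay from. The following linter is an added example, not code from this thread or from Cisco; it parses a trimmed, re-indented copy of the posted config and reports exactly those conditions. The pool-selection check encodes the IOS behaviour that a pool is chosen by the address of the interface the request arrived on (or giaddr when relayed), so the pool `wifi-network2` would not be used even on VLAN 1.

```python
import ipaddress
import re

# Trimmed, re-indented copy of the AP configuration posted in this thread,
# reduced to the lines the checks below read. Sample input only.
AP_CONFIG = """\
ip dhcp pool wifi-network
   network 192.168.20.0 255.255.255.128
!
ip dhcp pool wifi-network2
   network 192.168.20.128 255.255.255.128
!
dot11 ssid wifi1
   vlan 1
!
dot11 ssid wifi2
   vlan 13
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.13
 encapsulation dot1Q 13
 ip helper-address 192.168.20.5
 bridge-group 13
 bridge-group 13 block-unknown-source
!
interface BVI1
 ip address 192.168.20.5 255.255.255.0
"""


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def analyse(config):
    """Check SSID VLANs, DHCP pools and helpers against the AP's BVI."""
    pools = {}               # pool name -> IPv4Network
    ssid_vlan = {}           # ssid -> 802.1Q VLAN
    vlan_groups = {}         # VLAN -> set of bridge-groups carrying it
    bvi = {}                 # bridge-group -> BVI IPv4Interface
    helpers_on_bridged = []  # subinterfaces with a helper but no IP address

    for header, body in parse_blocks(config):
        if m := re.fullmatch(r"ip dhcp pool (\S+)", header):
            for line in body:
                if n := re.fullmatch(r"network (\S+) (\S+)", line):
                    pools[m[1]] = ipaddress.ip_network(f"{n[1]}/{n[2]}", strict=False)
        elif m := re.fullmatch(r"dot11 ssid (\S+)", header):
            for line in body:
                if v := re.fullmatch(r"vlan (\d+)", line):
                    ssid_vlan[m[1]] = int(v[1])
        elif m := re.fullmatch(r"interface BVI(\d+)", header):
            for line in body:
                if a := re.fullmatch(r"ip address (\S+) (\S+)", line):
                    bvi[int(m[1])] = ipaddress.ip_interface(f"{a[1]}/{a[2]}")
        elif m := re.fullmatch(r"interface (\S+)", header):
            vlan = group = None
            has_ip = has_helper = False
            for line in body:
                if e := re.fullmatch(r"encapsulation dot1Q (\d+)(?: native)?", line):
                    vlan = int(e[1])
                elif g := re.fullmatch(r"bridge-group (\d+)", line):
                    group = int(g[1])
                elif line.startswith("ip address "):
                    has_ip = True
                elif line.startswith("ip helper-address "):
                    has_helper = True
            if vlan is not None and group is not None:
                vlan_groups.setdefault(vlan, set()).add(group)
            if has_helper and not has_ip:   # relay needs an IP to source from
                helpers_on_bridged.append(m[1])

    # 1. An SSID's VLAN must be in a bridge-group that has a BVI; otherwise its
    #    frames are bridged to Ethernet and the AP's DHCP server never sees them.
    vlans_without_bvi = sorted(
        v for v in set(ssid_vlan.values())
        if not any(g in bvi for g in vlan_groups.get(v, ()))
    )
    # 2. A pool is selected by the receiving interface's address, so a pool
    #    containing no BVI address is never handed out.
    unselectable_pools = sorted(
        name for name, net in pools.items()
        if not any(b.ip in net for b in bvi.values())
    )
    return {
        "ssid_vlan": ssid_vlan,
        "vlans_without_bvi": vlans_without_bvi,
        "unselectable_pools": unselectable_pools,
        "helpers_on_bridged": helpers_on_bridged,
    }


if __name__ == "__main__":
    for key, val in analyse(AP_CONFIG).items():
        print(f"{key}: {val}")
```

On the posted config this reports VLAN 13 as having no BVI, `wifi-network2` as a pool that can never be selected, and the helper on Dot11Radio0.13 as ineffective; a clean result for an SSID means its VLAN shares the BVI's bridge-group and a pool covers the BVI address.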

I've removed the IP helper for VLAN 13. Does this mean that the DHCP server on the AP cannot assign IP addresses to both VLANs? The problem is that the network for the Wi-Fi devices is small and I do not have any servers in there, just the AP. The other problem is that even if I make the IP static on the camera, it does not create the proper ARP entry on the AP. If I can make the camera connect with a static IP, that would be fine as well.

Thank you for all your assistance.

Cheers,

Rick

Q>> Does this mean that the DHCP server on the AP cannot assign IP addresses to both VLANs?

ANS - Yes, the AP is not capable of assigning IPs for different VLANs. It can assign only to the subnet the BVI interface is on.

Let me know if this answered your question.

Regards

Surendra
