Aironet 1142 as supplicant to 2960 switch (NEAT/CISP/MAB)

duanetoler
Level 1

Hello!

First, my configuration, (then the problem down below):

I have an Aironet 1142 with multiple SSIDs [mapped to VLANs] connected to Gi1/0/2 on a 2960 switch in a user-accessible area.  This switch is uplinked to another 2960 switch in a wiring closet, and the Microsoft NPS server is connected to the wiring closet 2960.

Aironet -- 2960 [user area] --- 2960 [closet] -- NPS RADIUS

I have the user-area 2960 configured as an authenticator switch for dot1x, and port Gi1/0/2 is authenticating the Aironet via MAB to RADIUS.  RADIUS is sending VSA device-traffic-class=switch to the 2960.  The closet-2960 has no special 802.1x configuration, nor is it an authenticator switch; it just has a manually-configured trunk port to the user-area 2960 [for now; I'm trying to take this one step at a time!].

The user-area 2960 correctly converts port Gi1/0/1 to a trunk port when the Aironet is authenticated [via MAB].  The Aironet boots up, the port is opened, I can ping the Aironet on the native VLAN, and all is well [so it seems].  The Aironet's dot11Radio is configured for two SSIDs and mapped to VLANs, which are being spanned via STP through the user-area 2960 and the closet-2960.  STP is correct and verified on all switches.

I have DHCP snooping configured on the user-area 2960 but only for VLAN 1 [but NOT the wireless user VLANs]; the trunk port to the closet 2960 is a trusted port.  Hosts on the wired ports on the user-area 2960 are able to get DHCP IPs.  On the Aironet, "show dot11 associations" shows hosts on the SSIDs are getting DHCP addresses.  Again, I am *NOT* running DHCP snooping on wireless SSID VLANs [I read elsewhere that can cause problems as users roam between Aironets].

I do have CISP configured on the user-area 2960.  I do not have CISP configured on the closet-2960 [best I can tell, that's not required at this stage, but I could be wrong].

Despite the alleged documentation, I could not get the Aironet to use a dot1x credentials profile to authenticate to NPS/RADIUS as an 802.1x supplicant, which is why I resorted to MAB for this exercise.  The Aironet simply would not run dot1x [best I could tell].  The documentation and configuration didn't seem complex, so I was quite confused.

I have upgraded the Aironet to the latest 12.4(25d)JA2 software, and the 2960 is at 12.2(55)SE7 [I saw 12.2(58) has some issues, but I'm willing to be persuaded otherwise, based on sound advice].

Ok, now the problem:

Users on the guest wireless SSID (VLAN 20) say they cannot connect.  Yep, classic.  VLAN 20 is trunked and spanned to all the sufficient places.  The Aironet shows users in the associations list for that SSID with IP addresses from the DHCP server!  DHCP snooping is not configured on that VLAN.

I read another support forum post saying CISP and MAB could cause problems with "disappearing" ARP entries.  I appear to have that problem.  However, the user on the Staff wireless (VLAN 10) has full access.  Am I running into a problem with "multi-host" authentication config?  Via tcpdump on my firewall, I see nothing but broadcast and multicast traffic coming from a host on VLAN 20.  What puzzles me is how I do see *SOME* traffic from a VLAN 20 host on this SSID, but no unicast traffic! Argh!

Since you're going to ask, here is my port config for this AP on the 2960 authenticator switch in the user-area, and the AAA config pieces:

#sh run br | in ip dhcp
ip dhcp snooping vlan 1
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp_snoop.txt
ip dhcp snooping

#sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is operational on following VLANs:
1
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
   circuit-id default format: vlan-mod-port
   remote-id: ccd5.3947.7980 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/46      no         no              15
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/52      yes        yes             unlimited
  Custom circuit-ids:

#sh run br | incl aaa auth
aaa authentication login default local group rad_eap
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default local group rad_eap
aaa authorization network default group rad_eap local

#sh run int gi1/0/2
interface GigabitEthernet1/0/2
 description Wireless Access Points
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 1 30 35 5
 srr-queue bandwidth limit 50
 priority-queue out
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust cos
 macro description CISCO_WIRELESS_AP_EVENT
 auto qos trust
 spanning-tree portfast

#sh int gi1/0/2 sw
Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

#sh auth sess int gi1/0/2
            Interface:  GigabitEthernet1/0/2
          MAC Address:  acf2.c5f2.8e27
           IP Address:  10.100.32.42
            User-Name:  acf2c5f28e27
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A64200B00000CDA41AFBEDF
      Acct Session ID:  0x00000D00
               Handle:  0xDE000CDA

Runnable methods list:
       Method   State
       mab      Authc Success
       dot1x    Not run

#sh mab int gi1/0/2
MAB details for GigabitEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled

#sh int trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1
Gi1/0/48    on               802.1q         trunking      1
Gi1/0/52    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094
Gi1/0/48    1-2,10,20
Gi1/0/52    1-2,10,20

Port        Vlans allowed and active in management domain
Gi1/0/1     1-2,10,20
Gi1/0/2     1-2,10,20
Gi1/0/48    1-2,10,20
Gi1/0/52    1-2,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/1     1-2,10,20
Gi1/0/2     1-2,10,20
Gi1/0/48    2
Gi1/0/52    1-2,10,20

Ok, what am I missing??

1 Reply

duanetoler
Level 1

The problem lies in the wired Ethernet port on the Aironet.  I did not submit that configuration because I thought it was simple and unrelated.  Here is what I had:

interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled

The correct configuration should have been:

interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled

The line "no bridge-group 20 unicast-flooding" should not be applied to the wired port.  That's stupid.   With that erroneous command, the wired port will forward only broadcast and multicast traffic!  Unicast traffic will be dropped.  Oops.

However, I do not understand why applying this to the radio interfaces has no effect there.  I have yet to find any conclusive detailed answers, either.  Regardless, my original problem is fixed.
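A config check for the misconfiguration identified in the reply above, added here as an example and not part of the thread: it splits an IOS-style AP config into interface stanzas and flags `no bridge-group N unicast-flooding` only on wired (GigabitEthernet/FastEthernet) subinterfaces, where the reply found it drops all unicast. The sample config is constructed from the commands shown in the thread, with a radio stanza added to show it is not flagged.

```python
import re

# Constructed sample in the shape of the poster's AP config: the radio subinterface
# keeps the command (harmless there per the thread), the wired one has the bad line.
SAMPLE_AP_CONFIG = """\
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 no bridge-group 20 unicast-flooding
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
"""

WIRED_PREFIXES = ("GigabitEthernet", "FastEthernet")
NO_FLOOD = re.compile(r"^no bridge-group (\d+) unicast-flooding$")

def parse_interfaces(config: str) -> dict:
    """Group config lines under their 'interface ...' stanza. A stanza ends at
    the next 'interface' line, a '!' separator or end of input, so this also
    works on forum pastes that lost the one-space subcommand indentation."""
    stanzas: dict = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line and current is not None:
            stanzas[current].append(line)
    return stanzas

def find_wired_unicast_drops(config: str) -> list:
    """(interface, bridge-group) pairs where a wired (sub)interface disables
    unicast flooding; such a port forwards only broadcast/multicast frames."""
    hits = []
    for name, lines in parse_interfaces(config).items():
        if name.startswith(WIRED_PREFIXES):
            hits += [(name, int(m.group(1))) for m in map(NO_FLOOD.match, lines) if m]
    return hits
```

Running it against the sample flags GigabitEthernet0.20 in bridge-group 20 and leaves Dot11Radio0.20 alone; feeding it the corrected config from the reply returns nothing.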
