02-28-2019 04:37 AM
Hi there, I hope you can help, I have been looking at this issue for a while now but am hoping it is something simple.
We have Meraki APs located in 4 of our remote offices and they all connect to the "Corporate Wifi" SSID, which uses Radius authentication. The clients obtain an IP from their onsite Windows DHCP server. However, this does not work in our Birmingham office. I have spoken to Meraki support and they have proved by running a packet capture that DHCP requests are made, pass through to the AP and then are sent successfully out of the AP, so something upstream is stopping it. The weird thing is that other SSIDs on the network which just use WPA2 for authentication (no Radius) work just fine, and they obtain their IP from the same Windows server that I am trying to reach from the "Corporate Wifi" SSID.
There is only one switch involved - a 2960 catalyst, and everything is connected to it.
Corporate Wifi has been set up to use VLAN 41 but doesn't get a DHCP address.
"Staff Wifi" has been set up to not use a VLAN and it obtains DHCP fine. When I look on the Meraki the VLAN says "NATIVE".
Looking at the config of the Catalyst, everything is in the default VLAN 1 (the switch was nuked and rebuilt swiftly a few months ago). I'm not aware of any ACL in play or anything specifically that could be blocking things.
I have changed the Corporate Wifi to use VLAN 1 temporarily and this still does not work. I have added an IP helper address to VLAN 41, no joy. There is no interface IP configured on VLAN 41 and when I try to look at the setup of VLAN 41 it states "Internet Protocol Processing Disabled". Should I have an interface IP on VLAN 41 or is this irrelevant?
I just can't see how the same Windows 10 laptop obtains DHCP from Staff Wifi and not from Corporate Wifi when both SSIDs should be using the same DHCP server to get an IP.
Can any of you assist me in where to look or do you need to see any particular config which I can copy and paste if required?
02-28-2019 09:25 AM - edited 02-28-2019 09:26 AM
I'm not going to be able to use VLAN41 as I want the clients to have an IP in 10.9.1.x and unfortunately VLAN1 is already set up for this.
I am now thinking that Meraki doesn't like to use VLAN1 or something, as I can't make it so that it comes up "native" for my Corporate Wifi SSID; it only ever comes up as VLAN41 or VLAN1. If I remove Birmingham from being a VLAN altogether on the Meraki it still comes up as VLAN1.
So what I am saying is, even if a Corporate Wifi user is in VLAN1, which is already set up and gives clients a DHCP of 10.9.1.x, it still does not work.
02-28-2019 09:56 AM
02-28-2019 03:39 PM
Hello,
On a side note, I take it that three of the four offices are working... can you post the configs of one of the working offices?
That said, reading through the post I am having a hard time figuring out what your topology actually looks like. Can you post a schematic drawing including the devices involved, and how they are interconnected? You talk about VLAN 41, but I do not see any ports in VLAN 41 in the switch configuration.
My apologies if I am asking redundant questions. How is your RADIUS configured?
03-01-2019 01:13 AM
Hi there, the other 3 offices work fine. All offices are connected via MPLS.
The issue here is that all ports are in the default VLAN1 and this is because a few months ago the switch was wiped and quickly rebuilt. I don't see why I need a port in VLAN41 if the devices I am trying to connect are wireless and going through the Meraki AP which is in a trunk port?
The other issue is, I want to keep all the wifi devices in the same range as the computers, which is 10.9.1.x, but they are all in VLAN1, so I want to keep the Meraki connected Corporate Wifi clients also on 10.9.1.x and I guess this means they have to now go in VLAN1.
The network is really simple. Meraki AP and Windows server and all clients plug into the one single L2 switch. The server is also in VLAN1 and hands out DHCP.
There is a connection from our L2 switch to the MPLS provider's L3 switch, which I believe is on 10.9.1.1.
Radius is handled by Windows Network Access Protection on a server sat on 10.1.0.239 over at our head office. The MPLS provider have advised that all VLANs should be able to communicate with all other VLANs as the network is 10.0.0.0/16.
When I connect a laptop to Staff Wifi it comes up Native VLAN in Meraki for reasons I am unsure of, but then it works. It gets a 10.9.1.x address. When I disconnect that SSID and reconnect to "Corporate Wifi" using the same laptop, it can't get DHCP.
DHCP is done by a server on 10.9.1.252 sat in the same office connected to the same switch.
I have tried to make the Corporate Wifi come up as NATIVE in Meraki but it won't do it; it can only be either VLAN1 or VLAN41 for example but not NATIVE.
03-01-2019 01:17 AM
03-01-2019 01:28 AM
Hello,
I noticed that the 'working' switch is in VTP transparent mode and member of a VTP domain:
vtp domain Lodder-dll.
vtp mode transparent
Are the other two 'working' branch office switches configured the same way?
03-01-2019 03:55 AM - edited 03-01-2019 04:03 AM
Hello
@mikep83 wrote
There is only one switch involved - a 2960 catalyst, and everything is connected to it.
Corporate Wifi has been set up to use VLAN 41 but doesn't get a DHCP address. "Staff Wifi" has been set up to not use a VLAN and it obtains DHCP fine. When I look on the Meraki the VLAN says "NATIVE".
Looking at the config of the Catalyst, everything is in the default VLAN 1 (the switch was nuked and rebuilt swiftly a few months ago). I'm not aware of any ACL in play or anything specifically that could be blocking things.
I have changed the Corporate Wifi to use VLAN 1 temporarily and this still does not work. I have added an IP helper address to VLAN 41 ,
I just can't see how the same Windows 10 laptop obtains DHCP from Staff Wifi and not from Corporate Wifi when both SSIDs should be using the same DHCP server to get an IP.
I am thinking, as the Meraki SSIDs are centrally managed and are working in other offices, then they are correctly set up.
Do you only have Meraki APs, no MX or MS devices, and these APs are connected to this L2 switch?
I see no reference below to vlan 41 in your switch configuration lod-ch-comms-2960-asw
It's not being allowed on the trunks towards your APs?
Corporate Wifi = vlan 41
Staff Wifi ssid = vlan 1 Native vlan ?
vlan 20
name SERVER_NET
vlan 21
name DATA_USERS_NET
vlan 22
name VOICE_USERS_NET
vlan 23
name VIDEO_USERS_NET
vlan 24
name PRINTERS
vlan 61
name GUEST_USERS_NET
interface Port-channel1
description ***** Link To WarwickNet *****
switchport trunk allowed vlan 1,20-23,61
interface GigabitEthernet xxx
description **** LCAP0X ****
switchport trunk allowed vlan 20,21,61
interface GigabitEthernet1/0/48
description ***** Link to Cisco Cube Router ***** <-----WHAT does this router do
switchport access vlan 22
switchport mode access
interface Vlan20
ip address 10.2.0.4 255.255.255.0
interface Vlan20
ip address 10.2.0.4 255.255.255.0
interface Vlan21 <--not required
interface Vlan22 <--not required
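The check raised in the reply above (is the SSID's VLAN defined on the switch and allowed on the trunk ports), written out as an added example that is not part of the original thread. The sample configuration is constructed from the excerpt quoted in that reply; the port name `GigabitEthernet1/0/10` and the `switchport mode trunk` lines are assumptions, since the excerpt elides them.

```python
import re

# Constructed sample, based on the excerpt quoted in the post above.
# "GigabitEthernet1/0/10" is a hypothetical stand-in for the elided AP port.
SAMPLE_CONFIG = """\
vlan 20
 name SERVER_NET
vlan 21
 name DATA_USERS_NET
vlan 61
 name GUEST_USERS_NET
interface Port-channel1
 switchport trunk allowed vlan 1,20-23,61
 switchport mode trunk
interface GigabitEthernet1/0/10
 description **** LCAP0X ****
 switchport trunk allowed vlan 20,21,61
 switchport mode trunk
interface GigabitEthernet1/0/48
 switchport access vlan 22
 switchport mode access
"""

def expand(spec):
    """Expand an IOS VLAN list such as '1,20-23,61' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_vlan(config, vlan):
    """Return (defined, {trunk_interface: carries_vlan}) for one VLAN ID."""
    defined = vlan == 1              # VLAN 1 always exists on a Catalyst
    trunks, allowed, iface = {}, {}, None
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"vlan ([\d,-]+)$", text):
            defined = defined or vlan in expand(m.group(1))
        elif m := re.match(r"interface (\S+)", text):
            iface = m.group(1)
        elif iface and text == "switchport mode trunk":
            trunks[iface] = True
        elif iface and (m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", text)):
            allowed.setdefault(iface, set()).update(expand(m.group(1)))
    # A trunk with no "allowed vlan" line carries every VLAN by default.
    return defined, {i: vlan in allowed[i] if i in allowed else True for i in trunks}

print(audit_vlan(SAMPLE_CONFIG, 41))
```

The `all`, `none`, `except` and `remove` forms of the allowed-VLAN command are not handled; a trunk using them is reported as if it had no restriction.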
03-04-2019 03:13 AM
Hi Paul, thanks for the response. Though that config is for our Cheltenham office.
However, I have been thinking over the weekend. Radius must be working because when users sign into the "Corporate Wifi" SSID, it accepts their Windows credentials and it connects them to Corporate Wifi. The only thing they don't get is an IP. But the same laptop does get an IP from the same DHCP server and in the same range, albeit on the Staff Wifi.
Here is the other weird thing which I can't explain but you may get a clue from: I looked at the other 14 access points we have dotted around in the different geographic locations. The access point itself is tagged in a VLAN, such as Cheltenham APs are all tagged in VLAN 21, Henley are all tagged in VLAN 31. The problematic (Birmingham) APs are not tagged in a VLAN, but when I do tag them in VLAN1 they have a meltdown and both change to DHCP IP addressing in the exact same range as what they were on when they were static (10.9.1.14 and 10.9.1.250). Everything else stays the same, such as DNS, GW etc.
So I call Meraki and they tell me that this is due to an ARP error possibly. But they couldn't explain to me why me putting the APs in a VLAN makes them change from static to DHCP and get an IP in the same range.
So what we have is a situation where the Staff Wifi SSID gets DHCP fine, the AP itself gets a DHCP address fine (not that we want it to), and yet the Radius authenticated SSID, when I connect to it, means my same laptop doesn't get a DHCP address.
So it's not like the laptops or APs can't communicate or are blocked from Radius or from the DHCP server (10.9.1.252), but something odd is certainly happening.
Does this shed any more light on things? I have attached a picture of where I mean when I tag the Meraki AP.