10-12-2009 03:07 AM - edited 03-06-2019 08:05 AM
Hi there
I hope this is the right forum for my problem.
I have an AP 1240AG installed and configured with 3 SSIDs (3 VLANs). This AP is connected to a Cat6506:
---config6506---
interface FastEthernet4/23
description *** direkt WLAN Access Point ***
switchport
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
---/config6506---
All VLANs (20 and 30) work fine, but VLAN 10 doesn't work at all.
VLAN 10 is our "main office VLAN", where the AP1240 has got its IP Address from.
The ASA is our DHCP Server.
As soon as I connect to the VLAN 10 SSID, it seems to me that the AP does its association thing (EAP), the client gets connected, but doesn't get an IP Address.
I'm a bit "confused" about the "switchport trunk native vlan 10" statement on the catalyst, as VLAN 10 is not our "native", i.e. untagged vlan, it's tagged as every other vlan as well. But when I remove the statement, I can't connect to the AP anymore ....
Any help is highly appreciated.
Andre
10-13-2009 12:27 AM
Hi Andre.
First of all, the native VLAN concept is local to each trunk, meaning that you can have VLAN10 as native VLAN on one trunk and VLAN 456 as native VLAN on another trunk.
In regard to the AP, the native VLAN has to be the same as the one which is defined on the AP as being the native VLAN with the encapsulation dot1q <#> native command and it will be the one to which you have bound your BVI with the IP address of the AP. That is why you lose contact with the AP if you do not make VLAN 10 native.
If you connect a cabled port to VLAN 10, does a PC get an IP address then?
Is ASA DHCP server for VLAN 20 and 30 as well?
Is config in AP for VLAN 10, 20 and 30 alike?
Maybe you could post the config of the AP as well?
HTH
10-13-2009 12:35 AM
Hi
sure, here we go:
---cut---
demucwlan01#wr t
Building configuration...
Current configuration : 5644 bytes
!
! Last configuration change at 13:42:22 UTC Tue Aug 4 2009 by zycko
! NVRAM config last updated at 13:35:05 UTC Tue Aug 4 2009 by zycko
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname demucwlan01
!
logging buffered 2000000 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxx!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.17.0.37 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap2
server 10.17.0.37 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name TSC_Guest vlan 50
dot11 vlan-name TSC_Lab vlan 30
dot11 vlan-name TSC_LabMgmt vlan 20
dot11 vlan-name TSC_Main vlan 10
!
dot11 ssid TSC_Guest
vlan 50
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1xxxxxxxxxxxxxxxxxxx
!
dot11 ssid TSC_Lab
vlan 30
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1xxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid TSC_LabMgmt
vlan 20
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 1xxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid TSC_Main
vlan 10
authentication open eap eap_methods2
authentication key-management wpa
mbssid guest-mode
!
power inline negotiation prestandard source
!
!
username zycko privilege 15 password 7 xxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 50 mode ciphers aes-ccm tkip
!
ssid TSC_Guest
!
ssid TSC_Lab
!
ssid TSC_LabMgmt
!
ssid TSC_Main
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
10-13-2009 12:36 AM
Part 2
---cut---
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
!
interface FastEthernet0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface BVI1
ip address 10.30.0.2 255.255.255.0
no ip route-cache
!
ip default-gateway 10.30.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging trap debugging
logging facility local5
logging 10.17.0.41
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.17.0.37 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
transport preferred all
transport input all
transport output all
line vty 5 15
transport preferred all
transport input all
transport output all
!
sntp server 10.17.0.43
sntp server 10.17.0.44
sntp broadcast client
end
demucwlan01#
---cut---
Yes, when I connect a PC to a VLAN 10 port it works like a charm (as said, VLAN 10 is our office VLAN, but not the native (untagged) one).
Andre
10-22-2009 03:07 AM
Hi there
anyone any idea? This is driving me nuts ....
Thanks
Andre
10-22-2009 03:39 AM
Deleted.
10-22-2009 03:42 AM
Don't see anything inherently wrong with the AP side. Nothing is specified as native on the AP side, so the untagged VLAN is 1 by default, which is what the 6500 end should be also.
10-22-2009 03:53 AM
Hi glen
this is exactly what I thought as well.
Strangely enough ... the EAP authentication works (I see the client as authenticated in the AP), so the network connection itself must work; the problem is just that DHCP isn't working.
Even when I go ahead and assign a static IP out of that subnet it's not working .... really looks like that communication with the AP itself to the VLAN 10 is fine, but not for the clients ....
10-24-2009 03:46 AM
Hi Andre.
Sorry for the late reply - I was off on vacation.
"VLAN 10 is our "main office VLAN", where the AP1240 has got its IP Address from."
So you are saying that the IP address for the AP is from VLAN 10? If that is so, then you need your VLAN 10 to be the native VLAN between the switch and the AP, and you need to have the FastEthernet0.10 subinterface of your AP to have the native keyword in the encapsulation line. Furthermore, the bridge-group and the BVI number must be the same for all .10 subinterfaces and BVI interface.
Could you try it out?
HTH
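The two checks named in the reply above (the native keyword on the VLAN 10 subinterfaces, and a bridge-group number equal to the BVI number), as an added example that is not part of the original thread: a Python audit run over a constructed excerpt of the posted AP config. The function names and the `switch_native_vlan` parameter are hypothetical, and a single BVI interface is assumed.

```python
import re

# Constructed excerpt: the relevant lines of the AP config posted in this thread.
SAMPLE_AP_CONFIG = """\
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface BVI1
 ip address 10.30.0.2 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface: {"vlan", "native", "bridge_group"}} from IOS text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(
                m.group(1), {"vlan": None, "native": False, "bridge_group": None})
        elif current is None:
            continue
        elif m := re.match(r"encapsulation dot1Q (\d+)( native)?$", line, re.I):
            current["vlan"], current["native"] = int(m.group(1)), bool(m.group(2))
        elif m := re.match(r"bridge-group (\d+)$", line):
            current["bridge_group"] = int(m.group(1))
    return interfaces

def audit_native_vlan(config, switch_native_vlan):
    """Compare the AP with the switch trunk's native VLAN; return findings."""
    ifs = parse_interfaces(config)
    # Assumption: exactly one BVI; its number is the expected bridge-group.
    bvi = next((int(n[3:]) for n in ifs if n.upper().startswith("BVI")), None)
    findings = []
    for name, i in ifs.items():
        if i["vlan"] != switch_native_vlan:
            continue  # only subinterfaces of the trunk's native VLAN matter here
        if not i["native"]:
            findings.append(f"{name}: VLAN {i['vlan']} is native on the switch but tagged here")
        if i["bridge_group"] != bvi:
            findings.append(f"{name}: bridge-group {i['bridge_group']} does not match BVI{bvi}")
    return findings
```

Calling `audit_native_vlan(SAMPLE_AP_CONFIG, 10)` returns two findings for each of the `.10` subinterfaces and none for `FastEthernet0.20`.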