09-12-2013 08:35 AM - edited 07-04-2021 12:49 AM
Hi,
We have a Cisco 1602i access point that is in a geographically remote office and different subnet from the home office and network where the RADIUS server exists that we wish to use to authenticate to.
The offices are joined by a VPN tunnel between an ASA 5510 (home office where the RADIUS server lives) and an ASA5505 in the remote office where the AP lives.
However, the AP cannot contact the RADIUS server even though the tunnel is wide open, with no port restrictions. We also cannot connect to the remote AP to manage it via the GUI or SSH from the home office network.
The AP is up and we can manage it by using a computer on the same network as it. SSH, GUI, Telnet all work. However, it doesn't even respond to pings sent from the home network, even though other devices do when pinged from the home to the remote network.
So my basic question is, can a Cisco AP only contact devices on the same subnet? That would seem like a silly limitation for an enterprise device that would be deployed in a remote setting.
We have a Cisco SmartNet on the access point, but not on the firewalls, and Cisco has commented that it could be a VPN tunnel issue and we should contact their VPN support group, but we do not have paid Cisco SmartNet support for the firewalls.
Can anyone help me out?
Thanks!!
Dave
09-12-2013 08:46 AM
Hi Dave,
Is the AP a lightweight AP or an autonomous AP?
Can you verify whether the AP has a default gateway configured on it?
Regards
Najaf
09-12-2013 09:11 AM
Hi
It's autonomous.
The AP does have a gateway configured.
Thanks
Dave
09-12-2013 09:18 AM
can you share the config of the AP and the switchport it is connected to?
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
09-12-2013 09:18 AM
Hi Dave,
Could you please share the configuration from the AP with sensitive information removed.
Also are you able to ping the default gateway configured on AP from Home network?
Regards
Najaf
09-12-2013 09:45 AM
Here is the config.
And I am able to ping the default gateway (for the Remote network) configured on the AP, from my workstation on the home network.
Thanks
Dave
----------------------------------------------------------------------------------------------------------------------------------
Current configuration 2862 bytes
!
! Last configuration change at 18:33:16 -0600 Sun Feb 28 1993 by
! NVRAM config last updated at 09:58:59 -0500 Thu Sep 5 2013 by
! NVRAM config last updated at 09:58:59 -0500 Thu Sep 5 2013 by
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-AP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.1.19
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone -0600 -6 0
clock summer-time -0500 recurring
ip cef
!
!
!
dot11 syslog
!
dot11 ssid (removed)
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
!
!
crypto pki token default removal timeout 0
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm tkip
!
ssid (removed)
!
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm tkip
!
ssid (removed)
!
antenna gain 0
dfs band 3 block
stbc
beamform ofdm
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.1.19 key (removed)
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
transport input all
!
end
Cisco_AP#
09-12-2013 09:50 AM
Hi Dave,
Not sure why you have this line of configuration on the AP assuming your gateway is 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
You can remove this line from the configuration and try the ping.
Regards
Najaf
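The root cause Najaf spotted is worth turning into a routine check before an autonomous AP is shipped to a remote site: the BVI sits on 10.0.2.0/24 and `ip default-gateway` points at 10.0.2.1, but a leftover `ip route 0.0.0.0 0.0.0.0 10.0.1.1` names a next hop on a different subnet, so off-subnet replies (RADIUS, SSH, ping from the home office) have nowhere valid to go. The script below is an added example, not code from the thread or from Cisco; it parses an IOS-style config, checks every default next hop against the connected subnets, and flags disagreeing default paths. The sample config is constructed from the values posted above.

```python
import ipaddress
import re

# Constructed sample modelled on the config in the thread: BVI1 on 10.0.2.0/24,
# ip default-gateway 10.0.2.1, and a stale static default whose next hop
# 10.0.1.1 is not on any local subnet.
SAMPLE_CONFIG = """\
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
"""

def connected_subnets(config):
    """Return the network of every 'ip address A M' line (IOS only allows
    these under an interface, so indentation is not relied upon)."""
    nets = []
    for m in re.finditer(r"^\s*ip address (\S+) (\S+)\s*$", config, re.M):
        nets.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
    return nets

def default_next_hops(config):
    """Return (statement, next_hop) for ip default-gateway and 0.0.0.0/0 static routes."""
    hops = []
    for m in re.finditer(r"^ip default-gateway (\S+)", config, re.M):
        hops.append(("ip default-gateway", m.group(1)))
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        hops.append(("ip route 0.0.0.0/0", m.group(1)))
    return hops

def audit_default_routes(config):
    """Flag default next hops that are not directly reachable on a connected
    subnet, and flag more than one distinct default path (they can disagree)."""
    nets = connected_subnets(config)
    hops = default_next_hops(config)
    findings = []
    for stmt, hop in hops:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop given as an interface name; nothing to check here
        if not any(addr in net for net in nets):
            findings.append(f"{stmt} {hop}: next hop is not on any connected subnet")
    if len({hop for _, hop in hops}) > 1:
        findings.append("conflicting default paths: " + ", ".join(f"{s} {h}" for s, h in hops))
    return findings

if __name__ == "__main__":
    for line in audit_default_routes(SAMPLE_CONFIG):
        print(line)
```

Running it against the posted config reports the 10.0.1.1 static route as unreachable and the two default paths as conflicting; after the `ip route` line is removed, as in the fix above, it reports nothing.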
09-12-2013 10:03 AM
Hi
That fixed it.
Thank you very much! I had a feeling it was something I had overlooked.
Have a great day,
Dave
09-12-2013 10:10 AM
Hi Dave,
Great to know that things are working as expected.
Regards
Najaf