Cisco AIR-AP1131G wireless setup using WPA-PSK

smith606306
Level 1

Hi,

I have an AP1131ag access point which I am trying to run 2 SSIDs off.

The first is untrusted and uses VLAN 325 and goes through a separate internet connection; it gets its IP addresses from an ISP router with DHCP enabled (IP helper on the VLAN interface to the ISP router).

The second is a trusted network which I want to connect to our company network. It uses VLAN 324 and I want it to get its IP address from the onsite DHCP server.

The untrusted Guest network works perfectly well, but with the trusted one, although I can see the network, it doesn't get an IP address.

Below is the config. I would appreciate it if anyone could give me some pointers.

AP Config

hostname
!
logging rate-limit 10
no logging console
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ip telnet source-interface BVI1
no ip domain lookup
ip domain name cisco
!
!
ip ssh time-out 30
ip ssh source-interface BVI1
ip ssh version 2
dot11 vlan-name trusted_VLAN vlan 324
dot11 vlan-name untrusted_VLAN vlan 325
!
dot11 ssid untrusted-Guest
   vlan 325
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii guest
!
dot11 ssid trusted
   vlan 324
   authentication open
   authentication key-management wpa
   wpa-psk ascii trusted
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-967987752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-967987752
revocation-check none
rsakeypair TP-self-signed-967987752
!
!
crypto pki certificate chain TP-self-signed-967987752
certificate self-signed 01
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 324 mode ciphers tkip
!
encryption vlan 325 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid untrusted-Guest
!
ssid trusted
!
speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.324
description Trusted_VLAN
encapsulation dot1Q 324
no ip route-cache
bridge-group 24
bridge-group 24 subscriber-loop-control
bridge-group 24 block-unknown-source
no bridge-group 24 source-learning
no bridge-group 24 unicast-flooding
bridge-group 24 spanning-disabled
!
interface Dot11Radio0.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
bridge-group 25 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 324 mode ciphers tkip
!
encryption vlan 325 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid untrusted-Guest
!
ssid trusted
!
no dfs band block
speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
channel dfs
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.324
description Trusted_VLAN
encapsulation dot1Q 324
no ip route-cache
bridge-group 24
bridge-group 24 subscriber-loop-control
bridge-group 24 block-unknown-source
no bridge-group 24 source-learning
no bridge-group 24 unicast-flooding
bridge-group 24 spanning-disabled
!
interface Dot11Radio1.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
bridge-group 25 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.324
description Trusted_VLAN
encapsulation dot1Q 324
no ip route-cache
bridge-group 24
no bridge-group 24 source-learning
bridge-group 24 spanning-disabled
!
interface FastEthernet0.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
no bridge-group 25 source-learning
bridge-group 25 spanning-disabled
!
interface BVI1
ip address 10.123.122.123 255.255.255.128
no ip route-cache
!
ip default-gateway 10.123.122.122
ip http server
ip http access-class 30
ip http authentication local
ip http secure-server
ip http max-connections 2
ip tacacs source-interface BVI1

bridge 1 route ip
!
!
b
line con 0
session-timeout 15
exec-timeout 15 0
logging synchronous
login local
stopbits 1
line vty 0 4
session-timeout 15
access-class 30 in
exec-timeout 15 0

logging synchronous
login tacacs
transport input ssh
line vty 5 15
session-timeout 15
access-class 30 in
exec-timeout 15 0

logging synchronous
login tacacs
transport input telnet ssh
!
sntp server 10.127.255.124
sntp server 10.127.255.125
sntp source-interface BVI1

VLAN config on switch

interface Vlan324
description Wireless  Trusted Vlan
ip address 10.123.122.122 255.255.255.128
ip helper-address 10.123.121.1

interface Vlan325
description Wireless Guest UNTRUSTED Vlan
ip address 10.123.122.250 255.255.255.128
ip helper-address 10.123.122.254

Switchport config

interface FastEthernet0/46
description Wireless AP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 324
switchport trunk allowed vlan 300,324,325
switchport mode trunk
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable

Accepted Solution

daviwatk
Level 3

Try this AP config out. You need your native VLAN to be defined (see below); I have added native to your d0.324 and f0.324 subinterface dot1Q tags. Also, this native VLAN needs to belong to bridge-group 1. Your switchport is configured with 324 native, which is why it needs to be defined on the AP. Currently it is tagging your 324 traffic, which is not understood by the switchport, as it is expecting 324 to be native, not tagged. I removed bridge-group 1 from the base radio interfaces and made sure the native VLAN 324 was assigned bridge-group 1. See what you get.

hostname
!
logging rate-limit 10
no logging console
!
no aaa new-model
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ip telnet source-interface BVI1
no ip domain lookup
ip domain name cisco
!
!
ip ssh time-out 30
ip ssh source-interface BVI1
ip ssh version 2
dot11 vlan-name trusted_VLAN vlan 324
dot11 vlan-name untrusted_VLAN vlan 325
!
dot11 ssid untrusted-Guest
   vlan 325
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii guest
!
dot11 ssid trusted
   vlan 324
   authentication open
   authentication key-management wpa
   wpa-psk ascii trusted
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-967987752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-967987752
revocation-check none
rsakeypair TP-self-signed-967987752
!
!
crypto pki certificate chain TP-self-signed-967987752
certificate self-signed 01
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 324 mode ciphers tkip
!
encryption vlan 325 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid untrusted-Guest
!
ssid trusted
!
speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.324
description Trusted_VLAN
encapsulation dot1Q 324 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
bridge-group 25 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 324 mode ciphers tkip
!
encryption vlan 325 mode ciphers tkip
!
encryption mode ciphers tkip
!
ssid untrusted-Guest
!
ssid trusted
!
no dfs band block
speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
channel dfs
station-role root
!
interface Dot11Radio1.324
description Trusted_VLAN
encapsulation dot1Q 324 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
bridge-group 25 subscriber-loop-control
bridge-group 25 block-unknown-source
no bridge-group 25 source-learning
no bridge-group 25 unicast-flooding
bridge-group 25 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0.324
description Trusted_VLAN
encapsulation dot1Q 324 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.325
description Untrusted_Visitor_VLAN
encapsulation dot1Q 325
no ip route-cache
bridge-group 25
no bridge-group 25 source-learning
bridge-group 25 spanning-disabled
!
interface BVI1
ip address 10.123.122.123 255.255.255.128
no ip route-cache
!
ip default-gateway 10.123.122.122
ip http server
ip http access-class 30
ip http authentication local
ip http secure-server
ip http max-connections 2
ip tacacs source-interface BVI1

bridge 1 route ip
!
!
b
line con 0
session-timeout 15
exec-timeout 15 0
logging synchronous
login local
stopbits 1
line vty 0 4
session-timeout 15
access-class 30 in
exec-timeout 15 0

logging synchronous
login tacacs
transport input ssh
line vty 5 15
session-timeout 15
access-class 30 in
exec-timeout 15 0

logging synchronous
login tacacs
transport input telnet ssh
!
sntp server 10.127.255.124
sntp server 10.127.255.125
sntp source-interface BVI1

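A small config linter for the mismatch daviwatk describes, added here as an example and not code from the thread: it walks constructed excerpts of the AP and switchport configs (reduced to the lines that matter) and flags each 802.1Q subinterface that tags the VLAN the switch trunk expects untagged, or that puts that native VLAN in a bridge-group other than 1. The interface names, VLAN ids and bridge-group numbers are the ones from the thread; the checker itself is an assumption about how one would automate the review.

```python
import re
# Constructed excerpts of the AP and switchport configs posted in the thread;
# only the lines relevant to the native VLAN / bridge-group check are kept.
AP_CONFIG_BEFORE = """\
interface Dot11Radio0.324
 encapsulation dot1Q 324
 bridge-group 24
!
interface FastEthernet0.324
 encapsulation dot1Q 324
 bridge-group 24
"""
SWITCHPORT_CONFIG = """\
interface FastEthernet0/46
 switchport trunk native vlan 324
 switchport mode trunk
"""
IFACE_RE = re.compile(r"^interface (\S+)")
ENCAP_RE = re.compile(r"^\s*encapsulation dot1Q (\d+)( native)?")
BG_RE = re.compile(r"^\s*bridge-group (\d+)\s*$")  # bare membership line only

def parse_ap_subinterfaces(cfg):
    """Map each dot1Q subinterface to its VLAN, native flag and bridge-group."""
    subs, cur = {}, None
    for line in cfg.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)
            subs[cur] = {"vlan": None, "native": False, "bridge_group": None}
        elif cur and (m := ENCAP_RE.match(line)):
            subs[cur]["vlan"], subs[cur]["native"] = int(m.group(1)), bool(m.group(2))
        elif cur and (m := BG_RE.match(line)):
            subs[cur]["bridge_group"] = int(m.group(1))
    return {k: v for k, v in subs.items() if v["vlan"] is not None}

def switch_native_vlan(cfg):
    m = re.search(r"switchport trunk native vlan (\d+)", cfg)
    return int(m.group(1)) if m else 1  # IOS trunks default to native VLAN 1

def find_native_mismatches(ap_cfg, switch_cfg):
    """Flag AP subinterfaces that tag the switch's native VLAN, or that put
    it in a bridge-group other than 1 (the group BVI1 belongs to)."""
    native, findings = switch_native_vlan(switch_cfg), []
    for name, sub in parse_ap_subinterfaces(ap_cfg).items():
        if sub["vlan"] != native:
            continue  # tagged VLANs such as 325 are fine on a trunk
        if not sub["native"]:
            findings.append(f"{name}: VLAN {native} tagged, switch expects it native")
        if sub["bridge_group"] != 1:
            findings.append(f"{name}: native VLAN {native} in bridge-group {sub['bridge_group']}, expected 1")
    return findings
```

Applying the reply's two changes (add `native` to the 324 tag, move it to bridge-group 1) to the excerpt makes the finding list empty, which is the check to run before pushing the corrected config.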

Thank you, that worked perfectly and it was really easy to understand where I was going wrong.

I appreciate the help
