LEAP and DHCP Mystery... doesn't work...

jim123
Level 1

I've seen a few forum posts similar to this, but no resolutions...

I have converted my Cisco 340 Access Point to LEAP. My clients (combination of 340 cards and older Aironet models, all at recent firmware) will successfully LEAP-authenticate, but they do *not* successfully get their IP address from the DHCP server.

My slightly unusual topology: My AP and clients are on a "private LAN", connected to the wider LAN via a NAT gateway (actually Win2000 Server running NAT). The Radius server is on the outer side, and the authentication works successfully. However, the DHCP server runs on the gateway, in order to hand out the private addresses. For some reason, the clients do not receive their IP addresses from the DHCP server when they authenticate with LEAP. It *does* work when they authenticate with WEP, so I am completely stumped about what could be different. Any/all pointers and suggestions welcome!

Thanks!


j.viola
Level 1

When you say "the Radius server is on the outer side", do you mean it's on the same segment as the AP or on the other side of the Gateway?

j.viola
Level 1

Are you running ACU (Cisco Aironet Client Utilities) by any chance? I did find this:

Windows NT Client Unable to Get DHCP Address When LEAP Is Disabled

When a client adapter is installed in a Windows NT computer and LEAP is enabled, the system works correctly. However, if LEAP is disabled, the client is unable to receive a DHCP-assigned IP address (CSCdt65963). If LEAP is re-enabled, DHCP still fails. If ACU is removed and re-installed, the client performs normally.

at http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/cutils_r/cu414003.htm

Thanks for the help, but I think I finally figured out what is/was going on.

Using a packet monitor, I was able to see that the LEAP authenticated client was unable to "see" UDP broadcast packets. When it was WEP authenticated, it could see UDP broadcast packets. Naturally, DHCP depends on UDP broadcast...

Apparently, the LEAP protocol uses different keys for unicast communication and broadcast/multicast communication...! Discovering this meant I had a clue where to look, and there turned out to be two possibilities: First that the WEP key was properly set (I seemed to have had a second WEP key enabled, but not transmitted, but which may have made just enough of a difference), and second the "Broadcast WEP Key Rotation Interval" in the AP Radio Advanced menu, which enables dynamic Broadcast keys... I set that to 900 (as opposed to the default of 0, or "off"), and the broadcast packets (and hence DHCP) now seem to work.

I'm not sure this explains everything, but as long as it keeps working...
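The packet-monitor check described in the post above can be scripted against a client-side capture. The following is an added example, not part of the original thread: it counts frames the client received by destination type and flags the unicast-only pattern. The frames, MAC addresses and function names are constructed for illustration.

```python
import struct

def make_frame(dst, src, sport, dport):
    """Constructed sample: minimal Ethernet/IPv4/UDP frame, checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 0, 1]), bytes([255, 255, 255, 255]))
    return dst + src + struct.pack("!H", 0x0800) + ip + udp

def is_dhcp_reply(frame):
    """True for an IPv4/UDP frame from server port 67 to client port 68."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or len(frame) < 14 + ihl + 4:
        return False
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (sport, dport) == (67, 68)

def diagnose(received, client_mac):
    """Count frames the client received, split by destination address type."""
    stats = {"unicast": 0, "group": 0, "dhcp_replies": 0}
    for frame in received:
        dst = frame[0:6]
        if dst == client_mac:
            stats["unicast"] += 1
        elif dst[0] & 0x01:  # I/G bit set: broadcast or multicast destination
            stats["group"] += 1
        stats["dhcp_replies"] += is_dhcp_reply(frame)
    # Unicast arrives but no group-addressed frame ever does: the pattern in the post
    stats["suspect_broadcast_key"] = stats["unicast"] > 0 and stats["group"] == 0
    return stats

# Constructed addresses and captures (locally administered MACs, not real devices)
CLIENT = bytes.fromhex("020000000001")
GATEWAY = bytes.fromhex("0200000000fe")
BROADCAST = b"\xff" * 6
LEAP_CAPTURE = [make_frame(CLIENT, GATEWAY, 1024, 1025)] * 3
WEP_CAPTURE = LEAP_CAPTURE + [make_frame(BROADCAST, GATEWAY, 67, 68)]

if __name__ == "__main__":
    print("LEAP:", diagnose(LEAP_CAPTURE, CLIENT))
    print("WEP: ", diagnose(WEP_CAPTURE, CLIENT))
```
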

ciscomoderator
Community Manager

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
