Need help with Cisco AP c1200 configuration to access external DHCP server
06-21-2013 04:05 PM - edited 07-04-2021 12:16 AM
Hello All,
I have a Cisco AP c1200 (IOS AP) in our network and all these days it has been using a DHCP pool (configured in the IOS) for assigning IP address to the client.
Now, I have created a DHCP server (Windows Server 2008) to assign clients an IP address.
I have a Cisco ACS that is being used for authentication and accounting purpose.
I have been going through various posts and I did find something called DHCP option 43 configuration for LWAP but I would like to know in detail how to configure this option on my DHCP server so that clients who connect to the AP can get IP address from the DHCP server.
Note: I do not have a Wireless LAN Controller in my network and most of the configurations involve WLC IP to be included in the HEX value.
Kindly help me out.
Thanks,
Harsha
Labels: Aironet Access Points
06-21-2013 04:43 PM
Option 43 is only used for the access points to find the WLC from the DHCP address the AP gets. For the clients to get an IP address from DHCP, you need an IP helper on the clients' subnet BVI interface.
http://www.cisco.com/en/US/docs/ios/12_4t/ip_addr/configuration/guide/htdhcpre.html
Sent from Cisco Technical Support iPhone App
*** Please rate helpful posts ***
06-21-2013 04:46 PM
Here is a doc in case you need to use multiple vlans.
https://supportforums.cisco.com/docs/DOC-14496
06-24-2013 12:40 PM
Hello Scott,
I did follow the guidelines and added ip helper-address command to the int BVI1.
But right now when I try to connect to the Access Point I do see that my wireless keeps saying Attempting to Authenticate.
I checked our Cisco ACS and in the logs I found "Invalid message authenticator in EAP request".
Then I did search for that message here on Cisco.com and found that it could be because of the incorrect shared key between Access Point and ACS.
Then I have changed the shared key on both AP and ACS and saved config on the AP and tried a reload but still I get to see the same error message on the Failed Attempts log file in the ACS.
Need some suggestions on this error.
Thanks,
Harsha
06-24-2013 12:51 PM
Your policy for authentication must be wrong. How do you have it configured?
06-24-2013 01:05 PM
Hello Scott,
This is the show run output.
ip domain name mydomain.com
ip host DHCPSERVER 10.20.9.56
ip name-server 10.20.9.48
ip dhcp excluded-address 10.20.9.1 10.20.9.210
!
ip dhcp-server 10.20.9.56
ip dhcp-client default-router distance 1
--More--
aaa new-model
!
!
aaa group server radius rad_eap1
server 10.20.9.30 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
!
aaa group server radius rad_eap
server 10.20.9.30 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid SSID
authentication open eap eap_methods1
authentication network-eap eap_methods1
authentication key-management wpa
guest-mode
!
short-slot-time
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
ip address 10.20.9.13 255.255.255.0
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.20.9.9 255.255.255.0
ip helper-address 10.20.1.56
no ip route-cache
!
ip default-gateway 10.20.9.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.20.9.30 auth-port 1645 acct-port 1646 key 7 (KEY)
radius-server vsa send accounting
bridge 1 route ip
!
!
!
Thanks,
Harsha
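
Added example, not part of the original thread and not Cisco tooling: a small offline lint over an excerpt of the running-config posted above, flagging settings that are inconsistent or weak on their face (helper address differing from the declared DHCP server, a method list pointing at a RADIUS group with no servers, TKIP, cleartext HTTP management, a reversible type 7 key). The `audit` function and its finding codes are hypothetical names chosen for this example.

```python
import re

# Excerpt of the running-config posted above (key placeholder as on the page).
SAMPLE_CONFIG = """\
ip dhcp-server 10.20.9.56
aaa group server radius rad_eap1
server 10.20.9.30 auth-port 1645 acct-port 1646
aaa group server radius rad_acct
aaa authentication login eap_methods1 group rad_eap1
aaa accounting network acct_methods start-stop group rad_acct
encryption mode ciphers tkip
interface BVI1
ip helper-address 10.20.1.56
ip http server
no ip http secure-server
radius-server host 10.20.9.30 auth-port 1645 acct-port 1646 key 7 (KEY)
"""

def audit(config):
    """Return sorted finding codes for an IOS AP running-config (hypothetical codes)."""
    lines = [l.strip() for l in config.splitlines() if l.strip() not in ("", "!")]
    findings, groups, current = set(), {}, None
    for l in lines:  # pass 1: collect servers declared under each RADIUS group
        m = re.match(r"aaa group server radius (\S+)", l)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and l.startswith("server "):
            groups[current].append(l.split()[1])
        else:
            current = None
    dhcp = {l.split()[-1] for l in lines if l.startswith("ip dhcp-server ")}
    for l in lines:  # pass 2: per-line checks
        m = re.match(r"aaa (?:authentication|authorization|accounting) .* group (\S+)$", l)
        if m and groups.get(m.group(1)) == []:
            findings.add("EMPTY_RADIUS_GROUP:" + m.group(1))
        m = re.match(r"ip helper-address (\S+)", l)
        if m and dhcp and m.group(1) not in dhcp:
            findings.add("HELPER_NOT_DHCP_SERVER:" + m.group(1))
        if re.search(r"encryption .*ciphers\b.*\btkip\b", l):
            findings.add("WEAK_CIPHER_TKIP")
        if re.search(r"\bkey 7 ", l):
            findings.add("TYPE7_RADIUS_KEY")
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.add("HTTP_MGMT_CLEARTEXT")
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

The lint works on flattened output like the paste above as well as on indented `show run` text, because it strips leading whitespace before matching.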
