Multiple DHCP Scopes associated with VLANs

 
 
bck
 
      04-09-2006
Hi there,
First of all I'm from Switzerland. Therefore I'm pre-sorry for my bad
English.

My problem is the following:
I'm trying to set up a Cisco 1231 AP (IOS 12.3). I configured (with
the GUI) an SSID 'intern' associated with the VLAN 250.
Now I got the two new virtual Interfaces Dot11radio0.250 and
FastEthernet0.250.
They are both in the 'bridge-group 250'. The physical interface
'Dot11radio0' itself is in the 'Bridge-group 1' as well as the physical
interface FastEthernet0.

Now I configured these DHCP Scopes like that:

ip dhcp excluded-address 10.1.0.1 10.1.0.2
ip dhcp pool INTERN
network 10.1.0.0 /28
lease 10

ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp pool DEFAULT
network 10.0.0.0 /28
lease 10

The following IP settings are set:
Dot11radio0: no ip address
Dot11radio0.250 : 10.1.0.1 /28
FastEthernet0: no ip address
FastEthernet0.250: no ip address
BVI 1: 10.0.0.2 /28

Now when I try to connect to the AP using the SSID 'intern', I get no
IP-Address.

I even tried to configure a BVI 250 interface with the IP-Address
10.1.0.2 /28, it doesn't help. On the AP I turned on all 'debug ip dhcp
server' stuff and I don't even see a DHCPDISCOVER.
I also tried to abstract the Dot11radio0 interface from the
bridge-group 1 which isn't allowed as the AP says.

Probably I don't understand the Bridge-group thing very well but isn't
it inconsistent when the 'root' interface dot11radio0 is in
bridge-group 1 and the sub-if dot11radio0.250 itself is in bridge-group
250?

I tried one more thing:
I did exactly the same configuration (in the GUI) without assigning the
SSID 'intern' to a VLAN. In that case I get an IP Address out of the
DEFAULT Pool.

---

You probably wanna know where I actually want to get:
The target is to set up 3 SSIDs.
intern: clients that are allowed to communicate with the wired LAN and
the WAN
extern: clients that are allowed to communicate with the WAN
infrastructure: ssid-infrastructure to add a repeater-device later

To get that I think I need different address pools so that I can easily
set up the access-lists.

Well, pre-thanks
greets bck

 
Merv
04-09-2006
please post

1. show version

2. show run

3. conf t
logging buffer 10000 debug
exit
wri mem

clear log

debug dhcp detail

! have wireless client associate to SSID and attempt to obtain DHCP
address

undebug all

4. post output of "show log" after associate with AP

 
bck
04-09-2006
1. show version
Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA2,
RELEASE SOFTWARE (fc1)
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(JA, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:12:00:9D:F3:60
Part Number : 73-8704-07
PCA Assembly Number : 800-23211-08
PCA Revision Number : A0
PCB Serial Number : FOC08350KSM
Top Assembly Part Number : 800-23304-07
Top Assembly Serial Number : FCZ0841Z0YR
Top Revision Number : B0
Product/Model Number : AIR-AP1231G-E-K9



2. show run
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IPA2006_AP1
!
enable secret 5 $1$SmqK$SohoAaAZCXOxIzUeh5WOw/
!
ip subnet-zero
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.3
!
ip dhcp pool INTERN
network 10.1.0.0 255.255.255.240
lease 10
!
ip dhcp pool DEFAULT
network 10.0.0.0 255.255.255.240
lease 10
!
!
no aaa new-model
!
dot11 ssid intern
vlan 250
authentication open
!
!
!
username Cisco password 7 14341B180F0B
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 250 key 1 size 128bit 7 ED8B9B24F79337ABFC10BFF2126B
transmit-key
encryption vlan 250 mode wep mandatory
!
ssid intern
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
channel 2447
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
encapsulation dot1Q 250
ip address 10.1.0.1 255.255.255.240
no ip route-cache
bridge-group 250
bridge-group 250 subscriber-loop-control
bridge-group 250 block-unknown-source
no bridge-group 250 source-learning
no bridge-group 250 unicast-flooding
bridge-group 250 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.250
encapsulation dot1Q 250
no ip route-cache
bridge-group 250
no bridge-group 250 source-learning
bridge-group 250 spanning-disabled
!
interface BVI1
ip address 10.0.0.2 255.255.255.240
no ip route-cache
!
interface BVI250
ip address 10.1.0.2 255.255.255.240
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path
http://www.cisco.com/warp/public/779...onfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end


3. turned on "debug dhcp detail", connected to the AP, the output goes
like that:
*Mar 1 02:16:24.967: %DOT11-6-DISASSOC: Interface Dot11Radio0,
Deauthenticating Station 0040.96a8.0737 Reason: Disassociated because
sending station is leaving (or has left) BSS
*Mar 1 02:16:26.254: DHCPD: checking for expired leases.
*Mar 1 02:16:32.690: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
DEG-THO2 0040.96a8.0737 Associated KEY_MGMT[NONE]


nothing more after associate with AP

 
Merv
04-09-2006
1. SSID "intern" needs to be configured to be part of VLAN 250

see Cisco doc Configuring VLANS
http://www.cisco.com/en/US/products/...0804e7d4e.html


2. disable encryption on SSID intern until the DHCP issue is addressed.

3. ensure wireless client has successfully associated
show dot11 assoc client

4. check DHCP to see that DHCP discovery messages are being
received from wireless client
show ip dhcp binding
show ip dhcp server statistics

 
bck
04-09-2006
1. Yes I have this document too, and I really wondered why I can't do
the following on my AP:
IPA2006_AP1(config)#int
IPA2006_AP1(config)#int do0
IPA2006_AP1(config-if)#ssi
IPA2006_AP1(config-if)#ssid intern
IPA2006_AP1(config-if)#vlan 250
^
% Invalid input detected at '^' marker.

But in my config there's the section:
dot11 ssid intern
vlan 250
authentication open

So, I assume that the SSID 'intern' is configured to be part of VLAN
250.
I checked DHCP but there's nothing that would help. Just nothing
happens!
Oh, and Yes, clients do associate successfully with the AP. Even the
repeater does it.

 
Merv
04-09-2006
Looks like Cisco may have changed some command usage:

dot11 ssid

Use the dot11 ssid global configuration command to create a global
SSID. The SSID is inactive until you use the ssid configuration
interface command to assign the SSID to a specific radio interface.

dot11 ssid ssid

In Cisco IOS Release 12.3(4)JA, you can configure SSIDs globally or for
a specific radio interface. However, when you create an SSID using the
ssid configuration interface command, the access point stores the SSID
in global configuration mode.

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no defaults.

Command Modes

Global configuration

Command History

Release      Modification
12.3(2)JA    This command was introduced.

Examples

This example shows how to:

· Create an SSID in global configuration mode
· Configure the SSID for RADIUS accounting
· Set the maximum number of client devices that can associate using
this SSID to 15
· Assign the SSID to a VLAN
· Assign the SSID to a radio interface

AP# configure terminal
AP(config)# dot11 ssid batman
AP(config-ssid)# accounting accounting-method-list
AP(config-ssid)# max-associations 15
AP(config-ssid)# vlan 3762
AP(config-ssid)# exit
AP(config)# interface dot11radio 0
AP(config-if)# ssid batman




so try :


! configure SSID intern at global config command level

dot11 ssid intern
vlan 250
authentication open
exit

! apply the SSID intern to interface d0

int d0
ssid intern
exit

 
thrill5
04-10-2006
You can't configure the same VLAN with two different IP subnets. If you want
the radio and fast Ethernet to be on different subnets then change the VLAN
number on the radio (or get rid of it completely) and delete the bridge
config.

Scott



 
bck
04-10-2006
Yep, I see.
But that's exactly the same I already have in my config, isn't it?

 
bck
04-10-2006
Well, I don't wanna configure the same VLAN with two different IP
subnets. And I don't want the radio and the Ethernet to be on different
subnets either.

The thing I want:
2 DHCP Pools (INTERN, EXTERN)
2 SSIDs (intern, extern)
When you connect with SSID 'intern' you get an IP Address out of the
INTERN Pool and vice versa.

Therefore I actually need 2 different VLANs associated with SSIDs.

 
bck
04-10-2006
My current running config:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IPA2006_AP1
!
logging buffered 10000 debugging
enable secret 5 $1$SmqK$SohoAaAZCXOxIzUeh5WOw/
!
ip subnet-zero
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.4
!
ip dhcp pool INTERN
network 10.1.0.0 255.255.255.240
default-router 10.1.0.1
dns-server 212.90.199.2
lease 10
!
ip dhcp pool EXTERN
network 10.2.0.0 255.255.255.240
default-router 10.2.0.1
dns-server 212.90.199.2
lease 10
!
ip dhcp pool TESTPPOL
network 10.0.0.0 255.255.255.240
lease 10
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.0.0.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
dot11 vlan-name extern vlan 251
!
dot11 ssid extern
vlan 251
authentication open
!
dot11 ssid infrastructure
vlan 1
authentication open
infrastructure-ssid
!
dot11 ssid intern
vlan 250
authentication open mac-address mac_methods eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
!
!
!
username Cisco password 7 14341B180F0B
username 004096a80737 password 7 0256540F5B5F5920141E5E4A52
username 004096a80737 autocommand exit
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm tkip wep128
!
encryption vlan 250 mode ciphers aes-ccm tkip
!
broadcast-key change 18000
!
broadcast-key vlan 250 change 18000
!
!
ssid extern
!
ssid infrastructure
!
ssid intern
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
channel 2447
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
encapsulation dot1Q 250
ip address 10.1.0.1 255.255.255.240
no ip route-cache
!
interface Dot11Radio0.251
encapsulation dot1Q 251
ip address 10.2.0.1 255.255.255.240
no ip route-cache
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.0.2 255.255.255.240
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path
http://www.cisco.com/warp/public/779...onfig/help/eag
ip radius source-interface BVI1
!
radius-server local
nas 10.0.0.2 key 7 071C244F5C0C0D
user hstucki nthash 7
0558222D056918504E2140435D55540B7C7271616576312234 525304010B050356
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key 7
0518030C33495A
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
line vty 5 15
!
end


And still:
When I connect to FaEth0 with a CAT5 cable, I get an IP address out of
the TESTPOOL. With DHCP debug messages enabled I see all the
choreography successfully.

When I connect over the WLAN adapter with an SSID intern or extern, I
don't see anything and I get the std. 169.x.x.x crap.

 
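Added example (not part of any post in this thread and not Cisco's code): a small Python parser that reads an IOS access-point configuration like the ones posted above and lists, for each SSID, its VLAN, whether it is attached to a radio, and which radio and Ethernet subinterfaces are tagged with that VLAN, with their bridge-group and IP address. The function name `vlan_wiring` and the trimmed `CONFIG` sample are constructed for illustration.

```python
import re

# Constructed sample: lines trimmed from the last running config in the thread
# (VLAN 1 and VLAN 250 only; "!" separators and unrelated commands dropped).
CONFIG = """\
dot11 ssid infrastructure
vlan 1
dot11 ssid intern
vlan 250
interface Dot11Radio0
ssid infrastructure
ssid intern
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
interface Dot11Radio0.250
encapsulation dot1Q 250
ip address 10.1.0.1 255.255.255.240
interface FastEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
"""

IF_KEYS = {"vlan": r"encapsulation dot1Q (\d+)", "bridge": r"bridge-group (\d+)$",
           "ip": r"ip address (\S+)"}

def vlan_wiring(config):
    """Per SSID: its VLAN, whether a radio carries it, and every radio or
    Ethernet subinterface tagged with that VLAN as name -> (bridge-group, ip)."""
    ssid_vlan, on_radio, ifaces, kind, name = {}, set(), {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(dot11 ssid|interface) (\S+)", line):
            kind, name = m[1], m[2]          # a new section starts here
            if kind == "interface":
                ifaces[name] = dict.fromkeys(IF_KEYS)
        elif kind == "dot11 ssid" and (m := re.match(r"vlan (\d+)$", line)):
            ssid_vlan[name] = m[1]
        elif kind == "interface":
            if m := re.match(r"ssid (\S+)", line):
                on_radio.add(m[1])           # SSID attached to this radio
            for key, pattern in IF_KEYS.items():
                if m := re.match(pattern, line):
                    ifaces[name][key] = m[1]
    def tagged(vlan, prefix):
        return {n: (i["bridge"], i["ip"]) for n, i in ifaces.items()
                if i["vlan"] == vlan and n.startswith(prefix)}
    return {s: {"vlan": v, "on_radio": s in on_radio,
                "radio": tagged(v, "Dot11Radio"), "wired": tagged(v, "FastEthernet")}
            for s, v in ssid_vlan.items()}

if __name__ == "__main__":
    for ssid, row in vlan_wiring(CONFIG).items():
        print(ssid, row)
```

On the sample, VLAN 1 shows a radio and an Ethernet subinterface in bridge-group 1, while VLAN 250 shows only a radio subinterface with an IP address, no bridge-group and no Ethernet subinterface.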
 
 
 