Help, I am in MBSSID VLAN Limbo

Unanswered Question
Feb 27th, 2007

Hello all,

I'm running a Cisco 1200 series with IOS 12.3(4) authenticating via PEAP with a self-signed cert back to Windows 2003 IAS. I have everything working like a top with a single global SSID.

However, now I'm trying to add a guest network, and when I begin enabling MBSSID I start getting VLAN errors and my radio won't come up.

I have a few questions maybe you smarter fellas can answer off the top of your head:

#1 - can I run multiple SSIDs without a VLAN switch on my network? (the only Cisco I have on my network is this 1200 AP)

#2 - why do I get: [ DOT11-4-NO_MBSSID_VLAN: No VLANs configured in MBSSID mode ] after I add a second SSID?

#3 - why do I get: [ DOT11-4-NO_SSID_VLAN: No SSID with VLAN configured ] after other configurations?

Here's my working config:

--------------------------------------------------------------------------------

Current configuration : 4166 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP
!
enable secret 5 ...
enable password 7 ...
!
username Cisco password 7 096F471A1A0A
username ...
ip subnet-zero
no ip domain lookup
ip domain name MyCompany.com
!
!
aaa new-model
!
!
aaa group server radius Server-group-1
 server 10.0.1.50 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login eap_methods group Server-group-1
aaa authorization exec default local
aaa session-id common
!
dot11 ssid MyCompany
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
!
crypto ca trustpoint TP-self-signed-1624227575
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1624227575
 revocation-check none
 rsakeypair TP-self-signed-1624227575
!
!
crypto ca certificate chain TP-self-signed-1624227575
 certificate self-signed 01
  ...
  quit
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid MyCompany
 !
 short-slot-time
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed auto
 half-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge Virtual Interface 1
 ip address 10.0.1.42 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
radius-server host 10.0.1.50 auth-port 1645 acct-port 1646 key 7 ...
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 password 7 ...
 transport preferred all
 transport output all
line vty 0 4
 password 7 ...
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end

--------------------------------------------------------------------------------

NOW - when I do this:

AP# configure terminal
AP(config)# dot11 ssid MyCompany_Guest
AP(config-ssid)# accounting accounting-method-list
AP(config-ssid)# max-associations 15
AP(config-ssid)# vlan 3762
AP(config-ssid)# exit
AP(config)# interface dot11radio 0
AP(config-if)# ssid MyCompany_Guest

I get the message:

DOT11-4-NO_MBSSID_VLAN: No VLANs configured in MBSSID mode

Why?

Can anyone explain in English?

Thanks Much

Bart

weerapatr Wed, 02/28/2007 - 00:33

Hello Bart,

The problem is that you tried to assign a VLAN to the SSID, but you have not created the VLAN on the AP.

So you need to create the VLAN on the AP first.

To create the VLAN, go to SERVICES -> VLAN or use the following commands:

interface Dot11Radio0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface FastEthernet0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!

Please remember that the switch port that connects to the AP must be set to a dot1q trunk, and the native VLAN of this trunk must be the AP management VLAN.

Hope this will help you.

Weerapatr

LouisBHirst Wed, 02/28/2007 - 10:42

OK, starting with the above config, which works with my current infrastructure

(Interface Dot11Radio0, Station 0019.d209.12d0 Associated KEY_MGMT[WPA])

First I apply your settings:

interface Dot11Radio0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface FastEthernet0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!

console says %DOT11-4-NO_SSID_VLAN: No SSID with VLAN configured.

So at this point I assume I should assign my SSID to VLAN 3762...

dot11 ssid MyCompany
 vlan 3762
!
write mem
!

OK, the radio came back up, but now I can't authenticate to the access point.

Let me try a reload...

Now I see the error on the console:

%DOT11-4-NO_SSID_VLAN: No SSID with VLAN configured. Dot11 Radio0 not started.

This is why I can't figure this out. Makes no sense. PLEASE HELP

Here's the running-config after reload:

Building configuration...

Current configuration : 4599 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP
!
enable secret 5 ...
enable password 7 ...
!
username Cisco password 7 096F471A1A0A
username ssiadmin privilege 15 password 7 ...
ip subnet-zero
no ip domain lookup
ip domain name MyCompany.com
!
!
aaa new-model
!
!
aaa group server radius Server-group-1
 server 10.0.1.50 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login eap_methods group Server-group-1
aaa authorization exec default local
aaa session-id common
!
dot11 ssid MyCompany
 vlan 3762
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
!
crypto ca trustpoint TP-self-signed-1624227575
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1624227575
 revocation-check none
 rsakeypair TP-self-signed-1624227575
!
!
crypto ca certificate chain TP-self-signed-1624227575
 certificate self-signed 01
  ...
  quit
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 short-slot-time
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed auto
 half-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3762
 encapsulation dot1Q 3762
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
interface BVI1
 description Bridge Virtual Interface 1
 ip address 10.0.1.42 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
radius-server host 10.0.1.50 auth-port 1645 acct-port 1646 key 7 ...
radius-server retransmit 2
radius-server timeout 4
radius-server deadtime 1
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!...

rob.huffman Wed, 02/28/2007 - 12:46

Hi Bart,

Unfortunately, your Question #1 is the clincher;

#1 - can I run multiples SSIDs without a VLAN switch on my network? (the only cisco I have on my network is this 1200 AP)

Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN.*** You can assign only one SSID to a VLAN.***

From this doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080184ac9.html

Q. How many service set identifiers (SSIDs) can you have per VLAN?

A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.

From this good Q&A doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml

Sorry about that,

Hope this helps!

Rob
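
Added example (not part of any post in this thread, and not Cisco code): a Python check that applies the rules quoted above to a pasted running-config. An SSID with "vlan N" needs Dot11Radio0.N and FastEthernet0.N subinterfaces with "encapsulation dot1Q N", and only one SSID may use a VLAN; it also flags an SSID that has a VLAN but no "ssid" line under a radio interface, which is the visible difference between the after-reload config and the working one. The function names, the hard-coded interface names and the two condensed sample configs are assumptions constructed from the pasted text.

```python
import re
from collections import defaultdict

def parse(config):
    """Return ({ssid: vlan or None}, SSIDs attached to a radio, {subinterface: dot1Q id})."""
    ssids, attached, subifs, section = {}, set(), {}, (None, None)
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)$", line):
            section = ("ssid", m.group(1))
            ssids.setdefault(m.group(1), None)
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
        elif section[0] == "ssid" and (m := re.match(r"vlan (\d+)$", line)):
            ssids[section[1]] = int(m.group(1))
        elif section[0] == "if" and (m := re.match(r"ssid (\S+)$", line)):
            attached.add(m.group(1))  # "ssid" under an interface only occurs on radios
        elif section[0] == "if" and (m := re.match(r"encapsulation dot1Q (\d+)", line)):
            subifs[section[1]] = int(m.group(1))
    return ssids, attached, subifs

def audit(config):
    """List SSID/VLAN inconsistencies using the rules quoted in the thread."""
    ssids, attached, subifs = parse(config)
    findings, by_vlan = [], defaultdict(list)
    for name, vlan in ssids.items():
        if vlan is None:
            continue
        by_vlan[vlan].append(name)
        for parent in ("Dot11Radio0", "FastEthernet0"):  # assumed names (1200 AP)
            if subifs.get(f"{parent}.{vlan}") != vlan:
                findings.append(f"{name}: no {parent}.{vlan} with encapsulation dot1Q {vlan}")
        if name not in attached:
            findings.append(f"{name}: has a VLAN but is not attached to a radio interface")
    for vlan, names in sorted(by_vlan.items()):
        if len(names) > 1:
            findings.append(f"VLAN {vlan}: shared by SSIDs {', '.join(sorted(names))}")
    return findings

# Constructed samples, condensed from the configurations posted in the thread.
FIRST_ATTEMPT = "\n".join([
    "dot11 ssid MyCompany", "dot11 ssid MyCompany_Guest", "vlan 3762",
    "interface Dot11Radio0", "ssid MyCompany", "ssid MyCompany_Guest"])
AFTER_RELOAD = "\n".join([
    "dot11 ssid MyCompany", "vlan 3762", "interface Dot11Radio0",
    "interface Dot11Radio0.3762", "encapsulation dot1Q 3762",
    "interface FastEthernet0.3762", "encapsulation dot1Q 3762"])

if __name__ == "__main__":
    for cfg in (FIRST_ATTEMPT, AFTER_RELOAD):
        print(audit(cfg))
```

The parser keys only on section-opening lines, so it tolerates the flattened, unindented form in which configs are usually pasted into forums.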
