WLC 4402 External DHCP

Unanswered Question
Nov 15th, 2007

I have a WLAN on a VLAN. Testing with open security till I get DHCP working. Using external DHCP server. The DHCP server exists on a different subnet than the scope it gives to clients. I have an interface defined on the VLAN and associated with the WLAN. The interface is the subnet of the scope set in the DHCP server. Clients can connect to the WLAN but are not getting an IP address from DHCP server.

Not sure how to make this work when the DHCP server is on another subnet from the clients' scope.


ericgarnel Thu, 11/15/2007 - 08:51

2 questions:

Are you using option 43?

Have you configured dhcp-relay?

(ip helper-address)

cef2lion2 Thu, 11/15/2007 - 09:56

At our school the main network has control over the DHCP server and the router at the head of this wireless network.

As far as I know they are not using option 43. I asked and they said they do have an ip helper-address set up.


cef2lion2 Thu, 11/15/2007 - 10:20

I have security disabled for now until I get the DHCP working. The client connects to the WLAN but defaults to the Microsoft default IP address. I checked the link you provided and it talks about option 43.

The main network group at our school has control over the DHCP server and the router I'm behind. They have the DHCP helper address set. They are not receptive to using option 43. The DHCP server is Nominum's DCS v 2.064

What we have now is standalone access points that have an open WLAN. They all sit behind a VPN concentrator. Once they connect to the open WLAN they get a private IP address. They then authenticate to the VPN concentrator with a Cisco VPN client and that lets them out. The clients now don't have an issue requesting a DHCP address off the DHCP server using the standalone APs. Issue seems to be the WLC isn't able to talk with the DHCP server or doesn't know how to reach it. My understanding is our DHCP server supports DHCP relay.

What we are trying to do is replace all of our standalone APs with Cisco 1130s and a 4402 concentrator.

I have not gotten to the authentication part yet. I can't get a client to connect to the WLAN and get a private IP from the external DHCP server. For whatever reason it seems like the WLC is not able to relay the DHCP request to the DHCP server.

ericgarnel Thu, 11/15/2007 - 10:28

What is the dhcp server configuration on the WLC interface AND/OR the wlan?

cef2lion2 Thu, 11/15/2007 - 10:36

On the interface for the WLAN I just enter the address of the external DHCP server. The interface I have defined is the subnet of the pool of addresses given out by the DHCP server. I also tried entering the DHCP address in the advanced tab of the WLAN. No luck as well.

Do I need a route statement on the WLC to point to the DHCP server?


ericgarnel Thu, 11/15/2007 - 10:41

The WLC must somehow be able to reach the dhcp server & vice-versa.

cef2lion2 Thu, 11/15/2007 - 10:51

With our older setup our clients have no issue getting a DHCP address using our current APs. The client must connect to the WLAN and do a DHCP request on their own and get an address.

With the WLC from what I know it handles the request for the client. With the WLC you have to point to the DHCP server. For whatever reason it isn't able to do so.

Wondering about the interface I have defined on the WLC. I have the interface defined with the subnet of the DHCP address pool. I tried creating an interface with the subnet that contains the DHCP server. That isn't working. I can't test ping the DHCP server since ping to it is disabled.

ericgarnel Thu, 11/15/2007 - 10:58

Try this.

Put a laptop on the same vlan that you are binding to the wlan on the wlc. If you cannot get an ip via dhcp from the designated dhcp server, then your problem is before you get to the WLC.

Also, another thing to check: are you pruning out the vlan from the trunk between the switch and the WLC? That would stop you cold as well.

cef2lion2 Thu, 11/15/2007 - 11:15

I tried a laptop on that VLAN and it gets an address no problem.

I have trunking set up on the switch port that the WLC is connected to. Must be working as I have another VLAN set up with another WLAN and that is working fine. That will be our new form of authentication. I need to get this VPN form of authentication going so I can replace our old APs. That way I can broadcast two SSIDs. The students would then have an easy transition.


ericgarnel Thu, 11/15/2007 - 11:25

So, you are not pruning or removing vlans from the trunk and the dynamic interface on the wlc is bound to the same vlan id?

Do you have dhcp override enabled on the wlan settings perhaps?

cef2lion2 Thu, 11/15/2007 - 11:45

Not pruning or removing vlans. The dynamic interface on the wlc is on the correct vlan. I tried dhcp override on the wlan and pointed it at the DHCP but it didn't change anything. I turned it back off and let the interface handle the DHCP pointer.


cef2lion2 Thu, 11/15/2007 - 12:06

Will do. I'm not really sure what address to use for the interface for this WLAN. Should the address of the interface be on the private subnet that the DHCP will be giving to clients? That is what I have been trying.

For example.

Our DHCP scope for clients is

DHCP server address is in another public subnet.

Should my WLC interface be as follows, which defines the subnet? Or does the interface have to be an address in the subnet? That isn't possible now as the DHCP server is giving out all addresses in that subnet for clients. Mask GW


ericgarnel Thu, 11/15/2007 - 12:21

The wlc interface is bound to the vlan and must have an ip that is routable to the gateway address that resides in the same vlan. The dhcp-relay interface needs to be in the same vlan as well (could be the same device if desired)

see http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/48383.htm#xtocid670622


and here as well



cef2lion2 Thu, 11/15/2007 - 13:09

Not seeing the issue. Going to regroup and have at it again.


dennischolmes Sun, 11/18/2007 - 08:31

Check with the server's manufacturer. Some DHCP servers do not like to receive DHCP requests by proxy. Your WLC will proxy the request from the virtual interface. This can cause your symptoms.

cef2lion2 Mon, 11/19/2007 - 06:01

I will double check with our DHCP group. I thought I asked them about that before and they said yes. They are running Nominum's DCS. Maybe I can see if their logs show any hits from our WLC. I assume the request would show up from the interface address I have assigned to that WLAN?

What is odd about this setup is this. The WLC interface is on one private subnet. Clients will get private IP on another subnet via the DHCP server. The DHCP server is on yet another public subnet. The network group at main campus say they have DHCP helper setup for these subnets.
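
For the server-log check raised in the last posts: a relayed DHCP request carries the relay's address in the `giaddr` field (RFC 2131), and a server normally picks the address pool from that field. The following is an added example, not part of the thread; the scope names, subnets and MAC are constructed, and it shows which scope a given relay address would match.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2131)

def build_discover(giaddr: str, mac: bytes) -> bytes:
    """Constructed sample input: a minimal relayed DHCPDISCOVER payload."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0)
    addrs = bytes(12) + ipaddress.IPv4Address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    return (header + addrs + mac.ljust(16, b"\x00") + bytes(192)
            + MAGIC_COOKIE + b"\x35\x01\x01\xff")  # option 53 = DISCOVER, then end

def parse_relayed_dhcp(payload: bytes) -> dict:
    """Pull out the fields a server log would show for a relayed request."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):  # 53 = message type
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "msg_type": msg_type,
            "giaddr": ipaddress.IPv4Address(payload[24:28]),
            "client_mac": payload[28:28 + min(hlen, 16)].hex(":")}

def select_scope(giaddr, scopes: dict):
    """Name of the scope whose subnet contains giaddr, or None if none does."""
    if int(giaddr) == 0:
        return None  # giaddr 0.0.0.0 means the request was not relayed
    for name, cidr in scopes.items():
        if giaddr in ipaddress.ip_network(cidr):
            return name
    return None

# Constructed scopes (hypothetical names and subnets, not from the thread).
SCOPES = {"wlan-clients": "10.20.0.0/16", "wired-lab": "10.40.0.0/24"}
MAC = bytes.fromhex("02005e105301")  # constructed, locally administered MAC

def scope_for(giaddr: str):
    return select_scope(parse_relayed_dhcp(build_discover(giaddr, MAC))["giaddr"], SCOPES)

if __name__ == "__main__":
    for relay in ("10.20.0.2", "10.30.0.2"):  # inside vs. outside any scope
        print(relay, "->", scope_for(relay))
```

A relay address that falls outside every configured scope returns `None` here, which corresponds to a server that has no pool to offer for that request.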



