Once I get connected wirelessly, I can't surf... help!

cisco_himg
Level 1

Hey guys,

I have set up a WAP and gave a particular VLAN wireless access on the WAP. However, I configured it and I can't get to the net and can't even ping my gateway. Evidently I am missing something small.

The gateway is the default router.

My ASA 5520 is my DHCP server for this VLAN.

I am guessing the connection stops at the WAP... can you help?

NOTE: If I plug into a physical switch port, I can surf with no problem.


sachinraja
Level 9

Hi

Are you getting an IP address after connecting to the wireless SSID? Which VLAN is the SSID mapping to? And where is the VLAN layer 3 interface configured? Are you passing authentication after connecting to the SSID?

Raj

I can authenticate, but after a few minutes it kicks me out, then a few minutes later I can connect again.

I am not getting an IP address. If I plug in, then it will give me one via DHCP, but it will not give me one when I connect wirelessly.

How can I tell if it's mapped? It's on VLAN 54.

I look in the event log and it says authentication failed.

The layer three device is directly connected to the WAP.

My DHCP server is my ASA 5520. How come if I connect to a switchport, it will give me an IP address, but wirelessly it won't?

I don't know what I am doing wrong...?

Rick Morris
Level 6

The port on the switch, is that a trunk port or a switch port?

It appears that you need to have the port the AP is plugged into set up as a trunk port, then all the VLANs on that trunk, and you should be good.

It is already on a trunk port so that isn't the case.... there are other VLANs that are able to get connected wirelessly, but they are going to a RADIUS server, this one is not.

I just wanted WPA2 access with PSK but go to my ASA for DHCP requests.

So, you say authentication isn't successful? Did you check the parameters of EAP, and the corresponding settings on the laptop? Is the authentication local to the WAP? I mean the username/pw defined locally on the access point? What is the inside interface IP of the ASA providing DHCP requests? Is it on the same broadcast domain as the wireless VLAN?

Raj

Yes, I looked at the event log and it says client authentication failed. I checked the auth and it looks okay.. the inside interface is 0.54 and the inside interface is 10.0.54.1. Yes, it is on the same broadcast domain. Here is my config on my WAP.. it's going to be related to Dot11 ssid UK_HEALTHCARE, AND VLAN 54.... HELP!!!!! SEE BELOW...


dot11 vlan-name UK_Healthcare vlan 54
dot11 vlan-name Wireless_EAP vlan 20
dot11 vlan-name Wireless_Guest vlan 40
!
dot11 ssid HRMC-GUEST
   vlan 40
   authentication open
!
dot11 ssid HRMC-INTERNAL
   vlan 20
   authentication open eap eap_methods
   authentication key-management wpa
!
dot11 ssid SCOTT-ORTHO
   vlan 47
   authentication open
   authentication key-management wpa
   wpa-psk hex 7 7053E32A4B790F32AC5942A807C5CB76B4E49FB38C8D2C930056605C566F3A94E1
!
dot11 ssid UK-HEALTHCARE
   vlan 54
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 055B532E746A6D283A2041452E28560B0A7D796717713053422756
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 EF8D210E4948321A0A049773C8A1 transmit-key
encryption mode wep mandatory
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 40 key 1 size 128bit 7 AE2A406C5355425F49747E6D9950 transmit-key
encryption vlan 40 mode wep mandatory
!
encryption vlan 47 mode ciphers aes-ccm tkip
!
encryption vlan 54 mode ciphers aes-ccm
!
ssid HRMC-GUEST
!
ssid HRMC-INTERNAL
!
ssid SCOTT-ORTHO
!
ssid UK-HEALTHCARE
!
short-slot-time
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2422
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.21
encapsulation dot1Q 21 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
!
interface Dot11Radio0.47
encapsulation dot1Q 47
no ip route-cache
bridge-group 47
bridge-group 47 subscriber-loop-control
bridge-group 47 block-unknown-source
no bridge-group 47 source-learning
no bridge-group 47 unicast-flooding
bridge-group 47 spanning-disabled
!
interface Dot11Radio0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface Dot11Radio0.54
encapsulation dot1Q 54
no ip route-cache
bridge-group 54
bridge-group 54 subscriber-loop-control
bridge-group 54 block-unknown-source
no bridge-group 54 source-learning
no bridge-group 54 unicast-flooding
bridge-group 54 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.21
encapsulation dot1Q 21 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
no bridge-group 40 source-learning
bridge-group 40 spanning-disabled
!
interface FastEthernet0.47
encapsulation dot1Q 47
no ip route-cache
bridge-group 47
no bridge-group 47 source-learning
bridge-group 47 spanning-disabled
!
interface FastEthernet0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface FastEthernet0.54
encapsulation dot1Q 54
no ip route-cache
bridge-group 54
no bridge-group 54 source-learning
bridge-group 54 spanning-disabled
!
interface BVI1
ip address 172.21.0.46 255.255.0.0
no ip route-cache
!
ip default-gateway 172.21.0.1
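
An added example, not part of the original thread or the poster's own configuration: a small Python audit that cross-references each `dot11 ssid` block with the `encryption vlan` lines of an autonomous-AP config laid out like the one posted above, and reports weak or inconsistent wireless security settings per SSID. The sample config is constructed from the posted layout with the keys replaced by placeholders; the function name `audit` and the finding strings belong to this example only.

```python
import re

# Constructed sample modelled on the posted config; keys are placeholders.
SAMPLE = """\
dot11 ssid HRMC-GUEST
   vlan 40
   authentication open
!
dot11 ssid SCOTT-ORTHO
   vlan 47
   authentication open
   authentication key-management wpa
   wpa-psk hex 7 <REDACTED>
!
dot11 ssid UK-HEALTHCARE
   vlan 54
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 <REDACTED>
!
interface Dot11Radio0
 encryption vlan 40 mode wep mandatory
 encryption vlan 47 mode ciphers aes-ccm tkip
 encryption vlan 54 mode ciphers aes-ccm
"""

def audit(config):
    """Return {ssid: [findings]} by joining SSID blocks to per-VLAN ciphers."""
    # VLAN id -> words of its "encryption vlan N mode ..." line
    ciphers = {v: set(m.split()) for v, m in re.findall(
        r"^[ \t]*encryption vlan (\d+) mode (.+)$", config, re.M)}
    report = {}
    # An SSID block is the header line plus the indented lines that follow it.
    for name, body in re.findall(r"^dot11 ssid (\S+)\n((?:[ \t]+.*\n)*)", config, re.M):
        vlan = re.search(r"^[ \t]+vlan (\d+)", body, re.M)
        modes = ciphers.get(vlan.group(1), set()) if vlan else set()
        findings = []
        if "authentication key-management wpa" not in body:
            findings.append("no WPA key management")
        elif not modes & {"aes-ccm", "tkip"}:
            findings.append("WPA key management without a cipher on the VLAN")
        if "wep" in modes:
            findings.append("WEP on the VLAN")
        if "tkip" in modes:
            findings.append("TKIP allowed")
        if re.search(r"wpa-psk (?:ascii|hex) 7 ", body):
            findings.append("type 7 PSK in config")
        report[name] = findings
    return report
```

Type 7 values are a reversible encoding rather than a hash, so a PSK that appears in a shared or posted config should be treated as disclosed and rotated.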

Any way to see the switchport config and the AP?

If you say you can connect a computer to the interface and get connected, that tells me that it is in access mode, not trunk mode.

To engagerocks,

Let me rephrase. I am sorry. When I plug the laptop in any access port OTHER THAN WHERE THE WAP is plugged in (which is an access port) it works. Meaning, it grabs the DHCP request from the firewall and gets an IP and has internet connection. I have made sure I am plugging into an access port. I am not plugging into the same port that the WAP is plugged into. I am sorry, it's hard to decipher this stuff online sometimes. I attached the config on previous post.

What happens if you give yourself a static IP on your laptop? Can you ping your router then? Can you access internet then? And as requested before, what is the configuration of the switchport where the WAP is connected? And is the firewall configured as a trunk too?

If I give myself a static IP address then I can surf... but it will not get DHCP request for some reason. All traffic travels through native VLAN to the WAP. Here is my config of the switchport on my layer 3... The WAP is connected to the switchport on my layer 3 switch, which is connected to the inside sub-interface on the ASA.

interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable

This is the trunk port that goes to the ASA, on the same switch....

interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable

Hi Hming

I think we need to troubleshoot step-by-step here..

1) For any wireless client to work, authentication is quite critical.. since you said there was an issue with authentication, try doing the following - broadcast the SSID, and remove WPA authentication, and make it open without authentication (to test)... try connecting your laptop and see if you get the DHCP IP..

2) In case your laptop still doesn't get an IP (after open authentication), try giving a static IP and try browsing internet. If it works, then there is some issue connecting to DHCP via wireless..

Let us know how this works out, and we will continue troubleshooting..

Raj

Thanks Raj,

I took off every security feature on the SSID and tried to openly connect and it was successful, and it actually grabbed an IP this time from the firewall, which is what it's supposed to do!! Thank you!!

Now my problem is really understanding the encryption and security and such.

I need it to be WPA2-PSK with 128bit encryption.

What are the commands to do that?

I think we are getting on the right track. I am a routing and switching guy, the CCNP is a brief overview of the wireless aspect of it.

Hi Hming

That's great.. now we know what the issue is..

If you are using an IOS AP, try going through this doc...

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c40b6.shtml

It gives you a configuration example of WPA with preshared keys..

Are you using an external RADIUS server for authentication or is it local? Is it AES encryption or TKIP?

Are you using the default Windows client to connect to wireless or using third party clients?

Raj

I want to keep the RADIUS local and I want to use AES because I think it's the best encryption. I am using the basic Windows client to set up. No third party software.
