12-15-2009 12:42 PM - edited 03-06-2019 08:58 AM
Hey guys,
I have set up a WAP and gave a particular VLAN wireless access on the WAP. However, I configured it and I can't get to the net and can't even ping my gateway. Evidently I am missing something small.
The gateway is the default router.
My ASA 5520 is my DHCP server for this VLAN.
I am guessing the connection stops at the WAP... Can you help?
NOTE: if I plug into a physical switch port, I can surf with no problem.
12-15-2009 01:03 PM
Hi
Are you getting an IP address after connecting to the wireless SSID? Which VLAN is the SSID mapping to, and where is the VLAN layer 3 interface configured? Are you passing authentication after connecting to the SSID?
Raj
12-15-2009 01:09 PM
I can authenticate, but after a few minutes it kicks me out, then a few minutes later I can connect again.
I am not getting an IP address. If I plug in, then it will give me one via DHCP, but it will not give me one when I connect wirelessly.
How can I tell if it's mapped? It's on VLAN 54.
I look in the event log and it says authentication failed.
The layer 3 device is directly connected to the WAP.
My DHCP server is my ASA 5520. How come if I connect to a switchport, it will give me an IP address, but wirelessly it won't?
I don't know what I am doing wrong...?
12-15-2009 01:22 PM
The port on the switch, is that a trunk port or a switch port?
It appears that you need to have the port the AP is plugged into set up as a trunk port, then all the VLANs on that trunk, and you should be good.
12-15-2009 01:56 PM
It is already on a trunk port, so that isn't the case.... There are other VLANs that are able to get connected wirelessly, but they are going to a RADIUS server; this one is not.
I just wanted WPA2 access with PSK, but go to my ASA for DHCP requests.
12-15-2009 02:06 PM
So, you say authentication isn't successful? Did you check the parameters of EAP, and the corresponding settings on the laptop? Is the authentication local to the WAP? I mean the username/password defined locally on the access point? What is the inside interface IP of the ASA providing DHCP requests? Is it on the same broadcast domain as the wireless VLAN?
Raj
12-15-2009 05:40 PM
Yes, I looked at the event log and it says client authentication failed. I checked the auth and it looks okay. The inside interface is 0.54 and the inside interface is 10.0.54.1. Yes, it is on the same broadcast domain. Here is my config on my WAP. It's going to be related to dot11 ssid UK_HEALTHCARE and VLAN 54. HELP! See below...
dot11 vlan-name UK_Healthcare vlan 54
dot11 vlan-name Wireless_EAP vlan 20
dot11 vlan-name Wireless_Guest vlan 40
!
dot11 ssid HRMC-GUEST
vlan 40
authentication open
!
dot11 ssid HRMC-INTERNAL
vlan 20
authentication open eap eap_methods
authentication key-management wpa
!
dot11 ssid SCOTT-ORTHO
vlan 47
authentication open
authentication key-management wpa
wpa-psk hex 7 7053E32A4B790F32AC5942A807C5CB76B4E49FB38C8D2C930056605C566F3A94E1
!
dot11 ssid UK-HEALTHCARE
vlan 54
authentication open
authentication key-management wpa
wpa-psk ascii 7 055B532E746A6D283A2041452E28560B0A7D796717713053422756
!
power inline negotiation prestandard source
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 128bit 7 EF8D210E4948321A0A049773C8A1 transmit-key
encryption mode wep mandatory
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 40 key 1 size 128bit 7 AE2A406C5355425F49747E6D9950 transmit-key
encryption vlan 40 mode wep mandatory
!
encryption vlan 47 mode ciphers aes-ccm tkip
!
encryption vlan 54 mode ciphers aes-ccm
!
ssid HRMC-GUEST
!
ssid HRMC-INTERNAL
!
ssid SCOTT-ORTHO
!
ssid UK-HEALTHCARE
!
short-slot-time
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2422
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.21
encapsulation dot1Q 21 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
bridge-group 40 subscriber-loop-control
bridge-group 40 block-unknown-source
no bridge-group 40 source-learning
no bridge-group 40 unicast-flooding
bridge-group 40 spanning-disabled
!
interface Dot11Radio0.47
encapsulation dot1Q 47
no ip route-cache
bridge-group 47
bridge-group 47 subscriber-loop-control
bridge-group 47 block-unknown-source
no bridge-group 47 source-learning
no bridge-group 47 unicast-flooding
bridge-group 47 spanning-disabled
!
interface Dot11Radio0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface Dot11Radio0.54
encapsulation dot1Q 54
no ip route-cache
bridge-group 54
bridge-group 54 subscriber-loop-control
bridge-group 54 block-unknown-source
no bridge-group 54 source-learning
no bridge-group 54 unicast-flooding
bridge-group 54 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.21
encapsulation dot1Q 21 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.40
encapsulation dot1Q 40
no ip route-cache
bridge-group 40
no bridge-group 40 source-learning
bridge-group 40 spanning-disabled
!
interface FastEthernet0.47
encapsulation dot1Q 47
no ip route-cache
bridge-group 47
no bridge-group 47 source-learning
bridge-group 47 spanning-disabled
!
interface FastEthernet0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface FastEthernet0.54
encapsulation dot1Q 54
no ip route-cache
bridge-group 54
no bridge-group 54 source-learning
bridge-group 54 spanning-disabled
!
interface BVI1
ip address 172.21.0.46 255.255.0.0
no ip route-cache
!
ip default-gateway 172.21.0.1
12-15-2009 02:12 PM
Any way to see the switchport config and the AP?
If you say you can connect a computer to the interface and get connected, that tells me that it is in access mode, not trunk mode.
12-15-2009 05:45 PM
To engagerocks,
Let me rephrase. I am sorry. When I plug the laptop into any access port OTHER THAN WHERE THE WAP is plugged in (which is an access port) it works. Meaning, it grabs the DHCP request from the firewall, gets an IP and has an internet connection. I have made sure I am plugging into an access port. I am not plugging into the same port that the WAP is plugged into. I am sorry, it's hard to decipher this stuff online sometimes. I attached the config in the previous post.
12-16-2009 03:26 AM
What happens if you give yourself a static IP on your laptop? Can you ping your router then? Can you access the internet then? And as requested before, what is the configuration of the switchport where the WAP is connected? And is the firewall configured as a trunk too?
12-16-2009 05:09 AM
If I give myself a static IP address then I can surf... but it will not get a DHCP request for some reason. All traffic travels through the native VLAN to the WAP. Here is my config of the switchport on my layer 3... The WAP is connected to the switchport on my layer 3 switch, which is connected to the inside sub-interface on the ASA.
interface GigabitEthernet3/0/13
description MDF-WAP1
switchport trunk encapsulation dot1q
switchport trunk native vlan 21
switchport mode trunk
switchport nonegotiate
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpduguard enable
This is the trunk port that goes to the ASA, on the same switch....
interface GigabitEthernet3/0/18
description Trunk Link to ASA switchport 0/1
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast disable
12-16-2009 05:35 AM
Hi Hming
I think we need to troubleshoot step-by-step here.
1) For any wireless client to work, authentication is quite critical. Since you said there was an issue with authentication, try doing the following (to test): broadcast the SSID, remove WPA authentication, and make it open without authentication. Try connecting your laptop and see if you get the DHCP IP.
2) In case your laptop still doesn't get an IP (after open authentication), try giving it a static IP and try browsing the internet. If it works, then there is some issue connecting to DHCP via wireless.
Let us know how this works out, and we will continue troubleshooting.
Raj
12-16-2009 06:06 AM
Thanks Raj,
I took off every security feature on the SSID and tried to openly connect, and it was successful; it actually grabbed an IP this time from the firewall, which is what it's supposed to do!! Thank you!!
Now my problem is really understanding the encryption and security and such.
I need it to be WPA2-PSK with 128-bit encryption.
What are the commands to do that?
I think we are getting on the right track. I am a routing and switching guy; the CCNP is a brief overview of the wireless aspect of it.
12-16-2009 06:19 AM
Hi Hming
That's great. Now we know what the issue is.
If you are using an IOS AP, try going through this doc...
It gives you a configuration example of WPA with preshared keys.
Are you using an external RADIUS server for authentication or is it local? Is it AES encryption or TKIP?
Are you using the default Windows client to connect to wireless or a third-party client?
Raj
12-16-2009 06:24 AM
I want to keep the RADIUS local and I want to use AES because I think it's the best encryption. I am using the basic Windows client to set up, no third-party software.
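Editor's note, added to the thread (not posted by any participant): the posted AP config uses `authentication key-management wpa` (WPA, not WPA2) for the UK-HEALTHCARE SSID, has no `guest-mode`/`mbssid guest-mode` on any SSID, and still runs WEP on VLAN 40 and as the radio default. The fragment below is what WPA2-PSK with AES-CCMP looks like on a Cisco IOS autonomous AP for that SSID and VLAN 54. It is an added example, not a quote from the thread or from Cisco documentation; it assumes an IOS release that accepts `wpa version 2`, a radio that supports `mbssid`, and the passphrase is a placeholder to be replaced.

```cisco
! Added example (not from the thread): WPA2-PSK with AES-CCMP on a Cisco IOS
! autonomous AP, for the UK-HEALTHCARE SSID on VLAN 54 from the posted config.
! Assumptions: IOS release that accepts "wpa version 2"; "mbssid" is supported
! by this radio; the passphrase is a placeholder.
!
dot11 ssid UK-HEALTHCARE
 vlan 54
 authentication open
 ! WPA2 (RSN) key management only; the posted config had "wpa" (version 1)
 authentication key-management wpa version 2
 ! "0" = cleartext on entry; saved as type 7 if service password-encryption is on
 wpa-psk ascii 0 REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
 ! Broadcast this SSID in beacons while several SSIDs share the radio
 mbssid guest-mode
!
interface Dot11Radio0
 ! AES-CCMP only for this VLAN: no TKIP fallback, no WEP
 encryption vlan 54 mode ciphers aes-ccm
 ssid UK-HEALTHCARE
 mbssid
!
! Verification after a client tries to join:
!   show dot11 associations
!   debug dot11 aaa authenticator state-machine
```

Two practitioner caveats. First, type 7 encoding (the `7` after `wpa-psk ascii` and `wpa-psk hex` in the posted config) is an obfuscation that is trivially reversible, so the preshared keys pasted into the thread should be treated as disclosed and rotated. Second, `show dot11 associations` lists the client's state, and the `debug dot11 aaa authenticator state-machine` output shows where the 4-way handshake stops, which is more useful than the event log's bare "client authentication failed" when a WPA/WPA2 key mismatch or cipher mismatch is suspected.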