Guest Wireless Not working

Unanswered Question
Sep 20th, 2010

Hi

I have two controllers running code 6.0.182 and one guest controller with same version.

I can see the tunnel UP(Both control and data path) in both controller.

Guest users are authenticated by web authentication. Suddenly guest users become too slow to access internet. Web authentication is successful, but it's too slow to access internet. Did anyone face the same issue? Please reply to me at the earliest.

Regards

Danish Ahammed

Nicolas Darchis Thu, 10/07/2010 - 09:22

Hi,

if the web authentication was successful, then the clients are in "RUN" state and treated like any other clients. If there is a delay, it might be happening between your 2 WLCs. I would analyze with sniffer traces to see really what is slowing down the traffic

Regards,

Nicolas

Davy Ad Sat, 10/09/2010 - 14:57

I need your advice, I have the same issue. I can see GUEST connection status on iPad, but I cannot browse/access a web page.

Any Help pls?

Here is my Config;

no dot11 igmp snooping-helper
dot11 syslog
!
dot11 ssid OFFICE
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   accounting acct_methods
!
dot11 ssid GUEST
   vlan 40
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXX
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption mode ciphers tkip
 !
 encryption vlan 40 mode ciphers tkip
 !
 broadcast-key vlan 1 change 3600 membership-termination capability-change
 !
 broadcast-key change 3600
 !
 broadcast-key vlan 40 change 3600
 !
 !
 ssid OFFICE
 !
 antenna gain 0
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 rts threshold 2312
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.40
 description GUEST
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 bridge-group 40 subscriber-loop-control
 bridge-group 40 block-unknown-source
 no bridge-group 40 source-learning
 no bridge-group 40 unicast-flooding
 bridge-group 40 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
 hold-queue 160 in
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.40
 description GUEST
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
 no bridge-group 40 source-learning
 bridge-group 40 spanning-disabled
!
interface BVI1
 description GUEST
 ip address 10.10.X.X 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.X.X
no ip http server
ip http authentication aaa
ip http secure-server

Davy Ad Mon, 10/11/2010 - 14:22

Thanks

With enabled GUEST ssid , it is still the same issue.

Nicolas Darchis Sun, 10/10/2010 - 22:46

Adewalexdavid => Well It's not the same issue as you seem to be under IOS while the original question was for controller environment :-)

The only thing wrong with your configuration is that you're not enabling the GUEST ssid on your AP at all. Under the "dot11radio0" interface you only have the command "ssid OFFICE" and no "ssid GUEST", so for sure your AP is not serving the GUEST ssid.

If your ipad shows "guest", maybe the ipad is configured to create the GUEST ssid as ad-hoc connection ?

can laptops connect to the guest ssid ? Is anyone receiving an ip address ?
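
Added example (not part of the original thread and not Cisco tooling): a small Python check for the condition pointed out in the reply above, an SSID defined with `dot11 ssid` but never enabled under a `Dot11Radio` interface. The sample config is a constructed, trimmed copy of the one posted; the function names `parse_ap_config` and `audit_ssids` are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the autonomous AP config posted above.
SAMPLE_CONFIG = """\
dot11 ssid OFFICE
   vlan 1
!
dot11 ssid GUEST
   vlan 40
   guest-mode
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 40 mode ciphers tkip
 !
 ssid OFFICE
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
!
"""

def parse_ap_config(text):
    """Return (ssid -> vlan, SSIDs bound to a radio, VLANs with a radio subinterface)."""
    ssid_vlan, bound, subif_vlans = {}, set(), set()
    kind, name = None, None
    for raw in text.splitlines():
        line = raw.strip()  # pasted configs often lose indentation, so track sections by keyword
        if m := re.match(r"dot11 ssid (\S+)$", line):
            kind, name = "ssid", m.group(1)
            ssid_vlan[name] = None
        elif m := re.match(r"interface (\S+)$", line):
            name = m.group(1)
            if re.fullmatch(r"Dot11Radio\d+", name):
                kind = "radio"
            elif re.fullmatch(r"Dot11Radio\d+\.\d+", name):
                kind = "subif"
            else:
                kind = "other"
        elif kind == "ssid" and (m := re.match(r"vlan (\d+)$", line)):
            ssid_vlan[name] = int(m.group(1))
        elif kind == "radio" and (m := re.match(r"ssid (\S+)$", line)):
            bound.add(m.group(1))
        elif kind == "subif" and (m := re.match(r"encapsulation dot1Q (\d+)", line)):
            subif_vlans.add(int(m.group(1)))
    return ssid_vlan, bound, subif_vlans

def audit_ssids(text):
    """List problems that keep a defined SSID from being served by the AP."""
    ssid_vlan, bound, subif_vlans = parse_ap_config(text)
    findings = []
    for ssid, vlan in sorted(ssid_vlan.items()):
        if ssid not in bound:
            findings.append(f"{ssid}: defined but not enabled under any Dot11Radio interface")
        if vlan is not None and vlan not in subif_vlans:
            findings.append(f"{ssid}: vlan {vlan} has no Dot11Radio subinterface")
    return findings

if __name__ == "__main__":
    for finding in audit_ssids(SAMPLE_CONFIG):
        print(finding)
```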

danishahammed015 Sun, 10/10/2010 - 00:10

thanks for your reply

It was an issue with the policy setting on the firewall. Now it's working.

Regards

Danish Ahammad

Davy Ad Mon, 10/11/2010 - 05:18

Thanks, SSID was added, but I cannot log in with password. Regards,

Nicolas Darchis Mon, 10/11/2010 - 06:11

Not sure what I can reply to this :-)

any message on AP console ?

what does a "show dot11 assoc all" says ?

Davy Ad Mon, 10/11/2010 - 13:50

Thanks,

But I am still having the same problem. After enabling the GUEST SSID, my iPad cannot obtain an IP address.

Could it be on RADIUS server ?

Nicolas Darchis Mon, 10/11/2010 - 22:57

No radius involved since your guest SSID is using a wpa pre-shared key.

Can you try with something else than an ipad ?

do you see your client when doing a "show dot11 assoc" on the AP ?

Do you have a dhcp pool configured on the switch for vlan 40 ?

Nicolas.

Davy Ad Tue, 10/12/2010 - 23:34

Thanks Nicolas,

I have no Int Vlan 40 on the switch. I will configure that and get back to you ASAP.

Would i need to change the IP on BVI1 and also what about Default Gateway on Access Point, and on Switch?

My config on Switch

interface VLAN1

ip address 10.10.10.22 255.255.255.0

no ip directed-broadcast

no ip route-cache

!

ip default-gateway 10.10.10.1

My config on Access Point

interface BVI1

description GUEST

ip address 10.10.10.9 255.255.255.0

no ip route-cache

!

ip default-gateway 10.10.10.1

Regards

Dak

Nicolas Darchis Tue, 10/12/2010 - 23:39

You need an interface vlan40 on a switch that will act as gateway for the clients.

The BVI1 is just to telnet the AP and manage it, so it's fine as it is. The only "strange" part is that your management of the AP is in the guest vlan. So once you have everything working, you might think about having the bridge group 1 and BVI1 on AP that are not for guest access. But no showstopper there.

Davy Ad Wed, 10/13/2010 - 00:10

Thanks Nicolas,

so I need to configure this on SWITCH

interface Vlan40

description guest

ip address 10.10.10.X 255.255.255.0

ip access-group GUEST_ACC in

ip helper-address 10.X.X.X

ip helper-address 10.X.X.X

no ip redirects

Will i need to configure default gateway for Vlan 40, with the above config is on my switch and without changing anything on AP ,everything should be fine?

Dak

Nicolas Darchis Wed, 10/13/2010 - 00:14

Wow, lots of confusion.

With the current config you showed, you are putting the vlan 40 interface in the same subnet as your vlan 1. This is not good.

There is only 1 default gateway per device. So AP has its default gateway in vlan 1, fine. And your switch already had a default gateway, so fine as well.

Simply what is needed is : AP configured with 2 vlans (1 and 40), simply bridging them. One switch somewhere having a vlan interface for both vlan 1 and 40 and a dhcp pool for each subnet.

Regards,

Nicolas

Davy Ad Wed, 10/13/2010 - 01:57

Hi Nicolas,

It was typo error , Vlan 40 and Vlan 1 are not on the same subnet.

I just want to know , if i need to create another default Gateway for Vlan 40 on SWITCH.

I know that there is only one default gateway per  AP, which i did. and i have the two Vlans configured already on AP.

My Question is what you mean by Bridging them ; "simply bridging them. One switch somewhere having a vlan interface for both vlan 1 and 40 and a dhcp pool for each subnet."

is it on Switch or AP. And How?

Dak

Tiago Antunes Wed, 10/13/2010 - 01:10

Hi,

Here you can follow a detailed config example for IOS AP with 2 VLANs, including the configuration on the L3 switch for the VLAN interfaces and dhcp pools:

http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.

Hope this helps.

Tiago

PS. Next time please open a discussion for your setup as it has nothing to do with the original post..The original post was for LWAPP deployment.

Yours is for Autonomous AP.

Tiago Antunes Wed, 10/13/2010 - 02:33

Can you please try here:

https://supportforums.cisco.com/servlet/JiveServlet/downloadBody/13436-102-1-30898/vlan_ap_config.pdf.

or

http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.

Davy Ad Wed, 10/13/2010 - 07:10

Hello ,

I tried to configure int vlan 40 and enable it with "no shutdown",

when I check on the interface, it is down down

 VLAN40                      10.0.0.18       YES NVRAM  administratively down down    .

Any Help

DAk

Tiago Antunes Wed, 10/13/2010 - 09:30

As any L3 VLAN, the VLAN needs to be configured on the switch and will only come up if you have it on an interface.

You need to create the vlan, create the vlan interface and add it to the allowed vlan list on the trunk where the AP is connected.

Have you gone through the document i suggested to you?

Did it help?

Thanks,

Tiago

Davy Ad Wed, 10/13/2010 - 23:03

Hello Tiago,

I appreciate all your effort. I want you to know what I did already, and if I am wrong in my configuration let me know.

On SWITCH I created access Vlan for GUEST and Phone

Int fa0/12

Switchport mode  access

switchport  access vlan 40 >>>>> GUEST VLAN

switchport voice vlan 10 >>>>>>>Phone VLAN

spanning-tree portfast

still Int vlan 40 is still the same ( down down)

In case you want more information let me know. The switch is a Cisco 3548 XL.

Tiago Antunes Wed, 10/13/2010 - 23:53

Hi,

Is that the config of the port where the AP is connected???

Why would you configure a switchport voice vlan there??

Where have you seen to configure an access port where you have the AP connected  on the document i sent you?

Can you just follow the document?

The config on the port where the AP is connected should be something like:

Switch#configure terminal
Switch(config)#interface fastethernet 0/10
!--- Enter the interface mode for Fast Ethernet 0/10
Switch(config-if)#switchport mode trunk
!--- Configure the switch port mode to trunk mode.
Switch(config-if)#switchport trunk encapsulation dot1q
!--- Configure the encapsulation on the switch port to dot1q.
Switch(config-if)#switchport trunk native vlan x
!--- Configure the native VLAN as VLAN x.
Switch(config-if)#switchport trunk allowed vlan add 2,20,30
!--- Configure the list of VLANs that are allowed on the trunk port.
Switch(config-if)#switchport nonegotiate

Thanks,

Tiago

Davy Ad Thu, 10/14/2010 - 01:47

Tiago,

No, that is not the port the AP is going to be plugged in; the configuration was already there before thinking of the AP. I just want to inform you that the Guest network or VLAN is already defined on some port. I know that the AP port needs to be a trunk, which I did already, and on that port I allowed all VLANs.

Regards

dak

Tiago Antunes Thu, 10/14/2010 - 02:00

Ok, so are those interfaces up?

Can you share with us the output of "sh int status" and "sh vlan"?

Thanks,

Tiago

Davy Ad Thu, 10/14/2010 - 03:53

Hi,

I will get back to you later, I am at a different site.

Dak

Davy Ad Thu, 10/14/2010 - 10:23

Hello Tiago,

Here is all the info you requested for .But i have not plug AP into any port

are these

1    default                          active    Fa0/1, Fa0/3, Fa0/4, Fa0/6,
                                                Fa0/8, Fa0/10, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/17, Fa0/21, Fa0/22,
                                                Fa0/23
2    DATA_rfarafarrfa                 active
20   VOICE_voippppp                   active    Fa0/5, Fa0/15, Fa0/16, Fa0/18,
                                                Fa0/19, Fa0/24
21   VOICE_Prorama12                  active
50   Weada                            active    Fa0/7
51   VB_PErafaraf_1                   active    Fa0/9
40   GUEST                            active    Fa0/20
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

===================================

Port    Name               Status       Vlan     Duplex Speed   Type
Fa0/8                      notconnect   1          Auto    Auto 100BaseTX/FX
Fa0/9   XXXXXXXXXXXX1      connected    51         Full     100 100BaseTX/FX
Fa0/10                     notconnect   1          Auto    Auto 100BaseTX/FX
Fa0/11  PC + PHONE         connected    trunk    A-Full   A-100 100BaseTX/FX
Fa0/12                     notconnect   1          Auto    Auto 100BaseTX/FX
Fa0/13  CCCCCCCCCCCC       notconnect   1          Auto    Auto 100BaseTX/FX
Fa0/14  PPPPPPPPPPPPP      notconnect   1          Auto    Auto 100BaseTX/FX
Fa0/15  VOIP               connected    20         Full     100 100BaseTX/FX
Fa0/16  VOIP               connected    20         Full     100 100BaseTX/FX
Fa0/17  cravafabsbs nic 2  connected    1          Full   A-100 100BaseTX/FX
Fa0/18  VOIP               connected    20         Full     100 100BaseTX/FX
Fa0/19  top PC             notconnect   20         Auto    Auto 100BaseTX/FX
Fa0/20  VLAN 40 GUEST Inte notconnect   40        Auto    Auto 100BaseTX/FX

=================================================

VLAN1                      10.10.1.1     YES NVRAM  up                    up
VLAN40                     10.20.40.1      YES manual administratively down down
FastEthernet0/1            unassigned      YES unset  up                    up
FastEthernet0/2            unassigned      YES unset  up                    up
FastEthernet0/3            unassigned      YES unset  down                  down
FastEthernet0/4            unassigned      YES unset  up                    up

I hope these infos are what you want?

Regards,

Tiago Antunes Thu, 10/14/2010 - 23:45

Hi,

So looking at your post it is clear why the VLAN is down...

The VLAN will only come up if the VLAN is active in any port of the switch.

And looking at the output, you only have VLAN 40 assigned to one interface, and that interface is not connected "Fa0/20  VLAN 40 GUEST Inte notconnect   40 " so until you connect a device to this interface, it will always remain DOWN.

HTH,

Tiago

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Davy Ad Fri, 10/15/2010 - 01:26

Thanks

i will get back to you . I am  on other site.

Regards,

Dak

Davy Ad Mon, 10/18/2010 - 07:32

Hi Tiago,

I just want to inform you that the AP can not connect to GUEST .  Here are the information for trouble shooting.

1.

Oct 18 14:17:03.120: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  402b.a1d2.51aa Associated KEY_MGMT[WPA PSK]
Oct 18 14:17:30.080: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 402b.a1d2.51aa Reason: Sending station has left the BSS
Oct 18 14:17:30.141: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  402b.a1d2.51aa Associated KEY_MGMT[WPA PSK]
Oct 18 14:18:04.439: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 402b.a1d2.51aa Reason: Sending station has left the BSS
Oct 18 14:18:04.606: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  402b.a1d2.51aa Associated KEY_MGMT[WPA PSK]
Oct 18 14:18:05.650: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 402b.a1d2.51aa Reason: Sending station has left the BSS
Oct 18 14:18:10.229: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  402b.a1d2.51aa Associated KEY_MGMT[WPA PSK]
Oct 18 14:18:42.313: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 402b.a1d2.51aa Reason: Sending station has left the BSS
Oct 18 14:18:46.923: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  402b.a1d2.51aa Associated KEY_MGMT[WPA PSK]
Oct 18 14:19:04.485: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0024.9f52.c99f Associated KEY_MGMT[WPA PSK]
Oct 18 14:19:18.970: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 402b.a1d2.51aa Reason: Sending station has left the BSS
Oct 18 14:19:34.492: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.9f52.c99f Reason: Sending station has left the BSS
Oct 18 14:20:20.041: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0024.9f52.c99f Associated KEY_MGMT[WPA PSK]
Oct 18 14:20:50.049: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.9f52.c99f Reason: Sending station has left the BSS
Oct 18 14:21:01.792: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0024.9f52.c99f Associated KEY_MGMT[WPA PSK]
Oct 18 14:21:31.799: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.9f52.c99f Reason: Sending station has left the BSS
Oct 18 14:21:45.636: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0024.9f52.c99f Associated KEY_MGMT[WPA PSK]
Oct 18 14:22:15.647: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0024.9f52.c99f Reason: Sending station has left the BSS
Oct 18 14:22:34.543: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0024.9f52.c99f Associated KEY_MGMT[WPA PSK]

2. show ip int brief :

VLAN1                      10.21.48.44     YES NVRAM  up                    up >>>>>>>>>>> NATIVE VLAN
VLAN9                     unassigned      YES unset  administratively down down
VLAN40                     10.21.41.2      YES manual administratively down down>>>> GUEST VLAN
FastEthernet0/1            unassigned      YES unset  down                  down
FastEthernet0/2            unassigned      YES unset  down                  down
FastEthernet0/3            unassigned      YES unset  down                  down
FastEthernet0/4            unassigned      YES unset  down                  down

3. on AP show ip int brief

BVI1                       10.10.48.X      YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
Dot11Radio0.1              unassigned      YES unset  up                    up
Dot11Radio0.30             unassigned      YES unset  up                    up
Dot11Radio0.40             unassigned      YES unset  up                    up
GigabitEthernet0           unassigned      YES NVRAM  up                    up
GigabitEthernet0.1         unassigned      YES unset  up                    up
GigabitEthernet0.40        unassigned      YES unset  up                    up

4. Trunk Port configure and AP install in Switch port as well

Building configuration..

Current configuration:
!
interface FastEthernet0/25
description TRUNK-to- GUEST Wireless
speed 100
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,40,1002-1005
switchport mode trunk
spanning-tree portfast
spanning-tree rootguard

5. Admin User can connect and browse internet ,but the Guest user can not connect.

This is where i need solution>

I read the pdf you sent, and my configuration is nearly the same, except that I used TACAC & Radius server.

Regards,

Dak

Tiago Antunes Mon, 10/18/2010 - 12:06

Hi,

We still see the vlan 40 down/down on the switch...

And what do you mean by "used TACAC & Radius server"?

From the logs the ssid is configured for PSK...is this what you intend?

What exactly is the security method you are aiming for?

Can you please share with us the sh run of the switch and of the AP?

Please save them on 2 files and upload the files. Do not paste it here.

Cheers,

Tiago

Tiago Antunes Mon, 10/18/2010 - 23:28

Hi,

Well, looking at the switch configuration we can clearly see why the vlan 40 is still down down...

This is what you have:

!
interface VLAN40
description GUEST
ip address 10.10.40.2 255.255.255.0
ip access-group guest-list in
ip helper-address 10.10.10.13
ip helper-address 10.10.10.12   
no ip redirects
no ip directed-broadcast
no ip route-cache
shutdown
!

Don't you see anything that shouldn't be there?

(Hint: command "shutdown")

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
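
Added example (not part of the original thread and not Cisco tooling): a Python sketch that applies the two explanations given in the replies above, a `shutdown` on the VLAN interface and a VLAN with no active port, to pasted `show ip interface brief` and `show interfaces status` output. The sample text is constructed from the output posted in this thread; the `TRUNK_ALLOWED` map and the function names are assumptions, and column layout can differ between platforms.

```python
import re

# Constructed sample, modelled on the command output pasted in this thread.
IP_BRIEF = """\
VLAN1                      10.10.1.1       YES NVRAM  up                    up
VLAN40                     10.20.40.1      YES manual administratively down down
"""
INT_STATUS = """\
Fa0/11  PC + PHONE         connected    trunk    A-Full   A-100 100BaseTX/FX
Fa0/20  VLAN 40 GUEST Inte notconnect   40         Auto    Auto 100BaseTX/FX
"""
# Assumption: allowed-VLAN list per trunk port, read by hand from the running config.
TRUNK_ALLOWED = {"Fa0/11": {1, 20}}

BRIEF_RE = re.compile(r"^(\S+)\s+\S+\s+(?:YES|NO)\s+\S+\s+"
                      r"(administratively down|up|down)\s+(up|down)\s*$")
# The Name column may be empty or contain spaces, so anchor on the Status keyword.
STATUS_RE = re.compile(r"^(\S+)\s+.*?\s*\b(connected|notconnect|disabled|err-disabled)"
                       r"\s+(\S+)")

def svi_state(ip_brief, vlan):
    """Return (status, protocol) for the VLAN interface, or None if it is absent."""
    for line in ip_brief.splitlines():
        m = BRIEF_RE.match(line.strip())
        if m and m.group(1).lower() == f"vlan{vlan}":
            return m.group(2), m.group(3)
    return None

def active_ports(int_status, trunk_allowed, vlan):
    """Connected ports that carry the VLAN: access ports in it, or trunks allowing it."""
    ports = []
    for line in int_status.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m or m.group(2) != "connected":
            continue
        port, _, col = m.groups()
        if col == str(vlan) or (col == "trunk" and vlan in trunk_allowed.get(port, ())):
            ports.append(port)
    return ports

def diagnose_svi(ip_brief, int_status, trunk_allowed, vlan):
    state = svi_state(ip_brief, vlan)
    if state is None:
        return "no-svi"                  # interface VlanN was never created
    status, protocol = state
    if status == "administratively down":
        return "shutdown"                # 'shutdown' is present under the interface
    if (status, protocol) == ("up", "up"):
        return "up"
    if not active_ports(int_status, trunk_allowed, vlan):
        return "no-active-port"          # nothing connected carries this VLAN
    return "check-stp-or-vlan-db"        # a port is up; look at STP state and 'show vlan'

if __name__ == "__main__":
    print(diagnose_svi(IP_BRIEF, INT_STATUS, TRUNK_ALLOWED, 40))
```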

Davy Ad Tue, 10/19/2010 - 03:52

Thanks ,

But I told you many times in all my mail that I did "NO SHUT DOWN" already, and the port is still down down. If it is just no shut down, I will not be wasting your time to tell me what is wrong.

I enable the port interface

I plug in the AP

I enable int vlan 40  ( with No shut )

But, it is still down down. All these i did before asking for Help.

Dak

 

Davy Ad Mon, 10/25/2010 - 21:34

Hello ,

I will like to thank you all for your support , specially on PDF document sent by Tiago.

After lots of trouble shooting,  AP was able to work normally, connected to both GUEST and Admin User (except  one IPAD on GUEST Network)

The Problem was no passive interface for GUEST Network on OSPF routing protocol.

HTH

Dak

Tiago Antunes Mon, 10/25/2010 - 23:30

Hi,

Nice to hear that.

Glad that is working and thanks for sharing the root cause on the routing side.

Cheers,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
