
Access Point unable to contact subnet with RADIUS server

krawdad37

Hi,


We have a Cisco 1602i access point that is in a geographically remote office and different subnet from the home office and network where the RADIUS server exists that we wish to use to authenticate to. 

The offices are joined by a VPN tunnel between an ASA 5510 (home office where the RADIUS server lives) and an ASA5505 in the remote office where the AP lives.


However, the AP cannot contact the RADIUS server even though the tunnel is wide open, with no port restrictions.  We also cannot connect to the remote AP to manage it via the GUI or SSH from the home office network.


The AP is up and we can manage it by using a computer on the same network as it.  SSH, GUI, Telnet all work. However, it doesn't even respond to pings sent from the home network, even though other devices do when pinged from the home to the remote network.

So my basic question is, can a Cisco AP only contact devices on the same subnet? That would seem like a silly limitation for an enterprise device that would be deployed in a remote setting.


We have a Cisco SmartNet on the access point, but not on the firewalls, and Cisco has commented that it could be a VPN tunnel issue and we should contact their VPN support group, but we do not have paid Cisco SmartNet support for the firewalls.

Can anyone help me out?

Thanks!!

Dave



kcnajaf

Hi Dave,

Is the AP a lightweight AP or an autonomous AP?

Can you verify if the AP has a default gateway configured on it?

Regards

Najaf

Hi

It's autonomous.

The AP does have a gateway configured.

Thanks

Dave

Can you share the config of the AP and the switchport it is connected to?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Hi Dave,

Could you please share the configuration from the AP with sensitive information removed?

Also are you able to ping the default gateway configured on AP from Home network?

Regards

Najaf

Here is the config. 

And I am able to ping the default gateway (for the Remote network) configured on the AP, from my workstation on the home network.

Thanks

Dave

----------------------------------------------------------------------------------------------------------------------------------

Current configuration : 2862 bytes
!
! Last configuration change at 18:33:16 -0600 Sun Feb 28 1993 by
! NVRAM config last updated at 09:58:59 -0500 Thu Sep 5 2013 by
! NVRAM config last updated at 09:58:59 -0500 Thu Sep 5 2013 by
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-AP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.1.19
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone -0600 -6 0
clock summer-time -0500 recurring
ip cef
!
!
!
dot11 syslog
!
dot11 ssid (removed)
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   guest-mode
!
!
crypto pki token default removal timeout 0
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid (removed)
 !
 antenna gain 0
 stbc
 beamform ofdm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid (removed)
 !
 antenna gain 0
 dfs band 3 block
 stbc
 beamform ofdm
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip radius source-interface BVI1
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.1.19 key (removed)
radius-server vsa send accounting
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

Cisco_AP#

Hi Dave,

Not sure why you have this line of configuration on the AP assuming your gateway is 10.0.2.1

ip route 0.0.0.0 0.0.0.0 10.0.1.1

You can remove this line from the configuration and try the ping.

Regards

Najaf
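Added example, not part of the original thread: a small Python check for the misconfiguration identified above, where the static default route points at 10.0.1.1 while the AP's only interface (BVI1) sits in 10.0.2.0/24. The config excerpt is constructed from lines in the posted configuration, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt: only the addressing and routing lines from the AP config in this thread.
SAMPLE_CONFIG = """\
interface BVI1
 ip address 10.0.2.4 255.255.255.0
!
ip default-gateway 10.0.2.1
ip route 0.0.0.0 0.0.0.0 10.0.1.1
ip radius source-interface BVI1
radius-server host 10.0.1.19 key (removed)
"""

# "no ip address" lines do not match because the line must start with "ip address".
ADDR_RE = re.compile(r"^[ \t]*ip address (\S+) (\S+)[ \t]*$", re.M)
GW_RE = re.compile(r"^ip default-gateway (\S+)[ \t]*$", re.M)
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", re.M)


def connected_networks(config):
    """Subnets the device is directly attached to, taken from 'ip address' lines."""
    return [ipaddress.ip_interface(f"{addr}/{mask}").network
            for addr, mask in ADDR_RE.findall(config)]


def unreachable_next_hops(config):
    """Return (config line, next hop) pairs whose next hop is on no connected subnet."""
    nets = connected_networks(config)
    hops = [(f"ip default-gateway {g}", g) for g in GW_RE.findall(config)]
    hops += [(f"ip route {d} {m} {h}", h) for d, m, h in ROUTE_RE.findall(config)]
    return [(line, hop) for line, hop in hops
            if not any(ipaddress.ip_address(hop) in net for net in nets)]


def radius_needs_routing(config):
    """RADIUS servers outside every connected subnet, which depend on a valid next hop."""
    nets = connected_networks(config)
    servers = re.findall(r"^radius-server host (\S+)", config, re.M)
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in nets)]


if __name__ == "__main__":
    for line, hop in unreachable_next_hops(SAMPLE_CONFIG):
        print(f"next hop {hop} is not on a connected subnet: {line}")
    for server in radius_needs_routing(SAMPLE_CONFIG):
        print(f"RADIUS server {server} is off-subnet and needs a working next hop")
```

Run against the excerpt, it flags only the `ip route` line; once that line is removed, no next hop is reported, matching the fix confirmed in the thread.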

Hi

That fixed it.

Thank you very much! I had a feeling it was something I had overlooked.

Have a great day,

Dave

Hi Dave,

Great to know that things are working as expected.

Regards

Najaf
