Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Issues with 2106 and 1130AG LWAPP

Hello all. I'm trying to do what I thought would be a simple config. 2 APs connected directly to a controller. The controller's 2 management interfaces are in our management VLAN (used for all switches, servers, etc), and I created a new VLAN for the APs and clients per this link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml. However, I am unable to get the APs to join the controller. Controller was NIB before I configured, and the APs are also NIB with the default config.

24 REPLIES
New Member

Re: Issues with 2106 and 1130AG LWAPP

have you set the time correctly on the controller? if the time is not correct your AP's will fail to register

Also you need to make sure the controller and AP are the same radio domain

If all else fails turn on lwapp debugging to see what the problem is

New Member

Re: Issues with 2106 and 1130AG LWAPP

Thanks for the response. I did set the time after reading a thread here about the certificate issue.

So the radio domain will prevent a connection even if the AP is directly attached to the controller?

New Member

Re: Issues with 2106 and 1130AG LWAPP

Make sure you LWAPP Transport mode is set to Layer 2 and your WLAN are admin enabled. Also, make sure the interface name under WLAN is pointing to the AP VLAN you created.

New Member

Re: Issues with 2106 and 1130AG LWAPP

According to the config guide, Layer 2 is not supported on a 2100 series controller. This seems to be correct as the only option I have in the GUI is Layer 3.

I do have the WLAN admin enabled, and the interface the AP is connected to is in the AP VLAN.

New Member

Re: Issues with 2106 and 1130AG LWAPP

Jeff, my mistake I'm using a 4400 WLC. Are your management and ap-mangement interfaces in the same VLAN?

New Member

Re: Issues with 2106 and 1130AG LWAPP

Yes, I have both management interfaces in a management VLAN that we use to administer switches and other network hardware.

New Member

Re: Issues with 2106 and 1130AG LWAPP

Have you configured either the DHCP option of the DNS option for the APs to find the controller? Also try hard coding the ip address of the management inface on the access point. If you set the DHCP and DNS, make sure you are using the management IP, not ap manager.

New Member

Re: Issues with 2106 and 1130AG LWAPP

I'm trying to use the WLC's internal DHCP server. I've also tried hardcoding the WLC IP address on the AP. After reading through pretty much all of the configuration examples, I'm getting the impression that connecting the APs directly to the WLC is not supported. All of the config examples I read show the WLC and AP(s) connected via a router or switch.

If direct connection is supported, what do you use for a default gateway on the WLC's dynamic interface?

New Member

Re: Issues with 2106 and 1130AG LWAPP

Direct connect to the 2106 is supported. I think that you have your interface configured incorrectly. As far as the gateway, that would be the gateway for the VLAN. If you are using direct connect you configure the interface for the same VLAN as management on that port.

New Member

Re: Issues with 2106 and 1130AG LWAPP

I see. So with direct connect, you can't have the dynamic interface in a different VLAN? That may be the issue (or at least part of it), as that's what I'm trying to do.

New Member

Re: Issues with 2106 and 1130AG LWAPP

Yes, the dynamic interface would by definition be in a different VLAN. You may want to simplify the config as it sounds like there is a issue with the config. If you configure a dynamic interface you have to have something to route said interface as the controller is only a layer 2 device (no VLAN routing).

New Member

Re: Issues with 2106 and 1130AG LWAPP

I believe swyatt is correct. With my 4400 WLC, I have my WLC trunked to a external switch with ip routing enabled. I have all my static and dynamic vlans defined on the switch. I was lead to believe that 2106 had a built in switch, but it does not.

Here's an example of my switch config:

vlan 150

name LWAPP

!

vlan 152

name WUSER

(management and ap-management static vlan)

interface Vlan150

description "LWAPP"

ip address 10.32.150.1 255.255.255.248

no ip redirects

!

(dynamic vlan)

interface Vlan152

description "Wireless Users"

ip address 10.32.152.1 255.255.255.0

no ip redirects

Hall of Fame Super Silver

Re: Issues with 2106 and 1130AG LWAPP

Put your AP's on the same vlan as the management ip on the WLC's. Make sure the ap can get a dhcp address or manually set one. This is just temporary....

If the ap's join then move them to the other vlan you created but make sure you have routing configured correctly for connectiviy back to the WLC subnet.

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with 2106 and 1130AG LWAPP

Well, as often happens, I had to put this one on the shelf for a bit as other projects cropped up. I've made a bit of progress. I was able to get an AP to join the controller by putting it in the management VLAN temporarily, then assigning it a new address from the WLC.

The issue I'm running into now is that wireless clients can connect to the AP, but are unable to pull an address from the 2106's DHCP server. Config attached.

I have the WLC attached to a trunk port, and the AP on a port configured for my guest VLAN (151). I've added a 2nd inside port on my firewall, also in the 151 VLAN, and my plan is to route those wireless users directly to the firewall.

New Member

Re: Issues with 2106 and 1130AG LWAPP

Well, I managed to fix the DHCP issue. I had the DHCP override checked from when I was testing with the AP directly connected to the WLC. Now I need to figure the best way to route this guest VLAN directly to our firewall. Using a 2nd inside port on the firewall won't work, as the guest VLAN is part of our larger inside address block, and the firewall can't handle the routing.

New Member

Re: Issues with 2106 and 1130AG LWAPP

Wireless LAN Controllers don't route (the exception is the management interface, and the 2106 doesn't have on of those.) All routing is via the default gateways. If you are on a SSID that is associated to a virtual interface called "DMZ", the traffic would route out the gateway for that interface. The gateway would then have to route that traffic on its merry way.

On a 2106 you can plug the one of the physical ports into a DMZ. You would create a virtual interface and add it to the physical port that is plugged into the DMZ. Connect an SSID to that virtual interface and off you go.

Hall of Fame Super Silver

Re: Issues with 2106 and 1130AG LWAPP

Swayatt is correct, but it is actually dynamic interfaces you would create. The virtual is used for other stuff.

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with 2106 and 1130AG LWAPP

Thanks for the replies. I was able to get things working. I set up the APs (and dynamic interface on the WLC) in a 10.x.x.x block, and put them in a VLAN routed directly to the 2nd inside interface on the ASA via DG. Things seem to be working as hoped, when connected to the guest VLAN, I am unable to access anything on our private network.

Several of the posts in this thread have been very helpful. Is there any issue with scoring multiple posts in a thread?

Hall of Fame Super Silver

Re: Issues with 2106 and 1130AG LWAPP

Glad you got it working.... now you have to work on a custom WebAuth page for the guest and 3rd party cert.

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with 2106 and 1130AG LWAPP

Actually, these APs will be implemented in an Emergency Operations Center in our Public Safety Building (I work for a county gov't). We were thinking about just running with no auth, just fine-tuning the radios so they don't bleed outside the EOC. If someone wants to try war-driving in a secure building also staffed by our Sheriff's Dept, more power to them. :)

But, I'm always open to suggestions...

New Member

Re: Issues with 2106 and 1130AG LWAPP

That is a bad idea, especially if these APs are on the EOC network. WPA-PSK is so simple to do it isn't funny, and I asssume that since this is the EOC there is a domain controller in use for some of the apps that run. PEAP would be very easy to implement as well.

I've worked in a 911/EOC during a huricane and we had to support a bunch of folks that came in during the event that needed wireless. In that case it is easy to implement a temporary WPA-PSK SSID for the outside folks and take it back down during the emergency.

Hall of Fame Super Silver

Re: Issues with 2106 and 1130AG LWAPP

I must agree again. Since you are a government entity, being secure should be on the top of your list. you don't want to be on 60 minutes for being hacked. WPA2-PSK should be your minimum type of encryption. Turning down the power so the signal won't bleed out is not going to help. all they will need is a yagi antenna and sit far enogh away where they will not be caught. Wardrivers will post locations and encryption keys for anyone to use.

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with 2106 and 1130AG LWAPP

Like I said, I'm open to suggestions. For now, we're going to go with WPA-TKIP-PSK, and web auth. One anomaly I've noticed with web auth: I can authenticate, then browse the web, but even if I close my browser, disconnect from the WLAN, and reconnect, I do not get prompted to authenticate again. Is this controlled separately from the WLAN session timeout setting?

New Member

Re: Issues with 2106 and 1130AG LWAPP

You would have to be disconnected for more than 300 seconds (default) before the controller would think that you where gone.

524
Views
12
Helpful
24
Replies