1252 trunk default vlan route to radius

I have in place switching with both static and dynamic VLANs (dynamic is done by RADIUS). I have another vendor's wireless equipment and it is working fine in this setup. I cannot get my 1252 WAPs working though. My 1252 GigabitEthernet0 interface is plugged into a trunked switch port allowing all VLANs (tagged). No VLANs are untagged on this port except VLAN 1 (native).

Below is my 1252 config. There are two issues:

1. I cannot manage/ping the web interface, which is on VLAN 10, subnet 10.148.198.x. I only want to be able to manage the switch from VLAN 10 and its subnet. VLAN 1 should have no management abilities.

2. Clients trying to connect to SSID BSC cannot auth with the RADIUS server. I believe the 1252 can't contact the RADIUS server because it is on VLAN 10. How do I tell the 1252 to go out the GigabitEthernet0 interface tagged on VLAN 10 to find the RADIUS server? Is there a command for a default VLAN route before clients auth?

3. In my config, is the GigabitEthernet0 interface correctly configured as a trunk allowing all VLANs (tagged)? VLAN 1 shouldn't be tagged.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ip54
!
enable secret 5 $1$zH/A$
enable password 7 1404430
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.148.198.47 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name domain1
!
!
dot11 vlan-name BSC vlan 10
dot11 vlan-name DEF vlan 1
dot11 vlan-name PRT vlan 50
dot11 vlan-name ROUGE vlan 20
!
dot11 ssid BSC
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
dot11 ssid vlan10
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii 7 04574hjgh
!
power inline negotiation prestandard source
!
!
username Cisco privilege 15 secret 5 $1$1mmmh
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 50 mode ciphers aes-ccm
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 ssid BSC
 !
 ssid vlan10
 !
 no dfs band block
 mbssid
 channel 5765
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 no bridge-group 50 source-learning
 bridge-group 50 spanning-disabled
!
interface BVI1
 ip address 10.148.198.54 255.255.254.0
 no ip route-cache
!
ip default-gateway 10.148.198.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.148.198.47 auth-port 1812 acct-port 1813 key 7 143517070
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

2 REPLIES

Re: 1252 trunk default vlan route to radius

Hi,

You did not map the BVI right.

The correct configuration needs to look like this:

interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 11                <-- just an example
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 1                 <-- now VLAN 10 is mapped to BVI1 with your IP for managing and RADIUS communication
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

If you want to be able to manage the AP via wireless, you need to change the radio sub-interfaces in the same way.

But maybe you are not able to change the BVI or interface 0.1, so I would recommend changing the config and uploading the whole thing anew.

- Sebastian
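The mapping rule in Sebastian's reply, turned into a small audit script (an added example, not code from the thread or from Cisco): on an autonomous IOS AP the BVI's IP address rides on the bridge-group of the same number, so the sub-interfaces bridged into bridge-group 1 decide which VLAN can reach the AP's management address and the RADIUS server, and every radio and Ethernet sub-interface of one VLAN must share one bridge-group. The sample config and the VLAN numbers are constructed to mirror the thread; the function names are my own.

```python
import re
from collections import defaultdict
# Constructed excerpt shaped like the thread's original config: bridge-group 1 (the group
# BVI1 belongs to) sits on the VLAN 1 native sub-interfaces, although the AP's
# 10.148.198.x management address and the RADIUS server live on VLAN 10.
SAMPLE_CONFIG = """\
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
"""

def parse_subinterfaces(config):
    """Map each dot1Q sub-interface name to its {'vlan': .., 'bg': ..} pair."""
    subs, current = defaultdict(dict), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s*encapsulation dot1Q (\d+)", line):
            subs[current]["vlan"] = int(m.group(1))
        elif m := re.match(r"\s*bridge-group (\d+)\s*$", line):  # bare line only, not "... spanning-disabled"
            subs[current]["bg"] = int(m.group(1))
    return {k: v for k, v in subs.items() if "vlan" in v and "bg" in v}

def audit(config, mgmt_vlan, bvi=1):
    """Return a list of findings; an empty list means the mapping matches the intent."""
    subs, findings = parse_subinterfaces(config), []
    # BVI<n> carries the AP's IP on bridge-group n, so only the management VLAN may feed it.
    bvi_vlans = {v["vlan"] for v in subs.values() if v["bg"] == bvi}
    if bvi_vlans != {mgmt_vlan}:
        findings.append(f"BVI{bvi} bridged to VLAN(s) {sorted(bvi_vlans)}, expected {mgmt_vlan}")
    # Every radio and Ethernet sub-interface of one VLAN must share one bridge-group.
    by_vlan = defaultdict(set)
    for v in subs.values():
        by_vlan[v["vlan"]].add(v["bg"])
    for vlan, groups in sorted(by_vlan.items()):
        if len(groups) > 1:
            findings.append(f"VLAN {vlan} split across bridge-groups {sorted(groups)}")
    return findings

# Sebastian's remedy applied to the sample: VLAN 1 -> bridge-group 11, VLAN 10 -> bridge-group 1.
FIXED_CONFIG = (SAMPLE_CONFIG.replace(" bridge-group 1\n", " bridge-group 11\n")
                             .replace(" bridge-group 10\n", " bridge-group 1\n"))
```

Running `audit` on the original shape reports BVI1 sitting on VLAN 1; on the corrected shape it returns no findings, and it also flags a VLAN whose radio and Ethernet sub-interfaces have drifted into different bridge-groups.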


Re: 1252 trunk default vlan route to radius

Thanks for the reply. I changed the config to make all three 0.1 sub-interfaces bridge-group 11 and all three 0.10 sub-interfaces bridge-group 1. This made it so I can manage via 10.148.198.x and also made the RADIUS server contactable by the AP. Thanks!

However, a major problem still exists: when I go on any VLAN client with RADIUS, they seem to associate but not get DHCP. There is a DHCP server on each subnet/VLAN. This setup is working with my other wireless vendor. Also, if the RADIUS server assigns VLAN 10 to a client, the connecting wireless dialog in WinXP speeds up but never connects. In the 1252 web page I can see that RADIUS has assigned it to the correct VLAN, but no DHCP. There is still a major config issue and I believe it has to do with the VLANs and BVI etc. If I set an SSID without RADIUS (e.g. the SSID called vlan10) it works fine!

Thanks again.
