Switch/router can't ping the access point and AAA authentication failed.

Dear sir,

We have a running Cisco Secure ACS version 4.1 and have configured a DHCP server pool in Windows Server 2003 for the wireless users. The DHCP address pool is from 172.30.39.66 to 172.30.39.126. As shown in "switch configuration.txt", we have configured a VLAN for wireless as well. For the ACS configuration, we configured it at ACS --> Network Configuration by adding 2 APs as AAA clients. On the wireless access point, all the interfaces are up in "sh ip int brief". Please advise why we can't ping the AP and why AAA authentication failed.

Your effort shall be highly rated and appreciated.

Thank you very much.

9 REPLIES

Re: switch/router can't to ping to access point and aaa authenti

the switch ports connecting to the APs should have the additional command:

switchport trunk native vlan 2

as vlan 2 is configured as the native vlan on the AP - see the following url:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml#native

cheers

andy

Re: switch/router can't to ping to access point and aaa authenti

Hi andy,

Thank you very much for your correction. Based on the attachment "ap configuration.txt", you can see below that the IP address for the AP is 172.30.39.5 255.255.255.224.

interface BVI1
 ip address 172.30.39.5 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.30.39.1

_________________

Question: I've tried to configure another AP with a different IP address and default gateway, as shown below:

interface BVI1
 ip address 172.30.39.4 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.30.39.65 <-- (Different default-gateway)

The AP works perfectly as well. Please advise why it can work?

Thanks and appreciation.

Re: switch/router can't to ping to access point and aaa authenti

hi there

the ap mgmt ip address and its DG are in different subnets. the AP ip address is in the range 172.30.39.1 to 172.30.39.30 whereas its DG is in the range 172.30.39.65 to 172.30.39.94.

hth

andy

Re: switch/router can't to ping to access point and aaa authenti

had a look at router config - ap should be on vlan 4? if so ap should have an ip in range:

172.30.39.65 to 172.30.39.126 (with a SM of 255.255.255.192)

also the switchport config for the new ap should have the "switchport trunk native vlan 4" command

cheers

andy

Re: switch/router can't to ping to access point and aaa authenti

Hi Andy,

Thank you for your response. Below is the design. Yes, the AP is on VLAN 4 but the management VLAN is VLAN 2. I have 2 APs in the network: AP1 connected to port fa0/22 and AP2 connected to port f0/23.

Question: I assigned AP1 int bvi1 the IP address 172.30.39.4 255.255.255.224 with ip default-gateway 172.30.39.65, and AP2 the IP address 172.30.39.5 255.255.255.224 with ip default-gateway 172.30.39.1.

As you can see, AP1's ip default-gateway is 172.30.39.65 but AP2's ip default-gateway is 172.30.39.1. They are not pointing to the same gateway, but both AP1 and AP2 still work without any issue?

Any idea?

Thanks and appreciation.

______________________

"Network/Servers 172.30.39.0/27 255.255.255.224 - Vlan2"
172.30.39.1 Gateway Router
172.30.39.2 Switch1
172.30.39.3 Switch2
172.30.39.4 AP1
172.30.39.5 AP2
172.30.39.6 Printer
172.30.39.7 - 30 <----- Free IP addresses, can be assigned for anything.
172.30.39.31 Broadcast

______________________

"LAN User 172.30.38.32/27 255.255.255.224 Vlan 3"
172.30.39.32 Network
172.30.39.33 Gateway
172.30.39.34- 62 <----- Free IP addresses, can be assigned for anything.
172.30.39.63 Broadcast

______________________

"Wireless DHCP Pool 172.30.38.64/26 255.255.255.192 Vlan 4"
172.30.39.64 Network
172.30.39.65 Gateway
172.30.39.66-126 <----- Free IP addresses, can be assigned for anything.
172.30.39.127 Broadcast

Re: switch/router can't to ping to access point and aaa authenti

hi fungchai

if the management IPs of your APs are in the range 172.30.39.0/26 (vlan 2) then their default gateways should be 172.30.39.1. if you want to use a DG for your APs that is in a different subnet you will have to have a look at proxy arp - see url:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

why are you using the DG of 172.30.39.65 on AP1?

hth

cheers

andy

Re: switch/router can't to ping to access point and aaa authenti

Hi Andy,

Thank you for your fast reply. Because of the design I posted to you earlier, I just tested whether it can work or not. Surprisingly, it works as well if I set the DG (default gateway) of 172.30.39.65 on AP1. Can you explain why it works? Strange ya.. :)

Thanks andy.

Re: switch/router can't to ping to access point and aaa authenti

hi fungchai

your router config doesn't have the "no ip proxy-arp" command on the ethernet interfaces which will explain why it worked. proxy arp is enabled by default but can be disabled (it's disabled on the serial interface) usually for the reasons given in the url of my previous post.

cheers

andy
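
Added example (not part of the original thread or anyone's posted code): a small Python audit that parses the two BVI1 snippets quoted in this thread and flags a default gateway that sits outside the interface subnet, which is the case that only works while a router answers with proxy ARP. The function names and the `AP_CONFIGS` layout are assumptions made for illustration.

```python
import ipaddress
import re

# AP1 and AP2 BVI1 settings as quoted in the thread.
AP_CONFIGS = {
    "AP1": """interface BVI1
 ip address 172.30.39.4 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.30.39.65
""",
    "AP2": """interface BVI1
 ip address 172.30.39.5 255.255.255.224
 no ip route-cache
!
ip default-gateway 172.30.39.1
""",
}

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
GW_RE = re.compile(r"^\s*ip default-gateway (\S+)", re.M)


def check_gateway(config: str) -> dict:
    """Return the interface subnet and whether the default gateway is on-link."""
    addr, mask = ADDR_RE.search(config).groups()
    gateway = ipaddress.ip_address(GW_RE.search(config).group(1))
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    on_link = gateway in iface.network
    return {
        "subnet": str(iface.network),
        "gateway": str(gateway),
        "on_link": on_link,
        # An off-link gateway only resolves if some router answers ARP for it.
        "needs_proxy_arp": not on_link,
    }


def audit(configs: dict) -> dict:
    """Run the gateway check over every named config snippet."""
    return {name: check_gateway(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, result in audit(AP_CONFIGS).items():
        status = "OK" if result["on_link"] else "off-link, works only via proxy ARP"
        print(f"{name}: {result['gateway']} vs {result['subnet']} -> {status}")
```

Running the same check before adding "no ip proxy-arp" to the router's Ethernet interfaces shows which devices would lose their gateway once proxy ARP is disabled.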

Re: switch/router can't to ping to access point and aaa authenti

Hi Andy,

You are brilliant 1 !! :)

Thank you very much.
