I have a second WLAN implementation underway. We have 5 APs and a Cisco 3550 switch. I have deleted all the default VLANs / SSIDs from the IOS AP1200 ver 12.2 and then created two new ones:
SSID GUEST associated to VLAN 10 Native
SSID Engineer associated to VLAN 11
When my clients connect to GUEST, life is good. They can access the network, but when they connect to Engineer they can't access the network. They can't even ping the AP. All my clients have static IPs. I did this to make sure DHCP was out of the trouble loop. Here is my config; any ideas would be highly appreciated ...
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
With APs doing VLAN mapping, I take it what is happening is that when you map VLAN 10 or VLAN 11 to the native, it starts working. Well, if on your switch your ACS (or whatever authenticates EAP) is in the switch's native VLAN, then only clients that are mapped to that native VLAN will be able to talk to the authentication server. You need a router for inter-VLAN communications, so VLAN 11 will not talk to VLAN 10 (VLAN 10 being mapped to the native of the switch where DHCP and ACS reside).
Also, when a client connects to an AP, there are 2 connections established. One connection is set to blocking only state. The other connection is set to blocking, with 802.1x forwarding. Once 802.1x auth (EAP) is complete, the other connection is set to active from blocking and the client can begin communication with the network.
Hope that you had already solved your problem, but if not then try to create int BVI11 with empty config beneath. I am not joking. There's a misbehaviour observed with VLAN configs like this. Or try to put both user VLANs into separate non-native VLANs and leave native vlan alone.
Just had a look at this. You say that the GUEST SSID associated to VLAN 10 is OK. Well, under your dot11radio0 interface, there is a statement that applies to the encryption mode to be used for VLAN 11, but none for VLAN 10. Hence, it may well be that the GUEST SSID VLAN is not being encrypted and, therefore, no encryption mismatch issues, therefore all traffic passes without issue.
I have seen issues where association to the AP was fine, but could not pass traffic, as there was an encryption mismatch.
I would suggest turning off all encryption, test that. If that works, then check that the clients support the encryption method that you want to implement. But to start with, it is worth just turning on static WEP to initialise the radio interface and make sure that works.
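The check described in the reply above (an encryption statement for one VLAN but none for the other), as an added example that is not part of the original thread: a Python audit of a 12.2-style AP configuration, where SSIDs are defined under the radio interface. The sample configuration is constructed, not the poster's, and the function name `audit_ssid_vlans` is hypothetical.

```python
import re

# Constructed sample in Cisco IOS AP syntax; not the poster's actual configuration.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 encryption vlan 11 mode ciphers tkip
 ssid GUEST
    vlan 10
    authentication open
 ssid Engineer
    vlan 11
    authentication network-eap eap_methods
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 bridge-group 11
!
"""

def audit_ssid_vlans(config):
    """Return {ssid: {"vlan", "encryption", "radio_subif"}} for each SSID-to-VLAN mapping."""
    ssid_vlan, enc, subifs = {}, {}, set()
    iface = ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends any ssid block
            ssid = None
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
            continue
        if m := re.match(r"ssid (\S+)", line):
            ssid = m.group(1)
        elif (m := re.match(r"vlan (\d+)$", line)) and ssid:
            ssid_vlan[ssid] = int(m.group(1))
        elif m := re.match(r"encryption vlan (\d+) mode (.+)", line):
            enc[int(m.group(1))] = m.group(2)   # per-VLAN cipher or WEP mode
        elif (m := re.match(r"encapsulation dot1Q (\d+)", line)) and iface and iface.startswith("Dot11Radio"):
            subifs.add(int(m.group(1)))         # radio subinterface tagging this VLAN
    return {s: {"vlan": v, "encryption": enc.get(v), "radio_subif": v in subifs}
            for s, v in ssid_vlan.items()}
```

An SSID whose `encryption` value comes back as `None` has no per-VLAN encryption statement, which is the asymmetry the reply points out between VLAN 10 and VLAN 11.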