Aironet 1130ag Multiple SSID & VLAN Tagging help

Postby Ryan McLean on Thu Jul 08, 2010 10:55 am

Hi,

On my computer I cannot ping the wlan router nor can I authenticate with the secure SSID.
I can connect to the unsecure SSID and reach the internet.

The switchport the router is connected to has trunking enabled for that port. The default vlan on the switch port is 1, though this shouldn't make a difference as all the traffic on the wlan router should be tagged.

Code:
sh run
Building configuration...

Current configuration : 4301 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wifi2
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 172.2.0.64 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
!
aaa session-id common
ip domain name example.com
!
!
dot11 mbssid
dot11 vlan-name MainLAN vlan 2
dot11 vlan-name Internet vlan 3
!
dot11 ssid Secure
   vlan 2
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
dot11 ssid Unsecure
   vlan 3
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 112221122
!
power inline negotiation prestandard source
!
!
username administrator privilege 15 password 7 11221122
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
encryption vlan 3 mode ciphers aes-ccm tkip
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
ssid Secure
!
ssid Unsecure
!
channel 2467
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
!
interface BVI1
ip address 172.2.0.1 255.255.0.0
no ip route-cache
!
ip default-gateway 172.6.21.254
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.2.0.64 auth-port 1645 acct-port 1646 key 7 12352345325
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
transport preferred ssh
transport output all
line vty 0 4
access-class 111 in
transport preferred ssh
transport input all
transport output all
line vty 5 15
access-class 111 in
transport preferred ssh
transport input all
transport output all
!
sntp server 172.2.0.64
sntp broadcast client
end



Thanks in advance..
Ryan
Ryan McLean
 

Re: Aironet 1130ag Multiple SSID & VLAN Tagging help

Postby Nagaraja Thanthry on Thu Jul 08, 2010 10:55 am

I see that your router is configured with a native VLAN of 2 on the interface connecting to the switch. Can you make sure that the native vlan on the switch side is also 2? (The command is "switchport trunk native vlan 2".) It could be that the router is sending vlan 2 traffic untagged and the switch is expecting it to be tagged. Hope this helps.


Regards,
NT
Nagaraja Thanthry
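
The native VLAN mismatch diagnosed above, as an added example that is not part of the original thread: a small Python check that compares the AP's dot1Q subinterfaces with the switch trunk's native VLAN. The AP lines come from the posted config; the switch port snippets and the switch interface name are constructed for illustration.

```python
import re

# AP side: subinterface lines taken from the posted "sh run".
AP_CONFIG = """\
interface FastEthernet0.2
 encapsulation dot1Q 2 native
interface FastEthernet0.3
 encapsulation dot1Q 3
"""

# Switch side: constructed samples; the interface name is hypothetical.
SWITCH_BEFORE = """\
interface FastEthernet0/1
 switchport mode trunk
"""
SWITCH_AFTER = SWITCH_BEFORE + " switchport trunk native vlan 2\n"


def ap_vlans(config):
    """Return (native VLAN or None, set of tagged VLANs) from dot1Q subinterfaces."""
    native, tagged = None, set()
    pattern = r"^[ \t]*encapsulation dot1Q (\d+)( native)?[ \t]*$"
    for vlan, flag in re.findall(pattern, config, re.M):
        if flag:
            native = int(vlan)
        else:
            tagged.add(int(vlan))
    return native, tagged


def switch_native(config):
    """Return the trunk native VLAN; IOS defaults to VLAN 1 when none is set."""
    m = re.search(r"^[ \t]*switchport trunk native vlan (\d+)[ \t]*$", config, re.M)
    return int(m.group(1)) if m else 1


def check_trunk(ap_config, switch_config):
    """Return findings; an empty list means both ends agree on the untagged VLAN."""
    ap_native, ap_tagged = ap_vlans(ap_config)
    sw_native = switch_native(switch_config)
    findings = []
    if ap_native is not None and ap_native != sw_native:
        findings.append(f"AP sends VLAN {ap_native} untagged; switch puts untagged frames in VLAN {sw_native}")
    if sw_native in ap_tagged:
        findings.append(f"AP tags VLAN {sw_native}; switch sends it untagged")
    return findings


if __name__ == "__main__":
    for label, sw in (("before", SWITCH_BEFORE), ("after", SWITCH_AFTER)):
        print(label, check_trunk(AP_CONFIG, sw) or "OK")
```

A non-empty result means frames from one VLAN land in another across the trunk, which is both a connectivity fault and a segmentation gap between the two SSIDs' networks.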
 

Re: Aironet 1130ag Multiple SSID & VLAN Tagging help

Postby Ryan McLean on Thu Jul 08, 2010 10:56 am

No, the default switch side is VLAN 1.

I'll try tweaking it
Ryan McLean
 

Re: Aironet 1130ag Multiple SSID & VLAN Tagging help

Postby Ryan McLean on Thu Jul 08, 2010 10:56 am

That was it..
I feel so stupid I missed that. I had noticed "other" traffic on vlan 1 when I was looking at it, but it never clicked..


Thanks a bunch
Ryan McLean
 

