Anyone good with Cisco Wireless stuff?

oddjob62 · 27 Mar 2009 at 13:32

Trying to set up 2 SSIDs on 2 VLANS on a 1131AG WAP. Just can't seem to get it to work.

Can someone see any glaringly obvious error in my config? I have looked at quite a few "solution" on the web and they all seem the say that my config should work.

Code:

no aaa new-model
!
!
!
dot11 ssid CANTEENWIFI
   vlan 110
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
dot11 ssid PRIVWIFI
   vlan 401
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
!
username Cisco password 7 xxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 110 mode ciphers tkip
 !
 encryption vlan 401 mode ciphers tkip
 !
 ssid CANTEENWIFI
 !
 ssid PRIVWIFI
 !
 station-role root
!
interface Dot11Radio0.41
 encapsulation dot1Q 401 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
 bridge-group 110 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.41
 encapsulation dot1Q 401 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 no bridge-group 110 source-learning
 bridge-group 110 spanning-disabled
!
interface BVI1
 ip address xx.xx.xx.xx 255.255.255.0
 no ip route-cache
!
ip default-gateway xx.xx.xx.xx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
bridge 1 route ip

thanks in advance for any assistance.

oddjob62 · 27 Mar 2009 at 14:54

Andyt_uk said:

add

Code:

interface Dot11Radio0.110
 encapsulation dot1Q 110
 no ip route-cache
 bridge-group 110
 bridge-group 110 subscriber-loop-control
 bridge-group 110 block-unknown-source
 no bridge-group 110 source-learning
 no bridge-group 110 unicast-flooding
 bridge-group 110 spanning-disabled

but replace all the 110's with 401

I'm not sure what you mean...

- There is already an subinterface set up for the 401 vlan (subint dot11radio0.41)
- Bridge group needs to be 1 because it's the native vlan (so i've read)
- Bridge groups only go up to 255.

oddjob62 · 27 Mar 2009 at 16:29

I wouldn't have thought that would make a difference. the subnet number is usually whatever you want, and it's the "encapsulation dot1Q 401" command that assigns the vlan to the subinterface. I'll give it a go, but it still doesn't explain why the other one doesn't work either.

oddjob62 · 27 Mar 2009 at 16:43

Well it looks like i must take my hat off and salute you sir. However i don't recall ever having to have the subinterface as the same number as the vlan... good thing to know, well... if i ever have to set something like this up from scratch again. Andyt, if you're ever in my neighbourhood, i owe you a few beers. Many thanks

oddjob62 · 27 Mar 2009 at 17:21

Curiosityx said:
Yes the subinterface id should always match the vlan number, appart from that the config looks fine.

Fair enough... think i've only used vlans with subinterfaces once in the past, probably made them the same without realising

oddjob62 · 27 Mar 2009 at 18:13

Curiosityx said:
You are correct the subinterface id doesnt have to match the vlan id, but is both best practise and realy helps when troubleshooting. It can also cause problems that you have been experiencing.

I guess it's a quirk specific to their wireless IOS. I'm just happy that AndyT knew of this quirk and saved me what could have been days of frustration. Now i need to get it working with 802.1x. Andy, i've now got you on forum speed dial just in case

oddjob62 · 27 Mar 2009 at 23:19

Andyt_uk said:
802.1x is where the fun begins...

You using a Cisco ACS box or an alternative? We have a couple of ACS's but i'm in the process of moving them over to use a windows IAS box instead... Tough going so far, should really get around to actually testing my configs

I'm going to jump in to the deep end and try to get NAP working with windows 2008. We are hoping to run this for all our switched network as well (Extreme not Cisco)

Curiosityx: I have already set up the required PKI..... well designed??... we will have to wait and see