Cisco 1131 AP & DHCP Issue
  • Cisco 1131 AP & DHCP Issue

    Hi,

    Seeing some strange things happening on a 1131ag WiFi access point: some of the mobile clients are seemingly getting random 10.x.x.x addresses and I've no idea where from, or if they are actually getting them at all.

    ap1#sh dot11 associations

    802.11 Client Stations on Dot11Radio0:

    SSID [WSLOCAL] :

    MAC Address IP address Device Name Parent State
    74de.2b68.c265 192.168.71.6 unknown - self Assoc
    ac81.1244.bc38 192.168.71.4 unknown - self Assoc

    SSID [WSPUB] :

    MAC Address IP address Device Name Parent State
    1474.114e.02fc 192.168.71.69 unknown - self Assoc
    d8b3.77d6.4995 10.98.20.128 unknown - self Assoc

    And the same command run just two seconds later:

    ap1#sh dot11 associations

    802.11 Client Stations on Dot11Radio0:

    SSID [WSLOCAL] :

    MAC Address IP address Device Name Parent State
    74de.2b68.c265 192.168.71.6 unknown - self Assoc
    ac81.1244.bc38 192.168.71.4 unknown - self Assoc

    SSID [WSPUB] :

    MAC Address IP address Device Name Parent State
    1474.114e.02fc 192.168.71.69 unknown - self Assoc
    d8b3.77d6.4995 192.168.71.68 unknown - self Assoc

    And then if I run the command again it may show another random 10.x.x.x IP. This only seems to be happening on the smart phones, and I'm not sure if the address is actually changing on the device or just in the output on the AP.

    AP Config:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no service dhcp
    !
    hostname ap1
    !
    enable secret 5 xxx
    !
    aaa new-model
    !
    !
    aaa authentication login CLI_ACCESS group radius local
    aaa authorization exec CLI_ACCESS group radius if-authenticated
    !
    aaa session-id common
    clock timezone London 0
    clock summer-time GMT+1 recurring last Sun Mar 1:00 last Sun Oct 2:00
    ip domain name ashprojects.local
    !
    !
    ip ssh version 2
    !
    dot11 ssid WSLOCAL
    vlan 40
    authentication open
    authentication key-management wpa version 2
    mbssid guest-mode
    wpa-psk ascii 7 xxx
    !
    dot11 ssid WSPUB
    vlan 30
    authentication open
    authentication key-management wpa version 2
    mbssid guest-mode
    wpa-psk ascii 7 xxx
    !
    power inline negotiation injector override
    power inline negotiation prestandard source
    !
    !
    username admin privilege 15 password 7 x
    !
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 30 mode ciphers aes-ccm
    !
    encryption vlan 40 mode ciphers aes-ccm
    !
    ssid WSLOCAL
    !
    ssid WSPUB
    !
    mbssid
    station-role root
    no dot11 extension aironet
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 3
    bridge-group 3 subscriber-loop-control
    bridge-group 3 block-unknown-source
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    bridge-group 3 spanning-disabled
    !
    interface Dot11Radio0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 4
    bridge-group 4 subscriber-loop-control
    bridge-group 4 block-unknown-source
    no bridge-group 4 source-learning
    no bridge-group 4 unicast-flooding
    bridge-group 4 spanning-disabled
    !
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    no dfs band block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    speed 100
    full-duplex
    !
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.30
    encapsulation dot1Q 30
    no ip route-cache
    bridge-group 3
    no bridge-group 3 source-learning
    bridge-group 3 spanning-disabled
    !
    interface FastEthernet0.40
    encapsulation dot1Q 40
    no ip route-cache
    bridge-group 4
    no bridge-group 4 source-learning
    bridge-group 4 spanning-disabled
    !
    interface BVI1
    ip address 192.168.70.16 255.255.255.192
    no ip route-cache
    !
    ip default-gateway 192.168.70.254
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779...onfig/help/eag
    radius-server host 192.168.70.1 auth-port 1812 acct-port 1813 key xxxxxxx
    radius-server vsa send authentication
    bridge 1 route ip
    !
    !
    !
    line con 0
    transport preferred none
    line vty 0 3
    exec-timeout 30 0
    login authentication CLI_ACCESS
    transport preferred ssh
    transport input ssh
    line vty 4
    exec-timeout 30 0
    login authentication CLI_ACCESS
    transport input ssh
    line vty 5 15
    exec-timeout 30 0
    login authentication CLI_ACCESS
    transport input ssh
    !
    sntp server 192.168.70.1
    end

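A way to spot this kind of flapping automatically, as an added example that is not part of the original post: the script below parses the text of `show dot11 associations`, collects the addresses each client MAC reports across repeated samples, and flags clients whose address changed between samples or fell outside the prefixes the WLAN should be issuing. The expected prefix (192.168.71.0/24 for both SSIDs) is an assumption, since the thread does not state the DHCP scopes; the two sample outputs embedded in the block are the captures from the post.

```python
"""Track client IPs across repeated 'show dot11 associations' samples.

Added example, not code from the thread. Feed it successive copies of the
command output and it reports clients whose address changed or whose address
lies outside the prefixes the WLAN is expected to hand out.
"""
import ipaddress
import re
from collections import defaultdict

# Row format printed by the AP: "<mac> <ip> <device> <name> <parent> <state>";
# the name column shows '-' when empty, MACs are Cisco dotted (xxxx.xxxx.xxxx).
ROW_RE = re.compile(
    r"^\s*(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<device>\S+)\s+(?P<name>\S+)\s+(?P<parent>\S+)\s+(?P<state>\S+)\s*$",
    re.IGNORECASE,
)
SSID_RE = re.compile(r"^\s*SSID \[(?P<ssid>[^\]]+)\]\s*:\s*$")

# Assumed scope for both SSIDs; replace with the real DHCP ranges.
EXPECTED_PREFIXES = ["192.168.71.0/24"]

# The two captures from the thread, two seconds apart.
SAMPLE_1 = """802.11 Client Stations on Dot11Radio0:

SSID [WSLOCAL] :

MAC Address IP address Device Name Parent State
74de.2b68.c265 192.168.71.6 unknown - self Assoc
ac81.1244.bc38 192.168.71.4 unknown - self Assoc

SSID [WSPUB] :

MAC Address IP address Device Name Parent State
1474.114e.02fc 192.168.71.69 unknown - self Assoc
d8b3.77d6.4995 10.98.20.128 unknown - self Assoc
"""
SAMPLE_2 = SAMPLE_1.replace("10.98.20.128", "192.168.71.68")


def parse_associations(text):
    """Return (ssid, mac, ip, state) tuples for every client row in one output."""
    rows, ssid = [], None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            ssid = m.group("ssid")
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append((ssid, m.group("mac").lower(), m.group("ip"), m.group("state")))
    return rows


def analyse(samples, expected_prefixes=EXPECTED_PREFIXES):
    """Collect distinct IPs per MAC over all samples, in order of first sight.

    Returns {mac: {"ips": [...], "unexpected": [...]}} only for clients that
    changed address or reported an address outside expected_prefixes.
    """
    nets = [ipaddress.ip_network(p) for p in expected_prefixes]
    seen = defaultdict(list)
    for text in samples:
        for _ssid, mac, ip, _state in parse_associations(text):
            if ip not in seen[mac]:
                seen[mac].append(ip)
    findings = {}
    for mac, ips in seen.items():
        unexpected = [ip for ip in ips
                      if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if len(ips) > 1 or unexpected:
            findings[mac] = {"ips": ips, "unexpected": unexpected}
    return findings


if __name__ == "__main__":
    for mac, info in analyse([SAMPLE_1, SAMPLE_2]).items():
        print(mac, "ips:", info["ips"], "outside expected scope:", info["unexpected"])
```

Run against the two captures above, only d8b3.77d6.4995 is reported, with both 10.98.20.128 and 192.168.71.68 seen and the 10.x address marked as outside the expected scope. In practice the samples come from polling the AP over SSH every few seconds; a MAC that keeps alternating between two addresses is the case to investigate on the client itself, as later replies in the thread suggest.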

  • #2
    Re: Cisco 1131 AP & DHCP Issue

    Rogue DHCP server out there? I can't see the IPs; looks like it's been cut off when posting.


    What does show arp say?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    Comment


    • #3
      Re: Cisco 1131 AP & DHCP Issue

      Definitely another DHCP server running somewhere on the network. This was happening all the time in our network and we later found out the programming guys were running their own individual routers and sometimes looped the connections back into the domain network.

      Hosts wouldn't auto-configure themselves with a 10. address.

      Comment


      • #4
        Re: Cisco 1131 AP & DHCP Issue

        This is one of the clients that seem to be changing

        d8b3.77d6.4995 10.98.20.128 unknown - self Assoc
        d8b3.77d6.4995 192.168.71.68 unknown - self Assoc

        I don't think I made it clear in my original post, but the strange thing is it seems like clients are bouncing back and forth from the 192.x.x.x to the 10.x.x.x IP. E.g. I can run "sh dot11 associations" 10 times in a row and 3 out of 10 times the IP might show the 10.x.x.x IP. Also it only seems to affect a few SMART phones and never the PCs. Also I'm not 100% sure that the IP is changing on the device or the AP is just displaying some weird info.

        A rogue DHCP server would be an obvious thing to spring to mind, but on VLAN 30 & 40 there is no DHCP server; all requests are forwarded by the router to a server in VLAN 20, and also the random bouncing back and forth wouldn't make sense.

        Comment


        • #5
          Re: Cisco 1131 AP & DHCP Issue

          Do you have a DHCP scope on your DHCP server in that 10.X.X.X range? What about someone with a 3G hotspot? It may be a good idea to block the MAC addresses of the devices this is occurring on. This way, when the user comes complaining that they can't connect, you can take a look at the device. If you don't want to do it via MAC you can use a standard ACL. This will block any host from that 192.168.x.x range. They will however still be able to associate to the AP. The MAC filter will stop them from associating with the AP.

          access-list 700 deny 0040.96a5.b5d4 0000.0000.0000

          dot11 association mac-list 700

          or

          access-list 25 deny 192.168.0.0 0.0.255.255
          access-list 25 permit any


          interface dot11radio0
          ip access-group 25 in
          Last edited by auglan; 1st April 2012, 18:35.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)

          Comment


          • #6
            Re: Cisco 1131 AP & DHCP Issue

            When a host receives a 10.x.x.x address, run ipconfig /all from that host. You will see the IP address of the DHCP server that issued the lease. Ping that DHCP server, then do an arp -a so you can see the MAC address for that DHCP server. Then on your managed switches, do a search for that MAC, find the port, and follow the cable.

            After you clean this up, you may consider implementing port security or some type of MAC learning on your edge switches and only allow one MAC learned per port. If someone changes out a computer, or adds a switch, the port will trip and disable. While this technique adds more admin work, you will easily find people that violate your corporate policies by connecting un-authorized devices.
            JM @ IT Training & Consulting
            http://www.itgeared.com

            Comment
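The hunt described in the reply above can be automated from any host on the affected VLAN. The script below is an added example, not code from the thread or from the poster: it builds a DHCPDISCOVER, parses every DHCPOFFER that comes back (the offered address plus option 54, the server identifier, which is the address to ping and look up with arp -a), and flags any server not on an allow-list. The allow-list entry 192.168.20.10 is a placeholder, since the thread never gives the VLAN 20 server's address; the offline demo uses a constructed offer from a made-up server 10.98.20.1 carrying the 10.98.20.128 lease seen in the thread.

```python
"""Send one DHCPDISCOVER and classify the servers that answer.

Added example, not code from the thread. The offline demo builds a sample
DHCPOFFER itself; probe() does the real broadcast and needs UDP/68 privileges.
"""
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
ZERO4 = b"\x00" * 4
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255

# Placeholder: the address of the DHCP server that is supposed to serve
# VLANs 30 and 40 through the router's relay (not stated in the thread).
AUTHORISED_DHCP_SERVERS = {"192.168.20.10"}


def _packet(op, mac, xid, yiaddr, siaddr, options):
    """Assemble a BOOTP header plus DHCP options with the broadcast flag set."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000, ZERO4,
                         ipaddress.IPv4Address(yiaddr).packed,
                         ipaddress.IPv4Address(siaddr).packed, ZERO4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def build_discover(mac, xid):
    """Client BOOTREQUEST carrying option 53 = DISCOVER."""
    return _packet(1, mac, xid, "0.0.0.0", "0.0.0.0",
                   bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER]))


def build_offer(mac, xid, yiaddr, server_id):
    """Constructed server BOOTREPLY; used only to create offline sample input."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
            + ipaddress.IPv4Address(server_id).packed)
    return _packet(2, mac, xid, yiaddr, server_id, opts)


def parse_options(data):
    """Decode TLV options (0 = pad, 255 = end) into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_reply(pkt):
    """Pull out the fields a rogue-server hunt needs: xid, type, lease, server."""
    if len(pkt) < HEADER_LEN + 4 or pkt[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    opts = parse_options(pkt[HEADER_LEN + 4:])
    # Option 54 names the server that will honour the lease; siaddr is the
    # next-server field and is often zero, so it is only a fallback here.
    sid = opts.get(OPT_SERVER_ID) or f[9]
    return {"xid": f[4],
            "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "server_id": str(ipaddress.IPv4Address(sid))}


def classify(reply, authorised=AUTHORISED_DHCP_SERVERS):
    """'authorised' if the server identifier is on the allow-list, else 'rogue'."""
    return "authorised" if reply["server_id"] in authorised else "rogue"


def probe(timeout=3.0):
    """Broadcast one DISCOVER and return every parsed reply with a matching xid."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = b"\x02" + os.urandom(5)               # locally administered probe MAC
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", 68))
        s.settimeout(timeout)
        s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
        while True:
            try:
                data, _peer = s.recvfrom(1500)
            except socket.timeout:
                break
            try:
                reply = parse_reply(data)
            except ValueError:
                continue
            if reply["xid"] == xid:
                found.append(reply)
    return found


if __name__ == "__main__":
    sample = build_offer(bytes.fromhex("d8b377d64995"), 0x1234ABCD,
                         "10.98.20.128", "10.98.20.1")   # constructed rogue offer
    parsed = parse_reply(sample)
    print(parsed, "->", classify(parsed))
```

Every offer is collected rather than just the first, because a client only ever acts on one of them; the script is what shows that two servers answered. A server_id classified as rogue is the address to ping and resolve with arp -a, after which the MAC lookup on the switches proceeds as the reply describes.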
