So I’m seeing somewhat similar questions but the resolutions are not working for me, so I’m going to go this route.

Have some 2960-X switches that I’m putting Ubiquiti U7 Pro APs onto. New install.

Have 3 VLANs I’m using: 41 (Corp), 65 (AP Management), and 81 (Personal).

The switchport config looks like this:

interface GigabitEthernet2/0/12
 switchport trunk allowed vlan 41,65,81
 switchport trunk native vlan 65
 switchport mode trunk

The AP itself appears to require the native VLAN command, else it goes offline. When I connect to the personal network (WPA2/PSK) it works fine and gets an IP address.
When I connect to the Corporate network, it connects with NPS but doesn’t get an IP address.

When I make a switchport with VLAN 41 it gets an IP address, so the VLAN setup is fine. So I’m fairly certain I just have a problem with the port setup somehow, as the Ubiquiti AP side is pretty basic (create a network with VLAN 41).

It’s just odd to me that I’m “connected” and not getting a DHCP IP address.

Any thoughts?

5 Spice ups

My first thought would be to check the DHCP server that you are using for VLAN 41. Is the SSID configured for the correct DHCP server?

That was my thought too. The SSID is set for the 41 VLAN, which when using the 41 VLAN on a wired connection at the same location gets an IP address.
Short of dropping wireshark on the line I’m not sure how else to see why the DHCP request is seemingly rejected.

1 Spice up

I am more of a Meraki guy and haven’t touched any Ubiquiti APs for a few years. Does Ubiquiti have a report in the dashboard showing device errors? I know that Meraki does - if Ubiquiti does, it would save running a Wireshark.

1 Spice up

New enough to Ubiquiti I may just be looking in the wrong place, but it shows me connected to the wireless network I specify, just with a 169.x IP address. No indication of errors.

1 Spice up

Ubiquiti is untagged on the management traffic, which is why you need the native command. Do you have an IP helper set for the other VLANs?

1 Spice up

Yes. IP helper is set on the VLANs. I’m able to get DHCP just fine on a wired port, just not through the AP, on VLAN 41. The weird thing is I get DHCP on VLAN 81. That’s what’s confusing. The only difference being the wireless network on VLAN 81 is WPA2 PSK, and the wireless network on VLAN 41 is WPA2 enterprise. But on both it is indicating successful authentication, just no IP address on VLAN 41 wirelessly.

1 Spice up

It looks like there may be some logs in Ubiquiti that may help shed some light on this issue for you. https://www.youtube.com/watch?v=kkrf8L69JyI is a video that discusses the logs. I also noticed that there is a firewall log, you may want to check there if you have some firewall rules set.

Thanks. Yeah, that’s where it’s showing me that I’m connected.
Interestingly, when I’m using Wireshark, connected to the VLAN 41 network, I’m seeing my VLAN 65 traffic, which makes me think that it’s not actually assigning it to the VLAN. When I’m on the 81 wireless network, I only see the 81 traffic.

Again, the only difference is the VLAN for the network, and then WPA2 PSK vs WPA2 Enterprise.

1 Spice up

Do you have the switch port that the AP is connected to configured with the VLAN that has your Unifi controller untagged and the other VLANs tagged?

1 Spice up

The switchport has native vlan of 65, with allowed 41,65, and 81 (Cisco Switch). So I believe that makes all of them tagged.

1 Spice up

That’s correct. The “native” VLAN is the untagged VLAN here. Everything else is tagged.

What’s doing the VLAN routing, the switch? If so do you have a VLAN IP assigned on 41? Is that VLAN IP in a subnet covered by a DHCP scope? What’s providing DHCP?

1 Spice up

VLAN routing is on the core switch (2960-X is L2 only). Windows is providing DHCP.

Again, DHCP works fine if you put VLAN 41 on a wired port. The problem is exclusively when I try and have it set with NPS on the AP. Without digging too deep into the Wireshark packets it looks like the Ubiquiti just isn’t tagging correctly when it authenticates, as the DHCP request goes out but doesn’t come back, and once connected it’s seeing broadcast traffic for VLAN 65, the management interface.
So either I need an unconventional setup with the Cisco switch, or things aren’t applying correctly with WPA2 Enterprise as compared to WPA2 PSK.

1 Spice up

On the Unifi side, do you have RADIUS Assigned VLAN support enabled for wireless? If so, Unifi is expecting RADIUS to hand back what VLAN the client should be put on. Try unchecking that and seeing if that works. This is under the RADIUS profile.

1 Spice up

Where are you running Wireshark to see VLAN 65 traffic? On the device connected to the corp SSID?

Are the wireless networks in Unifi exactly the same apart from WPA2 Enterprise vs PSK? i.e. no guest policy/ACLs, the network definitions are VLAN only (third-party router).

If you create a third test SSID with a PSK and assign it to the network definition using VLAN 41, do wifi devices get an IP? If yes, this points the issue directly at the SSID/WPA2. If not, it points to an AP/switch issue.

1 Spice up

You are absolutely spot on. Thank you for that. I guess I was reading it as “supports the ability to have assigning of VLANs via RADIUS” rather than “I’m not expecting you to assign me the VLAN”. Up and working. Cheers!

3 Spice ups