I'm having trouble getting my guest network up. I have VLAN 1 that contains all our network resources (servers, desktops, printers, etc). I have the wireless configured to use VLAN1 but authenticate with wpa2 enterprise. The guest network I just wanted to be open or configured with a simple WPA2 personal password on it's own VLAN2. I've looked at tons of documentation and it should be working but I can't even authenticate on the guest network! I've posted this on cisco's support forum a week ago but no one has really responded. I could really use some help. So if anyone could take a look at the configurations I posted and steer me in the right direction I would be extremely grateful.

Thank you!

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ESI

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone EST -5

clock summer-time EDT recurring

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-3369945891

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3369945891

revocation-check none

rsakeypair TP-self-signed-3369945891

!

!

crypto pki certificate chain TP-self-signed-3369945891

certificate self-signed 01

(cert is here) quit

ip source-route

!

!

ip dhcp excluded-address 192.168.1.1

ip dhcp excluded-address 192.168.1.5

ip dhcp excluded-address 192.168.1.2

ip dhcp excluded-address 192.168.1.200 192.168.1.210

ip dhcp excluded-address 192.168.1.6

ip dhcp excluded-address 192.168.1.8

ip dhcp excluded-address 192.168.3.1

!

ip dhcp pool ccp-pool

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 10.171.12.5 10.171.12.37

lease 0 2

!

ip dhcp pool guest

import all

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

dns-server 10.171.12.5 10.171.12.37

!

!

ip cef

no ip domain lookup

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO891W-AGN-A-K9 sn FTX153085WL

!

!

username ESIadmin privilege 15 secret 5 $1$g1..$JSZ0qxljZAgJJIk/anDu51

username user1 password 0 pass !

!

!

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

inspect

class class-default

pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

drop log

class type inspect ccp-protocol-http

inspect

class type inspect ccp-insp-traffic

inspect

class class-default

drop

policy-map type inspect ccp-permit

class class-default

drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group 3000client

key 67Nif8LLmqP_

dns 10.171.12.37 10.171.12.5

pool dynpool

acl 101

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address initiate

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

!

interface GigabitEthernet0

description $FW_OUTSIDE$$ES_WAN$

ip address 10...* 255.255.254.0

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map clientmap

!

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport trunk allowed vlan 1-3,1002-1005

switchport mode trunk

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

crypto map clientmap

!

!

interface Vlan2

description guest

ip address 192.168.3.1 255.255.255.0

ip access-group 120 in

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

!

interface Async1

no ip address

encapsulation slip

!

!

ip local pool dynpool 192.168.1.200 192.168.1.210

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

ip nat inside source list 23 interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 10.165.0.1

!

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 10.165.0.0 0.0.1.255 any

access-list 110 permit ip 192.168.0.0 0.0.5.255 any

access-list 120 remark ESIGuest Restriction

no cdp run

!

!

!

!

!

!

control-plane

!

!

alias exec dot11radio service-module wlan-ap 0 session

Access point

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ESIRouter

!

no logging console

enable secret 5 $1$yEH5$CxI5.9ypCBa6kXrUnSuvp1

!

aaa new-model

!

!

aaa group server radius rad_eap

server 192.168.1.5 auth-port 1812 acct-port 1813

!

aaa group server radius rad_acct

server 192.168.1.5 auth-port 1812 acct-port 1813

!

aaa authentication login eap_methods group rad_eap

aaa authentication enable default line enable

aaa authorization exec default local

aaa authorization commands 15 default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

clock timezone EST -5

clock summer-time EDT recurring

ip domain name ESI

!

!

dot11 syslog

dot11 vlan-name one vlan 1

dot11 vlan-name two vlan 2

!

dot11 ssid one vlan 1

authentication open eap eap_methods

authentication network-eap eap_methods

authentication key-management wpa version 2

accounting rad_acct

!

dot11 ssid two vlan 2

authentication open

guest-mode

!

dot11 network-map

!

!

username ESIadmin privilege 15 secret 5 $1$p02C$WVHr5yKtRtQxuFxPU8NOx.

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid one !

ssid two !

antenna gain 0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.2

encapsulation dot1Q 2

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid one !

antenna gain 0

dfs band 3 block

channel dfs

station-role root

!

interface Dot11Radio1.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

!

interface GigabitEthernet0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0.2

encapsulation dot1Q 2

no ip route-cache

bridge-group 2

no bridge-group 2 source-learning

bridge-group 2 spanning-disabled

!

interface BVI1

ip address 192.168.1.2 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

access-list 10 permit 192.168.1.0 0.0.0.255

radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key ***** bridge 1 route ip