kocur2k4

join:2009-12-20

[HELP] 887V unable to get IP for Guest Wireless

Hi guys, here's the scenario:
An onsite DHCP server hands out IPs to the local LAN. I wish to set up this 887V to act as a DHCP server only for Wireless Guest Clients on VLAN100. I'm able to connect to the AP but get no IP. Any ideas?

SH RUN


Router#sh run
Building configuration...

Current configuration : 4688 bytes
!
! Last configuration change at 20:40:34 UTC Wed Nov 21 2012
! NVRAM config last updated at 19:37:33 UTC Wed Nov 21 2012
! NVRAM config last updated at 19:37:33 UTC Wed Nov 21 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 password
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2791270254
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2791270254
revocation-check none
rsakeypair TP-self-signed-2791270254
!
!
crypto pki certificate chain TP-self-signed-2791270254
certificate self-signed 01
quit
ip source-route
ip cef
!
!
!
!
ip dhcp pool GUEST
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8
lease 0 2
!
!
no ip domain lookup
ip domain name domain.local
no ipv6 cef
!
!
license udi pid C887VA-W-A-K9 sn FTX160381M6
!
!
username admin privilege 15 password 0 password
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
no ip address
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Vlan100
description GUEST
ip address 192.168.100.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username user@email.com password 0 password
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.35.200 25 interface Dialer0 25
ip nat inside source static tcp 192.168.35.200 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 23 permit 192.168.35.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.35.0 0.0.0.225 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.35.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 3
transport input all
line vty 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Router#


SH RUN from AP


ap#sh run
Building configuration...

Current configuration : 1978 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging rate-limit console 9
enable secret 5 password
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid GUEST
vlan 100
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 050C130A32581C594857
!
!
!
username admin privilege 15 secret 5 password
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 100 mode ciphers aes-ccm
!
broadcast-key vlan 100 change 30
!
!
ssid GUEST
!
antenna gain 0
mbssid
channel 2412
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 subscriber-loop-control
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface BVI1
ip address 192.168.35.252 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.253
ip http server
no ip http secure-server
ip http help-path »www.cisco.com/warp/public/779/sm···help/eag
ip radius source-interface BVI1
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login
!
end

ap#



Da Geek Kid

join:2003-10-11
kudos:1

nm... This is very tricky, as you have two separate modules talking to each other and the bridge groups are not really matching. Not sure how you got what you have currently. I'd restart from scratch; it'd be quicker. Use the web interface to get you the basics and then tweak it with the command line...


markysharkey
Premium
join:2012-12-20
united kingd
reply to kocur2k4

I think the BVI should have an IP address in the native VLAN subnet.
I also think you need to add Bridge 100 route IP to the config and remove the line in access-list 101 that denies the 100 subnet access to the native VLAN, but I'll stand to be corrected on that.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to kocur2k4

Is this an 887V or an 887V-W model of router, just to clarify?

Regards


markysharkey
Premium
join:2012-12-20
united kingd
reply to kocur2k4

I also note you have MBSSID configured. I've found when using autonomous Access Points (1142s or 1242s), if you only have a single SSID running, configuring MBSSID can cause it to not work.


ladino

join:2001-02-24
USA
kudos:1
reply to kocur2k4

To fix your wifi issue, as markysharkey mentioned, the BVI IP address needs to be on the 192.168.100.0 subnet.

Other things you need to look at...
- ACL 101 needs to be redone, permit in the middle of the ACL. Remove & re-add it correctly
- ACL 100 does not include the wifi subnet, so they will have no internet access
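
The two ACL points in the last reply can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit that applies first-match semantics to the `access-list` lines from the posted router config. The function names are illustrative, and the parser assumes only the `access-list N action ip src dst` form used in that config.

```python
import ipaddress

# access-list lines copied from the router config posted in this thread
ACL_LINES = """\
access-list 100 permit ip 192.168.35.0 0.0.0.225 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.35.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _spec(tokens):
    """Consume 'any' or '<addr> <wildcard>'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr & ~wild & 0xFFFFFFFF, wild), tokens[2:]

def parse(text):
    """Group entries by ACL number, preserving their configured order."""
    acls = {}
    for line in text.splitlines():
        _, num, action, _proto, *rest = line.split()
        src, rest = _spec(rest)
        dst, _ = _spec(rest)
        acls.setdefault(num, []).append((action, src, dst, line))
    return acls

def covers(a, b):
    """True if spec a matches every address that spec b matches."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    care = ~a_wild & 0xFFFFFFFF          # bits that spec a actually compares
    return (b_wild & care) == 0 and (a_addr & care) == (b_addr & care)

def shadowed(rules):
    """Entries that can never match because an earlier entry covers them."""
    return [later[3] for i, later in enumerate(rules)
            if any(covers(e[1], later[1]) and covers(e[2], later[2])
                   for e in rules[:i])]

def permits_source(rules, cidr):
    """True if a single permit entry's source spec covers the whole subnet."""
    net = ipaddress.ip_network(cidr)
    spec = (int(net.network_address), int(net.hostmask))
    return any(a == "permit" and covers(src, spec) for a, src, _, _ in rules)

if __name__ == "__main__":
    acls = parse(ACL_LINES)
    print(shadowed(acls["101"]), permits_source(acls["100"], "192.168.100.0/24"))
```

Run against the posted lines, it flags the last ACL 101 entry as unreachable behind `permit ip any any` and reports that no ACL 100 permit covers 192.168.100.0/24. It also shows that the `0.0.0.225` wildcard on the first ACL 100 entry does not cover all of 192.168.35.0/24.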