WGB with EAP-FAST in UWNS

In this post we will see how to configure a WGB (workgroup bridge) for WPA2 with 802.1X EAP-FAST authentication in a Unified Wireless Network Solution.

I have a lightweight AP (AP001) joined to WLC1 in local mode.

The DHCP server for VLAN 80 is configured on the core switch.

The WGB and its wired client will get IP addresses in VLAN 80.

Here is my topology:

WGB ~~~~~(wireless)~~~~~ LAP -------- Switch -------- WLC

[Screenshot: Fast1]

WLC Configuration:

First we configure a WLAN “Test” with the WPA2 policy and 802.1X authentication key management.

[Screenshot: Fast2]

[Screenshot: Fast3]

Next we create an EAP profile “WGB_TEST” and assign it to the WLAN for EAP-FAST authentication.

[Screenshot: Fast4]

[Screenshot: Fast5]

We must also set the authentication priority order for Local EAP.

[Screenshot: Fast6]

To finish the WLC configuration, we create a local net user (username and password) that the WGB will authenticate with, and restrict this user to the specific WLAN.

[Screenshot: Fast7]

WGB Configuration:

Here is the configuration of the WGB with EAP-FAST.

hostname WGB
!
dot11 ssid Test
 vlan 80
 authentication open eap eap_FAST
 authentication network-eap eap_FAST
 authentication key-management wpa version 2
 dot1x credentials WGB_FAST
 dot1x eap profile WGB_TEST
!
eap profile WGB_TEST
 method fast
!
dot1x credentials WGB_FAST
 username testuser
 ! "password 7" is the reversible type-7 encoding, so treat this config and its backups as sensitive
 password 7 15060E1F107B79777C66
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 encryption vlan 80 mode ciphers aes-ccm
 ssid Test
 station-role workgroup-bridge
!
interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
ip default-gateway 10.35.80.254
! The next line adds a permanent entry for the wired client's MAC address to the WGB bridge table
bridge 1 address 588d.0903.e31c forward fastethernet0.80

Just after completing the configuration we will see this message on the WGB CLI:

*Jul 24 01:53:14.255: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [EAP-FAST WPAv2]
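A WGB configuration like the one above only works when the ssid, its EAP profile, its dot1x credentials and the radio's cipher all reference each other consistently. The following script is an added example (not part of the post or of Cisco IOS) that cross-checks those references in a trimmed, constructed copy of the configuration; the type-7 string is a placeholder for the value in the post.

```python
# Constructed sample from this post's WGB config (trimmed; type-7 string is a placeholder)
WGB_CONFIG = """\
dot11 ssid Test
 vlan 80
 dot1x credentials WGB_FAST
 dot1x eap profile WGB_TEST
!
eap profile WGB_TEST
 method fast
!
dot1x credentials WGB_FAST
 username testuser
 password 7 TYPE7-STRING-FROM-CONFIG
!
interface Dot11Radio1
 encryption vlan 80 mode ciphers aes-ccm
 ssid Test
"""

def parse_blocks(config: str) -> dict:
    # Group an IOS config into {top-level line: [indented child lines]}
    blocks, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur:
            blocks[cur].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            cur = raw.strip()
            blocks[cur] = []
    return blocks

def lint_wgb(config: str) -> list:
    # Cross-check every dot11 ssid against the EAP profile, credentials and radio it relies on
    b, findings = parse_blocks(config), []
    for hdr, lines in b.items():
        if hdr.startswith("dot11 ssid "):
            name = hdr.split()[2]
            arg = lambda p: next((l[len(p):] for l in lines if l.startswith(p)), "")
            vlan, prof, cred = arg("vlan "), arg("dot1x eap profile "), arg("dot1x credentials ")
            if "method fast" not in b.get(f"eap profile {prof}", []):
                findings.append(f"ssid {name}: eap profile {prof!r} missing or without 'method fast'")
            creds = b.get(f"dot1x credentials {cred}")
            if creds is None:
                findings.append(f"ssid {name}: dot1x credentials {cred!r} not defined")
            elif any(l.startswith("password 7 ") for l in creds):
                findings.append(f"credentials {cred}: type-7 password is reversible, protect config backups")
            for r, rl in b.items():  # each radio carrying this ssid needs a matching aes-ccm cipher
                if (r.startswith("interface Dot11Radio") and f"ssid {name}" in rl
                        and f"encryption vlan {vlan} mode ciphers aes-ccm" not in rl):
                    findings.append(f"{r}: no aes-ccm cipher for vlan {vlan}")
    return findings
```

Running `lint_wgb(WGB_CONFIG)` on the sample returns only the type-7 note; breaking any reference (wrong profile name, wrong cipher) adds a finding.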

Verification:

WGB#sh dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [Test] :
MAC Address    IP address      Device        Name            Parent         State
0022.bd98.3a3d 10.35.80.1      LWAPP-Parent  AP001           -              EAP-Assoc

WGB#sh dot11 associations 0022.bd98.3a3d
Address           : 0022.bd98.3a3d     Name             : AP001
IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
Device            : LWAPP-Parent       Software Version : NONE
CCX Version       : 5                  Client MFP       : On
State             : EAP-Assoc          Parent           : -
SSID              : Test
VLAN              : 80
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 36.0               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75  dBm           Connected for    : 221 seconds
Signal to Noise   : 22  dB             Activity Timeout : 13 seconds
Power-save        : Off                Last Activity    : 2 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 20799              Packets Output   : 1663
Bytes Input       : 3847215            Bytes Output     : 180188
Duplicates Rcvd   : 0                  Data Retries     : 812
Decrypt Failed    : 0                  RTS Retries      : 18
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0

(WLC1) >show wgb summary
WGB Vlan Client Support.......................... Enabled
Number of WGBs................................... 1
MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
-----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0

(WLC1) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A

(WLC1) >show client detail 58:8d:09:03:e3:1c
Client MAC Address............................... 58:8d:09:03:e3:1c
Client Username ................................. testuser
AP MAC Address................................... 00:22:bd:98:3a:30
AP Name.......................................... AP001
Client State..................................... Associated
Client NAC OOB State............................. Access
Workgroup Bridge................................. 0 client(s)
Wireless LAN Id.................................. 3
BSSID............................................ 00:22:bd:98:3a:3d
Connected For ................................... 308 secs
Channel.......................................... 36
IP Address....................................... 10.35.80.110
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 86111
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... OFF
Current Rate..................................... 54.0
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
............................................. 48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
EAP Type......................................... EAP-FAST
Interface........................................ management
VLAN............................................. 80
Quarantine VLAN.................................. 0
Access VLAN...................................... 80
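The fields in the WLC's `show client detail` output that prove the WGB session is what we intended are Policy Type, Authentication Key Management, Encryption Cipher, EAP Type and Management Frame Protection. The following script is an added example (not part of the post or of the WLC software) that parses the dotted-leader output, including the wrapped Supported Rates line, and reports any field that differs from the expected WPA2/802.1x EAP-FAST values; the sample output is a constructed excerpt of the post's output.

```python
import re

# Constructed sample: the security-relevant lines of the WLC 'show client
# detail' output in this post (the real output has many more fields).
SHOW_CLIENT_DETAIL = """\
Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
............................................. 48.0,54.0
Security Policy Completed........................ Yes
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
EAP Type......................................... EAP-FAST
VLAN............................................. 80
"""

# What a correctly built WPA2/802.1x EAP-FAST WGB session must report.
EXPECTED = {
    "Security Policy Completed": "Yes",
    "Policy Type": "WPA2",
    "Authentication Key Management": "802.1x",
    "Encryption Cipher": "CCMP (AES)",
    "Management Frame Protection": "Yes",
    "EAP Type": "EAP-FAST",
    "VLAN": "80",
}

# "Key....... value"; a line that is only dots is a wrapped continuation.
LINE_RE = re.compile(r"^\s*(?P<key>.*?)\s*\.{2,}\s*(?P<val>.*?)\s*$")

def parse_client_detail(text: str) -> dict:
    """Parse dotted-leader output; continuation lines append to the last key."""
    fields, last = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key:
            fields[key], last = val, key
        elif last:
            fields[last] += val
    return fields

def check_wgb_session(text: str, expected: dict = EXPECTED) -> list:
    """One entry per expected field that is missing or differs; empty list means OK."""
    fields = parse_client_detail(text)
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in expected.items() if fields.get(k) != v]
```

Feed it the real `show client detail` output of each WGB and an empty list means the session negotiated exactly what the WLAN was configured for.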



1 Comment

  1. I’m impressed, I must say. Rarely do I come across a blog
    that’s equally educative and engaging, and without a doubt, you’ve
    hit the nail on the head. The problem is something too few people are speaking intelligently about.
    I’m very happy I found this during my hunt for something relating
    to this.
