Month: October 2014

Passive Client Feature

In this post we will learn about the passive client feature.

My Real Problem Scenario:

For the last 2 weeks I have been facing a problem with a device connected behind a WGB. This device has a static IP address.

I tried it 2 weeks ago and it was working, but now it’s not. I don’t know what was wrong.

So on one hand it is working (at one place) – did not enable passive client, still working

On the other hand it’s not working (at another location) – enabled passive client and it’s working

So let’s dive deep into this topic:

What is a passive client?

Passive clients are wireless devices, such as printers and machines, that are configured with a static IP address. These clients do not transmit any IP information when they associate with an AP. As a result, the WLC never learns their IP address unless they use DHCP.

Points to Remember:

  • This feature is not supported with AP groups and HREAP (Flex-Connect) centrally switched WLANs.
  • This feature works in multicast-multicast and multicast-unicast modes. The controller sources the multicast packets using its management IP address.
  • Earlier it was only supported on Cisco 5500 and Cisco 2100 Series Controllers, but now the 2504 WLC is also supported.

WLCs act as a proxy for ARP requests. Upon receiving an ARP request, the controller responds with an ARP response instead of passing the request directly to the client. This scenario has two advantages:

  • The upstream device that sends out the ARP request to the client will not know where the client is located.
  • Power for battery-operated devices such as mobile phones and printers is preserved because they do not have to respond to every ARP request.

The passive client feature enables the ARP requests and responses to be exchanged between wired and wireless clients. This feature, when enabled, allows the controller to pass ARP requests from wired to wireless clients until the desired wireless client gets to the RUN state.

How to configure:

  • Enable multicast-multicast mode
  • Enable the global multicast mode
  • Enable the passive client feature

Via GUI:

Enable Multicast-Multicast mode:

Go to Controller > General, select the AP Multicast Mode, enter the Multicast Group IP address, and then click Apply.

[Image: Passive1]

Enable the Global Multicast Mode:

Choose Controller > Multicast, select both check boxes, and then click Apply.

[Image: Passive2]

Enable the Passive Client Feature:

Choose WLANs > WLANs > WLAN ID to open the WLANs > Edit page

Go to the Advanced tab, select the Passive Client check box, and then click Apply.

[Image: Passive3]

Via CLI:

Enable multicast-multicast mode:

(WLC1) >config network multicast ?
 global         Enter mode.
 igmp           Igmp paratemers set
 l2mcast        Configuration of L2 Multicast
 mode           Configure WLC to AP Multicast/Broadcast traffic forwarding mode.
(WLC1) >config network multicast mode ?
 multicast      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast ?
 <IP addr>      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast 239.239.35.1

Enable the global multicast mode:

(WLC1) >config network multicast global ?
 enable         Enables this setting.
 disable        Disables this setting.
(WLC1) >config network multicast global enable
(WLC1) >config network multicast igmp ?
 query          Igmp Query paratemers set
 snooping       Igmp snooping configuration
 timeout        Igmp timeout set
(WLC1) >config network multicast igmp snooping ?
 enable         Enable Igmp snooping
 disable        Disable Igmp snooping
(WLC1) >config network multicast igmp snooping enable

Enabling the Passive Client Feature:

(WLC1) >config wlan passive-client enable ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLC1) >config wlan disable 8
(WLC1) >config wlan passive-client ?
 disable        Disable passive-client feature on a WLAN.
 enable         Enable passive-client feature on a WLAN.
(WLC1) >config wlan passive-client enable 8

Verification:

(WLC1) >show wlan 8
 .
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. test
 .
 .
 .
 IPv6 Support..................................... Disabled
 Passive Client Feature........................... Enabled
 Peer-to-Peer Blocking Action..................... Disabled
(WLC1) >

That’s all, now my Passive device is working 🙂

Customized Webauth Page Error

In this post we will learn how to tar the webauth bundle and which software to use to create the archive.

Today I spent almost 3 hours trying to upload the webauth bundle to the WLC.

I tried to create the tar file using this software:
1. Power Archiver
2. 7 Zip
3. Winzip

But that always gave me this error:

[Image: Cuwebauth1]

I tried with both of the above-mentioned programs, but that didn’t work. It shows that there is something wrong with the tar file.

There are some limitations with custom webauth that vary with versions and bugs. Things to watch for include:

***The .tar file size (no more than 1Mb)
***The number of files in the .tar (I did not find a single document which shows the max number of files in a .tar file)
***The filename length of the files (should be no more than 30 characters)

I have these files in my .tar:

[Image: Cuwebauth2]

***I had an evaluation copy of PicoZip earlier and it worked for me, but it has now expired. (So if you have it I think it will/should work; at least it worked for me.)

But frankly speaking, I don’t believe that any Windows-based software will work.

As I already said, today I wasted almost 3 hours getting it to work.
The magic software through which I finally got it working is Cygwin (it worked for me like a charm).

It can be downloaded from here: https://cygwin.com/install.html

How to use this:
I am not good at Linux, but what I used here are very basic commands.

1. Make a directory

RSCCIEW ~
 $ mkdir webauth

2. Put all the files under this directory

[Image: Cuwebauth3]

3. Then change to this directory

RSCCIEW ~
 $ cd webauth

Check which files are under this directory:

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html yourlogo.jpg

4. Now start archiving into .tar format

RSCCIEW ~/webauth
 $ tar -cvf testwebauth.tar *
 aup.html
 failed.html
 login.html
 logout.html
 yourlogo.jpg

5. Verify that the .tar file is in the directory

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html testwebauth.tar yourlogo.jpg
RSCCIEW ~/webauth
 $

That’s it.
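An added example, not part of the original post: the archive steps above as a script that also checks the result against the size and filename-length limits listed earlier. Reading "1Mb" as 1 MiB and the top-level layout check are assumptions, and the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the bundle as in steps 1-5
# and check it against the limits listed earlier in the post.
MAX_BYTES=1048576   # assumption: the post's "1Mb" limit read as 1 MiB
MAX_NAME_LEN=30     # filename length limit from the post

# build_bundle SRC_DIR OUT_TAR
# Same as `cd SRC_DIR; tar -cf OUT_TAR *`. OUT_TAR must be an absolute path
# outside SRC_DIR so the archive does not try to include itself.
build_bundle() {
    ( cd "$1" && tar -cf "$2" -- * )
}

# check_bundle TAR_FILE: prints one line per problem; returns 0 if none found.
check_bundle() {
    bundle=$1; problems=0
    names=$(tar -tf "$bundle" 2>/dev/null) || {
        echo "FAIL: $bundle is not a readable tar archive"; return 1; }
    size=$(wc -c < "$bundle" | tr -d ' ')
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "FAIL: archive is $size bytes (limit $MAX_BYTES)"; problems=1
    fi
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "${#name}" -gt "$MAX_NAME_LEN" ]; then
            echo "FAIL: $name is ${#name} characters (limit $MAX_NAME_LEN)"; problems=1
        fi
        # Assumption: entries should sit at the top level, as in the archive
        # the steps above produce (no folder prefix).
        case $name in
            */*) echo "FAIL: $name is inside a folder"; problems=1 ;;
        esac
    done <<EOF
$names
EOF
    return "$problems"
}

# Demo on constructed placeholder files named like the ones in the post.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/webauth"
    for f in aup.html failed.html login.html logout.html yourlogo.jpg; do
        echo "constructed sample" > "$work/webauth/$f"
    done
    build_bundle "$work/webauth" "$work/testwebauth.tar" &&
        check_bundle "$work/testwebauth.tar" && echo "bundle OK"
    result=$?
    rm -rf "$work"
    return "$result"
}
demo
```

Running the check before the TFTP transfer separates a bundle that breaks one of the listed limits from a problem with the upload itself.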

Now let’s go to the WLC and try to upload this file (testwebauth.tar).

***Don’t forget to put this file in the root directory of the TFTP server

[Image: Cuwebauth4]

[Image: Cuwebauth5]

[Image: Cuwebauth6]

That must/should be successful.

Cisco Load Balancing Feature

In this post we will learn about Load Balancing feature on WLC.

Normally this feature is called Aggressive Load Balancing. It load-balances wireless clients across APs.

In my opinion, it’s a very cool feature to be able to balance client distribution on the wireless network.

Points to Remember:

***Note: Clients are load balanced between access points on the same controller. Load balancing does not occur between access points on different controllers.

***Note: It works at the association phase.

How it works:

When a client tries to associate to a LAP, association response packets are sent to the client with an 802.11 response packet including status code 17. Code 17 indicates that the AP is busy (meaning no more clients can associate to it, so the client should find another AP).

The AP responds with an association response bearing ‘success’ if the AP threshold is not met, and with code 17 (AP busy) if the AP utilization threshold is reached or exceeded and another less busy AP heard the client request.

Now here a problem arises: if the AP discards the request or sends status code 17 to the client, the client has to decide whether to ignore it and still use the same AP. Some client drivers try the same AP again, but most other types of clients try to find another AP. (So this process depends on the vendor drivers; you cannot force them to use a specific AP.)

Global configuration:

Via GUI:

Wireless > Advanced > Load Balancing

[Image: Load-Balance1]

Via CLI:

(WLAN1) >config load-balancing ?
 denial         Configures Aggressive Load Balancing denial count.
 window         Configures Aggressive Load Balancing client window.
(WLAN1) >config load-balancing window ?
 <client count> Number of denials <0 to 20>.
(WLAN1) >config load-balancing denial ?
 <denial count> Number of denials <1-10>.
(WLAN1) >config load-balancing denial 3

Client Window Size: The client window size and the number of clients on the least loaded AP determine the load-balancing threshold value.

Before configuring load balancing, remember the formula. An AP is considered busy once it has a number of associated clients equal to the Client Window Size plus the number of clients on the least loaded AP in the area.

Load-balancing threshold = Client window size + number of clients on the least loaded AP

Example: Suppose I have 3 APs.

AP1: 9 Clients
AP2: 7 Clients
AP3: 4 Clients

As per the last screenshot, my Client Window Size is 5.

As per the formula, the load-balancing threshold is 5 + 4 = 9.

This means that if any new client wants to join AP1, the client will get the status 17 (busy) message; in other words, AP1 is considered busy.

The Maximum Denial Count parameter allows the user to configure the number of times the client associations will be rejected for a particular AP. The Maximum Denial Count can have a value between 0 and 10.
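The association decision described above, written out as an added example (not Cisco's implementation and not code from the original post). It assumes that an AP accepts a client once it has denied that client the configured number of times; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not Cisco code): threshold, status 17 and denial count together.
# Assumption: after max_denials rejections by an AP, that AP accepts the client.

# lb_threshold WINDOW COUNT...: window size + clients on the least loaded AP
lb_threshold() {
    window=$1; shift
    least=$1
    for count in "$@"; do
        if [ "$count" -lt "$least" ]; then least=$count; fi
    done
    echo $((window + least))
}

# assoc_response WINDOW MAX_DENIALS DENIALS_SO_FAR TARGET_COUNT OTHER_COUNT...
# Prints "17" (AP busy) or "success" for a client asking to join the target AP.
# OTHER_COUNT... are the client counts of the other APs that heard the request.
assoc_response() {
    window=$1; max_denials=$2; denied=$3; target=$4; shift 4
    threshold=$(lb_threshold "$window" "$target" "$@")
    less_busy=no
    for count in "$@"; do
        if [ "$count" -lt "$target" ]; then less_busy=yes; fi
    done
    if [ "$target" -ge "$threshold" ] && [ "$less_busy" = yes ] &&
       [ "$denied" -lt "$max_denials" ]; then
        echo 17
    else
        echo success
    fi
}

# retry_sequence WINDOW MAX_DENIALS ATTEMPTS TARGET_COUNT OTHER_COUNT...
# Responses seen by a client whose driver keeps retrying the same AP.
retry_sequence() {
    window=$1; max_denials=$2; attempts=$3; shift 3
    denied=0; responses=""; i=0
    while [ "$i" -lt "$attempts" ]; do
        r=$(assoc_response "$window" "$max_denials" "$denied" "$@")
        responses="$responses$r "
        if [ "$r" = 17 ]; then denied=$((denied + 1)); else break; fi
        i=$((i + 1))
    done
    echo "${responses% }"
}

# The post's example: AP1=9, AP2=7, AP3=4 clients, window 5, denial count 3.
echo "threshold:        $(lb_threshold 5 9 7 4)"
echo "join AP2 (7):     $(assoc_response 5 3 0 7 9 4)"
echo "retrying AP1 (9): $(retry_sequence 5 3 5 9 7 4)"
```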

Configuration Per WLAN Basis:

Via GUI:

WLAN > Advanced > Client Load Balancing

[Image: Load-Balance2]

Via CLI:

(WLAN1) >config wlan load-balance ?
 allow          Allow|Disallow Load Balance on a WLAN.
 (WLAN1) >config wlan load-balance allow  ?
 enable         Allow Load Balance on a WLAN.
 disable        Disallow Load Balance on a WLAN.
(WLAN1) >config wlan load-balance allow  enable 8
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show load-balancing
 Aggressive Load Balancing........................ per WLAN enabling
 Aggressive Load Balancing Window................. 5 clients
 Aggressive Load Balancing Denial Count........... 3
 Statistics
 Total Denied Count............................... 0 clients
 Total Denial Sent................................ 0 messages
 Exceeded Denial Max Limit Count.................. 0 times
 None 5G Candidate Count.......................... 0 times
 None 2.4G Candidate Count........................ 0 times
(WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Enabled
(WLAN1) >

That’s all about this feature 🙂

Cisco Band-Select Feature

In this post we will learn about this feature. Today I faced a problem where a client was continuously trying to connect to 2.4 GHz even though the band was fully congested/fully loaded/full of interference. Then I wondered whether there is a way to force dual-band clients (which support both the 2.4 GHz and 5 GHz frequency ranges) to connect to the 5 GHz radio, searched the Cisco docs and tech notes, and finally came across this feature.

So let’s discuss this feature in detail:

This feature gives dual-band clients the option to join the 5 GHz radio rather than the 2.4 GHz one. As we all know, clients on the 2.4 GHz band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones, as well as co-channel interference from other APs because of the limit of three non-overlapping channels.

We can use this feature to improve overall network performance. Band direction enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point.

Points to Remember:

***Note: Band Select is configurable only when Radio Policy is set to ‘All’.

***Note: Band Select is supported on all types of APs.

***Note: This feature only works when a client first associates to an AP.

***Note: This feature will not start when the AP notices a high client count or high channel utilization.

***Note: This feature only goes in one direction (2.4 GHz → 5 GHz), not the other way (5 GHz → 2.4 GHz). This means it will not load-balance clients on an AP.

How it works:

Cisco accomplishes this by delaying/suppressing the first few 802.11b/g probe frames so that the client will accept the 802.11a probes, because 802.11a will appear to have a quicker response time.

Configuration:

By default it’s disabled.

We can configure this feature globally (Wireless > Advanced > Band Select), and it can also be enabled on a per-WLAN basis (WLAN > Advanced > Client Band Select). This is useful if we want to disable band selection for a specific WLAN or a specific client that is running time-sensitive applications (such as voice).

Enable Globally:

Via GUI:

Wireless > Advanced > Band Select

[Image: Bandselect1]

When configuring the global Band Select features:

  • The cycle count is the number of times a client is denied before being allowed on 2.4 GHz.
  • The cycle period is how much time needs to pass for the next association attempt to be considered a unique attempt.
  • Age Out Suppression: when the clients will be declared “new” again and may have their probe frames delayed/ignored again.
  • Age Out Dual Band: the AP will not respond to a 2.4 GHz probe until a (dual-band) client is no longer marked as dual-band (default is 60 seconds). This is to prevent clients associated on the 5 GHz radio from switching back to the 2.4 GHz radio.
  • The Acceptable Client RSSI is how well a 2.4 GHz client needs to be heard before the AP tries to push it to the 5 GHz band.

Via CLI:

(WLAN1) >config band-select ?
 client-rssi    Sets the client RSSI threshold.
 cycle-count    Sets the Band Select probe cycle count.
 cycle-threshold Sets the time threshold for a new scanning cycle.
 expire         Sets the entry expire.

Enable this feature on a per-WLAN basis:

Via GUI:

WLAN > Advanced > Client Band Select

[Image: Bandselect2]

Via CLI:

(WLAN1) >config wlan  band-select ?
 allow          Allow|Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow ?
 enable         Allow Band Select on a WLAN.
 disable        Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow enable  ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLAN1) >config wlan  band-select allow enable  8
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show band-select
 Band Select Probe Response....................... per WLAN enabling
 Cycle Count................................... 2 cycles
 Cycle Threshold............................... 200 milliseconds
 Age Out Suppression........................... 20 seconds
 Age Out Dual Band............................. 60 seconds
 Client RSSI................................... -80 dBm
 (WLAN1) >
 (WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Disabled
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 (WLAN1) >

That’s all about this feature.

Autonomous AP as Wireless Bridge with Multiple VLAN

In the last post we learned how to set up a root and non-root bridge. In this post we will see the configuration for multiple VLANs on the root and non-root bridge for wireless clients.

The topology is the same as in the last post: Autonomous AP as Wireless Bridge

Again I will use WPA2-PSK to authenticate both WLANs: one WLAN for Root-AP to Wireless-Bridge communication and the other WLAN for clients to authenticate.

We will not spend much time on theory; let’s jump directly to the configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

That’s all for configuration. Now we are ready to test a client for VLAN 81.

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Autonomous AP as Wireless Bridge

In this post we will learn how to configure an AP as a wireless bridge. I tried to find documents on Cisco’s site, but they are very limited.

Let’s learn something about Wireless Bridges.

Here is my Topology:

[Image: Wirelessbridge1]

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device; it connects two or more LANs, which can be in different buildings, through the wireless interface. Wireless bridges provide higher data rates and superior throughput for data-intensive and line-of-sight applications. Wireless bridges eliminate the need for expensive leased lines and fiber-optic cables and are mostly used to connect two sites where a WAN line is either not available or available but expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Points to Remember:

  • The bridge will always connect to the Root-AP via the native VLAN.
  • It can support multiple VLANs (unlike a repeater).

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge Configuration with WPA2 encryption/single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once the configuration is complete, we will see these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate the Wireless-Bridge with LEAP (How to Authenticate with LEAP) or EAP-FAST (How to Authenticate with LEAP), then we have to use the same method as we did for repeaters. Check my old posts on using EAP-FAST or LEAP to authenticate a Repeater, Wireless Bridge, WGB, and Universal WGB.

Autonomous AP as Repeater with EAP-FAST

In the last post we learnt about the LEAP authentication of a Repeater. For more theoretical concepts or must-remember points, please check this link:

Autonomous AP as Repeater with WPA2

Let’s see the configuration of EAP-FAST authentication.

*** In the same way we can authenticate a Bridge or WGB.

Here are the configurations.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info CCIEW
 eapfast server-key primary 7 52B537935F17B2359E1DCA5291705E3E76
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials FAST
 dot1x eap profile FAST
 guest-mode
 infrastructure-ssid
 !
 eap profile FAST
 method fast
 !
 dot1x credentials FAST
 username sandeep
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication of a repeater:

*Dec 17 10:43:53.122: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [EAP-FAST WPAv2]

Client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

That is all about Repeaters 🙂

Autonomous AP as Repeater with LEAP

In the last post we learned about repeater configuration and authentication via WPA2-PSK. Here is the link: Autonomous AP as Repeater with WPA2

In the last post we also covered the basic concepts and theory of repeaters and their usage.

In this post we will directly configure the Root AP/Repeater AP with LEAP authentication.

Here is the configuration of Root and Repeater AP.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 ! Open EAP must also be added for clients which may associate with the Repeater AP.
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials LEAP
 dot1x eap profile LEAP
 guest-mode
 infrastructure-ssid
 !
 eap profile LEAP
 method leap
 !
 dot1x credentials LEAP
 username repeater
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication:

 *Dec 17 10:40:02.500: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [LEAP WPAv2]

Here is the client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 ass
 Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

In the next post we will learn how to authenticate the repeater via EAP-FAST.

Autonomous AP as Repeater with WPA2

In this post we will learn how to configure a repeater to extend our wireless coverage.

To extend or increase the range of our WLAN, we can add a repeater AP to the network. This repeater AP is not physically connected to the WLAN; instead it is placed within radio range of the wired access point and of the clients that access the WLAN.

*** If an AP has two radios, only one can be used as a repeater. We must configure the other as a root radio.

*** A repeater can only connect to a root AP in autonomous mode.

Here is my test lab setup:

Client………..Repeater-AP…………Root-AP——–Switch


When we configure an AP as a repeater, the access point’s Ethernet port does not forward traffic.

*** After our AP is configured as a repeater, it shuts down its Ethernet connection. Any devices connected to the Ethernet port are disconnected from the AP.

Of course we can configure multiple APs as repeaters, but throughput decreases as additional APs are added to the chain, because each repeater must receive and retransmit the packet on the same channel. Because of this, throughput is cut in half for each repeater added.

A repeater AP connects to the root AP which has the best connectivity. But we can specify the AP to which the repeater associates. Setting up a static, specific association between a repeater and a root access point improves repeater performance.

Remembering Points:

  • It’s best to use repeaters to serve clients that do not require high throughput.
  • Cisco AP repeaters work best when clients are Cisco devices. Problems occur when third-party devices try to associate with repeater APs.
  • Ensure the data rates configured on the repeater AP match the data rates of the parent AP.
  • We can’t configure multiple VLANs on repeater access points. Repeater access points support only native VLAN.
  • If the repeater is connected to a root AP that has many BSSIDs, adding or deleting an SSID on the root AP might change the parent MAC address. So after making changes on the root AP, we must check the connectivity between the root AP and the repeater again.

Steps to Configure the AP as Repeater:

  1. Enable Aironet extensions on both the parent and repeater APs. These extensions are enabled by default; they improve the access point’s ability to understand the capabilities of Cisco Aironet client devices associated with the access point.
  2. Set up the SSID under the specific radio {0 or 1}.
  3. Assign the SSID as an infrastructure SSID. This is the SSID the repeater uses to associate to the root AP.

The infrastructure SSID must be assigned to the native VLAN. If more than one VLAN is created on an AP, an infrastructure SSID cannot be assigned to a non-native VLAN. The following message appears when the infrastructure SSID is configured on non-native VLAN:

ap(config-ssid)#infrastructure-ssid optional
 Dot11Radio0: SSID Test must be configured as native-vlan before enabling infrastructure-ssid
ap(config-ssid)#

*** The “optional” argument allows regular clients to associate as well.

  4. Establish this AP’s role as a repeater by using this command: station-role repeater
  5. We can enter MAC addresses for up to four parents. If the repeater fails to associate to the first parent, it moves to the next on the list. We can enter a timeout, which establishes how long the repeater tries to associate to a parent before it moves to the next.

 

Root AP/Repeater Configuration with WPA2 encryption.

On Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 104D000A061843595F
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache

Repeater-AP:

hostname Repeater-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache

Once the configuration is complete, we will see these logs:

*Oct 6 09:23:28.003: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Repeater-AP 2894.0fa8.a594 Associated KEY_MGMT[WPAv2 PSK]

Now let’s connect a client to the repeater AP and see its status:

Root-AP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address   IP address     Device       Name           Parent         State
 2894.0fa8.a594 10.35.80.111   ap1240-Rptr   Repeater-AP     self           Assoc
 5426.963e.4bee 10.35.80.108   Rptr-client   -               2894.0fa8.a594 Assoc
Root-AP#

If we want to fix the repeater so that it associates to specific root APs, we can use the “parent <1-4> mac-address [timeout]” command under the radio interface of the repeater. A maximum of 4 parent MAC addresses is allowed. In our case we have only one Root-AP.

Also we can enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Timeout value varies from 0 to 65535 seconds.

Here is the command:

Repeater-AP#conf t
Repeater-AP(config)#interface Dot11Radio0
Repeater-AP(config-if)#parent 1 003a.9914.1370
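
The repeater rules stated in this post (infrastructure SSID on the native VLAN, native VLAN only, parent slots 1 to 4, timeout 0 to 65535) can be checked against a saved config before it is deployed. This is an added example, not part of the original post; `check_repeater` and both sample configs are constructed for illustration.

```python
import re

# Constructed sample in the style of the repeater config above (900 s timeout is made up).
GOOD = """\
dot11 ssid RSCCIEW
 vlan 80
 infrastructure-ssid
!
interface Dot11Radio0
 ssid RSCCIEW
 station-role repeater
 parent 1 003a.9914.1370 900
!
interface Dot11Radio0.80
 encapsulation dot1Q 80 native
"""
# Constructed faulty variant: second SSID, infrastructure SSID moved to VLAN 81, parent slot 5.
BAD = ("dot11 ssid GUEST\n vlan 80\n!\n"
       + GOOD.replace(" vlan 80", " vlan 81").replace("parent 1", "parent 5"))

def check_repeater(cfg):
    """Check one repeater running-config against the rules in this post."""
    ssids, native, parents, role, ctx = {}, set(), [], None, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("dot11 ssid "):
            ctx = ("ssid", line.split()[2])
            ssids[ctx[1]] = {"vlan": None, "infra": False}
        elif line.startswith("interface "):
            ctx = ("if", line.split()[1])
        elif line == "!" and ctx and ctx[0] == "ssid":
            ctx = None                      # "!" closes the SSID block
        elif ctx and ctx[0] == "ssid":
            if m := re.fullmatch(r"vlan (\d+)", line):
                ssids[ctx[1]]["vlan"] = int(m.group(1))
            elif line.startswith("infrastructure-ssid"):
                ssids[ctx[1]]["infra"] = True
        elif ctx and ctx[0] == "if":
            if m := re.fullmatch(r"encapsulation dot1Q (\d+) native", line):
                native.add(int(m.group(1)))
            elif line.startswith("station-role "):
                role = line.split()[1]
            elif m := re.fullmatch(r"parent (\d+) (\S+)(?: (\d+))?", line):
                parents.append((int(m.group(1)), m.group(3)))
    out = []
    if role != "repeater":
        out.append(f"station-role is {role}, not repeater")
    infra = [n for n, s in ssids.items() if s["infra"]]
    if not infra:
        out.append("no infrastructure-ssid configured")
    for n in infra:
        if ssids[n]["vlan"] not in native | {None}:
            out.append(f"infrastructure SSID {n} is on non-native VLAN {ssids[n]['vlan']}")
    if len({s["vlan"] for s in ssids.values()} - {None}) > 1:
        out.append("more than one VLAN on a repeater")
    for idx, timeout in parents:
        if not 1 <= idx <= 4:
            out.append(f"parent index {idx} outside 1-4")
        if timeout and int(timeout) > 65535:
            out.append(f"parent {idx}: timeout {timeout} above 65535")
    return out
```
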

In the next post we will see repeater authentication via LEAP.

Redundant WDS devices

To see how to configure an AP as a WDS device, check this link: Configure WDS via CLI

Configuring the infrastructure AP as a backup WDS device uses the same procedure as in the last post.

Steps:

  1. First we have to add the WDS-Client AP as a NAS on the primary AP’s RADIUS server so it can request authentication.
  2. Configure the RADIUS and infrastructure server settings (same as the previous post).

Let’s start:

Only one line is needed on WDS-AP:

WDS-AP(config-radsrv)#nas 10.35.80.111 key cisco123

Then we have to configure the RADIUS and WLCCP parameters on the WDS-Client AP.

aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp wds priority 250 interface BVI1

This WDS is configured with a lower priority of 250 because the other AP (WDS-AP) has 254. Now let’s take a look at the results.

Now check the WDS status on both APs:

WDS-AP:

WDS-AP#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
WDS-AP#
WDS-AP#sh wlccp wds
 MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
 Interface BVI1, State: Administratively StandAlone - ACTIVE
 AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#

 

WDS-Client AP:

WDS-Client#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds
 MAC: 2894.0fa8.a594, IP-ADDR: 10.35.80.111   , Priority: 250
 Interface BVI1, State: BACKUP
 Currently ACTIVE WDS - MAC: 588d.0903.e31c, Priority: 254, IP-ADDR: 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
 WDS-Client#

Now we will configure both APs to provide service to clients.

WDS-AP Configuration:

hostname WDS-AP
 !
 aaa new-model
 !
 aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_infra group Infra
 aaa authentication login method_client group Client
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.35.80.110 key 7 13061E010803557878
 nas 10.35.80.111 key 7 1511021F07257A767B
 user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
 user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
 !
 wlccp ap username wds password 7 05080F1C2243
 wlccp authentication-server infrastructure method_infra
 wlccp authentication-server client any method_client
 ssid RSCCIEW
 wlccp wds priority 254 interface BVI1

WDS-Client Configuration:

hostname WDS-Client
 !
 aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client1
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 aaa authentication login method_client1 group Client1
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client1
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 121A0C0411045D5679 
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp authentication-server client any method_client1
 ssid RSCCIEW
 wlccp wds priority 250 interface BVI1
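
A backup WDS is rarely exercised, so mistakes in its config tend to surface only at failover. The sketch below is an added example, not part of the original post: it cross-checks a set of WDS configs for `wlccp authentication-server` lines that name an undefined method list, for WDS candidates missing from the local RADIUS server's `nas` list, and for equal priorities. The function names, sample configs and `EXAMPLE-KEY` are constructed, and treating equal priorities as a finding is an assumption based on the post's use of 254 and 250.

```python
import re

# Constructed configs in the style of this post; EXAMPLE-KEY is a placeholder.
PRIMARY = """\
aaa authentication login method_infra group Infra
interface BVI1
 ip address 10.35.80.110 255.255.255.0
radius-server local
 nas 10.35.80.110 key EXAMPLE-KEY
wlccp authentication-server infrastructure method_infra
wlccp wds priority 254 interface BVI1
"""
BACKUP = """\
aaa authentication login method_Infra group Infrastructure
aaa authentication login method_client1 group Client1
interface BVI1
 ip address 10.35.80.111 255.255.255.0
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client any Client1
wlccp wds priority 250 interface BVI1
"""

def facts(cfg):
    """Extract the WDS-relevant statements from one running-config."""
    find = lambda pat: re.findall(pat, cfg, re.M)
    prio = find(r"^\s*wlccp wds priority (\d+)")
    addr = find(r"^\s*interface BVI1\s*\n\s*ip address (\S+)")
    return {
        "methods": set(find(r"^\s*aaa authentication login (\S+) ")),
        "refs": find(r"^\s*wlccp authentication-server "
                     r"(?:infrastructure|client \S+) (\S+)"),
        "nas": set(find(r"^\s*nas (\S+) key ")),
        "priority": int(prio[0]) if prio else None,
        "ip": addr[0] if addr else None,
    }

def audit_wds(configs):
    """configs maps hostname -> config text; returns a list of findings."""
    parsed = {host: facts(cfg) for host, cfg in configs.items()}
    out = []
    for host, f in parsed.items():
        for ref in f["refs"]:
            if ref not in f["methods"]:
                out.append(f"{host}: wlccp uses undefined method list {ref}")
    # Step 1 of the post: every WDS candidate must be a NAS on the AP
    # that runs the local RADIUS server.
    for srv, sf in parsed.items():
        if not sf["nas"]:
            continue
        for host, f in parsed.items():
            if f["ip"] and f["ip"] not in sf["nas"]:
                out.append(f"{srv}: no nas entry for {host} ({f['ip']})")
    prios = [f["priority"] for f in parsed.values() if f["priority"] is not None]
    if len(prios) != len(set(prios)):
        out.append("WDS priorities are not distinct")
    return out
```
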

This is all we have to configure; now we can set up a connection with a client and test it.

See the client status: the client will authenticate through the primary WDS device.

WDS-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 ac7b.a1d1.c289 10.35.80.106    ccx-client    WDS-AP          self           EAP-Assoc
WDS-AP#
WDS-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : WDS-AP
 IP Address        : 10.35.80.106       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -45  dBm           Connected for    : 14 seconds
 Signal to Noise   : 44  dB            Activity Timeout : 50 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 164                Packets Output   : 45
 Bytes Input       : 32680              Bytes Output     : 9901
 Duplicates Rcvd   : 0                  Data Retries     : 0
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 PMKIDs:
 ED7B7F68446E643F622718DD96A73643
 Session timeout   : 0 seconds
 Reauthenticate in : never
WDS-AP#