Passive Client Feature

In this post we will learn about the passive client feature.

My Real Problem Scenario:

For the last 2 weeks I have been facing a problem with a device connected behind a WGB. This device has a static IP address.

I tried 2 weeks ago and it was working, but now it’s not. I don’t know what was wrong.

So on one hand it is working (at one place) – did not enable passive client, still working

On the other hand it’s not working (at another location) – enable passive client and it’s working

So let’s deep dive into this topic:

What is passive client?

Passive clients are wireless devices, such as printers and machines, that are configured with a static IP address. These types of clients do not transmit any IP information when they associate with an AP. As a result, the WLC never knows the IP address unless they use DHCP.

Must Remember Points:

  • This feature is not supported with AP groups and HREAP (Flex-Connect) centrally switched WLANs.
  • This feature works in multicast-multicast and multicast-unicast modes. The controller sources the multicast packets using its management IP address.
  • Earlier it was only supported on Cisco 5500 and Cisco 2100 Series Controllers, but now the 2504 WLC is also supported.

WLCs act as a proxy for ARP requests. Upon receiving an ARP request, the controller responds with an ARP response instead of passing the request directly to the client. This scenario has two advantages:

  • The upstream device that sends out the ARP request to the client will not know where the client is located.
  • Power for battery-operated devices such as mobile phones and printers is preserved because they do not have to respond to every ARP request.

The passive client feature enables the ARP requests and responses to be exchanged between wired and wireless clients. This feature, when enabled, allows the controller to pass ARP requests from wired to wireless clients until the desired wireless client gets to the RUN state.

How to configure:

  • Enable multicast-multicast mode
  • Enable the global multicast mode
  • Enable the passive client feature

Via GUI:

Enable Multicast-Multicast mode:

Go to Controller > General, select the AP multicast mode, enter the Multicast Group IP address and then click Apply.

Enable the Global Multicast Mode:

Choose Controller > Multicast, select both boxes and then click Apply.

Enable the Passive Client Feature:

Choose WLANs > WLANs > WLAN ID to open the WLANs > Edit page.

Go to the Advanced tab, select the Passive Client box and then click Apply.

Via CLI:

Enable multicast-multicast mode:

(WLC1) >config network multicast ?
 global         Enter mode.
 igmp           Igmp paratemers set
 l2mcast        Configuration of L2 Multicast
 mode           Configure WLC to AP Multicast/Broadcast traffic forwarding mode.
(WLC1) >config network multicast mode ?
 multicast      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast ?
 <IP addr>      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast 239.239.35.1

Enable the global multicast mode:

(WLC1) >config network multicast global ?
 enable         Enables this setting.
 disable        Disables this setting.
(WLC1) >config network multicast global enable
(WLC1) >config network multicast igmp ?
 query          Igmp Query paratemers set
 snooping       Igmp snooping configuration
 timeout        Igmp timeout set
(WLC1) >config network multicast igmp snooping ?
 enable         Enable Igmp snooping
 disable        Disable Igmp snooping
(WLC1) >config network multicast igmp snooping enable

Enabling the Passive Client Feature:

(WLC1) >config wlan passive-client enable ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLC1) >config wlan disable 8
(WLC1) >config wlan passive-client ?
 disable        Disable passive-client feature on a WLAN.
 enable         Enable passive-client feature on a WLAN.
(WLC1) >config wlan passive-client enable 8

Verification:

(WLC1) >show wlan 8
 .
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. test
 .
 .
 .
 IPv6 Support..................................... Disabled
 Passive Client Feature........................... Enabled
 Peer-to-Peer Blocking Action..................... Disabled
(WLC1) >

That’s all, now my Passive device is working 🙂

Customized Webauth Page Error

In this post we will learn how to tar the webauth bundle and which software to use to create the archive.

Today I spent almost 3 hours uploading a webauth bundle to the WLC.

I tried to create the tar file using this software:
1. PowerArchiver
2. 7-Zip
3. WinZip

But that always gave me this error:

[Screenshot: Cuwebauth1]

I tried with both of the above-mentioned software but that didn’t work. It shows that there is something wrong with the tar file.

There are some limitations with custom webauth that vary with versions and bugs. Things to watch for include:

***The .tar file size (no more than 1Mb)
***The number of files in the .tar (I did not find a single document which shows the max number of files in a .tar file)
***The filename length of the files (should be no more than 30 characters)

I have these files in my .tar:

[Screenshot: Cuwebauth2]

***I had an evaluation copy of PicoZip earlier and it worked for me, but now it’s expired. (So if you have it I think it will/should work; at least it worked for me.)

But frankly speaking I don’t believe that any Windows-based software will work.

I have already said that today I wasted almost 3 hours getting it to work.
The magic software through which I finally got it working is: CYGWIN (it worked for me like a charm)

From here we can download: https://cygwin.com/install.html

How to use this:
I am not good at Linux, but what I used here are very basic commands.

1. Make a directory

RSCCIEW ~
 $ mkdir webauth

2. Put all the files under this directory

3. Then jump to this directory

RSCCIEW ~
 $ cd webauth

Check which files are under this directory:

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html yourlogo.jpg

4. Now start archiving into .tar format

RSCCIEW ~/webauth
 $ tar -cvf testwebauth.tar *
 aup.html
 failed.html
 login.html
 logout.html
 yourlogo.jpg

5. Verify .tar file under the directory

RSCCIEW ~/webauth
 $ ls
 aup.html failed.html login.html logout.html testwebauth.tar yourlogo.jpg
RSCCIEW ~/webauth
 $

That’s it.
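The archiving steps above as one script that also checks the limits from the "things to watch for" list before the upload; this is an added example, not part of the original post. The function names are made up here, and MAX_BYTES assumes the post's "1Mb" means 1 MiB.

```shell
# Added example: build and sanity-check a WLC custom webauth bundle.
# The limits are the ones listed in the post; MAX_BYTES assumes "1Mb" = 1 MiB.
MAX_BYTES=1048576
MAX_NAME_LEN=30

# long_names DIR: print each file name in DIR longer than MAX_NAME_LEN.
# Returns 0 when every name fits, 1 otherwise.
long_names() {
    ln_rc=0
    for ln_path in "$1"/*; do
        [ -f "$ln_path" ] || continue
        ln_name=${ln_path##*/}
        if [ "${#ln_name}" -gt "$MAX_NAME_LEN" ]; then
            printf '%s (%d characters)\n' "$ln_name" "${#ln_name}"
            ln_rc=1
        fi
    done
    return "$ln_rc"
}

# build_bundle SRC_DIR OUT_TAR: same as "cd SRC_DIR; tar -cvf OUT_TAR *".
# OUT_TAR must be an absolute path outside SRC_DIR, so that a re-run does not
# sweep the previous .tar into the new one through the * glob.
# Returns 2 = name too long, 3 = tar failed, 4 = archive too large.
build_bundle() {
    bb_src=$1
    bb_out=$2
    if ! long_names "$bb_src" >&2; then
        echo "rename the files listed above to $MAX_NAME_LEN characters or fewer" >&2
        return 2
    fi
    ( cd "$bb_src" && tar -cf "$bb_out" -- * ) || return 3
    bb_size=$(( $(wc -c < "$bb_out") ))
    bb_count=$(( $(tar -tf "$bb_out" | wc -l) ))
    if [ "$bb_size" -gt "$MAX_BYTES" ]; then
        echo "$bb_out is $bb_size bytes; the limit is $MAX_BYTES" >&2
        return 4
    fi
    echo "$bb_out: $bb_count files, $bb_size bytes"
}

# Usage: build_bundle "$HOME/webauth" "$HOME/testwebauth.tar"
```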

Now let’s go to the WLC and try to upload this file (testwebauth.tar).

***Don’t forget to put this file in the root directory of the TFTP server

That must/should be successful.

Cisco Load Balancing Feature

In this post we will learn about Load Balancing feature on WLC.

This feature is normally called Aggressive Load Balancing. It load-balances wireless clients across APs.

In my opinion, it’s a very cool feature to be able to balance client distribution on the wireless network.

Must Remember Points:

***Note: Clients are load balanced between access points on the same controller. Load balancing does not occur between access points on different controllers.

***Note: It works at the association phase.

How it works:

When a client tries to associate to a LAP, an 802.11 association response packet is sent to the client with status code 17. Code 17 indicates that the AP is busy (meaning: no more clients can associate to me, so please find another AP).

The AP responds with an association response bearing ‘success’ if the AP threshold is not met, and with code 17 (AP busy) if the AP utilization threshold is reached or exceeded and another less busy AP heard the client request.

Here a problem arises: if the AP discards the request or sends status code 17 to the client, the client has to decide whether to ignore it and still use the same AP. Some client drivers use the same AP for the connection once again, but most other types of clients try to find another AP. (So this process depends on vendor drivers; you cannot force them to use a specific AP.)

Global configuration:

Via GUI:

Wireless > Advanced > Load Balancing

[Screenshot: Load-Balance1]

Via CLI:

(WLAN1) >config load-balancing ?
 denial         Configures Aggressive Load Balancing denial count.
 window         Configures Aggressive Load Balancing client window.
(WLAN1) >config load-balancing window ?
 <client count> Number of denials <0 to 20>.
(WLAN1) >config load-balancing denial ?
 <denial count> Number of denials <1-10>.
(WLAN1) >config load-balancing denial 3

Client Window Size: The client window size and the number of clients on the least loaded AP determine the load-balancing threshold value.

Before configuring load balancing, remember the formula. An AP is considered busy once it has a number of associated clients equal to the Client Window Size plus the number of clients on the least loaded AP in the area.

Load-balancing threshold = Client window size + number of clients on the least loaded AP

Example: Suppose I have 3 APs.

AP1: 9 Clients
AP2: 7 Clients
AP3: 4 Clients

As per the last screenshot, my Client Window Size is 5.

As per the formula, the load-balancing threshold is 5 + 4 = 9.

This means that if any new client wants to join AP1, the client will get the status 17 (busy) message; in other words, this AP (AP1) is considered to be busy.

The Maximum Denial Count parameter allows the user to configure the number of times the client associations will be rejected for a particular AP. The Maximum Denial Count can have a value between 0 and 10.

Configuration Per WLAN Basis:

Via GUI:

WLAN > Advanced > Client Load Balancing

Via CLI:

(WLAN1) >config wlan load-balance ?
 allow          Allow|Disallow Load Balance on a WLAN.
 (WLAN1) >config wlan load-balance allow  ?
 enable         Allow Load Balance on a WLAN.
 disable        Disallow Load Balance on a WLAN.
(WLAN1) >config wlan load-balance allow  enable 8
 WARNING: Allowing load balance on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show load-balancing
 Aggressive Load Balancing........................ per WLAN enabling
 Aggressive Load Balancing Window................. 5 clients
 Aggressive Load Balancing Denial Count........... 3
 Statistics
 Total Denied Count............................... 0 clients
 Total Denial Sent................................ 0 messages
 Exceeded Denial Max Limit Count.................. 0 times
 None 5G Candidate Count.......................... 0 times
 None 2.4G Candidate Count........................ 0 times
(WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Enabled
(WLAN1) >

That’s all about this feature 🙂

Cisco Band-Select Feature

In this post we will learn about this feature. Today I faced a problem where a client was continuously trying to connect to 2.4 GHz even though the traffic was fully congested/fully loaded/full of interference. Then I thought, is there a way to force dual-band clients (which support both frequency ranges, 2.4 GHz and 5 GHz) to connect to the 5 GHz radio? I searched the Cisco docs and tech notes and finally came across this feature.

So let’s discuss this feature in detail:

This feature gives dual-band clients the option to join the 5 GHz radio rather than the 2.4 GHz radio. Clients on the 2.4 GHz band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones, as well as co-channel interference from other APs because of the limit of three non-overlapping channels.

We can use this feature to improve overall network performance. Band direction enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point.

Must Remember Points:

***Note: Band Select is configurable only when Radio Policy is set to ‘All‘.

***Note: Band select on supported on all types APs

***Note: This Feature only works when a client first associates to AP.

***Note: This feature will not start when the AP notices a high client count or high channel utilization.

***Note: This feature only goes in one direction (2.4 GHz → 5 GHz), not the other way (5 GHz → 2.4 GHz). This means it will not load-balance clients on the AP.

How it works:

Cisco accomplishes this by delaying/suppressing the first few 802.11b/g probe frames, so that the client will accept the 802.11a probes because that radio will appear to have a quicker response time.

Configuration:

By default it’s disabled.

We can configure this feature globally (Wireless > Advanced > Band Select), and it can also be enabled on a per-WLAN basis (WLAN > Advanced > Client Band Select). This is useful if we want to disable band selection for a specific WLAN or specific client which is running time-sensitive applications (like voice).

Enable Globally:

Via GUI:

Wireless > Advanced > Band Select

When configuring the global Band Select features:

  • The cycle count is the number of times a client is denied before being allowed on 2.4 GHz.
  • The cycle period is how much time needs to pass for the next association attempt to be considered a unique attempt.
  • Age Out Suppression: when clients will be declared “new” and may have their probe frames delayed/ignored again.
  • Age Out Dual Band: the AP will not respond to a 2.4 GHz probe until a (dual-band) client is no longer marked as dual-band (default is 60 seconds). This is to prevent clients associated on the 5 GHz radio from switching back to the 2.4 GHz radio.
  • The Acceptable Client RSSI is how well a 2.4 GHz client needs to be heard before trying to push it to the 5 GHz band.

Via CLI:

(WLAN1) >config band-select ?
 client-rssi    Sets the client RSSI threshold.
 cycle-count    Sets the Band Select probe cycle count.
 cycle-threshold Sets the time threshold for a new scanning cycle.
 expire         Sets the entry expire.

Enable this feature on per WLAN Basis:

Via GUI:

WLAN > Advanced > Client Band Select

Via CLI:

(WLAN1) >config wlan  band-select ?
 allow          Allow|Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow ?
 enable         Allow Band Select on a WLAN.
 disable        Disallow Band Select on a WLAN.
(WLAN1) >config wlan  band-select allow enable  ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLAN1) >config wlan  band-select allow enable  8
 WARNING: Allow Band Select on this WLAN may impact time sensitive application like VOICE. Continue? (y/N)y
(WLAN1) >

Verification:

(WLAN1) >show band-select
 Band Select Probe Response....................... per WLAN enabling
 Cycle Count................................... 2 cycles
 Cycle Threshold............................... 200 milliseconds
 Age Out Suppression........................... 20 seconds
 Age Out Dual Band............................. 60 seconds
 Client RSSI................................... -80 dBm
 (WLAN1) >
 (WLAN1) >show wlan 8
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Band Select...................................... Enabled
 Load Balancing................................... Disabled
 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------
 (WLAN1) >

That’s all about this feature.
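A check that reads saved show wlan output and reports the per-WLAN fields verified in the Passive Client, Load Balancing and Band Select posts above, flagging a WLAN meant for voice that still has Band Select or Load Balancing enabled (the case the CLI warnings are about). This is an added example, not from the original posts; the function names and the sample output are constructed here.

```shell
# Added example: parse "Name......... Value" lines from WLC show output.

# wlan_field "Field Name" < show_output
# Prints the value that follows the dot leaders; returns 1 if the field is absent.
wlan_field() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # CLI output is indented
            if (match(line, /\.\.\.+ */)) {          # run of 3+ dots, then spaces
                name  = substr(line, 1, RSTART - 1)
                value = substr(line, RSTART + RLENGTH)
                sub(/[ \t\r]+$/, "", value)
                if (name == key) { print value; found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# audit_voice_wlan < show_wlan_output
# Prints one line per steering feature that is not Disabled; returns 1 if any.
audit_voice_wlan() {
    av_out=$(cat)
    av_bad=0
    for av_name in "Band Select" "Load Balancing"; do
        av_val=$(printf '%s\n' "$av_out" | wlan_field "$av_name") || av_val="(missing)"
        if [ "$av_val" != "Disabled" ]; then
            echo "$av_name is $av_val"
            av_bad=1
        fi
    done
    return "$av_bad"
}

# Constructed sample, modelled on the "show wlan 8" output in the posts above.
sample_show_wlan() {
cat <<'EOF'
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. Test
 .
 .
 Passive Client Feature........................... Enabled
 Band Select...................................... Enabled
 Load Balancing................................... Disabled
EOF
}

# Demo on the constructed sample.
sample_show_wlan | audit_voice_wlan || echo "WLAN 8 needs review before it carries voice"
```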

Autonomous AP as Wireless Bridge with Multiple VLAN

In the last post we learned how to set up a root and non-root bridge. In this post we will see the configuration for multiple VLANs on the root and non-root bridge for wireless clients.

The topology is the same as in the last post: Autonomous AP as Wireless Bridge

Again I will use WPA2-PSK to authenticate both WLANs: one WLAN for Root-AP to Wireless-Bridge communication and the other WLAN for clients to authenticate.

We will not spend much time on theory; let’s jump directly to the configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

That’s all for configuration. Now we are ready to test a client for VLAN 81.

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Autonomous AP as Wireless Bridge

In this post we will learn how to configure an AP as a wireless bridge. I tried to find documents from Cisco but they are very limited.

Let’s learn something about Wireless Bridges.

Here is my Topology:

[Topology diagram: Wirelessbridge1]

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device; it connects two or more LANs, which can be in different buildings, through the wireless interface. Wireless bridges provide higher data rates and superior throughput for data-intensive and line-of-sight applications. Wireless bridges eliminate the need for expensive leased lines and fiber-optic cables, and are mostly used to connect two sites where a WAN line is either not available or available but expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Must Remember Points:

  • It will always connect to the Root-AP via the native VLAN.
  • It can support multiple VLANs (unlike a Repeater).

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge Configuration with WPA2 encryption/single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once the configuration is complete, we will see these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate the Wireless-Bridge with LEAP (How to Authenticate with LEAP) or EAP-FAST (How to Authenticate with LEAP), then we have to use the same method as we did for Repeaters. Check my old posts on using EAP-FAST or LEAP to authenticate a Repeater, Wireless Bridge, WGB, and Universal WGB.

Autonomous AP as Repeater with EAP-FAST

In the last post we learnt about the LEAP authentication of a Repeater. For more theoretical concepts or must-remember points, please check this link:

Autonomous AP as Repeater with WPA2

Let’s see the configuration of EAP-FAST authentication.

*** In the same way we can authenticate a Bridge or WGB.

Here are the configurations.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info CCIEW
 eapfast server-key primary 7 52B537935F17B2359E1DCA5291705E3E76
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials FAST
 dot1x eap profile FAST
 guest-mode
 infrastructure-ssid
 !
 eap profile FAST
 method fast
 !
 dot1x credentials FAST
 username sandeep
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication of a repeater:

*Dec 17 10:43:53.122: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [EAP-FAST WPAv2]

Client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

That is all about Repeaters 🙂