Autonomous AP as Repeater with WPA2

In this post we will learn how to configure a repeater to extend our wireless coverage.

To extend or increase the range of our WLAN, we can add a repeater AP to the network. This repeater AP is not physically connected to the WLAN; instead it is placed within radio range of both the wired-connected access point and the clients that access the WLAN.

*** If the AP has two radios, only one can be used as a repeater. We must configure the other as a root radio.

*** A repeater can connect to a root AP only in autonomous mode.

Here is my test lab setup:

Client………..Repeater-AP…………Root-AP——–Switch


When we configure an AP as a repeater, the access point’s Ethernet port does not forward traffic.

*** After our AP is configured as a repeater, it shuts down its Ethernet connection. Any devices connected to the Ethernet port are disconnected from the AP.

Of course, we can configure multiple APs as repeaters, but throughput decreases as additional APs are added to the chain, because each repeater must receive and retransmit every packet on the same channel. As a result, throughput is cut in half for each repeater added.

A repeater AP connects to the root AP which has the best connectivity. But we can specify the AP to which the repeater associates. Setting up a static, specific association between a repeater and a root access point improves repeater performance.

Points to remember:

  • It’s best to use repeaters to serve clients that do not require high throughput.
  • Cisco AP repeaters work best when clients are Cisco devices. Problems occur when third-party devices try to associate with repeater APs.
  • Ensure the data rates configured on the repeater AP match the data rates of the parent AP.
  • We can’t configure multiple VLANs on repeater access points. Repeater access points support only native VLAN.
  • If the repeater is connected to a root AP that has many BSSIDs, adding or deleting an SSID on the root AP might change the parent MAC address. So after making changes on the root AP, we must check the connectivity between the root AP and the repeater again.

Steps to Configure the AP as Repeater:

  1. Enable Aironet extensions on both the parent and repeater APs. These extensions are enabled by default; they improve the access point’s ability to understand the capabilities of Cisco Aironet client devices associated with the access point.
  2. Set up the SSID under the specific radio {0 or 1}.
  3. Assign the SSID as an infrastructure SSID. This is the SSID the repeater uses to associate to the root AP.

The infrastructure SSID must be assigned to the native VLAN. If more than one VLAN is created on an AP, an infrastructure SSID cannot be assigned to a non-native VLAN. The following message appears when the infrastructure SSID is configured on non-native VLAN:

ap(config-ssid)#infrastructure-ssid optional
 Dot11Radio0: SSID Test must be configured as native-vlan before enabling infrastructure-ssid
ap(config-ssid)#

*** The "optional" argument allows regular clients to associate as well.

  4. Establish this AP’s role as a repeater by using this command: station-role repeater

  5. We can enter MAC addresses for up to four parents. If the repeater fails to associate to the first parent, it moves to the next on the list. We can enter a timeout, which establishes how long the repeater tries to associate to a parent before it moves to the next.

 

Root AP/Repeater Configuration with WPA2 encryption.

On Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 104D000A061843595F
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache

Repeater-AP:

hostname Repeater-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
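
The two configurations above must agree on the SSID, key management and cipher, and the infrastructure SSID must sit on the native VLAN. The following consistency check is an added example, not part of the original post: the sample configs are constructed and abridged from the listings above with the PSK replaced by a placeholder, and the function names `facts` and `audit` are hypothetical. It also flags `wpa-psk ascii 7`, because type 7 is a reversible encoding and the stored PSK should be treated as readable by anyone who can see the configuration.

```python
import re
# Constructed sample, abridged from the two configs on this page (PSK replaced by a placeholder).
ROOT_CFG = """\
dot11 ssid RSCCIEW
 vlan 80
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 <PLACEHOLDER>
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm
 ssid RSCCIEW
 station-role root
interface Dot11Radio0.80
 encapsulation dot1Q 80 native
"""
REPEATER_CFG = ROOT_CFG.replace("station-role root", "station-role repeater")

def facts(cfg):
    """Pull the settings that must line up between parent and repeater."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1).strip() if m else None
    return {
        "ssid": grab(r"^dot11 ssid (\S+)"),
        "vlan": grab(r"^[ \t]*vlan (\d+)"),
        "key_mgmt": grab(r"^[ \t]*authentication key-management (.+)$"),
        "cipher": grab(r"^[ \t]*encryption .*mode ciphers (.+)$"),
        "role": grab(r"^[ \t]*station-role (\S+)"),
        "infra": bool(re.search(r"^[ \t]*infrastructure-ssid\b", cfg, re.M)),
        "native_vlan": grab(r"^[ \t]*encapsulation dot1Q (\d+) native"),
        "psk_type": grab(r"^[ \t]*wpa-psk ascii (\d+) "),
    }

def audit(root_cfg, rep_cfg):
    root, rep = facts(root_cfg), facts(rep_cfg)
    findings = []
    for key in ("ssid", "key_mgmt", "cipher"):
        if root[key] != rep[key]:
            findings.append(f"{key} mismatch: root={root[key]!r} repeater={rep[key]!r}")
    for name, f in (("root", root), ("repeater", rep)):
        if not f["infra"]:
            findings.append(f"{name}: SSID is not an infrastructure-ssid")
        if f["vlan"] != f["native_vlan"]:
            findings.append(f"{name}: SSID vlan {f['vlan']} is not the native VLAN")
        if f["psk_type"] == "7":
            findings.append(f"{name}: PSK stored as type 7 (reversible encoding)")
    if (root["role"], rep["role"]) != ("root", "repeater"):
        findings.append(f"station-role pair is {root['role']}/{rep['role']}")
    return findings
```

Calling `audit(ROOT_CFG, REPEATER_CFG)` on the sample returns only the two type 7 findings; any mismatch in cipher, key management or native VLAN shows up as an extra entry.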

Once the configuration is complete, we will see these logs:

*Oct 6 09:23:28.003: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Repeater-AP 2894.0fa8.a594 Associated KEY_MGMT[WPAv2 PSK]

Now let’s connect a client to the repeater AP and see its status:

Root-AP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address   IP address     Device       Name           Parent         State
 2894.0fa8.a594 10.35.80.111   ap1240-Rptr   Repeater-AP     self           Assoc
 5426.963e.4bee 10.35.80.108   Rptr-client   -               2894.0fa8.a594 Assoc
Root-AP#

If we want to fix the repeater to associate with specific root APs, we can use the "parent <1-4> mac-address [timeout]" command under the radio interface of the repeater. A maximum of 4 parent MAC addresses is allowed. In our case we have only one Root-AP.

We can also enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. The timeout value ranges from 0 to 65535 seconds.

Here is the command:

Repeater-AP#Conf t
Repeater-AP(config)#interface Dot11Radio0
Repeater-AP(config-if)#Parent 1 mac 003a.9914.1370

In the next post we will see repeater authentication via LEAP.
