In this post we will learn how to configure an autonomous AP as a WGB with multiple VLANs.
How to set up the Root AP and WGB: check this post
***I don’t have an extra switch, so I will force the WGB to connect to the client in VLAN 12.
***In my post the WGB and Root AP are both on VLAN 11 (native), and the client will get its IP in VLAN 12.
***The link between the Root AP and the switch is a trunk.
Switch Config:
Int fa0/24
 Switchport trunk encapsulation dot1q
 Switchport trunk native vlan 11
 Switchport trunk allowed vlan 11,12
 Switchport mode trunk
Points to remember:
- The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, the AP treats WGBs as client devices.
- If the WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate bridges, repeaters, etc. A WGB is by default a “client”, not an “infrastructure client”, and therefore cannot associate to an infrastructure SSID.
Use of Infrastructure-Client Command:
- Used for Reliable Multicast
- Makes the WGB an infrastructure client so that it can associate to an infrastructure SSID.
In my example the WGB is connected to the root AP via the RSCCIEW WLAN interface.
The WGB authenticates with LEAP and WPA2.
Here is the complete configuration:
Root AP:
RootAP#sh run
!
hostname RootAP
!
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
!
aaa authentication login eap_method group rad_eap
!
dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 infrastructure-client
!
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
!
interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.11.254
radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
!
radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
bridge 1 route ip
!
end
WGB:
WGB#sh run
!
hostname WGB
!
no aaa new-model
!
dot11 ssid RSCCIEW
 vlan 11
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 infrastructure-ssid
!
eap profile leap
 method leap
!
dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
!
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
bridge 1 route ip
! The next line makes a permanent entry in the WGB bridge table
bridge 1 address c434.6b27.0c11 forward FastEthernet0.12
!
workgroup-bridge client-vlan 12
end
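As an added example (not part of the original post), this Python check runs over a constructed excerpt of the WGB configuration above: it confirms that every VLAN has a radio and an Ethernet subinterface in the same bridge-group, that the workgroup-bridge client-vlan has a wired subinterface, and it flags the LEAP method and the type 7 password. The names parse_subifs and audit are hypothetical.

```python
import re
# Constructed excerpt of the WGB running-config above, trimmed to the lines checked.
WGB_CONFIG = """\
eap profile leap
 method leap
dot1x credentials wgbuser
 password 7 060506324F41
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 bridge-group 1
interface Dot11Radio0.12
 encapsulation dot1Q 12
 bridge-group 12
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 bridge-group 1
interface FastEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
workgroup-bridge client-vlan 12
"""

def parse_subifs(config):
    """Map (parent interface, VLAN) -> {'bg': bridge-group, 'native': bool}."""
    subifs, parent, cur = {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command closes the previous block
            m = re.match(r"interface (\S+)\.\d+$", line)
            parent, cur = (m.group(1) if m else None), None
        elif parent and (m := re.match(r" encapsulation dot1Q (\d+)( native)?$", line)):
            cur = subifs[(parent, int(m.group(1)))] = {"bg": None, "native": bool(m.group(2))}
        elif cur is not None and (m := re.match(r" bridge-group (\d+)$", line)):
            cur["bg"] = int(m.group(1))
    return subifs

def audit(config):  # returns a list of finding strings (empty list = nothing flagged)
    subifs, out = parse_subifs(config), []
    for vlan in sorted({v for _, v in subifs}):
        radio, wired = subifs.get(("Dot11Radio0", vlan)), subifs.get(("FastEthernet0", vlan))
        if radio is None or radio != wired:  # missing on one side, or settings differ
            out.append(f"vlan {vlan}: radio/Ethernet subinterfaces missing or inconsistent")
    m = re.search(r"^workgroup-bridge client-vlan (\d+)$", config, re.M)
    if m and ("FastEthernet0", int(m.group(1))) not in subifs:
        out.append(f"client-vlan {m.group(1)}: no FastEthernet0 subinterface for it")
    if re.search(r"^ method leap$", config, re.M):
        out.append("eap: LEAP is exposed to offline dictionary attack; prefer EAP-FAST/PEAP/EAP-TLS")
    if re.search(r"^ password 7 ", config, re.M):
        out.append("secret: type 7 password is reversible obfuscation; treat the config as sensitive")
    return out
```

On the excerpt, audit(WGB_CONFIG) reports only the two credential findings; removing the FastEthernet0.12 block makes it report the VLAN 12 and client-vlan problems as well.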
Verification:
On Root AP:
RootAP#sh dot11 ass
802.11 Client Stations on Dot11Radio0:
SSID [RSCCIEW] :
MAC Address    IP address      Device        Name       Parent         State
001d.7096.3404 192.168.11.36   WGB           WGB        self           EAP-Assoc
c434.6b27.0c11 192.168.12.31   WGB-client    -          001d.7096.3404 Assoc

RootAP#sh dot11 ass 001d.7096.3404
Address           : 001d.7096.3404     Name             : WGB
IP Address        : 192.168.11.36      Interface        : Dot11Radio 0
Device            : WGB                Software Version : 12.4
CCX Version       : 5                  Client MFP       : On
State             : EAP-Assoc          Parent           : self
SSID              : RSCCIEW            VLAN             : 11
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -22 dBm            Connected for    : 55931 seconds
Signal to Noise   : 73 dB              Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 9399               Packets Output   : 30671
Bytes Input       : 1597644            Bytes Output     : 4718946
Duplicates Rcvd   : 0                  Data Retries     : 1325
Decrypt Failed    : 2                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds
Reauthenticate in : never

RootAP#sh dot11 ass c434.6b27.0c11
Address           : c434.6b27.0c11     Name             : NONE
IP Address        : 192.168.12.31      Interface        : Dot11Radio 0
Device            : WGB-client         Software Version : NONE
CCX Version       : NONE               Client MFP       : Off
State             : Assoc              Parent           : 001d.7096.3404
SSID              : RSCCIEW            VLAN             : 12
Hops to Infra     : 0
Clients Associated: 0                  Repeaters associated: 0
On WGB:
WGB#sh dot11 ass
802.11 Client Stations on Dot11Radio0:
SSID [RSCCIEW] :
MAC Address    IP address      Device        Name       Parent         State
003a.9a3e.a380 192.168.11.35   ap1240-Parent RootAP     -              EAP-Assoc

WGB#sh dot11 ass 003a.9a3e.a380
Address           : 003a.9a3e.a380     Name             : RootAP
IP Address        : 192.168.11.35      Interface        : Dot11Radio 0
Device            : ap1240-Parent      Software Version : 12.4
CCX Version       : 5                  Client MFP       : On
State             : EAP-Assoc          Parent           : -
SSID              : RSCCIEW            VLAN             : 11
Hops to Infra     : 0                  Association Id   : 1
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -24 dBm            Connected for    : 55975 seconds
Signal to Noise   : 69 dB              Activity Timeout : 14 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE
Packets Input     : 586784             Packets Output   : 9346
Bytes Input       : 102345033          Bytes Output     : 1669240
Duplicates Rcvd   : 0                  Data Retries     : 12
Decrypt Failed    : 114                RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Normally it's not recommended by Cisco to use multiple VLANs on a WGB 🙂