WGB Roaming

In this post we will try to understand how a WGB scans the parent channels and roams from one parent to another. It is really important to configure the roaming commands on the WGB to keep the session alive.

Basic Info:

  • A WGB is a mobile device.
  • Companies normally use WGBs in production, mounted on a forklift or a cart together with their device. Roaming is a very critical part of this and must be smooth; otherwise the WGB disconnects frequently and tries to reconnect to another AP.
  • Because roaming means changing from the current AP to the next, there is a resulting disconnection, or time without service. This disconnection can be short.
  • Roaming is needed so that the WGB finds an AP with a better signal than the current one and can keep accessing the network infrastructure properly.
  • Too many roams cause disconnections, which affect access (this is not acceptable, especially in production or in a hospital).
  • It is really important for a WGB to have a good roaming algorithm with enough configuration options to adapt to different RF environments and data needs.

Configure Roaming:

***By default the WGB acts as a normal client and scans for another parent after 8 consecutive lost beacons.

But in the case of a WGB we have a few other methods on top of this default setting.

Let’s see these in detail:

Mobile station:

This command marks the unit as mobile to speed up roaming:

WGB#conf t
WGB(config)#interface dot11radio 0
WGB(config-if)#mobile station

When this is enabled, the WGB scans for a new parent when the RSSI to its AP gets too poor or when it has too many retransmits, which makes the WGB roam. When the mobile station setting is disabled (the default), the workgroup bridge does not search for a new AP until it loses its current association.

Scanning Channels:

WGB(config-if)#mobile station scan 1 6 11

The mobile station scan <set of channels> command restricts scanning to the specified channels.

By default the scan is not limited to any set of channels. When we run this command, the WGB only scans the listed channels.

In our case, we configured our WGB to scan only channels 1, 6 and 11 instead of scanning all channels.

***The mobile station command only shows up when the radio is in the WGB role.

*** Make sure the WGB scan list matches the infrastructure channel list. If not, the WGB will not find the available APs.

RSSI Monitoring:

WGB(config-if)#mobile station period 4 threshold 70

The WGB can proactively check the signal from its current parent and start a new roaming process when the signal falls below an expected level.

This has two parameters:

  • A timer (period), which wakes up the check process every X seconds; here every 4 seconds.
  • An RSSI level (threshold); a roaming process starts if the current signal is below it.

Minimum Data Rate:

WGB(config-if)#mobile station minimum-rate 18.0

This command makes the WGB trigger a new roaming event if the current data rate to the parent is below a given value.

*** Roaming on data rate alone is too aggressive; previously the only workaround was to configure a single data rate on both the WGB and the parent APs.

With this command, a new roaming process only starts when the current rate drops below 18 Mb/s. This reduces unnecessary roaming.

CCX Neighbors:

WGB(config-if)#mobile station ignore neighbor-list

Normally, when the WGB scans the channels, it builds a list of available APs. CCX adds a mechanism by which the WGB can send its AP the details of the other APs it heard, and the AP can send neighbor list reports back. But if we configured the WGB to scan only specific channels, it does not need to process the CCX reports to update its known channel list.

*** We use the mobile station ignore neighbor-list command to disable processing of CCX neighbor list reports.

Packet retries:

WGB(config-if)#packet retries 128

By default, the WGB retransmits a frame 64 times (a range of 1 to 128 can be configured).

If the frame is still not acknowledged by the parent AP, the WGB starts a roaming process.

Drop-Packet:

If the WGB gets no ACK from the parent AP after 128 tries, it starts a roam. With the drop-packet keyword, however, the WGB does not start a new roam while the parent is still present and relies on the other triggers instead, such as beacon loss and signal level.

So the complete command is:

WGB(config-if)#packet retries 128 drop-packet

*** This command must be configured on both sides (on the WGB as well as on the parent AP, under the radio interface).

WGB(config-if)#mobile ?
 station  Mark the unit as mobile to speed up roaming
WGB(config-if)#mobile station ?
 ignore        ignore CCX reports
 minimum-rate  Minimum rate below which the AP is rejected
 period        Minimum time between scans when the connection deteriorates
 scan          Scan the following channels only
 <cr>
WGB(config)#int d0
WGB(config-if)#packet retries 128 drop-packet
RootAP#debug dot11 dot11radio 0 trace print uplink
RootAP#debug dot11 dot11radio 0 trace print rates
WGB(config-if)#
 *Mar  1 19:27:56.501: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
 *Mar  1 19:27:56.502: FAD9916A-0 Uplink: Stop
 *Mar  1 19:27:56.502: FAD991BA-0 Interface down
 *Mar  1 19:27:56.521: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
 *Mar  1 19:27:56.522: FAD9E7DA-0 Interface up
 *Mar  1 19:27:56.523: FAD9E82B-0 Uplink: Wait for driver to stop
 *Mar  1 19:27:56.523: FAD9E8A4-0 Uplink: Enabling active scan
 *Mar  1 19:27:56.523: FAD9E8B7-0 Uplink: Not busy, scan all channels
 *Mar  1 19:27:56.523: FAD9E8C7-0 Uplink: Scanning
 *Mar  1 19:27:56.584: FADAE016-0 Uplink: Rcvd response from 003a.9a3e.a380 channel 11 10283
 *Mar  1 19:27:56.589: FADAF3F1-0 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC01 encrypt_type 0x200
 *Mar  1 19:27:56.589: FADAF42C-0 Uplink: ssid RSCCIEW auth leap
 *Mar  1 19:27:56.589: FADAF43F-0 Uplink: try 003a.9a3e.a380, enc 200 key 3, priv 1, eap 11
 *Mar  1 19:27:56.590: FADAF45E-0 Uplink: Authenticating
 *Mar  1 19:27:56.599: FADB19F9-0 Uplink: Associating
 *Mar  1 19:27:56.608: FADB2EBC-0 3EA380 - Set rate:    54.0  54 Mbps ( 6C), Rssi 24 dBm
 *Mar  1 19:27:56.609: FADB3018-0 Uplink: EAP authenticating
 *Mar  1 19:27:56.668: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
 *Mar  1 19:27:56.670: FADC277E-0 Uplink: Done
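The capture above shows the whole roam, from "Uplink: Stop" to UPLINK_ESTABLISHED, and the gap between those two lines is the time without service discussed at the top of this post. As an added example (not code from the original post), the Python below parses that `debug dot11 dot11radio 0 trace print uplink` output, measures the outage, lists the parents that answered and on which channels, and checks those channels against a `mobile station scan` list. The line formats it matches are assumed from this capture, and the sample log is the post's own output embedded as constructed input.

```python
"""Measure a WGB roam from `debug dot11 dot11radio 0 trace print uplink` output.

Added example, not code from the original post.  It assumes the line formats
visible in the capture above: a `*Mon  D HH:MM:SS.mmm:` timestamp followed by
either a syslog message (%LINK-..., %DOT11-4-UPLINK_ESTABLISHED) or a trace
line `<hex>-0 Uplink: <text>`.  The sample log is copied from the post.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Sample input: the post's own uplink trace, trimmed to the timing-relevant lines.
SAMPLE_LOG = """\
*Mar  1 19:27:56.501: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 19:27:56.502: FAD9916A-0 Uplink: Stop
*Mar  1 19:27:56.502: FAD991BA-0 Interface down
*Mar  1 19:27:56.521: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 19:27:56.523: FAD9E8A4-0 Uplink: Enabling active scan
*Mar  1 19:27:56.523: FAD9E8B7-0 Uplink: Not busy, scan all channels
*Mar  1 19:27:56.523: FAD9E8C7-0 Uplink: Scanning
*Mar  1 19:27:56.584: FADAE016-0 Uplink: Rcvd response from 003a.9a3e.a380 channel 11 10283
*Mar  1 19:27:56.590: FADAF45E-0 Uplink: Authenticating
*Mar  1 19:27:56.599: FADB19F9-0 Uplink: Associating
*Mar  1 19:27:56.609: FADB3018-0 Uplink: EAP authenticating
*Mar  1 19:27:56.668: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
*Mar  1 19:27:56.670: FADC277E-0 Uplink: Done
"""

TS_RE = re.compile(r"^\*(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*(.*)$")
RESP_RE = re.compile(r"Uplink: Rcvd response from ([0-9a-f.]+) channel (\d+)")
EST_RE = re.compile(r"UPLINK_ESTABLISHED: .*Associated To AP (\S+) ([0-9a-f.]+) \[([^\]]*)\]")


@dataclass
class RoamEvent:
    stopped_at: datetime                       # "Uplink: Stop": service lost
    established_at: Optional[datetime] = None  # UPLINK_ESTABLISHED: service back
    candidates: List[Tuple[str, int]] = field(default_factory=list)  # (BSSID, channel) heard
    scanned_all_channels: bool = False         # no `mobile station scan` list in effect
    parent_name: Optional[str] = None
    parent_bssid: Optional[str] = None
    security: Optional[str] = None

    @property
    def outage(self) -> Optional[timedelta]:
        """Time without service, or None if the roam never completed."""
        if self.established_at is None:
            return None
        return self.established_at - self.stopped_at


def parse_uplink_trace(text: str) -> List[RoamEvent]:
    """Return one RoamEvent per roam found in the trace, in order of occurrence."""
    events: List[RoamEvent] = []
    current: Optional[RoamEvent] = None
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue  # prompts, blank lines and other non-timestamped text
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")  # year is irrelevant here
        msg = m.group(2)
        if "Uplink: Stop" in msg:
            current = RoamEvent(stopped_at=ts)  # a new roam begins
            events.append(current)
            continue
        if current is None or current.established_at is not None:
            continue  # no roam in progress (e.g. the trailing "Uplink: Done")
        if "scan all channels" in msg:
            current.scanned_all_channels = True
        r = RESP_RE.search(msg)
        if r:
            current.candidates.append((r.group(1), int(r.group(2))))
        e = EST_RE.search(msg)
        if e:
            current.parent_name, current.parent_bssid, current.security = e.groups()
            current.established_at = ts
    return events


def outage_ms(event: RoamEvent) -> Optional[float]:
    """Roam outage in milliseconds, the number that matters on a forklift."""
    return None if event.outage is None else event.outage / timedelta(milliseconds=1)


def channels_outside_scan_list(events: List[RoamEvent], scan_list: List[int]) -> List[int]:
    """Channels on which parents answered but which a `mobile station scan` list
    would exclude: a quick check that the scan list matches the infrastructure."""
    heard = {ch for ev in events for _, ch in ev.candidates}
    return sorted(heard - set(scan_list))


if __name__ == "__main__":
    for ev in parse_uplink_trace(SAMPLE_LOG):
        print(f"roamed to {ev.parent_name} ({ev.parent_bssid}) [{ev.security}] "
              f"on channel(s) {[ch for _, ch in ev.candidates]} in {outage_ms(ev):.0f} ms")
```

Feed it a longer capture from a moving WGB and the per-roam outage list shows directly whether the period/threshold and minimum-rate settings are roaming too early or too late.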

These are the other timers on WGB:

WGB(config)#workgroup-bridge timeouts ?
 assoc-response  Association Response time-out value
 auth-response   Authentication Response time-out value
 client-add      client-add time-out value
 eap-timeout     EAP Timeout value
 iapp-refresh    IAPP Refresh time-out value

Autonomous AP as WGB (Multiple VLAN)

In this post we will learn how to configure an autonomous AP as a WGB with multiple VLANs.

How to set up the root AP and WGB: check this post.

***I don’t have an extra switch, so I will force the WGB to connect the client in VLAN 12.

***In my post the WGB and the root AP are both on VLAN 11 (native) and the client will get its IP in VLAN 12.

*** The link between the RootAP and the switch is a trunk.

Switch Config:

 interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 11,12
 switchport mode trunk

[Topology diagram: WGB_2vlan]

Remembering Points:

  1. The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, the AP treats the WGB as a client device.
  2. If the WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate bridges, repeaters, etc. By default a WGB is a “client”, not an “infrastructure client”, and therefore cannot associate to an infrastructure SSID.

Use of Infrastructure-Client Command:

  1. Used for reliable multicast.
  2. Makes the WGB an infrastructure client so that it can associate to an infrastructure SSID.

In my example the WGB is connected to the root AP via the RSCCIEW WLAN.

The WGB authenticates with LEAP and WPA2.

Here is the complete configuration:

Root AP:

RootAP#sh run
 !
 hostname RootAP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 infrastructure-client
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
 !
 interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 192.168.11.254
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
 !
 radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
 bridge 1 route ip
 !
 end

WGB:

WGB#sh run
 !
 hostname WGB
 !
 no aaa new-model
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 infrastructure-ssid
 !
 eap profile leap
 method leap
 !
 dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 !
 interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 bridge 1 route ip
 bridge 1 address c434.6b27.0c11 forward FastEthernet0.12   <-- makes a permanent entry in the WGB bridge table
 !
 workgroup-bridge client-vlan 12
 end

Verification:

On Root AP:

 RootAP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 001d.7096.3404 192.168.11.36     WGB           WGB             self           EAP-Assoc
 c434.6b27.0c11 192.168.12.31     WGB-client    -               001d.7096.3404 Assoc
RootAP#sh dot11 ass 001d.7096.3404
 Address           : 001d.7096.3404     Name             : WGB
 IP Address        : 192.168.11.36        Interface        : Dot11Radio 0
 Device            : WGB                Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -22  dBm           Connected for    : 55931 seconds
 Signal to Noise   : 73  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 9399               Packets Output   : 30671
 Bytes Input       : 1597644            Bytes Output     : 4718946
 Duplicates Rcvd   : 0                  Data Retries     : 1325
 Decrypt Failed    : 2                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
RootAP#sh dot11 ass c434.6b27.0c11
 Address           : c434.6b27.0c11     Name             : NONE
 IP Address        : 192.168.12.31        Interface        : Dot11Radio 0
 Device            : WGB-client         Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 001d.7096.3404
 SSID              : RSCCIEW
 VLAN              : 12
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

On WGB:

WGB#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 192.168.11.35     ap1240-Parent RootAP          -              EAP-Assoc
WGB#sh dot11 ass 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : RootAP
 IP Address        : 192.168.11.35        Interface        : Dot11Radio 0
 Device            : ap1240-Parent      Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -24  dBm           Connected for    : 55975 seconds
 Signal to Noise   : 69  dB            Activity Timeout : 14 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 586784             Packets Output   : 9346
 Bytes Input       : 102345033          Bytes Output     : 1669240
 Duplicates Rcvd   : 0                  Data Retries     : 12
 Decrypt Failed    : 114                RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0

Normally Cisco does not recommend using multiple VLANs on a WGB 🙂

Autonomous AP as WGB (Single VLAN)

In this post we will learn how to configure an autonomous AP as a WGB.

A WGB provides a wired connection for devices that don’t have a wireless adapter, so such a device can connect directly to the WGB Ethernet port to reach the wireless network.

In other words, it provides wireless connectivity to wired clients that are connected by Ethernet to the workgroup bridge access point.

The WGB connects to the root AP as a client through its wireless interface.

Basic Info:

  • Infrastructure SSID configuration is not required.
  • By default, when the WGB associates with the root bridge, the WGB and all its wired clients are shown as normal clients.
  • A WGB can pass only one VLAN between the WGB and the root bridge (this is Cisco’s recommendation; it can also pass multiple).
  • Always use bridge-group 1 for the link between the root and the WGB.
  • But if we use WGB multicast infrastructure mode on the WGB, we need to add infrastructure-client on the root AP side.
  • A WGB in standard mode is by default a “client”, not an “infrastructure client”, and therefore cannot associate to an infrastructure SSID.
  • A WGB is a mobile device.
  • A root AP can allow a maximum of 20 WGBs (this needs to be tested).

My Topology:

[Topology diagram: WGB_Vlan1]

Remembering Points:

  1. The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, the AP treats the WGB as a client device.
  2. If the WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate bridges, repeaters, etc. By default a WGB is a “client”, not an “infrastructure client”, and therefore cannot associate to an infrastructure SSID.

Use of Infrastructure-Client Command:

  1. Used for reliable multicast.
  2. Makes the WGB an infrastructure client so that it can associate to an infrastructure SSID.

In my example the WGB is connected to the root AP via the RSCCIEW WLAN.

The WGB authenticates with LEAP and WPA2.

Here is the configuration:

Root AP:

RootAP#sh run
 !
 hostname RootAP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 192.168.11.254
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
 !
 radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
 bridge 1 route ip
 !
 end

WGB:

WGB#sh run
 !
 hostname WGB
 !
 no aaa new-model
 !
 dot11 ssid RSCCIEW
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 !
 eap profile leap
 method leap
 !
 dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
 bridge-group 1
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 bridge 1 route ip
 bridge 1 address c434.6b27.0c11 forward FastEthernet0.11
 !
 end

Verification:

On Root AP

RootAP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 001d.7096.3404 192.168.11.36     WGB           WGB             self           EAP-Assoc
 c434.6b27.0c11 192.168.11.37     WGB-client    -               001d.7096.3404 Assoc
RootAP#sh dot11 associations 001d.7096.3404
 Address           : 001d.7096.3404     Name             : WGB
 IP Address        : 192.168.11.36        Interface        : Dot11Radio 0
 Device            : WGB                Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -24  dBm           Connected for    : 102 seconds
 Signal to Noise   : 71  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 213                Packets Output   : 29
 Bytes Input       : 47472              Bytes Output     : 3382
 Duplicates Rcvd   : 0                  Data Retries     : 3
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
RootAP#sh dot11 associations c434.6b27.0c11
 Address           : c434.6b27.0c11     Name             : NONE
 IP Address        : 192.168.11.37        Interface        : Dot11Radio 0
 Device            : WGB-client         Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 001d.7096.3404
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

On WGB:

 *Mar  1 02:06:37.718: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
  
  
 WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 192.168.11.35     ap1240-Parent RootAP          -              EAP-Assoc
  
 WGB#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : RootAP
 IP Address        : 192.168.11.35        Interface        : Dot11Radio 0
 Device            : ap1240-Parent      Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -28  dBm           Connected for    : 177 seconds
 Signal to Noise   : 66  dB            Activity Timeout : 11 seconds
 Power-save        : Off                Last Activity    : 4 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 2475               Packets Output   : 732
 Bytes Input       : 402607             Bytes Output     : 316070
 Duplicates Rcvd   : 0                  Data Retries     : 4
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0

Passive Client Feature

In this post we will learn about the passive client feature.

My Real Problem Scenario:

For the last 2 weeks I have been facing a problem with a device connected behind a WGB. This device has a static IP address.

I tried 2 weeks ago and it was working, but now it’s not. I don’t know what was wrong.

So on one hand it is working (at one place) – did not enable passive client, still working.

On the other hand it’s not working (at another location) – enabled passive client and it’s working.

So let’s deep dive into this topic:

What is passive client?

Passive clients are wireless devices, such as printers or machines, that are configured with a static IP address. These clients do not transmit any IP information when they associate with an AP. As a result, the WLC never learns their IP address unless they use DHCP.

Must-Remember Points:

  • This feature is not supported with AP groups or with HREAP (FlexConnect) centrally switched WLANs.
  • This feature works in multicast-multicast and multicast-unicast modes. The controller sources the multicast packets using its management IP address.
  • Earlier it was only supported on Cisco 5500 and Cisco 2100 Series Controllers, but now the 2504 WLC also supports it.

WLCs act as a proxy for ARP requests. Upon receiving an ARP request, the controller responds with an ARP response instead of passing the request directly to the client. This scenario has two advantages:

  • The upstream device that sends out the ARP request to the client will not know where the client is located.
  • Power for battery-operated devices such as mobile phones and printers is preserved because they do not have to respond to every ARP request.

The passive client feature enables the ARP requests and responses to be exchanged between wired and wireless clients. This feature, when enabled, allows the controller to pass ARP requests from wired to wireless clients until the desired wireless client gets to the RUN state.

How to configure:

  • Enable multicast-multicast mode
  • Enable the global multicast mode
  • Enabling the Passive Client Feature

Via GUI:

Enable Multicast-Multicast mode:

Choose Controller > General, set AP Multicast Mode to Multicast, enter the multicast group IP address and then Apply.

[Screenshot: Passive1]

Enable the Global Multicast Mode:

Choose Controller > Multicast, select both boxes and then Apply.

[Screenshot: Passive2]

Enable the Passive Client Feature:

Choose WLANs > WLANs > WLAN ID to open the WLANs > Edit page.

Go to the Advanced tab, select the Passive Client box and then Apply.

[Screenshot: Passive3]

Via CLI:

Enable multicast-multicast mode:

(WLC1) >config network multicast ?
 global         Enter mode.
 igmp           Igmp paratemers set
 l2mcast        Configuration of L2 Multicast
 mode           Configure WLC to AP Multicast/Broadcast traffic forwarding mode.
(WLC1) >config network multicast mode ?
 multicast      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast ?
 <IP addr>      Mcast/Bcast Packets are encapsulated in multicast CAPWAP tunnel to APs
(WLC1) >config network multicast mode multicast 239.239.35.1

Enable the global multicast mode:

(WLC1) >config network multicast global ?
 enable         Enables this setting.
 disable        Disables this setting.
(WLC1) >config network multicast global enable
(WLC1) >config network multicast igmp ?
 query          Igmp Query paratemers set
 snooping       Igmp snooping configuration
 timeout        Igmp timeout set
(WLC1) >config network multicast igmp snooping ?
 enable         Enable Igmp snooping
 disable        Disable Igmp snooping
(WLC1) >config network multicast igmp snooping enable

Enabling the Passive Client Feature:

(WLC1) >config wlan passive-client enable ?
 <WLAN id>      Enter WLAN Identifier between 1 and 16.
(WLC1) >config wlan disable 8
(WLC1) >config wlan passive-client ?
 disable        Disable passive-client feature on a WLAN.
 enable         Enable passive-client feature on a WLAN.
(WLC1) >config wlan passive-client enable 8

Verification:

(WLC1) >show wlan 8
 .
 WLAN Identifier.................................. 8
 Profile Name..................................... Test
 Network Name (SSID).............................. test
 .
 .
 .
 IPv6 Support..................................... Disabled
 Passive Client Feature........................... Enabled
 Peer-to-Peer Blocking Action..................... Disabled
(WLC1) >

That’s all, now my Passive device is working 🙂

WGB with multiple VLAN in UWNS

In this post we will see how to configure a WGB for multiple VLANs in a unified wireless environment. This is useful when we want wired clients behind the WGB in different VLANs.

The WGB connects to a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The WGB provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the WGB as a wireless client.

Remembering Points:

  • The workgroup bridge can be any autonomous access point that supports workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or greater (on 16-MB access points).
  • On the wireless LAN controller, we should have software version 4.1.185.0 or later. WGB mode is not supported on the controller in any earlier version.
  • We do not need to configure anything on the controller to enable the WGB to communicate with the lightweight access point. However, to ensure proper communication, we should create a WLAN on the controller that matches the SSID and security method configured on the WGB.
  • The LAP acts as the root AP for the WGB.
  • We can only configure one radio for WGB mode to connect to the LAP.
  • By default, access points treat workgroup bridges as client devices.
  • A WGB can support a maximum of 20 clients.
  • These lightweight features are supported for use with a workgroup bridge:
    • Guest N+1 redundancy
    • Local EAP
  • These lightweight features are not supported for use with a workgroup bridge:
    • Cisco Centralized Key Management (CCKM)
    • Hybrid REAP
    • Idle timeout
    • Web authentication
  • These features are not supported for wired clients connected to a workgroup bridge:
    • MAC filtering
    • Link tests
    • Idle timeout

My topology for this LAB:

Core Switch——-WLC——-LAP~~~~~~~~~~WGB———–Switch——Client

  • The Dynamic Host Configuration Protocol (DHCP) is configured for VLAN 80 (on the core switch) and VLAN 81 (on the WLC).
  • The WLC has dynamic interfaces created for VLANs 80 and 81.
  • The WGB has sub-interfaces for the required VLANs, 80 and 81.
  • The switch behind the WGB has the required VLANs, 80 and 81.
  • The WLC is connected to the core switch with a trunk port and AP001 (the LAP) is connected with an access port.
  • WLC1 is configured with 2 dynamic interfaces: 80 (Test) and 81 (Coding).
  • Created an SSID “Test” with WPA2/AES-PSK as shown below.

[Screenshot: WGB_MuVLAN1]

Config. on Core Switch:

First we have to create a DHCP pool and an SVI for the management VLAN so that the LAP and the WGB can get IP addresses. Here I created the DHCP pool "WGB" for VLAN 80 and configured the WLC and AP switch ports as shown below.

ip dhcp excluded-address 10.35.80.1 10.35.80.100
ip dhcp excluded-address 10.35.80.120 10.35.80.254
 !
 ip dhcp pool WGB
 network 10.35.80.0 255.255.255.0
 default-router 10.35.80.254
 option 43 ip 10.35.80.1
 lease 3
 !
 vlan 80
 name Management
 !
 vlan 81
 name coding
 !
 interface FastEthernet1/24
 description LAP - AP001
 switchport access vlan 80
 switchport mode access
 !
 interface FastEthernet0/25
 description *** WLC1  ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 80,81
 switchport mode trunk
 !
 interface Vlan80
 ip address 10.35.80.245 255.255.255.0

Configuration on WLC:

WLAN Configuration:

Step 1: As shown in the picture, I created the SSID "Test" with the WPA2-PSK security policy and assigned the management interface to it.

WGB_MuVLAN2

Step 2: DHCP scope for VLAN 81:

The wired client behind the WGB will get its IP address from VLAN 81, so we have to create a DHCP scope for it on the WLC.

WGB_MuVLAN3

Step 3: Enable WGB VLAN client support from the WLC CLI:

(WLC1) >config wgb vlan enable

It is disabled by default, and it must be enabled for wired clients behind the WGB to be placed in their own VLANs.

Config of WGB:

  1. I am using the 2.4-GHz (802.11b/g) radio, Dot11Radio0, on the WGB. (Only one radio can be configured in WGB mode to connect to the LAP.)
  2. To support multiple VLANs behind the WGB we have to use the VLAN-tagging feature (unified VLAN client), which keeps VLAN traffic separated by VLAN number in the Unified WGB solution. When it is enabled, the WGB strips the 802.1Q header from frames coming from a VLAN client before sending them over the air to the wireless LAN controller (WLC), and re-adds the 802.1Q header to frames it receives for a VLAN client before forwarding them to the switch behind the WGB.

The WGB informs the WLC of each wired client's VLAN in the Internet Access Point Protocol (IAPP) association message. The WLC treats each wired client as a VLAN client and forwards its packets out of the right dynamic interface based on the source MAC address.

In the upstream direction, the WGB removes the 802.1Q header before sending the frame to the WLC.

In the downstream direction, the WLC sends the frame to the WGB without an 802.1Q tag, and the WGB adds the 4-byte 802.1Q header, selected by destination MAC address, before forwarding the frame to the switch that connects the wired client.

To enable VLAN tagging, use this global configuration command on the WGB (not on the WLC):

WGB(config)# workgroup-bridge unified-vlan-client
  3. If you hit this problem while testing: a wired client connects through the WGB but is dropped after some time (in my case the switch connected to the WGB kept losing its IP address), its bridge-table entry is aging out. Raise the bridge aging time on the WGB with this command:
WGB(config)# bridge <bridge-group-number> aging-time 65535
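To make the upstream/downstream tag handling concrete, here is an added example written for this page (it is a model of the behaviour described above, not Cisco's code). It strips the 4-byte 802.1Q header from frames arriving from wired clients, remembers each source MAC's VLAN (the information the WGB reports to the WLC over IAPP), and re-tags downstream frames by destination MAC. Frames on the native VLAN (80 here, matching `encapsulation dot1Q 80 native`) stay untagged on the wire. The MAC addresses are the ones seen in the `sh bridge` output later on this page; the frames themselves are constructed for the example.

```python
"""Model of the 802.1Q handling behind `workgroup-bridge unified-vlan-client`.
Added example, not Cisco code; all frames below are hand-constructed."""
import struct

TPID_8021Q = 0x8100


def mac(s: str) -> bytes:
    """Accept Cisco dotted (381c.1a89.f4c1) or colon (38:1c:1a:89:f4:c1) notation."""
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Ethernet II frame, optionally carrying an 802.1Q tag right after the source MAC."""
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP=0, DEI=0, VID=vlan
    return hdr + struct.pack("!H", ethertype) + payload


def vlan_of(frame: bytes, native_vlan: int):
    """Return (vlan_id, is_tagged) for a frame as seen on the wired side."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, True
    return native_vlan, False


class UnifiedVlanClientWgb:
    """Minimal model of the WGB data path for the unified VLAN client feature."""

    def __init__(self, native_vlan: int):
        self.native_vlan = native_vlan
        # MAC -> VLAN, learned upstream; this is what the WGB reports to the WLC via IAPP
        self.vlan_by_mac: dict = {}

    def upstream(self, frame: bytes) -> bytes:
        """Wired client -> WGB -> WLC: learn the source MAC's VLAN, forward untagged."""
        vlan, tagged = vlan_of(frame, self.native_vlan)
        self.vlan_by_mac[frame[6:12]] = vlan
        return frame[:12] + frame[16:] if tagged else frame

    def downstream(self, frame: bytes) -> bytes:
        """WLC -> WGB -> switch: choose the VLAN by destination MAC, tag unless native."""
        vlan = self.vlan_by_mac.get(frame[:6])
        if vlan is None:
            raise KeyError("unknown wired-client MAC; the WLC would not have forwarded this")
        if vlan == self.native_vlan:
            return frame
        return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


# Constructed sample traffic using the MACs from the `sh bridge` output on this page.
CLIENT_VLAN81 = "c434.6b25.80c8"   # wired client on VLAN 81
SWITCH_VLAN80 = "381c.1a89.f4c1"   # switch on the native VLAN 80
WLC_SIDE = "0022.bd98.3a30"        # stands in for the upstream (AP/WLC) side


def demo() -> dict:
    wgb = UnifiedVlanClientWgb(native_vlan=80)
    up81 = wgb.upstream(build_frame(WLC_SIDE, CLIENT_VLAN81, 0x0800, b"\x45" * 20, vlan=81))
    wgb.upstream(build_frame(WLC_SIDE, SWITCH_VLAN80, 0x0806, b"\x00" * 28))  # untagged = native
    down81 = wgb.downstream(build_frame(CLIENT_VLAN81, WLC_SIDE, 0x0800, b"\x45" * 20))
    down80 = wgb.downstream(build_frame(SWITCH_VLAN80, WLC_SIDE, 0x0806, b"\x00" * 28))
    return {
        "learned": {k.hex(): v for k, v in wgb.vlan_by_mac.items()},
        "up81_tagged": vlan_of(up81, 80)[1],     # tag removed before the air interface
        "down81_vlan": vlan_of(down81, 80)[0],   # tag re-added towards the switch
        "down80_tagged": vlan_of(down80, 80)[1], # native VLAN stays untagged
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why `bridge-group 81` on both `Dot11Radio0.81` and `FastEthernet0.81` matters: the VLAN is carried only in the WGB's MAC-to-VLAN table once the tag is stripped, so a wired MAC that the WGB has never seen upstream cannot be placed in the right VLAN on the way back down.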

So here is the complete config for WGB:

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 105A0C0A114640585851
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge --> To define the role of this AP as WGB
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 !
 workgroup-bridge unified-vlan-client --> To support multiple VLAN on WGB

Verification:

On WGB:

WGB#sh bridge
 Total of 300 station blocks, 293 free
 Codes: P - permanent, S - self
 Bridge Group 1:
 Address       Action   Interface       Age   RX count   TX count
 0022.bd98.3a30   forward   Vi0.80            2          3          0
 381c.1a89.f4c1   forward   Fa0.80            2         12          2
 381c.1a89.f481   forward   Fa0.80            0        654          0
 001e.4a81.4c96   forward   Vi0.80            0        386          4
 Bridge Group 81:
 381c.1a89.f4c2   forward   Fa0.81            3          1          0
 c434.6b25.80c8   forward   Fa0.81            0       2352          0
 381c.1a89.f481   forward   Fa0.81            0        316          0
WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a32 10.35.80.1      LWAPP-Parent AP001           -              Assoc
WGB#sh dot11 associations  0022.bd98.3a32
 Address           : 0022.bd98.3a32     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 0
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -46  dBm           Connected for    : 989 seconds
 Signal to Noise   : 43  dB            Activity Timeout : 15 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 672848             Packets Output   : 66093
 Bytes Input       : 128614720          Bytes Output     : 6258031
 Duplicates Rcvd   : 0                  Data Retries     : 3361
 Decrypt Failed    : 0                  RTS Retries      : 425
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
  

ON WLC:

Via GUI:

WGB_MuVLAN4

WGB_MuVLAN5

WGB_MuVLAN6

The client connected to the switch behind the WGB got an IP address in VLAN 81.

WGB_MuVLAN7

Via CLI:

(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11g            2
(WLC1) >show wgb detail 58:8d:09:03:e3:1c
 Number of wired client(s): 2
 MAC Address        IP Address      AP Name            Mobility   WLAN Auth
 -----------------  --------------- -----------------  ---------- ---- ----
 c4:34:6b:25:80:c8  10.35.81.32     AP001              Local      3    Yes
 38:1c:1a:89:f4:c1  10.35.80.108    AP001              Local      3    Yes
(WLC1) >show client  summary
 Number of Clients................................ 3
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 38:1c:1a:89:f4:c1 AP001             Associated    3              Yes  N/A              1    N/A
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11g          1    N/A
 c4:34:6b:25:80:c8 AP001             Associated    3              Yes  N/A              1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c --> My WGB
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 2 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 900 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
 ............................................. 12.0,18.0,24.0,36.0,48.0,
 ............................................. 54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1 --> Switch in vlan 80
 Client MAC Address............................... 38:1c:1a:89:f4:c1
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 909 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.108
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 0
 (WLC1) >show client detail c4:34:6b:25:80:c8 --> Client in VLAN 81
 Client MAC Address............................... c4:34:6b:25:80:c8
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 919 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.81.32
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ coding
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
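Notice that the two wired clients show "Encryption Cipher None" and "Management Frame Protection No" while the WGB itself shows CCMP (AES) and MFP Yes. That is expected: the wired clients are not 802.11 stations, and their traffic over the air is protected by the WGB's own association. The script below is an added example written for this page (not the author's code and not a Cisco tool) that parses `show client detail` output, ties each wired client to its WGB, and reports the cipher that actually protects it. SAMPLE is a hand-trimmed copy of the three entries above containing only the fields the script uses; the field labels are assumed to be exactly as this WLC release prints them.

```python
"""Parse WLC `show client detail` text and check that every wired client behind a
WGB is carried over a CCMP-protected link.  Added example; SAMPLE is trimmed
from the output shown on this page."""
import re

SAMPLE = """\
Client MAC Address............................... 58:8d:09:03:e3:1c
AP Name.......................................... AP001
Workgroup Bridge................................. 2 client(s)
IP Address....................................... 10.35.80.110
Policy Type...................................... WPA2
Authentication Key Management.................... PSK
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... Yes
Interface........................................ management
VLAN............................................. 80
Client MAC Address............................... 38:1c:1a:89:f4:c1
AP Name.......................................... AP001
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
IP Address....................................... 10.35.80.108
802.1P Priority Tag.............................. disabled
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
Interface........................................ management
VLAN............................................. 80
Client MAC Address............................... c4:34:6b:25:80:c8
AP Name.......................................... AP001
Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
IP Address....................................... 10.35.81.32
Policy Type...................................... WPA2
Authentication Key Management.................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
Interface........................................ coding
VLAN............................................. 81
"""

# "Field name........ value"; continuation lines that begin with dots are skipped.
FIELD = re.compile(r"^\s*([A-Za-z0-9].*?)\.{2,}\s*(.*?)\s*$")


def parse_client_detail(text: str) -> list:
    """One dict per client; a new record starts at each 'Client MAC Address' line."""
    clients, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        name, value = m.group(1).strip(), m.group(2)
        if name == "Client MAC Address":
            current = {}
            clients.append(current)
        if current is not None:
            current[name] = value
    return clients


def wgb_protection_report(clients: list) -> dict:
    """Map each wired client to the WGB carrying it and the cipher on that WGB's link."""
    by_mac = {c["Client MAC Address"]: c for c in clients}
    report = {}
    for c in clients:
        parent_ref = c.get("Workgroup Bridge Client")
        if not parent_ref:
            continue  # a real 802.11 station, or the WGB itself
        parent_mac = parent_ref.split("WGB:", 1)[1].strip()
        parent = by_mac.get(parent_mac)
        link_cipher = parent["Encryption Cipher"] if parent else None
        report[c["Client MAC Address"]] = {
            "vlan": int(c["VLAN"]),
            "interface": c["Interface"],
            "own_cipher": c["Encryption Cipher"],   # always 'None' for wired clients
            "wgb": parent_mac,
            "link_cipher": link_cipher,              # what really protects the traffic
            "protected": link_cipher is not None and link_cipher.startswith("CCMP"),
        }
    return report


if __name__ == "__main__":
    for client_mac, info in wgb_protection_report(parse_client_detail(SAMPLE)).items():
        print(client_mac, info)
```

A wired client whose parent WGB is missing from the output, or whose parent shows a cipher other than CCMP, is flagged as unprotected; that is the condition worth alerting on, not the "None" on the wired entry itself.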

***Configuring a specific client VLAN

If all wired devices connected to the WGB's Ethernet port should be placed in one specific VLAN, we can set that VLAN for the connected devices with this command on the WGB:

WGB(config)# workgroup-bridge client-vlan vlan-id

All devices connected to the workgroup bridge's Ethernet port are then assigned to that VLAN.

That’s all for today 🙂

 

WGB with EAP-FAST in UWNS

In this post we will see how to configure the WGB for WPA2 with 802.1X EAP-FAST authentication in the Unified Wireless Network Solution (UWNS).

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is provided by the core switch.

The WGB and the client will get IP addresses in VLAN 80.

Here is my Topology

WGB°°°°°°°°°°°°°LAP—————-Switch————–WLC

Fast1

WLC Configuration:

First we have to configure a WLAN "Test" with the WPA2 policy and 802.1X authentication key management.

Fast2

Fast3

Now we have to create a Local EAP profile "WGB_TEST" with EAP-FAST as its method and assign it to the WLAN.

Fast4

Fast5

We must also set the authentication priority order for Local EAP so that the local user database is used.

Fast6

To finish the WLC configuration, create a local net user (username and password) for the WGB to authenticate with, and assign this user to the WLAN.

Fast7

WGB Configuration:

Here is the configuration of WGB with EAP-FAST.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open eap eap_FAST
 authentication network-eap eap_FAST
 authentication key-management wpa version 2
 dot1x credentials WGB_FAST
 dot1x eap profile WGB_TEST
 !
 eap profile WGB_TEST
 method fast
 !
 dot1x credentials WGB_FAST
 username testuser
 password 7 15060E1F107B79777C66
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80 --> Adds a permanent (non-aging) entry for this MAC to the bridge table

Right after the configuration is completed we see this message on the WGB CLI:

 *Jul 24 01:53:14.255: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [EAP-FAST WPAv2]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              EAP-Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 36.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 221 seconds
 Signal to Noise   : 22  dB            Activity Timeout : 13 seconds
 Power-save        : Off                Last Activity    : 2 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 20799              Packets Output   : 1663
 Bytes Input       : 3847215            Bytes Output     : 180188
 Duplicates Rcvd   : 0                  Data Retries     : 812
 Decrypt Failed    : 0                  RTS Retries      : 18
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. testuser
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 308 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 Re-Authentication Timeout........................ 86111
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... 802.1x
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... EAP-FAST
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

 

WGB with LEAP in UWNS

In this post we will see how to configure the WGB for WPA2 with 802.1X LEAP authentication in the Unified Wireless Network Solution (UWNS). Keep in mind that LEAP is a legacy method: its MS-CHAP-based challenge/response can be captured over the air and attacked offline with a dictionary, so it should only be used where nothing stronger is available; EAP-FAST is the recommended replacement.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is provided by the core switch.

The WGB and the client will get IP addresses in VLAN 80.

Here is my Topology

WGB°°°°°°°°°°°°°LAP—————-Switch————–WLC

Leap1

WLC Configuration:

First we have to configure a WLAN "Test" with the WPA2 policy and 802.1X authentication key management.

Leap2

Leap3

Now we have to create a Local EAP profile "WGB_TEST" with LEAP as its method and assign it to the WLAN.

Leap4

Leap5

We must also set the authentication priority order for Local EAP so that the local user database is used.

Leap6

To finish the WLC configuration, create a local net user (username and password) for the WGB to authenticate with, and assign this user to the WLAN.

Leap7

WGB Configuration:

Here is the configuration for the workgroup bridge.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open eap eap_Leap
 authentication network-eap eap_Leap
 authentication key-management wpa version 2
 dot1x credentials WGB_LEAP
 dot1x eap profile WGB_TEST
 !
 eap profile WGB_TEST
 method leap
 !
 dot1x credentials WGB_LEAP
 username sandeep
 password 7 105A0C0A114640585851
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80 --> Adds a permanent (non-aging) entry for this MAC to the bridge table

Right after the configuration is completed we see this message on the WGB CLI:

*Jul 24 01:25:59.817: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [LEAP WPAv2]
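One thing to be aware of with the `password 7` line in the `dot1x credentials` block here and in the EAP-FAST configuration, and with the `wpa-psk ascii 7` line in the multi-VLAN configuration: type 7 is obfuscation, not encryption. The first two characters are a decimal offset into a fixed, publicly known key and every following byte pair is one plaintext byte XORed with the key byte at that position, so anyone who can read the configuration (a backup, a TFTP copy, a `show run` over the shoulder) can recover the credentials. The decoder below is an added example written for this page, not Cisco code and not the author's; the key constant is the well-known type 7 translation table, and the three strings are copied from the configurations on this page. Run against them, the two `password 7` values and the PSK all decode to the same short plaintext, i.e. the lab reuses the WPA2 PSK as the 802.1X user password.

```python
"""Cisco type 7 decode/encode.  Added example; the strings in PAGE_SECRETS are the
type 7 values that appear in the configurations on this page."""

# Fixed key used by IOS for type 7; this is public knowledge, which is the point.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as 105A0C0A114640585851."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])             # starting offset into XLAT
    data = bytes.fromhex(encoded[2:])   # one byte of ciphertext per plaintext byte
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def encode_type7(plain: str, seed: int = 0) -> str:
    """The inverse: same keystream, so a round trip proves there is no secret key."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    data = plain.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}" + body.hex().upper()


# Type 7 strings copied from the WGB configurations on this page.
PAGE_SECRETS = {
    "wpa-psk ascii 7 (multi-VLAN post)": "105A0C0A114640585851",
    "dot1x credentials WGB_FAST password 7": "15060E1F107B79777C66",
    "dot1x credentials WGB_LEAP password 7": "105A0C0A114640585851",
}


def decode_page_secrets() -> dict:
    """Decode every type 7 string found on the page."""
    return {label: decode_type7(s) for label, s in PAGE_SECRETS.items()}


if __name__ == "__main__":
    for label, plain in decode_page_secrets().items():
        print(f"{label}: {plain}")
```

In practice this means the WGB's running configuration and any backups of it must be handled as secrets, the 802.1X password should not be the same as the PSK (compromising one WGB config would otherwise expose both), and LEAP adds a second exposure, since the same password is also attackable from captured over-the-air exchanges.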

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              EAP-Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 296 seconds
 Signal to Noise   : 23  dB            Activity Timeout : 15 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 5097               Packets Output   : 266
 Bytes Input       : 944287             Bytes Output     : 26379
 Duplicates Rcvd   : 0                  Data Retries     : 121
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. sandeep
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 445 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 Re-Authentication Timeout........................ 85947
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... 802.1x
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... LEAP
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

In the next post we will see how to configure WGB with EAP-FAST in UWNS 🙂