AAA Override

In this post we will learn about the AAA Override feature, which is used together with a RADIUS server (ACS in this lab).

AAA Override is used for identity networking: it lets the RADIUS server return, per client, a VLAN, a QoS level and an ACL, which the controller then applies instead of the WLAN's static settings.

Basic Info:

By using this feature we can reduce the number of WLANs (SSIDs) and still keep the network segmented, because the segmentation is applied per user instead of per SSID.

In this post we take the example of dynamic VLAN assignment. It allows a single SSID to serve many users and place each of them in a VLAN according to their role.

How it works:

  1. The wireless client associates to the AP on a specific WLAN.
  2. The wireless client starts the RADIUS authentication process.
  3. When the client authenticates successfully, the RADIUS server assigns it to a specific VLAN (as configured on the RADIUS server), regardless of the VLAN the SSID is mapped to on the AP/WLC. If the RADIUS server returns no VLAN attribute for the client, the client is placed in the VLAN of the interface the WLAN is mapped to locally.

Limitations and requirements:

  • After a per-client ACL is added, the WLAN must be disabled and re-enabled so that the clients re-authenticate; otherwise the ACL does not take effect.
  • If the ACL returned by the RADIUS server does not exist on the WLC (or the name is misspelt), the client is not allowed to authenticate.
  • In H-REAP/FlexConnect local switching, multicast is forwarded only on the VLAN the SSID is mapped to, not on any overridden VLAN.
  • When an interface group is mapped to a WLAN, clients connecting to that WLAN do not get IP addresses in round-robin fashion; AAA override with interface groups is supported.
  • The override values (VLAN, QoS, ACL) are defined on the RADIUS server; the WLC only enforces what it receives.
  • AAA Override must be enabled on the WLAN (GUI or CLI). Only then does the controller accept the attributes returned by the RADIUS server and apply them to the client.

Enable this feature on WLAN:

Via GUI:

AAAoverride2

Via CLI:

WLC > config wlan aaa-override enable <wlan-id>
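To make the decision above concrete, here is an added example (mine, not code from the original post or from Cisco) that models what the controller does with an Access-Accept once aaa-override is enabled on the WLAN. The attribute numbers are the standard RFC 2868 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = VLAN id); the Airespace-ACL-Name label, the class names and the fallback to the WLAN's own interface for a VLAN that has no interface on the WLC are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Standard RFC 2868 tunnel attributes a RADIUS server returns for a VLAN assignment.
TUNNEL_TYPE = 64                # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65         # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81    # the VLAN id, sent as a string
# Vendor-specific attribute carrying the per-client ACL name (assumed label for this model).
ACL_NAME = "Airespace-ACL-Name"


@dataclass
class Wlan:
    wlan_id: int
    interface_vlan: int         # VLAN of the interface the WLAN is mapped to
    aaa_override: bool = False  # "config wlan aaa-override enable <wlan-id>"


@dataclass
class Controller:
    interfaces: dict            # dynamic interfaces on the WLC: vlan id -> interface name
    acls: set = field(default_factory=set)    # ACL names that exist on the WLC
    wlans: dict = field(default_factory=dict)

    def apply_access_accept(self, wlan_id, attrs):
        """Decide where a freshly authenticated client lands.

        attrs maps RADIUS attribute (number or VSA name) -> value.
        Returns (verdict, vlan, acl_name).
        """
        wlan = self.wlans[wlan_id]
        vlan = wlan.interface_vlan
        if not wlan.aaa_override:
            # Override disabled: the WLC ignores whatever the server returned.
            return ("accept", vlan, None)

        has_vlan_attrs = (attrs.get(TUNNEL_TYPE) == 13
                          and attrs.get(TUNNEL_MEDIUM_TYPE) == 6
                          and TUNNEL_PRIVATE_GROUP_ID in attrs)
        if has_vlan_attrs:
            wanted = int(attrs[TUNNEL_PRIVATE_GROUP_ID])
            # Assumption for this model: a VLAN with no interface on the WLC leaves
            # the client on the WLAN's own interface instead of failing the join.
            if wanted in self.interfaces:
                vlan = wanted

        acl = attrs.get(ACL_NAME)
        if acl is not None and acl not in self.acls:
            # ACL returned but not present on the WLC: the client is not allowed on.
            return ("reject", None, acl)
        return ("accept", vlan, acl)


def demo():
    """Five Access-Accept outcomes on a constructed controller."""
    wlc = Controller(interfaces={10: "management", 20: "staff", 30: "contractor"},
                     acls={"contractor-acl"})
    wlc.wlans[1] = Wlan(1, interface_vlan=10, aaa_override=True)
    wlc.wlans[2] = Wlan(2, interface_vlan=10, aaa_override=False)
    staff = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "20"}
    contractor = {**staff, TUNNEL_PRIVATE_GROUP_ID: "30", ACL_NAME: "contractor-acl"}
    typo = {**contractor, ACL_NAME: "contractor-acl-v2"}   # ACL name not on the WLC
    return {
        "staff": wlc.apply_access_accept(1, staff),
        "contractor": wlc.apply_access_accept(1, contractor),
        "no_attrs": wlc.apply_access_accept(1, {}),
        "override_off": wlc.apply_access_accept(2, staff),
        "bad_acl": wlc.apply_access_accept(1, typo),
    }
```

Running demo() gives the five cases: VLANs 20 and 30 are taken from the server, a client with no attributes stays on VLAN 10, a WLAN without aaa-override ignores the attributes entirely, and an ACL name that does not exist on the WLC rejects the client, which is the second limitation listed above.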

In next post we will see how this function can be used with an example.


Foreign Mapping/ Auto Anchor Mobility

In this post we will learn how to configure foreign mapping between two controllers.

Auto-Anchor mobility, also known as Foreign Mapping, lets clients that join through different foreign controllers at different physical locations obtain their IP addresses from a subnet (or group of subnets) chosen on the anchor according to the foreign controller they came from.

  1. First of all, both controllers must have each other in their mobility lists.
  2. Auto-anchoring must be configured on the WLAN.

How to Configure Mobility

How to Configure Auto Anchoring

Steps to configure Foreign Mapping on the Anchor Controller

*** This is configured only on the anchor controller, i.e. the controller where the client is terminated and gets its IP address.

Step1: Select the WLANs tab.

Step2: Click the blue drop-down arrow for the WLAN (in my case RSCCIEW) and choose Foreign-Maps.

Step3: The foreign mappings page appears. It lists the MAC addresses of the foreign controllers in the mobility group and the interfaces created on the anchor WLC.

Step4: Select the foreign controller MAC (WLC2 in my case) and the interface (rscciew) it must be mapped to, then click Add Mapping.

Anchor WLC configuration:

Foreignmap1

Foreignmap2

Foreignmap3

Foreignmap4

Verification:

Anchor WLC:

(WLC1) >show client  summary
 Number of Clients................................ 2
 GLAN/
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6  Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
 48:43:7c:8b:c3:92 192.168.10.3         N/A Associated     3    Yes  Mobile           13   No    No      Export Anchor
(WLC1) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 AP radio slot Id................................. N/A
 Client State..................................... Associated
 Client User Group................................
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 3
 Wireless LAN Network Name (SSID)................. RSCCIEW
 Wireless LAN Profile Name........................ RSCCIEW
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 00:00:00:00:00:ff
 Connected For ................................... 133 secs
 Channel.......................................... N/A
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. 192.168.82.254
 Netmask.......................................... 255.255.255.0
 IPv6 Address..................................... fe80::
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Disabled
 Supported Rates..................................
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500100000085546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... N/A
 Encryption Cipher................................ None
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ rscciew
 VLAN............................................. 82
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 82
 Local Bridging VLAN.............................. 10
 .
 .
 (WLC1) >

Foreign WLC:

(WLC2) >show client summary
 Number of Clients................................ 1
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6 Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------
 48:43:7c:8b:c3:92 AP002             1   Associated     5    Yes  802.11n(5 GHz)   1    N/A   No     Export foreign
(WLC2) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 84:80:2d:c3:6c:d0
 AP Name.......................................... AP002
 AP radio slot Id................................. 1
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 5
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 84:80:2d:c3:6c:db
 Connected For ................................... 123 secs
 Channel.......................................... 64
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. Unknown
 Netmask.......................................... Unknown
 IPv6 Address..................................... fe80::
 Association Id................................... 2
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Enabled
 APSD ACs.......................................  BK  BE  VI  VO
 Power Save....................................... ON
 Current Rate..................................... m7
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500300000073546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 10
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 10
 .
 .
 (WLC2) >
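A quick consistency check for the two outputs above, as an added example (not from the original post and not a Cisco tool): it parses the "Key....... Value" lines of show client detail from both controllers and cross-checks that the client is anchored where the foreign map says it should be. The function and variable names are mine; the excerpts are constructed from the outputs shown above, trimmed to the fields that matter.

```python
import re

# One "Key........ Value" line of WLC 'show client detail' output.
_FIELD = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(.*?)\s*$")


def parse_show_client_detail(text):
    """Turn 'show client detail' output into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(1).strip("."):       # skip continuation lines made of dots only
            fields[m.group(1)] = m.group(2)
    return fields


def check_foreign_mapping(anchor_out, foreign_out, anchor_ip, foreign_ip, mapped_interface):
    """Cross-check one client on the anchor and on the foreign controller.

    Returns a list of problems; an empty list means the mapping works as intended.
    """
    a = parse_show_client_detail(anchor_out)
    f = parse_show_client_detail(foreign_out)
    problems = []
    if a.get("Client MAC Address") != f.get("Client MAC Address"):
        problems.append("client MAC differs between the two controllers")
    if a.get("Mobility State") != "Export Anchor":
        problems.append("anchor is not in Export Anchor state: %r" % a.get("Mobility State"))
    if f.get("Mobility State") != "Export Foreign":
        problems.append("foreign is not in Export Foreign state: %r" % f.get("Mobility State"))
    if a.get("Mobility Foreign IP Address") != foreign_ip:
        problems.append("anchor points at the wrong foreign controller: %r"
                        % a.get("Mobility Foreign IP Address"))
    if f.get("Mobility Anchor IP Address") != anchor_ip:
        problems.append("foreign points at the wrong anchor controller: %r"
                        % f.get("Mobility Anchor IP Address"))
    if a.get("IP Address") != f.get("IP Address"):
        problems.append("client IP differs between the two controllers")
    if a.get("Interface") != mapped_interface:
        problems.append("anchor terminated the client on %r, expected %r"
                        % (a.get("Interface"), mapped_interface))
    if f.get("Interface") != "management":
        # On the foreign side the client is tunnelled, not bridged locally.
        problems.append("foreign should keep the tunnelled client on management, got %r"
                        % f.get("Interface"))
    return problems


# Constructed excerpts, trimmed from the two 'show client detail' outputs above.
ANCHOR_OUTPUT = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client State..................................... Associated
 Wireless LAN Network Name (SSID)................. RSCCIEW
 IP Address....................................... 192.168.82.11
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Interface........................................ rscciew
 VLAN............................................. 82
"""

FOREIGN_OUTPUT = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client State..................................... Associated
 IP Address....................................... 192.168.82.11
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Interface........................................ management
 VLAN............................................. 10
"""


def demo():
    args = dict(anchor_ip="192.168.10.1", foreign_ip="192.168.10.3", mapped_interface="rscciew")
    return {
        "good": check_foreign_mapping(ANCHOR_OUTPUT, FOREIGN_OUTPUT, **args),
        # Simulate a missing foreign map: the anchor dropped the client on management.
        "unmapped": check_foreign_mapping(ANCHOR_OUTPUT.replace(" rscciew", " management"),
                                          FOREIGN_OUTPUT, **args),
    }
```

The "good" case returns no problems for the pair shown above; the "unmapped" case is what you see when the foreign map for that controller is missing and the anchor terminates the client on its default interface instead of rscciew.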

That’s all about Foreign Mapping 🙂

Office Extend AP

In this post we will learn how to set up an OfficeExtend AP. In my example I am using a normal AP (2600 series).

Basic Info:

As its name indicates, it “extends” our wireless network to a remote home office: remote workers get the same enterprise access they would have inside the corporate office.

Cisco has a specific AP for this use, the OEAP600 (Aironet 600):

The Aironet 600 is a simultaneous dual-band access point with both 2.4 and 5 GHz radios. Because both radios run at the same time, one can be used for personal traffic while the other is dedicated to corporate access, using separate SSIDs.

The OEAP 600 series has 4 LAN ports: one is for the Remote-LAN, the other 3 are for local LAN connectivity. A maximum of 3 corporate WLANs can be extended and a maximum of 15 clients can join. Configuration-wise the OEAP only needs the WLC IP to be pre-configured.

The OEAP tunnels back to the Cisco WLC over CAPWAP, protected with DTLS. Enterprise access and authentication are extended across that tunnel without any additional configuration. An OfficeExtend AP requires an internal Cisco Wireless LAN Controller.

As per Cisco best practice, two WLCs are used (DMZ and internal). The second WLC is placed in the DMZ and must have a NAT address assigned to it, with UDP ports 5246 and 5247 (CAPWAP control and data) opened to it.

We only need to prime the AP with the public (NAT) address of the WLC and connect it to our Fritzbox or DSL router. Once the AP comes up, we can use our corporate networks with all their security requirements, without a separate VPN client on the PC.

Points to remember:

  1. Before connecting it to the Fritzbox or DSL router, the AP must be primed with the WLC IP (the public/NAT address).
  2. Connected to the Fritzbox/DSL router, the AP gets an IP address, joins the primed controller and builds a DTLS-protected CAPWAP tunnel. From then on we can use the same SSIDs we normally use in the office.
  3. We must enable NAT on the WLC with the correct public IP address, using this command:
config network ap-discovery nat-ip-only enable

OEAP1

Configuration Guide:

I am using the 2600 series AP (at the moment the CCIE lab doesn't have the OEAP600 series).

In my case I first joined the AP to the WLC in local mode. Once it is connected we must change it to FlexConnect/H-REAP mode.

Wireless > All APs, select the AP we want to convert, then under the General tab select FlexConnect mode and click Apply. The AP reboots afterwards.

OEAP2

Once it comes up in FlexConnect mode, there is one more tab, “FlexConnect”.

Now, to convert it to OEAP mode, we must check the Enable OfficeExtend AP box.

OEAP3

Just after selecting the box we get two prompts:

  1. Do you want to enable encryption -> Select OK
  2. Do you want to disable Rogue Detection -> Select OK

*** If we enable encryption, all client data traffic inside the CAPWAP tunnel is encrypted with DTLS. CAPWAP control traffic is always DTLS-protected; without this option only the control channel is. Data DTLS requires a DTLS license on the controller.

In my case I don't have the right license for DTLS, so I can't encrypt this tunnel.

Then click on Apply.

Now open the OEAP's web interface: https://<ip address of AP>

It asks for a username and password. After a successful login this page appears:

OEAP4

Click on Enter

OEAP5

We can also create a Personal SSID. Traffic from this SSID stays local at the home site and does not go through the DTLS tunnel.

Configuration > Check the Personal SSID box, enter the details and click Apply.

OEAP6

If we want, we can broadcast only specific WLANs from HQ on this AP by creating an AP group; otherwise the AP uses default-group.

Other Info:

By default, when NAT is enabled, the WLC responds with only the NAT IP address during AP discovery. If APs exist both inside and outside the NAT gateway, issue this command so that the WLC responds with both the NAT IP address and the non-NAT (inside) management IP address:

config network ap-discovery nat-ip-only disable

For more info see: OEAP Config Guide

Wired Guest Access with two WLC

In this post we will learn how to implement wired guest access with two WLCs.

DMZ and Internal WLC Scenario:

Here is my Topology:

WiredGuest2wlc1

Foreign WLC Configuration:

  1. Configure a dynamic interface (in my case: wiredguestin) for wired guest user access on the foreign WLC.
  2. Create a WLAN of type Guest LAN and set the ingress interface to wiredguestin (created in the previous step) and the egress interface to management.
  3. Assign the mobility anchor to the WLAN.

Foreign WLC:

Step1: Create the wired guest (ingress) interface on WLC2:

WiredGuest2wlc2

Step2: WLAN creation on WLC2:

WiredGuest2wlc3

Step3: Assign the mobility anchor to the right WLAN:

WiredGuest2wlc4

 

Anchor WLC Configuration:

  1. Use a normal dynamic interface (in my case: guest) from which the guest clients get their IP addresses (already created).
  2. Create a wired LAN (Guest LAN) for guest user access.
  3. Assign the mobility anchor to self (i.e. local).
  4. Create a test user locally on the WLC.
  5. Verification.

Anchor WLC (WLC1):

I have already created a guest interface on my WLC to have internet access.

Step1: Skip

Step2: Create a WLAN (the same as we did on WLC2, the foreign WLC). Make sure that here we assign the interface in which we want to put the clients (in my case: guest).

Assign the ingress interface as None and the egress interface as guest.

WiredGuest2wlc5

Step3: Assign the mobility anchor to self (i.e. local 🙂)

WiredGuest2wlc6

Step4: Local guest user creation

WiredGuest2wlc7

Verification:

Foreign WLC (WLC2):

WiredGuest2wlc8

Anchor WLC (WLC1):

WiredGuest2wlc9

WiredGuest2wlc10

 

 

Wired Guest Access Solution with Single WLC

In this post we will learn how to implement wired guest access with only one WLC.

A single WLAN controller (VLAN translation mode): the access switch trunks the wired guest traffic, in the guest VLAN, to the WLAN controller that provides the wired guest access solution. The controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

Here is my Topology:

WiredGuest1

To provide the wired guest access, the ports in the Layer 2 access layer switch must be configured on the guest VLAN. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller.

Switch Configuration:

Switch# show running-config | section interface
interface FastEthernet0/10
 description *** Wired Guest Access *** (PC connected here)
 switchport
 switchport access vlan 999
 switchport mode access
!
interface range GigabitEthernet1/5-6
 description *** WLC1 ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,17,999
 switchport mode trunk
 channel-group 1 mode on
!

So let's see the complete process. We need 5 steps to configure wired guest access:

  1. Configure a dynamic interface (VLAN) for wired guest user access (ingress).
  2. Configure a normal dynamic interface from which the guests get their IP addresses (egress).
  3. Create a wired LAN for guest user access.
  4. Create a test user locally on the WLC.
  5. Verification.

Step1: Configure a dynamic interface for wired Guest user access (Ingress)

We don't need an IP address or gateway for this VLAN on the switch or anywhere else.

On WLC1, create a dynamic interface VLAN999.

Go to Controller > Interfaces

In the interface configuration page, check the “Guest LAN” box. As soon as we check this box, fields such as IP address and gateway disappear. The only thing the WLC needs to know about this interface is “there will be client traffic coming from VLAN 999”.

WiredGuest2

Step2: Configure a normal dynamic interface in which we want to assign IP to guest. (Egress)

Create another dynamic interface where the wired guest clients receive an IP address.

In this example the interface is named guest and sits on VLAN 17, where the clients get their IP addresses.

WiredGuest3

Step3: Create a wired LAN for guest user access.

Add a new WLAN: the type must be “Guest LAN”.

WLAN > WLANs, and then Create New WLAN.

Enable the WLAN; map the ingress interface to the “vlan999” created in Step 1, and the egress interface to guest interface created in Step 2.

WiredGuest4

 

WiredGuest5

*** Remember that Layer 2 security is not supported on wired guest LANs; only Layer 3 (web authentication) applies.

WiredGuest6

Then we select Layer 3 web authentication.

WiredGuest7

Here I am using Customized web auth.

Step 4: Create a local test user for testing.

Security > AAA > Local Net Users

WiredGuest8

That’s it for the configuration.

Step 5: Verification

Testing time:

Now connect a laptop/PC to port Fa0/10, which is in VLAN 999, and see what happens. I got an IP address in VLAN 17 (guest interface): 192.168.17.5

If DNS resolution works, the login page pops up automatically; otherwise open the WLC virtual interface manually (https://1.1.1.1/login.html). There we use the credentials created in Step 4.

WiredGuest9

WiredGuest10

 

WLC Admin Access by TACACS+ Server

In this post we will learn how to provide and control WLC management user access via a TACACS+ server.

We will create 3 users:

User1: Full admin rights on the WLC – sandeeprw
User2: Restricted rights on the WLC (access only to the “WLAN” tab) – sandeepro
User3: Lobby user to create guest accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read-Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby
(Lab values only: passwords equal to the username and a shared secret like Test12345 are fine in the lab, not in production.)

Steps:

  1. Add the ACS server to the WLC as a TACACS+ server.
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign shell profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as TACACS+ server

In the WLC GUI, click Security > AAA > TACACS+ > Authentication and enter the parameters of the server. Enter the same server under Accounting and Authorization as well.

TACAS1

Add WLC as AAA client to ACS

Login to ACS and then go to Network Resources > Network Devices and AAA Clients

Select the TACACS+ check box and enter the same shared secret we used when adding ACS to the WLC.

WLC-Admin-RAdius2

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

WLC-Admin-RAdius3

Create Users and assign to respective Identity Groups

WLC-Admin-RAdius4

Assign shell profiles to Users

Here we create shell profiles and assign the custom attribute role1 to each group of users:

Admin users: role1 = ALL
Read-only user: role1 = WLAN (access limited to the WLANs tab)
Lobby users: role1 = MONITOR (Cisco also defines a dedicated LOBBY role for lobby-ambassador access)

TACAS2

TACAS3

TACAS4

Configure Access Policies for specific Users

Create authorization rules in the access service that handles TACACS+ device administration (Default Device Admin in ACS 5.x):

It will look like this:

TACAS5

Assign the Priority order for management access

Authentication order for management users on the WLC:

Security > Priority Order > Management User.

TACAS6

Verification

To verify each account, log in with each user in turn and check the access it gets.

Verification logs from ACS for the user attempts:

TACAS7

That’s all 🙂

In the next post we will learn the AAA override /Dynamic VLAN Assignment feature.

WLC Admin Access by Radius Server

In this post we will learn how to provide and control WLC management user access via an external RADIUS server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights to WLC – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read/Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add the ACS server to the WLC as a RADIUS server (check this post: Configure RADIUS server on WLC).
  2. Add WLC as AAA client to ACS.
  3. Create Identity Groups.
  4. Create Users and assign to respective Identity Groups
  5. Assign roles or Authorization profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority order for management access.
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as Radius server

In the WLC GUI, click Security > AAA > RADIUS > Authentication and enter the parameters of the RADIUS server. If we need accounting as well, enter the accounting server info too.

*** Don't forget to check the Management box; without it the WLC does not use this server for management logins.

WLC-Admin-RAdius1

Add WLC as AAA client to ACS

Login to ACS and then go to Network Resources > Network Devices and AAA Clients

Select the RADIUS check box and enter the same shared secret we used when adding ACS to the WLC.

WLC-Admin-RAdius2

Create Identity Groups

Create Identity groups for different users.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

WLC-Admin-RAdius3

Create Users and assign to respective Identity Groups

WLC-Admin-RAdius4

Assign roles or Authorization profiles to Users

Here we create an authorization profile per group and return the RADIUS Service-Type attribute; the WLC maps it to the management role:

Admin users: Administrative (Service-Type 6) – full read/write
Read-only user: NAS Prompt (Service-Type 7) – read-only
Lobby users: Callback Administrative (Service-Type 11) – lobby ambassador

WLC-Admin-RAdius5

WLC-Admin-RAdius6

WLC-Admin-RAdius7

Configure Access Policies for specific Users

Create Authorization rules under default Network Access:

It will look like this:

WLC-Admin-RAdius8

Assign the Priority order for management access

If the WLC has management users configured both locally and on a RADIUS server with the Management check box enabled, then by default, when a user tries to log in, the WLC behaves like this:

It first looks at the local management users. If the user exists in the local list, it authenticates the user against that entry. Only if the user does not exist locally does it consult the RADIUS server.

In other words, the local database takes precedence over the RADIUS server by default. For management access that is a weakness: a local account can shadow a centrally managed (and centrally revoked) account, so put RADIUS first and keep LOCAL only as the fallback.

Authentication order for management users on the WLC:

Security > Priority Order > Management User.

WLC-Admin-RAdius9

*** If LOCAL is selected as second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.
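Here is an added example (mine, not from the original post or from Cisco) that models the three Service-Type mappings and the management-user priority order described above, so the difference between LOCAL-first and RADIUS-first can be seen on concrete logins. The Service-Type numbers are the RFC 2865 values; the role names, the ACS stand-in and the assumption that a wrong password for an existing local user is a final reject are mine.

```python
from dataclasses import dataclass

# RFC 2865 Service-Type values and the WLC management role each one maps to.
SERVICE_TYPE_ROLE = {
    6: "read-write",    # Administrative
    7: "read-only",     # NAS-Prompt
    11: "lobby-admin",  # Callback-Administrative
}


@dataclass
class RadiusServer:
    """Stand-in for ACS: username -> (password, Service-Type)."""
    users: dict
    reachable: bool = True

    def authenticate(self, user, password):
        """Return 'unreachable', 'reject', or ('accept', role)."""
        if not self.reachable:
            return "unreachable"
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return "reject"
        role = SERVICE_TYPE_ROLE.get(entry[1])
        # An Access-Accept without a usable Service-Type gives no management role.
        return ("accept", role) if role else "reject"


def management_login(order, local_users, radius, user, password):
    """Model of Security > Priority Order > Management User.

    order is e.g. ["RADIUS", "LOCAL"]; local_users maps username -> (password, role).
    The second method is only consulted when the first cannot answer: the user is
    not in the local list, or the RADIUS server is unreachable.  A definite reject
    by the first method is final (assumed for the local-password-mismatch case).
    """
    for method in order:
        if method == "LOCAL":
            entry = local_users.get(user)
            if entry is None:
                continue                      # unknown locally, try the next method
            return ("accept", entry[1]) if entry[0] == password else ("reject", None)
        if method == "RADIUS":
            result = radius.authenticate(user, password)
            if result == "unreachable":
                continue                      # server down, fall through to next method
            return ("reject", None) if result == "reject" else result
    return ("reject", None)


def demo():
    """Constructed accounts: the three lab users on ACS, plus two local entries."""
    acs = RadiusServer({"sandeeprw": ("sandeeprw", 6),
                        "sandeepro": ("sandeepro", 7),
                        "sandeeplobby": ("sandeeplobby", 11)})
    acs_down = RadiusServer(acs.users, reachable=False)
    # Local database: the built-in admin plus a stale copy of a RADIUS account.
    local = {"admin": ("LocalPass!", "read-write"),
             "sandeeprw": ("old-password", "read-write")}
    return {
        "local_first_shadowed": management_login(["LOCAL", "RADIUS"], local, acs, "sandeeprw", "sandeeprw"),
        "radius_first_rw": management_login(["RADIUS", "LOCAL"], local, acs, "sandeeprw", "sandeeprw"),
        "radius_first_ro": management_login(["RADIUS", "LOCAL"], local, acs, "sandeepro", "sandeepro"),
        "radius_first_lobby": management_login(["RADIUS", "LOCAL"], local, acs, "sandeeplobby", "sandeeplobby"),
        "radius_rejects_local_admin": management_login(["RADIUS", "LOCAL"], local, acs, "admin", "LocalPass!"),
        "radius_down_fallback": management_login(["RADIUS", "LOCAL"], local, acs_down, "admin", "LocalPass!"),
    }
```

The two cases worth noticing are "local_first_shadowed", where the stale local copy of sandeeprw wins over the correct RADIUS password, and "radius_rejects_local_admin", where with RADIUS first the local admin account is unusable while the server is reachable, exactly as the note above says.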

Verification

To verify each account, log in with each user in turn and check the access it gets.

If we login with user (sandeeprw) then we will have full administrative access to the WLC.

Example: if we log in with the read-only user (sandeepro) and try to modify something on the WLC, this appears:

WLC-Admin-RAdius10

Verification Logs from ACS about users attempts:

WLC-Admin-RAdius11

That’s all 🙂

Calling & Called station ID

In this post we will see what their format looks like, with an example. It is very important to know these, because in the exam we may need to create a policy based on them.

My topology:

Client~~~~~~~~~~~AP—————–Switch——————–WLC

Call1

AP Details:

Call2

Default Format:

Called-Station-ID: Normally Contains (1) the MAC address of the Access Point and (2) the SSID on which the wireless device is connecting. These 2 fields are separated by a colon.  Example: “AA-BB-CC-DD-EE-FF:SSID_NAME”.

Calling-Station-ID: Contains the MAC address of the wireless device.  Example: “AA-BB-CC-DD-EE-FF”.

Local mode AP:

Let’s see the log:

***I removed the middle part

Call3

Here our Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

And

Calling-Station-ID: F8:16:54:20:F4:C2 (this is from ISE); ACS 5.2 shows it as F8-16-54-20-F4-C2

HREAP Connected Mode

*** In H-REAP connected mode it is the same as in local mode:

Called-Station ID is: 38-1c-1a-c5-66-20:RSCCIEW

Calling Station-ID: F8-16-54-20-F4-C2

HREAP Standalone Mode

*** In H-REAP standalone mode it is a bit different, because the AP itself (not the WLC) is the RADIUS client:

Called-Station-ID: 381c.1ac5.6621

*** This is the BSSID, in Cisco dotted notation (we can also find it via the command line: show ap wlan 802.11a/b <AP name>).

Calling-Station-ID: F816.5420.F4C2

The SSID name is not included in the Called-Station-ID, and the last byte is 21 rather than 20 because the BSSID is derived from the radio's base MAC address with a per-WLAN offset (my WLAN ID is 2). A policy that matches on “:SSID” in the Called-Station-ID therefore does not match clients that authenticate while the AP is in standalone mode.

ACS Policies based on SSID

If we need to create a policy in ACS that includes the SSID, we must either use an End Station Filter or create a custom session condition (Policy Elements > Session Conditions > Custom).

End Station filter:

Policy Elements > Network Conditions > End Station Filters

Create a new filter and enter *SSID_Name (for example *RSCCIEW) under CLI/DNIS. The Called-Station-ID is the DNIS side, and the leading * matches the AP MAC prefix.

Call4

Note: *RSCCIEW must be under DNIS, but here ACS shows it under CLI (this is due to bug CSCtk16271). To resolve this, click Submit again to swap the entries.

Custom Profile:

Policy Elements > Session Conditions > Custom

Click Create and give the custom condition a name.

Under the Condition tab:

Dictionary: RADIUS-IETF

Attribute: Called-Station-ID

Call5
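The following added example (not from the original post, and not ACS or ISE code) pulls together the formats shown above: it normalizes the MAC part of Calling/Called-Station-ID across the ISE, ACS and standalone-AP spellings, splits out the SSID when present, applies the *RSCCIEW End Station Filter, and shows why that filter cannot match a client that authenticated in H-REAP standalone mode. The function names and the BSSID-offset check for standalone mode are my assumptions.

```python
import re
from fnmatch import fnmatchcase

_NOT_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits from any format seen in the logs:
    aa-bb-cc-dd-ee-ff (ACS), aa:bb:cc:dd:ee:ff (ISE) or aabb.ccdd.eeff (Cisco IOS)."""
    digits = _NOT_HEX.sub("", raw)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return digits.lower()


def parse_called_station_id(value):
    """Split a Called-Station-ID into (mac, ssid).

    Local / H-REAP connected mode: 'AP-MAC:SSID' (dash-separated MAC).
    H-REAP standalone mode:        'aabb.ccdd.eeff' (the BSSID, no SSID -> None).
    """
    mac_part, sep, ssid = value.partition(":")
    if sep:
        return normalize_mac(mac_part), ssid
    return normalize_mac(value), None


def matches_end_station_filter(called_station_id, dnis_pattern):
    """ACS End Station Filter on the DNIS side: a '*' wildcard against the whole
    Called-Station-ID, so '*RSCCIEW' matches 'AP-MAC:RSCCIEW'."""
    return fnmatchcase(called_station_id, dnis_pattern)


def bssid_belongs_to_ap(bssid, ap_base_mac, bssids_per_radio=16):
    """Fallback for standalone mode, where no SSID is available.  Assumes, as in the
    example above (base ...20 -> BSSID ...21 for WLAN 2), that BSSIDs are the radio's
    base MAC plus a small per-WLAN offset; the offset range is an assumption."""
    offset = int(normalize_mac(bssid), 16) - int(normalize_mac(ap_base_mac), 16)
    return 0 <= offset < bssids_per_radio


def demo():
    """The values logged above, fed through the helpers."""
    connected = "38-1c-1a-c5-66-20:RSCCIEW"      # local / H-REAP connected mode
    standalone = "381c.1ac5.6621"                # H-REAP standalone mode
    ap_base_mac = "38-1c-1a-c5-66-20"
    calling_ids = ("F8:16:54:20:F4:C2", "F8-16-54-20-F4-C2", "F816.5420.F4C2")
    return {
        "connected": parse_called_station_id(connected),
        "standalone": parse_called_station_id(standalone),
        "filter_connected": matches_end_station_filter(connected, "*RSCCIEW"),
        "filter_standalone": matches_end_station_filter(standalone, "*RSCCIEW"),
        "standalone_same_ap": bssid_belongs_to_ap(standalone, ap_base_mac),
        # ISE, ACS 5.2 and a standalone AP all report the same client.
        "calling_ids_equal": len({normalize_mac(m) for m in calling_ids}) == 1,
    }
```

The "filter_standalone" result is the practical caveat: an SSID-based rule silently stops matching when the AP is in standalone mode, so a policy that must hold in both modes needs a second condition on the AP/BSSID, or it has to accept that standalone clients fall through to the default rule.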

That's all about Calling and Called Station ID 🙂 I don't have much time, otherwise I would love to go into more detail.

WGB Roaming

In this post we try to understand how a WGB scans for parent channels and roams from one parent to another. Implementing the roaming commands on the WGB is really important to keep sessions alive.

Basic Info:

  • A WGB is a mobile device.
  • Companies normally use WGBs in production, mounted on a forklift or a cart together with their equipment. Roaming is a critical part of this and must be smooth; otherwise the WGB disconnects frequently and has to reconnect to another AP.
  • Roaming means changing from the current AP to the next one, so there is a short disconnection, a period without service. This period can be kept small.
  • Roaming is needed when the WGB finds an AP with a better signal than the current one, so that it keeps proper access to the network infrastructure.
  • Too many roams also cause disconnections (not acceptable in production, or in a hospital), which affects access.
  • It is therefore important for a WGB to have a good roaming algorithm with enough configuration options to adapt to different RF environments and data needs.

Configure Roaming:

*** By default the WGB acts like a normal client and scans for another parent only after 8 consecutive beacons are lost.

For a WGB we have a few other methods on top of this default.

Let’s see these in details:

Mobile station:

This command marks the unit as mobile to speed up roaming:

WGB# conf t
WGB(config)#interface dot11Radio 0
WGB(config-if)#mobile station

With this enabled, the WGB scans for a new parent when the RSSI to its AP gets too poor or when it has too many retransmits, which makes it roam earlier. When the mobile station setting is disabled (the default), the workgroup bridge does not search for a new AP until it loses its current association.

Scanning Channels:

WGB(config-if)#mobile station scan 1 6 11

The mobile station scan <channels> command restricts scanning to the listed channels.

By default there is no restriction and all channels are scanned. Once this command is set, the WGB only scans the listed channels, which shortens each scan.

In our case we configured the WGB to scan only channels 1, 6 and 11 instead of all channels.

*** The mobile station commands only show up when the radio is in the WGB role.

*** Make sure the WGB scan list matches the infrastructure channel plan. If not, the WGB never finds the available APs.

RSSI Monitoring:

WGB(config-if)#mobile station period 4 threshold 70

The WGB can proactively check the signal of its current parent and start a new roaming process when it falls below an expected level.

This has two parameters:

  • A timer (period), which wakes up the check every X seconds (here 4 s).
  • An RSSI level (threshold), which starts a roaming process if the current signal is below it; the value is the magnitude in dBm, so 70 means -70 dBm.

Minimum Data Rate:

WGB(config-if)#mobile station minimum-rate 18.0

This command states that WGB must trigger a new roaming event, if the current data rate to parent is bellow a given value.

*** This is too aggressive, and normally, the only solution was to configure a single data rate both in WGB and on parent APs.

With this command the roaming process only starts when the current rate drops below 18 Mb/s, which reduces unnecessary roaming.

CCX Neighbors:

WGB(config-if)#mobile station ignore neighbor-list

Normally, when the WGB scans the channels it builds a list of available APs. CCX provides a mechanism by which the WGB reports to its AP the details of the other APs it heard. But if we configured the WGB to scan only specific channels, it does not need to process CCX neighbor reports to update its known channel list.

*** The mobile station ignore neighbor-list command disables processing of CCX neighbor list reports.

Packet retries:

WGB(config-if)#packet retries 128

By default, the WGB retransmits a frame 64 times (a value from 1 to 128 can be configured).

If the frame is still not acknowledged by the parent AP, the WGB starts the roaming process.

Drop-Packet:

If after 128 tries the WGB gets no ACK from the parent AP, it starts roaming. But with drop-packet, when the parent is still present the WGB does not start a new roam and instead relies on the other triggers, such as beacon loss and signal level.

So the complete command is:

WGB(config-if)#packet retries 128 drop-packet

*** This command must be configured on both sides (on the WGB as well as on the parent AP, under the radio interface).

WGB(config-if)#mobile ?
 station  Mark the unit as mobile to speed up roaming
WGB(config-if)#mobile station ?
 ignore        ignore CCX reports
 minimum-rate  Minimum rate below which the AP is rejected
 period        Minimum time between scans when the connection deteriorates
 scan          Scan the following channels only
 <cr>
WGB(config)#int d0
WGB(config-if)#packet retries 128 drop-packet
RootAP#debug dot11 dot11radio 0 trace print uplink
RootAP#debug dot11 dot11radio 0 trace print rates
WGB(config-if)#
 *Mar  1 19:27:56.501: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
 *Mar  1 19:27:56.502: FAD9916A-0 Uplink: Stop
 *Mar  1 19:27:56.502: FAD991BA-0 Interface down
 *Mar  1 19:27:56.521: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
 *Mar  1 19:27:56.522: FAD9E7DA-0 Interface up
 *Mar  1 19:27:56.523: FAD9E82B-0 Uplink: Wait for driver to stop
 *Mar  1 19:27:56.523: FAD9E8A4-0 Uplink: Enabling active scan
 *Mar  1 19:27:56.523: FAD9E8B7-0 Uplink: Not busy, scan all channels
 *Mar  1 19:27:56.523: FAD9E8C7-0 Uplink: Scanning
 *Mar  1 19:27:56.584: FADAE016-0 Uplink: Rcvd response from 003a.9a3e.a380 channel 11 10283
 *Mar  1 19:27:56.589: FADAF3F1-0 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC01 encrypt_type 0x200
 *Mar  1 19:27:56.589: FADAF42C-0 Uplink: ssid RSCCIEW auth leap
 *Mar  1 19:27:56.589: FADAF43F-0 Uplink: try 003a.9a3e.a380, enc 200 key 3, priv 1, eap 11
 *Mar  1 19:27:56.590: FADAF45E-0 Uplink: Authenticating
 *Mar  1 19:27:56.599: FADB19F9-0 Uplink: Associating
 *Mar  1 19:27:56.608: FADB2EBC-0 3EA380 - Set rate:    54.0  54 Mbps ( 6C), Rssi 24 dBm
 *Mar  1 19:27:56.609: FADB3018-0 Uplink: EAP authenticating
 *Mar  1 19:27:56.668: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
 *Mar  1 19:27:56.670: FADC277E-0 Uplink: Done
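To check that a WGB's roaming setup and the uplink it actually picked look sane, here is an added Python example (not from the original post) that parses the mobile station scan line and the trace print uplink output shown above. The infrastructure channel plan, the known-BSSID list and the second BSSID 0011.2233.4455 are constructed values.

```python
import re

# Constructed inputs modelled on the page: scan-list line, assumed channel plan and known BSSIDs,
# and a few 'debug dot11 dot11radio 0 trace print uplink' lines (the second BSSID is made up).
SCAN_LINE = "mobile station scan 1 6 11"
INFRA_CHANNELS = {1, 6, 11}
KNOWN_BSSIDS = {"003a.9a3e.a380"}
UPLINK_DEBUG = """\
*Mar  1 19:27:56.523: FAD9E8C7-0 Uplink: Scanning
*Mar  1 19:27:56.584: FADAE016-0 Uplink: Rcvd response from 003a.9a3e.a380 channel 11 10283
*Mar  1 19:27:56.585: FADAE0A0-0 Uplink: Rcvd response from 0011.2233.4455 channel 6 9911
*Mar  1 19:27:56.668: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
"""

def parse_scan_list(line):
    """Channels from 'mobile station scan <ch...>'; None means the WGB scans every channel."""
    m = re.match(r"\s*mobile station scan((?:\s+\d+)+)\s*$", line)
    return {int(c) for c in m.group(1).split()} if m else None

def parse_responses(debug):
    """(bssid, channel) for every probe response the WGB logged while scanning."""
    pat = re.compile(r"Uplink: Rcvd response from ([0-9a-f.]+) channel (\d+)")
    return [(bssid, int(ch)) for bssid, ch in pat.findall(debug)]

def parse_uplink(debug):
    """(ap_name, bssid, security) from the UPLINK_ESTABLISHED syslog line, or None."""
    m = re.search(r"UPLINK_ESTABLISHED: .*Associated To AP (\S+) ([0-9a-f.]+) \[([^\]]*)\]", debug)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def audit_uplink(scan_line, infra_channels, known_bssids, debug):
    """Findings: gaps in the scan list, unknown APs answering probes, missing or non-WPAv2 uplink."""
    findings = []
    scan = parse_scan_list(scan_line)
    if scan is None:
        findings.append("no 'mobile station scan' list: WGB scans every channel and roams slowly")
    elif infra_channels - scan:
        findings.append(f"infrastructure channels missing from scan list: {sorted(infra_channels - scan)}")
    for bssid, ch in parse_responses(debug):
        if bssid not in known_bssids:
            findings.append(f"unknown AP {bssid} answered on channel {ch}")
    up = parse_uplink(debug)
    if up is None:
        findings.append("no UPLINK_ESTABLISHED line: WGB did not associate")
    else:
        name, bssid, sec = up
        if bssid not in known_bssids:
            findings.append(f"associated to unknown AP {name} ({bssid})")
        if "WPAv2" not in sec:
            findings.append(f"uplink to {name} is not WPAv2: [{sec}]")
    return findings
```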

These are the other timers available on the WGB:

WGB(config)#workgroup-bridge timeouts ?
 assoc-response  Association Response time-out value
 auth-response   Authentication Response time-out value
 client-add      client-add time-out value
 eap-timeout     EAP Timeout value
 iapp-refresh    IAPP Refresh time-out value

Autonomous AP as WGB (Multiple VLAN)

In this post we will learn how to configure an autonomous AP as a WGB with multiple VLANs.

How to set up the Root AP and WGB: check this post

***I don’t have an extra switch, so I will force the WGB to connect the client in VLAN 12.

***In my post the WGB and Root AP are both on VLAN 11 (native) and the client will get its IP in VLAN 12.

*** The link between the Root AP and the switch is a trunk.

Switch Config:

interface fa0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 11
 switchport trunk allowed vlan 11,12
 switchport mode trunk

[Diagram: WGB_2vlan]

Points to remember:

  1. The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, the AP treats the WGB as a client device.
  2. If the WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate bridges, repeaters, etc. A WGB is a “client” by default, not an “infrastructure client”, and therefore cannot associate to an infrastructure SSID.

Use of the infrastructure-client command:

  1. Used for reliable multicast.
  2. To make the WGB an infrastructure client so that it can associate to an infrastructure SSID.

In my example the WGB is connected to the root AP via the RSCCIEW WLAN.

The WGB authenticates with LEAP and WPA2.

Here is the complete configuration:

Root AP:

RootAP#sh run
!
hostname RootAP
!
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
!
aaa authentication login eap_method group rad_eap
!
dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 infrastructure-client
!
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
!
interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.11.254
radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
!
radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
bridge 1 route ip
!
end

WGB:

WGB#sh run
!
hostname WGB
!
no aaa new-model
!
dot11 ssid RSCCIEW
 vlan 11
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 infrastructure-ssid
!
eap profile leap
 method leap
!
dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
!
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
bridge 1 route ip
bridge 1 address c434.6b27.0c11 forward FastEthernet0.12   --> makes a permanent entry in the WGB bridge table
!
workgroup-bridge client-vlan 12
end
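As an added example that is not part of the original post, this Python check parses the VLAN-relevant part of a WGB configuration and verifies that every dot1Q tag is bridged the same way on Dot11Radio0 and FastEthernet0, that exactly one native VLAN is carried, and that workgroup-bridge client-vlan points at a VLAN the radio actually tags. It assumes show run indentation (sub-commands indented one space under an unindented interface line) and embeds a trimmed copy of the WGB config above as constructed input.

```python
import re

# Constructed sample modelled on the page's WGB configuration (only the VLAN-relevant lines).
WGB_CONFIG = """\
interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 bridge-group 1
interface Dot11Radio0.12
 encapsulation dot1Q 12
 bridge-group 12
interface FastEthernet0.11
 encapsulation dot1Q 11 native
 bridge-group 1
interface FastEthernet0.12
 encapsulation dot1Q 12
 bridge-group 12
workgroup-bridge client-vlan 12
"""

# A subinterface block: unindented 'interface X.N' followed by its indented sub-commands.
SUBIF = re.compile(r"^interface (Dot11Radio0|FastEthernet0)\.\d+\n((?: .*\n)+)", re.M)

def vlan_map(config):
    """port -> {dot1Q tag: (bridge-group, is_native)} for the radio and Ethernet subinterfaces."""
    out = {"Dot11Radio0": {}, "FastEthernet0": {}}
    for port, body in SUBIF.findall(config):
        enc = re.search(r"encapsulation dot1Q (\d+)( native)?", body)
        bg = re.search(r"^ bridge-group (\d+)$", body, re.M)  # bare bridge-group line only
        if enc:
            out[port][int(enc.group(1))] = (int(bg.group(1)) if bg else None, bool(enc.group(2)))
    return out

def audit_vlans(config):
    """Return findings; an empty list means every VLAN is bridged consistently radio <-> Ethernet."""
    maps = vlan_map(config)
    radio, eth = maps["Dot11Radio0"], maps["FastEthernet0"]
    findings = []
    for tag in sorted(set(radio) | set(eth)):
        if tag not in radio or tag not in eth:
            findings.append(f"vlan {tag}: subinterface exists on only one side of the bridge")
        elif radio[tag] != eth[tag]:
            findings.append(f"vlan {tag}: bridge-group/native mismatch radio={radio[tag]} eth={eth[tag]}")
    if sum(native for _, native in radio.values()) != 1:
        findings.append("Dot11Radio0 must carry exactly one native VLAN")
    m = re.search(r"^workgroup-bridge client-vlan (\d+)", config, re.M)
    if m and int(m.group(1)) not in radio:
        findings.append(f"client-vlan {m.group(1)}: no Dot11Radio0 subinterface tags that VLAN")
    return findings
```

Run audit_vlans on a real show run (with the same indentation) and an empty result means the client VLAN, the native VLAN and the bridge groups line up on both sides of the WGB.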

Verification:

On Root AP:

 RootAP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 001d.7096.3404 192.168.11.36     WGB           WGB             self           EAP-Assoc
 c434.6b27.0c11 192.168.12.31     WGB-client    -               001d.7096.3404 Assoc
RootAP#sh dot11 ass 001d.7096.3404
 Address           : 001d.7096.3404     Name             : WGB
 IP Address        : 192.168.11.36        Interface        : Dot11Radio 0
 Device            : WGB                Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -22  dBm           Connected for    : 55931 seconds
 Signal to Noise   : 73  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 9399               Packets Output   : 30671
 Bytes Input       : 1597644            Bytes Output     : 4718946
 Duplicates Rcvd   : 0                  Data Retries     : 1325
 Decrypt Failed    : 2                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
RootAP#sh dot11 ass c434.6b27.0c11
 Address           : c434.6b27.0c11     Name             : NONE
 IP Address        : 192.168.12.31        Interface        : Dot11Radio 0
 Device            : WGB-client         Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 001d.7096.3404
 SSID              : RSCCIEW
 VLAN              : 12
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

On WGB:

WGB#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 192.168.11.35     ap1240-Parent RootAP          -              EAP-Assoc
WGB#sh dot11 ass 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : RootAP
 IP Address        : 192.168.11.35        Interface        : Dot11Radio 0
 Device            : ap1240-Parent      Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -24  dBm           Connected for    : 55975 seconds
 Signal to Noise   : 69  dB            Activity Timeout : 14 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 586784             Packets Output   : 9346
 Bytes Input       : 102345033          Bytes Output     : 1669240
 Duplicates Rcvd   : 0                  Data Retries     : 12
 Decrypt Failed    : 114                RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0

Normally Cisco does not recommend using multiple VLANs on a WGB 🙂