Autonomous AP as Wireless Bridge with Multiple VLAN

In the last post we learned how to set up a root and a non-root bridge. In this post we will configure multiple VLANs on the root and non-root bridges so that wireless clients behind the bridge can be placed in their own VLAN.

The topology is the same as in the last post: Autonomous AP as Wireless Bridge

Again I will use WPA2-PSK to authenticate both WLANs: one WLAN (the infrastructure SSID) for the Root-AP to Wireless-Bridge link, and a second WLAN on which clients authenticate.

We will not spend much time on theory; let's jump straight to the configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
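The two configurations above carry all of the security on this link: the bridge WLAN and the client WLAN are each protected by a WPA2 pre-shared key, and both keys are stored as `wpa-psk ascii 7`, which is Cisco's reversible type-7 obfuscation rather than a hash, so anyone who can read the running-config has the keys. The Python script below is an added example, not code from the original post: it decodes type-7 strings and audits a root/non-root bridge configuration of the kind shown above for SSID-to-VLAN-to-cipher-to-sub-interface consistency, in particular flagging an SSID whose radio and Ethernet sub-interfaces are not in the same bridge-group (which would bridge client traffic into the wrong VLAN). The parser is keyword based because the listing lost its indentation; the sample config is the Root-AP listing trimmed to the lines the audit reads, and the "leaky" variant is constructed. The same decoder applies to the `key 7` and `password 7` strings in the WDS configurations further down this page.

```python
"""Consistency and secrets audit for an autonomous-AP wireless-bridge config.
Added example, not code from the post: keyword-based parser (the listing
lost its indentation) plus the publicly known Cisco type-7 keystream."""
import re

_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type-7 string: two-digit seed, then hex bytes each
    XORed with the keystream character at (seed + position). No key involved."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)]))
                   for i, b in enumerate(body))


def parse_ios(config: str) -> dict:
    """Group config lines under their 'dot11 ssid ...' / 'interface ...' block."""
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(("dot11 ssid ", "interface ")):
            current = line
            blocks[current] = []
        else:
            blocks[current].append(line)
    return blocks


def audit_bridge_config(config: str) -> list:
    """One finding per problem: VLAN/cipher/sub-interface plumbing, type-7 PSKs."""
    blocks = parse_ios(config)
    radio = blocks.get("interface Dot11Radio0", [])
    aes_vlans = {int(m.group(1)) for l in radio
                 if (m := re.match(r"encryption vlan (\d+) mode ciphers aes-ccm", l))}

    def bridge_group(iface):
        for l in blocks.get(iface, []):
            if (m := re.fullmatch(r"bridge-group (\d+)", l)):
                return int(m.group(1))
        return None

    findings = []
    for name, lines in blocks.items():
        if not name.startswith("dot11 ssid "):
            continue
        ssid = name[len("dot11 ssid "):]
        vlan = next((int(m.group(1)) for l in lines
                     if (m := re.fullmatch(r"vlan (\d+)", l))), None)
        if vlan is None:
            findings.append(f"{ssid}: no VLAN mapping")
            continue
        if not any(l.startswith("authentication key-management wpa") for l in lines):
            findings.append(f"{ssid}: no WPA key management, traffic would be unencrypted")
        if vlan not in aes_vlans:
            findings.append(f"{ssid}: no 'encryption vlan {vlan} mode ciphers aes-ccm' on the radio")
        bg_radio = bridge_group(f"interface Dot11Radio0.{vlan}")
        bg_eth = bridge_group(f"interface FastEthernet0.{vlan}")
        if bg_radio is None or bg_radio != bg_eth:
            findings.append(f"{ssid}: VLAN {vlan} sub-interfaces missing or in different "
                            f"bridge-groups (radio={bg_radio}, ethernet={bg_eth})")
        for l in lines:
            if (m := re.match(r"wpa-psk ascii 7 (\S+)", l)):
                findings.append(f"{ssid}: PSK is type 7, recoverable as {decode_type7(m.group(1))!r}")
    return findings


# Root-AP listing from the post, trimmed to the lines the audit reads.
ROOT_AP_CONFIG = """
dot11 ssid RSCCIEW
 vlan 80
 authentication key-management wpa version 2
 wpa-psk ascii 7 0822455D0A16544541
dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
interface Dot11Radio0.80
 bridge-group 1
interface Dot11Radio0.81
 bridge-group 81
interface FastEthernet0.80
 bridge-group 1
interface FastEthernet0.81
 bridge-group 81
"""

# Constructed misconfiguration: the client VLAN's Ethernet side lands in
# bridge-group 1, so VLAN 81 traffic would be bridged into the native VLAN.
LEAKY_CONFIG = ROOT_AP_CONFIG.replace("interface FastEthernet0.81\n bridge-group 81",
                                      "interface FastEthernet0.81\n bridge-group 1")

if __name__ == "__main__":
    for label, cfg in (("as posted", ROOT_AP_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(label, audit_bridge_config(cfg), sep=": ")
```

Run it on a config pulled with `show running-config` and the only acceptable output is an empty list; any type-7 finding means the PSK should be rotated, because it has to be assumed known to everyone who ever saw the config.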

That's all for the configuration. Now we are ready to test a client in VLAN 81. In the association table the Wireless-Bridge appears on VLAN 80 (the infrastructure SSID) and the client behind it, whose parent is the bridge's MAC address, appears on VLAN 81:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Redundant WDS devices

To configure an AP as a WDS device, see this link: Configure WDS via CLI

It is the same procedure we used in the last post to configure the infrastructure AP, this time applied to make it the backup WDS device.

Steps:

  1. Add the WDS-Client AP as a NAS on the primary AP's local RADIUS server so that it can request authentication.
  2. Configure the RADIUS and infrastructure-authentication parameters on the WDS-Client AP (same as in the previous post).

Let’s start:

Only one line is needed on the WDS-AP:

WDS-AP(config-radsrv)#nas 10.35.80.111 key cisco123

Then we configure the RADIUS and wlccp parameters on the WDS-Client AP.

aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp wds priority 250 interface BVI1

This WDS is configured with the lower priority of 250 because the other AP (WDS-AP) has 254, so WDS-AP stays active and WDS-Client becomes the backup. Now let's take a look at the results.

Check the WDS status on both APs:

WDS-AP:

WDS-AP#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
WDS-AP#
WDS-AP#sh wlccp wds
 MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
 Interface BVI1, State: Administratively StandAlone - ACTIVE
 AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#


WDS-Client AP:

WDS-Client#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds
 MAC: 2894.0fa8.a594, IP-ADDR: 10.35.80.111   , Priority: 250
 Interface BVI1, State: BACKUP
 Currently ACTIVE WDS - MAC: 588d.0903.e31c, Priority: 254, IP-ADDR: 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
 WDS-Client#

Now we will configure both APs to provide service to clients.

WDS-AP Configuration:

hostname WDS-AP
 !
 aaa new-model
 !
 aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_infra group Infra
 aaa authentication login method_client group Client
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.35.80.110 key 7 13061E010803557878
 nas 10.35.80.111 key 7 1511021F07257A767B
 user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
 user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
 !
 wlccp ap username wds password 7 05080F1C2243
 wlccp authentication-server infrastructure method_infra
 wlccp authentication-server client any method_client
 ssid RSCCIEW
 wlccp wds priority 254 interface BVI1

WDS-Client Configuration:

hostname WDS-Client
 !
 aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client1
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 aaa authentication login method_client1 group Client1
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client1
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 121A0C0411045D5679 
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp authentication-server client any method_client1 --> takes the login method list (as on WDS-AP), not the server-group name
 ssid RSCCIEW
 wlccp wds priority 250 interface BVI1

This is all we have to configure; now we can connect a client and test it.

The client authenticates through the primary (active) WDS device, as the EAP-Assoc state on WDS-AP shows:

WDS-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 ac7b.a1d1.c289 10.35.80.106    ccx-client    WDS-AP          self           EAP-Assoc
WDS-AP#
WDS-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : WDS-AP
 IP Address        : 10.35.80.106       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -45  dBm           Connected for    : 14 seconds
 Signal to Noise   : 44  dB            Activity Timeout : 50 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 164                Packets Output   : 45
 Bytes Input       : 32680              Bytes Output     : 9901
 Duplicates Rcvd   : 0                  Data Retries     : 0
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 PMKIDs:
 ED7B7F68446E643F622718DD96A73643
 Session timeout   : 0 seconds
 Reauthenticate in : never
WDS-AP#

WGB with multiple VLAN in UWNS

In this post we will see how to configure a WGB for multiple VLANs in a unified wireless environment. This is useful when wired clients behind the WGB need to sit in different VLANs.

A WGB connects a wired network to the WLAN over a single wireless link. It learns the MAC addresses of its wired clients on its Ethernet interface and reports them to the lightweight access point with Internet Access Point Protocol (IAPP) messages. The WGB provides wireless connectivity to its wired clients through a single association to the lightweight access point, which treats the WGB as a wireless client.

Points to remember:

  • The workgroup bridge can be any autonomous access point that supports workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or greater (on 16-MB access points).
  • The wireless LAN controller must run software version 4.1.185.0 or later; WGB mode is not supported on earlier controller versions.
  • Nothing needs to be configured on the controller for the WGB to communicate with the lightweight access point, but for proper communication a WLAN must exist on the controller whose SSID and security method match the WGB configuration.
  • The LAP acts as the root AP for the WGB.
  • Only one radio can be configured in WGB mode to connect to the LAP.
  • By default, access points treat workgroup bridges as client devices.
  • A WGB supports a maximum of 20 clients.
  • These lightweight features are supported with a workgroup bridge:
    • Guest N+1 redundancy
    • Local EAP
  • These lightweight features are not supported with a workgroup bridge:
    • Cisco Centralized Key Management (CCKM)
    • Hybrid REAP
    • Idle timeout
    • Web authentication
  • These features are not supported for wired clients connected to a workgroup bridge:
    • MAC filtering
    • Link tests
    • Idle timeout

My topology for this lab:

Core Switch——-WLC——-LAP~~~~~~~~~~WGB———–Switch——Client

  • DHCP is configured for VLAN 80 (on the core switch) and for VLAN 81 (on the WLC).
  • WLC1 has two dynamic interfaces: 80 (Test) and 81 (Coding).
  • The WGB has sub-interfaces for the required VLANs, 80 and 81.
  • The switch behind the WGB carries the required VLANs, 80 and 81.
  • The WLC is connected to the core switch on a trunk port; AP001 (the LAP) is connected on an access port.
  • An SSID "Test" with WPA2/AES-PSK is created, as shown below.

WGB_MuVLAN1

Config. on Core Switch:

First we create a DHCP pool and an SVI for the management VLAN so that the LAP and the WGB can obtain IP addresses. Here I created the DHCP pool "WGB" for VLAN 80 and configured the WLC and AP ports as shown below.

ip dhcp excluded-address 10.35.80.1 10.35.80.100
ip dhcp excluded-address 10.35.80.120 10.35.80.254
 !
 ip dhcp pool WGB
 network 10.35.80.0 255.255.255.0
 default-router 10.35.80.254
 option 43 ip 10.35.80.1
 lease 3
 !
 vlan 80
 name Management
 !
 vlan 81
 name coding
 !
 interface FastEthernet1/24
 description LAP - AP001
 switchport access vlan 80
 switchport mode access
 !
 interface FastEthernet0/25
 description *** WLC1  ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 80,81
 switchport mode trunk
 !
 interface Vlan80
 ip address 10.35.80.245 255.255.255.0

Configuration on WLC:

WLAN Configuration:

Step 1: As shown in the screenshot, I created an SSID "Test" with the WPA2-PSK security policy and assigned the management interface to it.

WGB_MuVLAN2

Step 2: DHCP scope for VLAN 81:

Wired clients behind the WGB get their IP addresses from VLAN 81, so we create a DHCP scope for them on the WLC.

WGB_MuVLAN3

Step 3: Also enable WGB VLAN client support from the WLC CLI:

(WLC1) >config wgb vlan enable

By default it is disabled, and it must be enabled for WGB VLAN clients to get connectivity.

Config of WGB:

  1. I am using the 2.4-GHz radio (802.11b/g, Dot11Radio0) on the WGB. (Only one radio can be configured in WGB mode to connect to the LAP.)
  2. To support multiple VLANs on the WGB we use the VLAN tagging feature, which segregates VLAN traffic by VLAN number for the unified WGB solution. With this feature enabled, the WGB removes the 802.1Q header when sending a packet from a VLAN client to the wireless LAN controller (WLC), and adds the 802.1Q header back when forwarding a frame from the WLC to the switch behind the WGB.

    The WGB reports the VLAN of each wired client to the WLC in the IAPP association message. The WLC treats each wired client of the WGB as a VLAN client and forwards its packets to the right VLAN interface based on the source MAC address. Note that the VLAN is asserted by the WGB rather than enforced by the WLC, so the WGB and the switch behind it must be trusted devices.

    In the upstream direction, the WGB strips the 802.1Q header before sending the frame to the WLC.

    In the downstream direction, the WLC sends the frame to the WGB without an 802.1Q tag, and the WGB inserts a 4-byte 802.1Q header chosen by destination MAC address before forwarding it to the switch that connects the wired client.

    To enable VLAN tagging, use this command on the WGB:

    WGB(config)# workgroup-bridge unified-vlan-client

  3. If you see this problem while testing: a wired client connects through the WGB but after some time it is dropped because its bridge-table entry ages out (in my case the switch connected to the WGB kept losing its IP address). To stop this, raise the aging time on the WGB with this command:

    WGB(config)# bridge bridge-group-number aging-time 65535
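The upstream and downstream tag handling just described, as an added Python model rather than Cisco's implementation: constructed Ethernet II frames, a wired-client MAC to VLAN table standing in for what the WGB learns on its Ethernet side and reports over IAPP, tag stripping towards the WLC and tag insertion towards the switch. The MAC addresses are taken from the show outputs further down this post; the payloads are made up, and what happens to downstream frames for a destination the WGB has not learned (including broadcasts) is this model's choice, not something the post describes.

```python
"""Model of the 802.1Q handling for a WGB with 'workgroup-bridge
unified-vlan-client'.  Added example, not Cisco code: constructed frames,
a MAC -> VLAN table learned on the wired side, tag stripping upstream and
tag insertion downstream."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 80          # 'encapsulation dot1Q 80 native': carried untagged


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame: bytes):
    """Return (dst, src, vlan or None, ethertype, payload) for an Ethernet II
    frame carrying at most one 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def build_frame(dst, src, ethertype, payload, vlan=None) -> bytes:
    """Untagged frame, or one with a 4-byte tag (PCP/DEI zero) inserted
    between the source MAC and the EtherType."""
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


class WorkgroupBridge:
    def __init__(self, native_vlan=NATIVE_VLAN):
        self.native_vlan = native_vlan
        self.client_vlan = {}   # wired MAC -> VLAN; what the WGB reports via IAPP

    def upstream(self, frame: bytes) -> bytes:
        """Wired -> wireless: learn the source MAC's VLAN (an untagged frame is
        on the native VLAN) and send the frame to the WLC without a tag; the
        WLC picks the VLAN interface by source MAC, not by tag."""
        dst, src, vlan, ethertype, payload = parse_frame(frame)
        self.client_vlan[src] = self.native_vlan if vlan is None else vlan
        return build_frame(dst, src, ethertype, payload)

    def downstream(self, frame: bytes):
        """Wireless -> wired: the WLC delivers the frame untagged and the WGB
        re-adds the 802.1Q header chosen by destination MAC.  Frames for a MAC
        this model has not learned are dropped (None); the post does not
        describe broadcast handling, so this model does not cover it."""
        dst, src, vlan, ethertype, payload = parse_frame(frame)
        if vlan is not None:
            raise ValueError("frames from the WLC side are expected untagged")
        target = self.client_vlan.get(dst)
        if target is None:
            return None
        if target == self.native_vlan:
            return build_frame(dst, src, ethertype, payload)
        return build_frame(dst, src, ethertype, payload, vlan=target)


# Addresses from the post's show outputs; payloads are constructed.
AP_MAC = mac("00:22:bd:98:3a:30")       # AP001 (LAP)
SWITCH_MAC = mac("38:1c:1a:89:f4:c1")   # switch behind the WGB, VLAN 80
CLIENT_MAC = mac("c4:34:6b:25:80:c8")   # wired client, VLAN 81


def walk_through() -> dict:
    """Run one client frame and one switch frame through both directions."""
    wgb = WorkgroupBridge()
    body = b"\x45" * 20
    up_client = wgb.upstream(build_frame(AP_MAC, CLIENT_MAC, ETHERTYPE_IPV4, body, vlan=81))
    up_switch = wgb.upstream(build_frame(AP_MAC, SWITCH_MAC, ETHERTYPE_IPV4, body))
    down_client = wgb.downstream(build_frame(CLIENT_MAC, AP_MAC, ETHERTYPE_IPV4, body))
    down_switch = wgb.downstream(build_frame(SWITCH_MAC, AP_MAC, ETHERTYPE_IPV4, body))
    unknown = wgb.downstream(build_frame(mac("00:11:22:33:44:55"), AP_MAC, ETHERTYPE_IPV4, b""))
    return {
        "learned": {k.hex(":"): v for k, v in wgb.client_vlan.items()},
        "up_client_tag": parse_frame(up_client)[2],       # stripped: None
        "down_client_tag": parse_frame(down_client)[2],   # re-added: 81
        "down_switch_tag": parse_frame(down_switch)[2],   # native VLAN: None
        "up_switch_len": len(up_switch),
        "unknown_dropped": unknown is None,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The `learned` table is the same information as the `sh bridge` output later in the post, just keyed the other way round; the security consequence is that a host on the switch which spoofs a learned MAC is placed in that MAC's VLAN by the WLC, because the VLAN decision is made on source MAC alone.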

So here is the complete config for WGB:

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 105A0C0A114640585851
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge --> To define the role of this AP as WGB
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 !
 workgroup-bridge unified-vlan-client --> To support multiple VLAN on WGB

Verification:

On WGB:

WGB#sh bridge
 Total of 300 station blocks, 293 free
 Codes: P - permanent, S - self
 Bridge Group 1:
 Address       Action   Interface       Age   RX count   TX count
 0022.bd98.3a30   forward   Vi0.80            2          3          0
 381c.1a89.f4c1   forward   Fa0.80            2         12          2
 381c.1a89.f481   forward   Fa0.80            0        654          0
 001e.4a81.4c96   forward   Vi0.80            0        386          4
 Bridge Group 81:
 381c.1a89.f4c2   forward   Fa0.81            3          1          0
 c434.6b25.80c8   forward   Fa0.81            0       2352          0
 381c.1a89.f481   forward   Fa0.81            0        316          0
WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a32 10.35.80.1      LWAPP-Parent AP001           -              Assoc
WGB#sh dot11 associations  0022.bd98.3a32
 Address           : 0022.bd98.3a32     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 0
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -46  dBm           Connected for    : 989 seconds
 Signal to Noise   : 43  dB            Activity Timeout : 15 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 672848             Packets Output   : 66093
 Bytes Input       : 128614720          Bytes Output     : 6258031
 Duplicates Rcvd   : 0                  Data Retries     : 3361
 Decrypt Failed    : 0                  RTS Retries      : 425
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
  

On WLC:

Via GUI:

WGB_MuVLAN4

WGB_MuVLAN5

WGB_MuVLAN6

The client got an IP address in VLAN 81, the VLAN of the switch port it is connected to.

WGB_MuVLAN7

Via CLI:

(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11g            2
(WLC1) >show wgb detail 58:8d:09:03:e3:1c
 Number of wired client(s): 2
 MAC Address        IP Address      AP Name            Mobility   WLAN Auth
 -----------------  --------------- -----------------  ---------- ---- ----
 c4:34:6b:25:80:c8  10.35.81.32     AP001              Local      3    Yes
 38:1c:1a:89:f4:c1  10.35.80.108    AP001              Local      3    Yes
(WLC1) >show client  summary
 Number of Clients................................ 3
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 38:1c:1a:89:f4:c1 AP001             Associated    3              Yes  N/A              1    N/A
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11g          1    N/A
 c4:34:6b:25:80:c8 AP001             Associated    3              Yes  N/A              1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c --> My WGB
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 2 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 900 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
 ............................................. 12.0,18.0,24.0,36.0,48.0,
 ............................................. 54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1 --> Switch in vlan 80
 Client MAC Address............................... 38:1c:1a:89:f4:c1
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 909 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.108
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 0
 (WLC1) >show client detail c4:34:6b:25:80:c8 --> Client in VLAN 81
 Client MAC Address............................... c4:34:6b:25:80:c8
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 919 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.81.32
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ coding
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81

***Configuring a specific client VLAN

If all wired devices connected to the WGB's Ethernet port should be assigned to one specific VLAN, we can set that VLAN for the connected devices with this command on the WGB:

WGB(config)# workgroup-bridge client-vlan vlan-id

All devices connected to the workgroup bridge's Ethernet port are then assigned to that VLAN.

That’s all for today 🙂


WGB with EAP-FAST in UWNS

In this post we will see how to configure a WGB with WPA2/802.1X EAP-FAST in a Cisco Unified Wireless Network.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is defined on the core switch.

The WGB and the client get their IP addresses in VLAN 80.

Here is my Topology

WGB°°°°°°°°°°°°°LAP—————-Switch————–WLC

Fast1

WLC Configuration:

First we configure a WLAN "Test" with the WPA2 policy and 802.1X authentication key management.

Fast2

Fast3

Now we create an EAP profile "WGB_TEST" and assign it to the WLAN for EAP-FAST authentication.

Fast4

Fast5

We must assign the order of authentication for local EAP.

Fast6

To finish the WLC configuration, we create a local username and password for the WGB to authenticate with and assign this user to the specific WLAN.

Fast7

WGB Configuration:

Here is the configuration of WGB with EAP-FAST.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open eap eap_FAST
 authentication network-eap eap_FAST
 authentication key-management wpa version 2
 dot1x credentials WGB_FAST
 dot1x eap profile WGB_TEST
 !
 eap profile WGB_TEST
 method fast
 !
 dot1x credentials WGB_FAST
 username testuser
 password 7 15060E1F107B79777C66
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80   --> used to add a permanent entry to the WGB bridge table

Just after completing the configuration we will see this message on the WGB CLI:

 *Jul 24 01:53:14.255: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [EAP-FAST WPAv2]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              EAP-Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 36.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 221 seconds
 Signal to Noise   : 22  dB            Activity Timeout : 13 seconds
 Power-save        : Off                Last Activity    : 2 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 20799              Packets Output   : 1663
 Bytes Input       : 3847215            Bytes Output     : 180188
 Duplicates Rcvd   : 0                  Data Retries     : 812
 Decrypt Failed    : 0                  RTS Retries      : 18
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. testuser
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 308 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 Re-Authentication Timeout........................ 86111
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... 802.1x
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... EAP-FAST
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

 

WGB with LEAP in UWNS

In this post we will see how to configure the WGB with WPA2-Dot1x LEAP authentication security in Unified Wireless Network Solutions.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is defined on the core switch.

The WGB and the client will get their IP addresses in VLAN 80.

Here is my topology (~~~ is the wireless link, --- the wired links):

WGB ~~~~~~~~~~~~~ LAP ---------- Switch ---------- WLC

Leap1

WLC Configuration:

First we have to configure a WLAN “Test” with WPA2 policy and 802.1x authentication key management.

Leap2

Leap3

Now we have to create an EAP Profile “WGB_TEST” and assign it to WLAN for LEAP authentication.

Leap4

Leap5

We must assign the order of authentication for local EAP.

Leap6

To finish the WLC configuration, we create a username and password that the WGB will authenticate with and assign this user to the specific WLAN.

Leap7

WGB Configuration:

Here is the configuration of the Workgroup Bridge with LEAP.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open eap eap_Leap
 authentication network-eap eap_Leap
 authentication key-management wpa version 2
 dot1x credentials WGB_LEAP
 dot1x eap profile WGB_TEST
 !
 eap profile WGB_TEST
 method leap
 !
 dot1x credentials WGB_LEAP
 username sandeep
 password 7 105A0C0A114640585851
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80   --> used to add a permanent entry to the WGB bridge table

Just after completing the configuration we will see this message on the WGB CLI:

*Jul 24 01:25:59.817: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [LEAP WPAv2]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              EAP-Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 296 seconds
 Signal to Noise   : 23  dB            Activity Timeout : 15 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 5097               Packets Output   : 266
 Bytes Input       : 944287             Bytes Output     : 26379
 Duplicates Rcvd   : 0                  Data Retries     : 121
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. sandeep
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 445 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 Re-Authentication Timeout........................ 85947
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... 802.1x
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... LEAP
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

In the next post we will see how to configure WGB with EAP-FAST in UWNS 🙂

WGB with WPA2-PSK in UWNS

In this post we will see how to configure the WGB with WPA2-PSK authentication security in Unified Wireless Network Solutions.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is defined on the core switch.

The WGB and the client will get their IP addresses in VLAN 80.

Here is my topology (~~~ is the wireless link, --- the wired links):

WGB ~~~~~~~~~~~~~ LAP ---------- Switch ---------- WLC

WPA2-WGB1

WLC Configuration:

First we have to configure a WLAN “Test” with WPA2 policy and PSK authentication key management.

WPA2-WGB2

WGB Configuration:

Here is the basic configuration of the WGB with the WPA2-PSK security policy.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 131112011F5D56797F71
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80   --> used to add a permanent entry to the WGB bridge table

Just after completing the configuration we will see this message on the WGB CLI:

*Jul 24 00:06:04.573: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [None WPAv2 PSK]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 36.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 293 seconds
 Signal to Noise   : 21  dB            Activity Timeout : 13 seconds
 Power-save        : Off                Last Activity    : 2 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 3048               Packets Output   : 200
 Bytes Input       : 566366             Bytes Output     : 16546
 Duplicates Rcvd   : 0                  Data Retries     : 142
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 455 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

In next post we will see the configuration of WGB with LEAP authentication.

WGB with Open Auth. in UWNS

In this post we will see how to configure the WGB with open authentication (no security) in Unified Wireless Network Solutions.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is defined on the core switch.

The WGB and the client will get their IP addresses in VLAN 80.

Here is my topology (~~~ is the wireless link, --- the wired links):

WGB ~~~~~~~~~~~~~ LAP ---------- Switch ---------- WLC

Openauth1

WLC Configuration:

First we have to configure a WLAN “Test” with open authentication, meaning the security policy should be None:

Openauth2

WGB Configuration:

Here is the basic configuration of the WGB without any security.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80   --> used to add a permanent entry to the WGB bridge table

Just after completing the configuration we will see this message on the WGB CLI:

*Jul 24 00:06:04.573: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [None]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : Off
 State             : Assoc              Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : NONE               Encryption       : Off
 Current Rate      : 54.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -73  dBm           Connected for    : 66 seconds
 Signal to Noise   : 21  dB            Activity Timeout : 11 seconds
 Power-save        : Off                Last Activity    : 4 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 650                Packets Output   : 6
 Bytes Input       : 112110             Bytes Output     : 256
 Duplicates Rcvd   : 0                  Data Retries     : 3
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 188 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

In the next post we will see the WGB configuration with WPA2-PSK in UWNS.
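The four WGB posts above all end with the same WLC "show client detail" verification. As an added example (not the blog's or Cisco's code), here is a small Python audit that parses that output, rejoins the wrapped Supported Rates row, and flags the weaker postures these posts walk through (open, PSK, LEAP). The excerpts inside it are constructed from the outputs above, and the severity labels are this example's own choice.

```python
import re
from typing import Dict, List

# A row looks like "Policy Type.......... WPA2"; a value the WLC wraps
# continues on a row made of dots only (see "Supported Rates" above).
_ROW = re.compile(r"^\s*([^.\s][^.]*?)\s*\.{2,}\s*(.*?)\s*$")
_CONT = re.compile(r"^\s*\.{2,}\s*(.*?)\s*$")


def parse_client_detail(text: str) -> Dict[str, str]:
    """Map each dotted-leader row to key -> value; continuation rows are
    appended to the previous key so wrapped values come back whole."""
    detail: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            last_key = row.group(1)
            detail[last_key] = row.group(2)
            continue
        cont = _CONT.match(line)
        if cont and last_key is not None:
            prev = detail[last_key]
            detail[last_key] = prev + ("" if prev.endswith(",") else " ") + cont.group(1)
    return detail


def assess_wgb_client(detail: Dict[str, str]) -> List[str]:
    """Grade the fields that decide the uplink's security; an empty list
    means the WPA2 / 802.1x / CCMP / MFP baseline of the EAP-FAST post."""
    findings: List[str] = []
    policy = detail.get("Policy Type", "N/A")
    cipher = detail.get("Encryption Cipher", "None")
    akm = detail.get("Authentication Key Management", "")
    eap = detail.get("EAP Type", "Unknown")
    mfp = detail.get("Management Frame Protection", "No")
    if policy == "N/A" or cipher == "None":
        findings.append("CRITICAL: open WLAN, the WGB uplink carries cleartext")
    elif cipher != "CCMP (AES)":
        findings.append(f"HIGH: non-AES cipher on the uplink ({cipher})")
    if eap == "LEAP":
        findings.append("HIGH: LEAP is deprecated and weak against password guessing; move to EAP-FAST")
    if akm == "PSK":
        findings.append("MEDIUM: WPA2-PSK, one shared secret for every WGB; rotate it if a bridge is lost")
    if policy != "N/A" and mfp != "Yes":
        findings.append("MEDIUM: Management Frame Protection not negotiated")
    if detail.get("Policy Manager State") != "RUN" or detail.get("Security Policy Completed") != "Yes":
        findings.append("WARN: security policy not completed, client is not in RUN state")
    return findings


def _excerpt(fields: Dict[str, str]) -> str:
    """Constructed 'show client detail' excerpt in the WLC's dotted layout."""
    rows = {"Client MAC Address": "58:8d:09:03:e3:1c",
            "Security Policy Completed": "Yes",
            "Policy Manager State": "RUN", **fields}
    return "\n".join(f" {key:.<49} {value}" for key, value in rows.items())


# Constructed samples mirroring the four posts above (EAP-FAST, LEAP, PSK, open).
_WPA2 = {"Policy Type": "WPA2", "Encryption Cipher": "CCMP (AES)",
         "Management Frame Protection": "Yes"}
SAMPLES = {
    "eap-fast": _excerpt({**_WPA2, "Authentication Key Management": "802.1x", "EAP Type": "EAP-FAST"}),
    "leap": _excerpt({**_WPA2, "Authentication Key Management": "802.1x", "EAP Type": "LEAP"}),
    "psk": _excerpt({**_WPA2, "Authentication Key Management": "PSK", "EAP Type": "Unknown"}),
    "open": _excerpt({"Policy Type": "N/A", "Encryption Cipher": "None",
                      "Management Frame Protection": "No", "EAP Type": "Unknown"}),
}

# Constructed rows showing the wrapped value the parser has to rejoin.
WRAPPED_RATES = """\
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
"""

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9} {assess_wgb_client(parse_client_detail(text)) or ['OK']}")
```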

Access Point Conversion (LAP to AAP and vice versa)

First of all we must know about Access Point images 🙂

Remember these clues about image names:
Autonomous image: k9w7
Lightweight image: k9w8
To know more about AP images, please visit my post: Understanding AP images.

Make sure the autonomous access point is running Cisco IOS Release 12.3(7)JA or later before performing the lightweight mode conversion. If necessary, upgrade the access point to Cisco IOS Release 12.3(7)JA or later.

Now we will see how to convert from LAP to AAP.

Lightweight to Autonomous Conversion:

Step1: Download the software from cisco.com
Here is the screenshot:

Download AAP

Start a TFTP server and put the IOS image (k9w7) in the TFTP root directory.

I have this image: c1240-k9w7-mx.124-25d.JA2
Step2: Connect the PC and the AP with an Ethernet cable. Make sure that the AP and the PC are in the same subnet.
Step3: Run these commands on the AP:

 AP588d.0903.e31c# debug lwapp console cli   --> or "debug capwap console cli", depending on the image; this command is necessary to enter config mode
 AP588d.0903.e31c# config t
 AP588d.0903.e31c(config)# int fa 0
 AP588d.0903.e31c(config-if)# ip address 10.0.0.5 255.255.255.0   --> same subnet as the PC (10.0.0.1/24)
 AP588d.0903.e31c(config-if)# end

My PC IP address is 10.0.0.1/24
Try to ping from AP to PC.

 AP588d.0903.e31c#ping 10.0.0.1
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 AP588d.0903.e31c#

Then run this command:

 AP588d.0903.e31c# archive download-sw /force-reload /overwrite tftp://10.0.0.1/c1240-k9w7-tar.124-25d.JA2.tar
 examining image...
 Loading c1240-k9w7-tar.124-25d.JA2.tar from 10.0.0.1 (via FastEthernet0): !
 extracting info (286 bytes)
 Image info:
 Version Suffix: k9w7-.124-25d.JA2
 Image Name: c1240-k9w7-mx.124-25d.JA2
 Version Directory: c1240-k9w7-mx.124-25d.JA2
 Ios Image Size: 5007872
 Total Image Size: 5755392
 Image Feature: WIRELESS LAN
 Image Family: C1240
 Wireless Switch Management Version: 7.0.94.21
 Extracting files...

To verify image on AP, run this command:

 AP# sh version
 Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2012 by Cisco Systems, Inc.
 Compiled Wed 12-Sep-12 01:52 by prod_rel_team
 ROM: Bootstrap program is C1240 boot loader
 BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
 ap uptime is 2 minutes
 System returned to ROM by power-on
 System image file is "flash:/c1240-k9w7-mx.124-25d.JA2/c1240-k9w7-mx.124-25d.JA2"

Autonomous to Lightweight Conversion

Step1: Download the software from cisco.com
First of all, we need to obtain the recovery image for the given access point. It is obtained through cisco.com > Download, where we enter the AP model number.
Choose to download the Lightweight AP IOS Software.
For example, for the 1240 AP I already have the recovery image “c1240-rcvk9w8-tar.123-11JX1.tar”.
You can download it from here; check this picture:

Download LAP

Step2: If there is enough flash space, copy the software image to the access point via TFTP with this command:

 AP# copy tftp://10.0.0.1/c1240-rcvk9w8-tar.123-11JX1.tar flash:/

Step3: Install the image on the AP
*** Be aware that in this case we will lose the configuration of the AP, so don’t forget to back up the config before applying the new image.

Alternatively, if the image is in the TFTP root directory, run this command from the access point CLI:

 AP# archive download-sw /overwrite /reload tftp://10.0.0.1/c1240-rcvk9w8-tar.123-11JX1.tar
 examining image...
 Loading c1240-rcvk9w8-tar.123-11JX1.tar from 10.0.0.1 (via BVI1): !
 extracting info (273 bytes)
 Image info:
 Version Suffix: rcvk9w8-
 Image Name: c1240-rcvk9w8-mx
 Version Directory: c1240-rcvk9w8-mx
 Ios Image Size: 1874432
 Total Image Size: 1874432
 Image Feature: WIRELESS LAN|LWAPP|RECOVERY
 Image Family: C1240
 Wireless Switch Management Version: 3.0.51.0
 Extracting files...
 c1240-rcvk9w8-mx/ (directory) 0 (bytes)
 extracting c1240-rcvk9w8-mx/c1240-rcvk9w8-mx (1865438 bytes)!!!!!!!
 extracting c1240-rcvk9w8-mx/info (273 bytes)
 extracting info.ver (273 bytes)
 [OK - 1873920 bytes]
 Deleting current version: flash:/c1240-k9w7-mx.124-25d.JA2...done.
 New software image installed in flash:/c1240-rcvk9w8-mx
 Configuring system to use new image...done.
 Requested system reload skipped due to unsaved config changes.
 archive download: takes 32 seconds

Issue the command and wait for the reboot.

The access point downloads the file, overwrites the existing image in flash (/overwrite) and then reboots (/reload) into LWAPP mode. If the reload does not happen, enter the reload command manually.

ap#reload
 System configuration has been modified. Save? [yes/no]: no
 Proceed with reload? [confirm]
 *Mar 1 02:19:31.529: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
 Xmodem file system is available.
 flashfs[0]: 8 files, 4 directories
 flashfs[0]: 0 orphaned files, 0 orphaned directories
 flashfs[0]: Total bytes: 15998976
 flashfs[0]: Bytes used: 6974464
 flashfs[0]: Bytes available: 9024512
 flashfs[0]: flashfs fsck took 29 seconds.
 Base ethernet MAC Address: 58:8d:09:03:e3:1c
 Initializing ethernet port 0...
 Reset ethernet port 0...
 Reset done!
 ethernet link up, 100 mbps, full-duplex
 Ethernet port 0 initialized: link is up
 Loading "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"...###########################
 ################################################################################
 ##################################################################
 File "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx" uncompressed and installed, entry point: 0x3000
 executing...

Do the verification:

AP588d.0903.e31c#sh version
 Cisco IOS Software, C1240 Software (C1240-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
 Technical Support: http://www.cisco.com/techsupport
 Copyright (c) 1986-2006 by Cisco Systems, Inc.
 Compiled Mon 17-Jul-06 11:44 by alnguyen
 ROM: Bootstrap program is C1240 boot loader
 BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
 AP588d.0903.e31c uptime is 1 minute
 System returned to ROM by reload
 System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"
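As an added example (not the blog's or Cisco's code), here is a small Python check that applies the image-naming clue (k9w7 autonomous, k9w8 lightweight, rcvk9w8 recovery) and the 12.3(7)JA release floor from this post to "show version" output, so an AP can be classified before a conversion is attempted. The two excerpts are constructed from the outputs above; comparing only the numeric release fields and ignoring the train letters is a simplification of this example.

```python
import re
from typing import NamedTuple, Tuple

# "C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2" -> image tag and release
_SW = re.compile(r"Software \((?P<image>[A-Z0-9-]+)\), Version (?P<ver>[0-9A-Za-z.()]+)")
_BOOT = re.compile(r'System image file is "([^"]+)"')
# 12.4(25d)JA2 -> major, minor, maintenance, maintenance letter, train, rebuild
_VER = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]+)(\d*)$")

MIN_FOR_CONVERSION = "12.3(7)JA"  # floor the post gives for autonomous -> lightweight


class ApImage(NamedTuple):
    image: str      # e.g. C1240-K9W7-M
    mode: str       # autonomous / lightweight / recovery / unknown
    version: str    # e.g. 12.4(25d)JA2
    boot_file: str  # value of "System image file is"


def classify(image: str) -> str:
    """Apply the post's clue: k9w7 is autonomous, k9w8 is lightweight,
    and rcvk9w8 is the lightweight recovery image used for conversion."""
    tag = image.lower()
    if "rcvk9w8" in tag:
        return "recovery"
    if "k9w8" in tag:
        return "lightweight"
    if "k9w7" in tag:
        return "autonomous"
    return "unknown"


def version_key(ver: str) -> Tuple[int, int, int, str]:
    """Orderable key for an IOS release string. Simplification (an assumption
    of this example): only major.minor(maintenance letter) is compared; the
    train (JA, JX) and rebuild number are parsed but not ordered."""
    m = _VER.match(ver)
    if not m:
        raise ValueError(f"unrecognised IOS version: {ver!r}")
    major, minor, maint, letter, _train, _rebuild = m.groups()
    return int(major), int(minor), int(maint), letter


def parse_show_version(text: str) -> ApImage:
    """Pull image tag, release and boot file out of 'show version' output."""
    sw = _SW.search(text)
    if not sw:
        raise ValueError("no 'Software (...), Version ...' line found")
    boot = _BOOT.search(text)
    image = sw.group("image")
    return ApImage(image, classify(image), sw.group("ver"), boot.group(1) if boot else "")


def ready_for_lwapp_conversion(ap: ApImage) -> bool:
    """True only for an autonomous image at or above the post's release floor."""
    return ap.mode == "autonomous" and version_key(ap.version) >= version_key(MIN_FOR_CONVERSION)


# Constructed excerpts of the two 'show version' outputs shown in this post.
AUTONOMOUS_SHVER = """\
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)
ROM: Bootstrap program is C1240 boot loader
System image file is "flash:/c1240-k9w7-mx.124-25d.JA2/c1240-k9w7-mx.124-25d.JA2"
"""
RECOVERY_SHVER = """\
Cisco IOS Software, C1240 Software (C1240-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
System image file is "flash:/c1240-rcvk9w8-mx/c1240-rcvk9w8-mx"
"""

if __name__ == "__main__":
    for text in (AUTONOMOUS_SHVER, RECOVERY_SHVER):
        ap = parse_show_version(text)
        verdict = "convertible" if ready_for_lwapp_conversion(ap) else "not convertible"
        print(ap.image, ap.mode, ap.version, verdict)
```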