Tag: Autonomous AP

Autonomous AP as WGB (Multiple VLAN)

In this post we will learn how to configure an autonomous AP as WGB with Multiple VLAN.

How to setup Root AP and WGB: Check this post

***I don’t have extra switch so I will force WGB to connect to clicnet in vlan 12.

***In my post WGB and Root AP both are on vlan 11(Native) and Client will get the IP in vlan 12.

*** Link between RootAP and switch is trunk.

Switch Config:

 Int fa0/24
 Switchport trunk encapsulation dot1q
 Switchport trunk native vlan 11
 Switchport trunk allowed vlan 11,12
 Switchport mode trunk

 WGB_2vlan

Remembering Points:

  1. The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, AP treats WGB as client devices.
  1. If WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate Bridges, Repeaters…Etc. A WGB in by default is a “client”, not an “infrastructure client” and therefore cannot associate to an infrastructure SSID.

Use of Infrastructure-Client Command:

  1. Used for Reliable Multicast
  2. To make WGB as Infrastructure-Client so that WGB can associate to Infrastructure-SSID.

In my example WGB is connected root AP via RSCCIEW WLAN interface.

WGB authentication with LEAP-WPA2.

Here is the complete configuration:

Root AP:

RootAP#sh run
 !
 hostname RootAP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 infrastructure-client
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
 !
 interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 192.168.11.254
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
 !
 radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
 bridge 1 route ip
 !
 end

WGB:

WGB#sh run
 !
 hostname WGB
 !
 no aaa new-model
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 infrastructure-ssid
 !
 eap profile leap
 method leap
 !
 dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 !
 interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 bridge 1 route ip
 bridge 1 address c434.6b27.0c11 forward FastEthernet0.12 --> To make permanent Entry in WGB bridge TABLE
 !
 workgroup-bridge client-vlan 12
 end

Verification:

On Root AP:

 RootAP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 001d.7096.3404 192.168.11.36     WGB           WGB             self           EAP-Assoc
 c434.6b27.0c11 192.168.12.31     WGB-client    -               001d.7096.3404 Assoc
RootAP#sh dot11 ass 001d.7096.3404
 Address           : 001d.7096.3404     Name             : WGB
 IP Address        : 192.168.11.36        Interface        : Dot11Radio 0
 Device            : WGB                Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -22  dBm           Connected for    : 55931 seconds
 Signal to Noise   : 73  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 9399               Packets Output   : 30671
 Bytes Input       : 1597644            Bytes Output     : 4718946
 Duplicates Rcvd   : 0                  Data Retries     : 1325
 Decrypt Failed    : 2                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
RootAP#sh dot11 ass c434.6b27.0c11
 Address           : c434.6b27.0c11     Name             : NONE
 IP Address        : 192.168.12.31        Interface        : Dot11Radio 0
 Device            : WGB-client         Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 001d.7096.3404
 SSID              : RSCCIEW
 VLAN              : 12
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

On WGB:

WGB#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 192.168.11.35     ap1240-Parent RootAP          -              EAP-Assoc
WGB#sh dot11 ass 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : RootAP
 IP Address        : 192.168.11.35        Interface        : Dot11Radio 0
 Device            : ap1240-Parent      Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -24  dBm           Connected for    : 55975 seconds
 Signal to Noise   : 69  dB            Activity Timeout : 14 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 586784             Packets Output   : 9346
 Bytes Input       : 102345033          Bytes Output     : 1669240
 Duplicates Rcvd   : 0                  Data Retries     : 12
 Decrypt Failed    : 114                RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0

Normally its not recommended by cisco to use multiple vlan on WGB 🙂

Advertisements

Autonomous AP as WGB (Single VLAN)

In this post we will learn how to configure an autonomous AP as WGB.

WGB can provide the wired connection to the devices which don’t have wireless adaptor so that device can directly connect to WGB Ethernet port to access the wireless network.

It can provide wireless connectivity to wired clients that are connected by Ethernet to the work-group bridge access point.00

WGB connect to root AP as a client through the wireless interface.

Basic Info:

  • Infrastructure SSID configuration not required
  • By default when the WGB associates with the root bridge, all the wired clients + the WGB are shown as normal clients.
  • A WGB can only pass one VLAN between the WGB and the root bridge(As Cisco recommend but it can also pass multiple)
  • Always use bridge-group 1 for the link between the root and WGB.
  • But if we use WGB multicast infrastructure mode on the WGB, we need to add infrastructure-client on the root AP side.
  • A WGB in standard mode is by default a “client”, not an “infrastructure client” and therefore cannot associate to an infrastructure SSID.
  • WGB is a mobile
  • Root AP can allow max 20WGB.(This must be test out)

 My Topology:

WGB_Vlan1

Remembering Points:

  1. The AP to which a WGB associates can treat the WGB as an infrastructure device or as a normal client. By default, AP treats WGB as client devices.
  1. If WGB is an infrastructure client, it can associate to an infrastructure SSID. Infrastructure SSIDs are used to authenticate Bridges, Repeaters…Etc. A WGB in by default is a “client”, not an “infrastructure client” and therefore cannot associate to an infrastructure SSID.

Use of Infrastructure-Client Command:

  1. Used for Reliable Multicast
  2. To make WGB as Infrastructure-Client so that WGB can associate to Infrastructure-SSID.

In my example WGB is connected root AP via RSCCIEW WLAN interface.

WGB authentication with LEAP-WPA2.

Here is the configuration:

Root AP:

RootAP#sh run
 !
 hostname RootAP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 192.168.11.35 auth-port 1112 acct-port 1113
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 11
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 11 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 ip address dhcp
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.11
 encapsulation dot1Q 11 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 192.168.11.35 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 192.168.11.254
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 192.168.11.35 key 7 13261E010803557878
 user WGB nthash 7 124C264F425B2A55790A770B166D743623445655067D7C077159504B477C017601
 !
 radius-server host 192.168.11.35 auth-port 1112 acct-port 1113 key 7 02250D4808095E731F
 bridge 1 route ip
 !
 end

WGB:

WGB#sh run
 !
 hostname WGB
 !
 no aaa new-model
 !
 dot11 ssid RSCCIEW
 authentication open eap test
 authentication network-eap test
 authentication key-management wpa version 2
 dot1x credentials wgbuser
 dot1x eap profile leap
 !
 eap profile leap
 method leap
 !
 dot1x credentials wgbuser
 username WGB
 password 7 060506324F41
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role workgroup-bridge
 bridge-group 1
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 bridge 1 route ip
 bridge 1 address c434.6b27.0c11 forward FastEthernet0.11
 !
 end

Verification:

On Root AP

RootAP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 001d.7096.3404 192.168.11.36     WGB           WGB             self           EAP-Assoc
 c434.6b27.0c11 192.168.11.37     WGB-client    -               001d.7096.3404 Assoc
RootAP#sh dot11 associations 001d.7096.3404
 Address           : 001d.7096.3404     Name             : WGB
 IP Address        : 192.168.11.36        Interface        : Dot11Radio 0
 Device            : WGB                Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -24  dBm           Connected for    : 102 seconds
 Signal to Noise   : 71  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 213                Packets Output   : 29
 Bytes Input       : 47472              Bytes Output     : 3382
 Duplicates Rcvd   : 0                  Data Retries     : 3
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
RootAP#sh dot11 associations c434.6b27.0c11
 Address           : c434.6b27.0c11     Name             : NONE
 IP Address        : 192.168.11.37        Interface        : Dot11Radio 0
 Device            : WGB-client         Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 001d.7096.3404
 SSID              : RSCCIEW
 VLAN              : 11
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

On WGB:

 *Mar  1 02:06:37.718: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
  
  
 WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 192.168.11.35     ap1240-Parent RootAP          -              EAP-Assoc
  
 WGB#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : RootAP
 IP Address        : 192.168.11.35        Interface        : Dot11Radio 0
 Device            : ap1240-Parent      Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -28  dBm           Connected for    : 177 seconds
 Signal to Noise   : 66  dB            Activity Timeout : 11 seconds
 Power-save        : Off                Last Activity    : 4 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 2475               Packets Output   : 732
 Bytes Input       : 402607             Bytes Output     : 316070
 Duplicates Rcvd   : 0                  Data Retries     : 4
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0

Autonomous AP as Wireless Bridge with Multiple VLAN

In last post we learned about how to setup a root and non-root bridge. In this post we will see the configuration for multiple VLAN on Root, Non-Root Bridge for wireless clients.

Topology is same as it was in last post: Autonomous AP as Wireless Bridge

Again here I will use WPA2-PSK to authenticate both WLAN. One WLAN for Root-AP to Wireless-Bridge communication and other WLAN for clients to authenticate.

We will not waste our much time on theory, let’s directly jump to configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

That’s all for configuration. Now we are ready to test a client for VLAN 81.

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Autonomous AP as Wireless Bridge

In this post we will learn how to configure AP as wireless bridge. I tried to find the documents on cisco but they are very limited.

Let’s learn something about Wireless Bridges.

Here is my Topology:

Wirelessbridge1

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device; it connects two or more LANs, which can be in different buildings, through the wireless interface. Wireless bridges provide higher data rates and superior throughput for data-intensive and line of sight applications. Wireless bridges eliminate the need for expensive leased lines and fiber-optic cables and mostly used to connect two sites where either WAN line is not available or available but expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Remembering Points:

  • It will always connect to Root-AP via Native VLAN.
  • It can support multiple VLAN. (Not like Repeater).

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge Configuration with WPA2 encryption/single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once completion of configuration, we will these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate Wireless-Bridge with LEAP(How to Authenticate with LEAP) or EAP-FAST(How to Authenticate with LEAP) then we have to use the same method as we did for Repeaters. Check my old post to use EAPFAST or LEAP to authenticate Repeater, Wireless Bridge, WGB, and Universal WGB.

Autonomous AP as Repeater with EAP-FAST

In the last post we learnt about the LEAP authentication of a Repeater. For more therortical conectps or musr remeber point please check this link: 

Autonomous AP as Repeater with WPA2

Lets see the configuration of EAP-FAST authentication.

*** In the same way we can authentication Bridge, WGB.

Here are the configurations.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info CCIEW
 eapfast server-key primary 7 52B537935F17B2359E1DCA5291705E3E76
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials FAST
 dot1x eap profile FAST
 guest-mode
 infrastructure-ssid
 !
 eap profile FAST
 method fast
 !
 dot1x credentials FAST
 username sandeep
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication of a repeater:

*Dec 17 10:43:53.122: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [EAP-FAST WPAv2]

Client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

That is all about Repeaters 🙂

Autonomous AP as Repeater with LEAP

In the last post we learnt about Repeater configuration and authenticaion via WPA2-PSK. Here is the link : Autonomous AP as Repeater with WPA2

In last post we also learned the basic concept and theoretical knowledge of repeater and there usage.

In this post we will directly conifgure the Root AP/Repeater AP with LEAP Authentication.

Here is the configuration of Root and Repeater AP.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method --> also need to add the open EAP for clients which may associate with Repeater AP.
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials LEAP
 dot1x eap profile LEAP
 guest-mode
 infrastructure-ssid
 !
 eap profile LEAP
 method leap
 !
 dot1x credentials LEAP
 username repeater
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication:

 *Dec 17 10:40:02.500: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [LEAP WPAv2]

Here is the client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 ass
 Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

In the next post we will learn how to Authenticate Repeater via EAP-FAST.

Autonomous AP as Repeater with WPA2

In this post we will learn how to configure a repeater to extend our wireless coverage.

To extend or increase the range of our WLAN, we can add a repeater AP to the network. This repeater AP will not physically connected to the WLAN, but is instead added to radio range of the wired connected Access Point and the clients that access the WLAN.

***AP has two radios, only one can be used as a repeater. We must configure the other as a root radio.

***Repeater only can connect to root AP in Autonomous mode.

Here is my test lab setup:

Client………..Repeater-AP…………Root-AP——–Switch

Repeater_setup

When we configure an AP as a repeater, the access point’s Ethernet port does not forward traffic.

*** After our AP is configured as a repeater, it shuts down its Ethernet connection. Any devices connected to the Ethernet port are disconnected from the AP.

Of-course we can configure multiple APs as repeaters, but throughput decreases as additional APs are added to the chain, because each repeater must receive/retransmit the packet on the same channel. Because of this, throughput is cut in half for each repeater added.

A repeater AP connects to the root AP which has the best connectivity. But we can specify the AP to which the repeater associates. Setting up a static, specific association between a repeater and a root access point improves repeater performance.

Remembering Points:

  • It’s best to use repeaters to serve clients that do not require high throughput.
  • Cisco AP repeaters work best when clients are Cisco devices. Problems occur when third-party devices try to associate with repeater APs.
  • Ensure the data rates configured on the repeater AP match the data rates of the parent AP.
  • We can’t configure multiple VLANs on repeater access points. Repeater access points support only native VLAN.
  • If Repeater is connected to root AP, which has many BSSIDs and we are adding/deleting SSID on root AP that might change the parent mac address. So if we are making some changes on root AP then we must again check the connectivity between root AP and repeater after modification.

Steps to Configure the AP as Repeater:

  1. Enable Aironet extensions on both the parent and repeater APs. By default, these extensions are enabled. (Aironet extensions, which are enabled by default, improve the access point’s ability to understand the capabilities of Cisco Aironet client devices associated with the access point.)
  2. Setup the SSID under specific Radio {0 or 1}
  3. Assigns the SSID as an infrastructure SSID. This is the SSID the repeater uses to associate to the root AP.

The infrastructure SSID must be assigned to the native VLAN. If more than one VLAN is created on an AP, an infrastructure SSID cannot be assigned to a non-native VLAN. The following message appears when the infrastructure SSID is configured on non-native VLAN:

ap(config-ssid)#infrastructure-ssid optional
 Dot11Radio0: SSID Test must be configured as native-vlan before enabling infrastructure-ssid
ap(config-ssid)#

*** The ”optional” argument allows regular clients to associate as well.

  1. Establishes this AP’s role as a repeater.

By using this command: station-role repeater

  1. We can enter MAC addresses for up to four parents. If the repeater fails to associate to the first parent, it moves to the next on the list. We can enter a timeout, which establishes how long the repeater tries to associate to a parent before it moves to the next.

 

Root AP/Repeater Configuration with WPA2 encryption.

On Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 104D000A061843595F
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache

Repeater-AP:

hostname Repeater-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no p route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache

Once completion of configuration, we will these logs:

*Oct 6 09:23:28.003: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Repeater-AP 2894.0fa8.a594 Associated KEY_MGMT[WPAv2 PSK]

Now let’s connect a client to repeater AP and see its Status:

Root-AP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address   IP address     Device       Name           Parent         State
 2894.0fa8.a594 10.35.80.111   ap1240-Rptr   Repeater-AP     self           Assoc
 5426.963e.4bee 10.35.80.108   Rptr-client   -               2894.0fa8.a594 Assoc
Root-AP#

If we want fix the repeater to associate to specific root Aps, we can use “Parent <1-4>mac-address [timeout]” command under radio interface of repeater. Maximum 4 parent’s mac addresses are allowed. In our case we have only one Root-AP.

Also we can enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Timeout value varies from 0 to 65535 seconds.

Here is the command:

Repeater-AP#Conf t
Repeater-AP(config)#Parent 1 mac 003a.9914.1370

In next post we will see the Repeater authentication via LEAP.

Configuring WDS via CLI

In this post we will learn how to setup an AP as WDS device with AAA server locally.

My Topology:

I have two cisco AP models 1142.

AAP1:  AS WDS device: 10.35.80.110
AAP2: AS Infrastructure AP: 10.35.80.111

***I will only use 2.4 Ghz (Dot11radio 0 Interface) for this post. You can use both or any one.

Steps to proceed:

  1. We will setup main AP (WDS-AP) as WDS device.
  2. WDS device will also participate as iNfrastructure AP.
  3. Configure the other Infrastructure AP(WDS-Client) to connect to WDS device.

 

Setup main AP (WDS-AP) as WDS device
Configure the AP to point the radius server:
aaa new-model
aaa group server radius Infra
  server 10.35.80.110 auth-port 1812 acct-port 1813
aaa authentication login method_infra group Infra

radius-server local
<Configure AP for local radius server>
<Here we can use three type of authentication, eapfast, leap and mac authentication, by default its leap>

nas 10.35.80.110 key cisco123
<Define AP as AAA client>

no authentication mac
<Disable mac authentication>

no authentication eapfast
<Disable eapfast authentication>

User wds password cisco –> This will be used for other AP to join WDS

User test password rscciew123 –> This is for clients to authenticate

Radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key test12345
<Define the radius server to AP itself>

Enable the WDS on AP:

Wlccp wds priority 254 interface BVI1
<This sets the WDS priority. Between 1 and 255 where higher numbers are more likely to become WDS.>

Wlccp authentication-server infrastructure method_infra
<Enable Infrastructure authentication.>

WDS device will also participate as iNfrastructure AP

To join this AP as infra AP to itself, we will see this message:

WDS-AP(config)#wlccp ap username wds password cisco
WDS-AP(config)#
 *Oct  2 12:50:32.274: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated

Check the WDS status:

WDS-AP#sh wlccp wds
 MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
 Interface BVI1, State: Administratively StandAlone - ACTIVE
 AP Count: 1   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#
WDS-AP#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
 WDS-AP#

Our First AP is ready to act as WDS device and this AP is also participating as infrastructure device in it.

Other Infrastructure AP(WDS-Client) to connect to WDS device

On this AP we just need to configure the username and password to participate in WDS:

WDS-Client(config)#wlccp ap username wds password cisco

*** Configuring WDS suggest that the other AP (WDS-Client) in same subnet will be authenticated  through the first AP. In this case, the authentication occurs over the cable(Not through any inter-AP wireless Link.)

Now check the status on WDS AP again:

WDS-AP#sh wlccp  wds
 MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
 Interface BVI1, State: Administratively StandAlone - ACTIVE
 AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp  wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
 WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
 WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#
WDS-AP#sh wlccp  ap
WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
WDS-AP#

Here is the complete configuration:

WDS Device Configuration:

hostname WDS-AP
 !
 aaa new-model
 !
 aaa group server radius Infra
  server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_infra group Infra
 !
 radius-server local
   no authentication eapfast
   no authentication mac
   nas 10.35.80.110 key 7 13061E010803557878
   user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
   user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
 !
 wlccp ap username wds password 7 05080F1C2243
 wlccp authentication-server infrastructure method_infra
 wlccp wds priority 254 interface BVI1

Infrastructure AP Configuration (WDS-Client):

hostname WDS-Client
wlccp ap username wds password 7 05080F1C2243

In next post we will configure the 2nd AP (WDS-Client) to also act as redundant WDS device in case of primary fails.

WDS(Wireless Domain Service) Overview

In this post we will learn how to use AP as WDS device and what are the benefits of using WDS in autonomous environment.

In the next post we will learn how to configure the AP with WDS as local AAA server.

WDS is a part of the Cisco Structured Wireless Aware Network (SWAN). WDS is cisco IOS Software features that enhance WLAN client mobility, and simplify WLAN deployment and management. This is very useful when we don’t have Controller in our campus and still want to use RRM and roaming then it’s the best choice. WDS offer these features:

  • Fast secure roaming(CCKM)

CCKM (Cisco Centralized Key Management) enables clients and access points to cache and re-use keying material derived from a full 802.1x/EAP authentication. This enables clients to roam between access points faster without the need to perform a full re-authentication.

The WDS device maintains a cache of credentials for CCKM-capable client devices on our wireless LAN. When a CCKM-capable client roams from one AP to another, the client sends a re-association request to the new AP, and the new AP relays the request to the WDS device. The WDS device forwards the client’s credentials to the new AP, and the new access point sends the re-association response to the client. Only two packets pass between the client and the new AP, greatly reducing the re-association time. The client also uses the re-association response to generate the unicast key.

  • Radio management

APs forward radio management information such as rogue Aps, client associations and Signal Strength to the WDS device. The WDS device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection capability by providing a central point for key distribution and management across autonomous access points.

Requirements for WDS and Fast Secure Roaming

We must have these items:

  • At least one AP configure as the WDS device
  • An authentication server or an AP configured as a local authenticator.
  • Rest of other AP must configure as iNfrastructure device to use WDS.

Remembering Points:

  • If we are using AP as WDS then either disable the radio interfaces or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
  • A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points.
  • Repeater AP does not support WDS. Do not configure a repeater access point as a WDS candidate, and do not configure a WDS access point to return (fall back) to repeater mode in case of Ethernet failure.

Communication and Tasks:

The WDS and the infrastructure APs communicate over a multicast protocol WLCCP. These multicast messages cannot be routed. Therefore, a WDS and the associated infrastructure APs must be in the same IP subnetwork and on the same LAN segment.

The WDS AP performs these tasks:

  • Advertises WDS capability and participates in an election of the best WDS device for our WLAN.
  • When we configure our WLAN for WDS, we set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes offline, one of the backup WDS devices takes the place of the main device.
  • Authenticates all APs in the subnetwork and establishes a secure communication channel with each of the APs.
  • Registers all client devices in the subnetwork, establishes session keys for the client devices, and caches the client security credentials.
  • When a client roams to another AP, the WDS device forwards the client security credentials to the new AP.
  • Main task of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.

Note: A single WDS AP can support a maximum of 60 infrastructure APs when the radio interface is disabled. The number drops to 30 if the AP that acts as the WDS AP also accepts client associations.

Note: A Wireless LAN Services Module (WLSM)-equipped switch supports up to 300 APs.

Note: WDS can perform authentication but not accounting.

Note: We cannot configure a 350 series AP as a WDS device but, we can configure 350 series AP to use the WDS device.

Note: Make sure that the AP and the WDS are located at the same subnet otherwise it’s not possible to have it working. (In case of Local AP as WDS).

Note: If we are using WLSM then we can install our AP at any location in plant for layer 3 mobility.(I don’t have WLSM in my test lab so can’t say more about this)

Make sure:

  • Backup WDS devices must exist in case of primary fails.
  • WDS clients authenticate to the WDS Primary using LEAP. Therefore, LEAP must be enabled in the AAA server performing authentication for WDS devices.
  • All wireless client authentications are performed by the WDS Primary when active.
  • WDS clients will revert to standalone mode if the WDS master fails and CCKM fast roaming will not be available.
  • If a secondary WDS exists, then WDS clients will re-join the new WDS device and begin forwarding wireless client authentications again.
  • Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming; even if wireless clients are authenticated using another EAP type.

 

More info regarding WDS:

Configuring WDS

WDS on Cisco Autonomous AP

WGB with multiple VLAN in UWNS

In this post we will see how to configure a WGB for multiple VLAN in unified wireless environment. This is useful when we want to have wired client behind WGB in different VLAN.

WGB connects to a wired network over a single wireless segment by learning the MAC address of its wired clients on the Ethernet interface and reporting them to the lightweight access point using Internet Access Point Protocol (IAPP) messaging. The WGB provides wireless access connectivity to wired clients by establishing a single connection to the lightweight access point. The lightweight access point treats the WGB as a wireless client.

Remembering Points:

  • The workgroup bridge can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8) JEB or greater (on 16-MB access points).
  • On the wireless LAN controller, we should have software version 4.1.185.0 or later. The WGB mode is not supported on the controller on any of the earlier versions.
  • We do not need to configure anything on the controller to enable the WGB to communicate with the lightweight access point. However, to ensure proper communication, we should create a WLAN on the controller that matches the SSID and security method that was configured on the WGB.
  • LAP is acting as root AP for WGB.
  • We can only configure one radio for WGB mode to connect to LAP.
  • By default, access points treat workgroup bridges as client device.
  • WGB can support maximum 20 clients.
  • These lightweight features are supported for use with a workgroup bridge:
    • Guest N+1 redundancy
    • Local EAP
  • These lightweight features are not supported for use with a workgroup bridge:
  • Cisco Centralized Key Management (CCKM)
    • Hybrid REAP
    • Idle timeout
    • Web authentication
  • These features are not supported for wired clients connected to a workgroup bridge:
    • MAC filtering
    • Link tests
    • Idle timeout

My topology for this LAB:

Core Switch——-WLC——-LAP~~~~~~~~~~WGB———–Switch——Client

  • The Dynamic Host Configuration Protocol (DHCP) is configured for VLAN 80(On Core Switch) and 81(On WLC).
  • The WLC has the dynamic interfaces created for VLAN 80 and 81.
  • The WGB has sub-interfaces for required VLANs — 80 and 81.
  • The switch behind the WGB has required VLANs — 80 and 81.
  • WLC is connected with trunk port to Core switch and AP001 (LAP) is connected with access port.
  • WLC1 is configured with 2 dynamic interfaces: 80(Test) and 81(Coding)
  • Created a SSID”Test” with WPA2/AES – PSK as shown below.

WGB_MuVLAN1

Config. on Core Switch:

First we have to create DHCP pool and SVI interface for the management VLAN so that LAP and WGB can get the IP address. Here I created DHCP Pool “WGB” for VLAN 80 and configured the WLC and AP port with right configuration as shown below.

ip dhcp excluded-address 10.35.80.1 10.35.80.100
ip dhcp excluded-address 10.35.80.120 10.35.80.254
 !
 ip dhcp pool WGB
 network 10.35.80.0 255.255.255.0
 default-router 10.35.80.254
 option 43 ip 10.35.80.1
 lease 3
 !
 vlan 80
 name Management
 !
 vlan 81
 name coding
 !
 interface FastEthernet1/24
 description LAP - AP001
 switchport access vlan 80
 switchport mode access
 !
 interface FastEthernet0/25
 description *** WLC1  ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 80,81
 switchport mode trunk
 !
 interface Vlan80
 ip address 10.35.80.245 255.255.255.0

Configuration on WLC:

WLAN Configuration:

Step1: As shown in pic, I created a SSID Test with WPA2-PSK security policy and management interface assigned to it.

WGB_MuVLAN2

Step2: DHCP Scope for VLAN 81:

Wired client behind the WGB will get the IP from VLAN 81 so we have to create a DHCP scope for them in WLC.

WGB_MuVLAN3

Step3: Also enable the WGB by WLC CLI:

(WLC1) >config wgb vlan enable

By default its disabled and we must enable it to get WGB VLAN client connectivity.

Config of WGB:

  1. I am using the WGB to configured for the 2.4-GHz and that is 802.11b radio is 0. (We can only configure one radio for WGB mode to connect to LAP).
  2. To support multiple VLAN on WGB we have to use VLAN tagging feature which enables segregation of VLAN traffic based on the VLAN numbers for Unified WGB solution. When this feature is enabled, the WGB removes the 802.1q header while sending the packet from a VLAN client to the wireless LAN controller (WLC). WGB gets the packet to a VLAN client without 802.1q header and WGB code has to be modified to add the 802.1q header while forwarding the frame to the switch behind WGB.

WGB updates the WLC with the wired-client VLAN information in the Internet Access Point Protocol (IAPP) Association message. WLC treats the WGB client as a VLAN-client and forwards the packet in the right VLAN interface based on the source-mac-address.

In the upstream direction, WGB removes the 802.1q header from the packet while sending to the WLC.

In the downstream direction while forwarding the packet to the switch connecting the wired-client, the WLC sends the packet to WGB without the 802.1q tag and WGB adds a 4-byte 802.1q header based on the destination mac-address.

To enable VLAN tagging, we have to use this command:

(WLC1) > workgroup-bridge unified-vlan-client
  1. If you faced this kind of problem while testing: When wired client got connection to WGB but after sometime it automatically removed because of extended of time(specially the connected switch to WGB was losing IP address). To stop this we have to configure aging time on WGB. By using this command:
(WLC1) > bridge brige-group-number aging-time 65535

So here is the complete config for WGB:

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 105A0C0A114640585851
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge --> To define the role of this AP as WGB
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 no ip route-cache
 bridge-group 81
 !
 interface BVI1
 ip address dhcp
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 !
 workgroup-bridge unified-vlan-client --> To support multiple VLAN on WGB

Verification:

On WGB:

WGB#sh bridge
 Total of 300 station blocks, 293 free
 Codes: P - permanent, S - self
 Bridge Group 1:
 Address       Action   Interface       Age   RX count   TX count
 0022.bd98.3a30   forward   Vi0.80            2          3          0
 381c.1a89.f4c1   forward   Fa0.80            2         12          2
 381c.1a89.f481   forward   Fa0.80            0        654          0
 001e.4a81.4c96   forward   Vi0.80            0        386          4
 Bridge Group 81:
 381c.1a89.f4c2   forward   Fa0.81            3          1          0
 c434.6b25.80c8   forward   Fa0.81            0       2352          0
 381c.1a89.f481   forward   Fa0.81            0        316          0
WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a32 10.35.80.1      LWAPP-Parent AP001           -              Assoc
WGB#sh dot11 associations  0022.bd98.3a32
 Address           : 0022.bd98.3a32     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 0
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -46  dBm           Connected for    : 989 seconds
 Signal to Noise   : 43  dB            Activity Timeout : 15 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 672848             Packets Output   : 66093
 Bytes Input       : 128614720          Bytes Output     : 6258031
 Duplicates Rcvd   : 0                  Data Retries     : 3361
 Decrypt Failed    : 0                  RTS Retries      : 425
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
  

ON WLC:

Via GUI:

WGB_MuVLAN4

WGB_MuVLAN5

WGB_MuVLAN6

Client got the IP in VLAN 81 ,which is connected with Switch.

WGB_MuVLAN7

Via CLI:

(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11g            2
(WLC1) >show wgb detail 58:8d:09:03:e3:1c
 Number of wired client(s): 2
 MAC Address        IP Address      AP Name            Mobility   WLAN Auth
 -----------------  --------------- -----------------  ---------- ---- ----
 c4:34:6b:25:80:c8  10.35.81.32     AP001              Local      3    Yes
 38:1c:1a:89:f4:c1  10.35.80.108    AP001              Local      3    Yes
(WLC1) >show client  summary
 Number of Clients................................ 3
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 38:1c:1a:89:f4:c1 AP001             Associated    3              Yes  N/A              1    N/A
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11g          1    N/A
 c4:34:6b:25:80:c8 AP001             Associated    3              Yes  N/A              1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c --> My WGB
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 2 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 900 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
 ............................................. 12.0,18.0,24.0,36.0,48.0,
 ............................................. 54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80
(WLC1) >show client detail 38:1c:1a:89:f4:c1 --> Switch in vlan 80
 Client MAC Address............................... 38:1c:1a:89:f4:c1
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 909 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.80.108
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 0
 (WLC1) >show client detail c4:34:6b:25:80:c8 --> Client in VLAN 81
 Client MAC Address............................... c4:34:6b:25:80:c8
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge Client.......................... WGB: 58:8d:09:03:e3:1c
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:32
 Connected For ................................... 919 secs
 Channel.......................................... 1
 IP Address....................................... 10.35.81.32
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Disabled
 Power Save....................................... OFF
 Supported Rates..................................
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... N/A
 Encryption Cipher................................ None
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ coding
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81

***Configuring a specific Client VLAN

If wired devices connected to the WGBs Ethernet port should all be assigned to a specific VLAN then we can configure a VLAN for the connected devices. By using this command on the WGB:

WGB(config)# workgroup-bridge client-vlan vlan-id

All the devices connected to the Workgroup Bridge’s Ethernet port are assigned to that VLAN.

That’s all for today 🙂