Autonomous AP as Wireless Bridge

In this post we will learn how to configure AP as wireless bridge. I tried to find the documents on cisco but they are very limited.

Let’s learn something about Wireless Bridges.

Here is my Topology:

Wirelessbridge1

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device; it connects two or more LANs, which can be in different buildings, through the wireless interface. Wireless bridges provide higher data rates and superior throughput for data-intensive and line of sight applications. Wireless bridges eliminate the need for expensive leased lines and fiber-optic cables and mostly used to connect two sites where either WAN line is not available or available but expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Remembering Points:

  • It will always connect to Root-AP via Native VLAN.
  • It can support multiple VLAN. (Not like Repeater).

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge Configuration with WPA2 encryption/single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once completion of configuration, we will these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate Wireless-Bridge with LEAP(How to Authenticate with LEAP) or EAP-FAST(How to Authenticate with LEAP) then we have to use the same method as we did for Repeaters. Check my old post to use EAPFAST or LEAP to authenticate Repeater, Wireless Bridge, WGB, and Universal WGB.

Autonomous AP as Repeater with EAP-FAST

In the last post we learnt about the LEAP authentication of a Repeater. For more therortical conectps or musr remeber point please check this link: 

Autonomous AP as Repeater with WPA2

Lets see the configuration of EAP-FAST authentication.

*** In the same way we can authentication Bridge, WGB.

Here are the configurations.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info CCIEW
 eapfast server-key primary 7 52B537935F17B2359E1DCA5291705E3E76
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials FAST
 dot1x eap profile FAST
 guest-mode
 infrastructure-ssid
 !
 eap profile FAST
 method fast
 !
 dot1x credentials FAST
 username sandeep
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication of a repeater:

*Dec 17 10:43:53.122: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [EAP-FAST WPAv2]

Client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

That is all about Repeaters 🙂

Autonomous AP as Repeater with LEAP

In the last post we learnt about Repeater configuration and authenticaion via WPA2-PSK. Here is the link : Autonomous AP as Repeater with WPA2

In last post we also learned the basic concept and theoretical knowledge of repeater and there usage.

In this post we will directly conifgure the Root AP/Repeater AP with LEAP Authentication.

Here is the configuration of Root and Repeater AP.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method --> also need to add the open EAP for clients which may associate with Repeater AP.
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials LEAP
 dot1x eap profile LEAP
 guest-mode
 infrastructure-ssid
 !
 eap profile LEAP
 method leap
 !
 dot1x credentials LEAP
 username repeater
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication:

 *Dec 17 10:40:02.500: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [LEAP WPAv2]

Here is the client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 ass
 Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

In the next post we will learn how to Authenticate Repeater via EAP-FAST.

Autonomous AP as Repeater with WPA2

In this post we will learn how to configure a repeater to extend our wireless coverage.

To extend or increase the range of our WLAN, we can add a repeater AP to the network. This repeater AP will not physically connected to the WLAN, but is instead added to radio range of the wired connected Access Point and the clients that access the WLAN.

***AP has two radios, only one can be used as a repeater. We must configure the other as a root radio.

***Repeater only can connect to root AP in Autonomous mode.

Here is my test lab setup:

Client………..Repeater-AP…………Root-AP——–Switch

Repeater_setup

When we configure an AP as a repeater, the access point’s Ethernet port does not forward traffic.

*** After our AP is configured as a repeater, it shuts down its Ethernet connection. Any devices connected to the Ethernet port are disconnected from the AP.

Of-course we can configure multiple APs as repeaters, but throughput decreases as additional APs are added to the chain, because each repeater must receive/retransmit the packet on the same channel. Because of this, throughput is cut in half for each repeater added.

A repeater AP connects to the root AP which has the best connectivity. But we can specify the AP to which the repeater associates. Setting up a static, specific association between a repeater and a root access point improves repeater performance.

Remembering Points:

  • It’s best to use repeaters to serve clients that do not require high throughput.
  • Cisco AP repeaters work best when clients are Cisco devices. Problems occur when third-party devices try to associate with repeater APs.
  • Ensure the data rates configured on the repeater AP match the data rates of the parent AP.
  • We can’t configure multiple VLANs on repeater access points. Repeater access points support only native VLAN.
  • If Repeater is connected to root AP, which has many BSSIDs and we are adding/deleting SSID on root AP that might change the parent mac address. So if we are making some changes on root AP then we must again check the connectivity between root AP and repeater after modification.

Steps to Configure the AP as Repeater:

  1. Enable Aironet extensions on both the parent and repeater APs. By default, these extensions are enabled. (Aironet extensions, which are enabled by default, improve the access point’s ability to understand the capabilities of Cisco Aironet client devices associated with the access point.)
  2. Setup the SSID under specific Radio {0 or 1}
  3. Assigns the SSID as an infrastructure SSID. This is the SSID the repeater uses to associate to the root AP.

The infrastructure SSID must be assigned to the native VLAN. If more than one VLAN is created on an AP, an infrastructure SSID cannot be assigned to a non-native VLAN. The following message appears when the infrastructure SSID is configured on non-native VLAN:

ap(config-ssid)#infrastructure-ssid optional
 Dot11Radio0: SSID Test must be configured as native-vlan before enabling infrastructure-ssid
ap(config-ssid)#

*** The ”optional” argument allows regular clients to associate as well.

  1. Establishes this AP’s role as a repeater.

By using this command: station-role repeater

  1. We can enter MAC addresses for up to four parents. If the repeater fails to associate to the first parent, it moves to the next on the list. We can enter a timeout, which establishes how long the repeater tries to associate to a parent before it moves to the next.

 

Root AP/Repeater Configuration with WPA2 encryption.

On Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 104D000A061843595F
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache

Repeater-AP:

hostname Repeater-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no p route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache

Once completion of configuration, we will these logs:

*Oct 6 09:23:28.003: %DOT11-6-ASSOC: Interface Dot11Radio0, Station Repeater-AP 2894.0fa8.a594 Associated KEY_MGMT[WPAv2 PSK]

Now let’s connect a client to repeater AP and see its Status:

Root-AP#sh dot11 ass
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address   IP address     Device       Name           Parent         State
 2894.0fa8.a594 10.35.80.111   ap1240-Rptr   Repeater-AP     self           Assoc
 5426.963e.4bee 10.35.80.108   Rptr-client   -               2894.0fa8.a594 Assoc
Root-AP#

If we want fix the repeater to associate to specific root Aps, we can use “Parent <1-4>mac-address [timeout]” command under radio interface of repeater. Maximum 4 parent’s mac addresses are allowed. In our case we have only one Root-AP.

Also we can enter a timeout value in seconds that determines how long the repeater attempts to associate to a parent access point before trying the next parent in the list. Timeout value varies from 0 to 65535 seconds.

Here is the command:

Repeater-AP#Conf t
Repeater-AP(config)#Parent 1 mac 003a.9914.1370

In next post we will see the Repeater authentication via LEAP.

Redundant WDS devices

How to configure AP as WDS device, check this link: Configure WDS via CLI

It’s the same procedure what we did in last post to configure the Infra AP to make as backup WDS device.

Steps:

  1. First we have to add the WDS-Client AP as a NAS on the primary AP’s radius server so it can request for authentication.
  2. Configure Radius and infrastructure server configure (Same as previous post).

Let’s start:

Only one line is needed on WDS-AP:

WDS-AP(config-radsrv)#nas 10.35.80.111 key cisco123

Then we have to configure Radius and wlccp parameters on WDS-Client AP.

aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp wds priority 250 interface BVI1

This WDS configured with a lower priority of 250 because we have other AP (WDS-AP) with 254.  Now let’s take a look at the results.

Now check the WDS status on both AP:

WDS-AP:

WDS-AP#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
WDS-AP#
WDS-AP#sh wlccp wds
 MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
 Interface BVI1, State: Administratively StandAlone - ACTIVE
 AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#

 

WDS-Client AP:

WDS-Client#sh wlccp ap
 WDS = 588d.0903.e31c, 10.35.80.110
 state = wlccp_ap_st_registered
 IN Authenticator = 10.35.80.110
 MN Authenticator = 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds
 MAC: 2894.0fa8.a594, IP-ADDR: 10.35.80.111   , Priority: 250
 Interface BVI1, State: BACKUP
 Currently ACTIVE WDS - MAC: 588d.0903.e31c, Priority: 254, IP-ADDR: 10.35.80.110
 WDS-Client#
 WDS-Client#sh wlccp wds ap
 HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
 WDS-Client#

Now we will configure both AP to provide service to clients.

WDS-AP Configuration:

hostname WDS-AP
 !
 aaa new-model
 !
 aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_infra group Infra
 aaa authentication login method_client group Client
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.35.80.110 key 7 13061E010803557878
 nas 10.35.80.111 key 7 1511021F07257A767B
 user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
 user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
 !
 wlccp ap username wds password 7 05080F1C2243
 wlccp authentication-server infrastructure method_infra
 wlccp authentication-server client any method_client
 ssid RSCCIEW
 wlccp wds priority 254 interface BVI1

WDS-Client Configuration:

hostname WDS-Client
 !
 aaa new-model
 !
 aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa group server radius Client1
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login method_Infra group Infrastructure
 aaa authentication login method_client1 group Client1
 !
 dot11 ssid RSCCIEW
 authentication open eap method_client1
 authentication key-management wpa version 2
 guest-mode
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 121A0C0411045D5679 
 !
 wlccp ap username wds password 7 104D000A0618
 wlccp authentication-server infrastructure method_Infra
 wlccp authentication-server client any Client1
 ssid RSCCIEW
 wlccp wds priority 250 interface BVI1

This is all we have to configure; now we can setup connection with client and test it.

See the client status: Client will authenticate from Primary WDS Device.

WDS-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 ac7b.a1d1.c289 10.35.80.106    ccx-client    WDS-AP          self           EAP-Assoc
WDS-AP#
WDS-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : WDS-AP
 IP Address        : 10.35.80.106       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -45  dBm           Connected for    : 14 seconds
 Signal to Noise   : 44  dB            Activity Timeout : 50 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 164                Packets Output   : 45
 Bytes Input       : 32680              Bytes Output     : 9901
 Duplicates Rcvd   : 0                  Data Retries     : 0
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 PMKIDs:
 ED7B7F68446E643F622718DD96A73643
 Session timeout   : 0 seconds
 Reauthenticate in : never
WDS-AP#

WDS(Wireless Domain Service) Overview

In this post we will learn how to use AP as WDS device and what are the benefits of using WDS in autonomous environment.

In the next post we will learn how to configure the AP with WDS as local AAA server.

WDS is a part of the Cisco Structured Wireless Aware Network (SWAN). WDS is cisco IOS Software features that enhance WLAN client mobility, and simplify WLAN deployment and management. This is very useful when we don’t have Controller in our campus and still want to use RRM and roaming then it’s the best choice. WDS offer these features:

  • Fast secure roaming(CCKM)

CCKM (Cisco Centralized Key Management) enables clients and access points to cache and re-use keying material derived from a full 802.1x/EAP authentication. This enables clients to roam between access points faster without the need to perform a full re-authentication.

The WDS device maintains a cache of credentials for CCKM-capable client devices on our wireless LAN. When a CCKM-capable client roams from one AP to another, the client sends a re-association request to the new AP, and the new AP relays the request to the WDS device. The WDS device forwards the client’s credentials to the new AP, and the new access point sends the re-association response to the client. Only two packets pass between the client and the new AP, greatly reducing the re-association time. The client also uses the re-association response to generate the unicast key.

  • Radio management

APs forward radio management information such as rogue Aps, client associations and Signal Strength to the WDS device. The WDS device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection capability by providing a central point for key distribution and management across autonomous access points.

Requirements for WDS and Fast Secure Roaming

We must have these items:

  • At least one AP configure as the WDS device
  • An authentication server or an AP configured as a local authenticator.
  • Rest of other AP must configure as iNfrastructure device to use WDS.

Remembering Points:

  • If we are using AP as WDS then either disable the radio interfaces or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
  • A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points.
  • Repeater AP does not support WDS. Do not configure a repeater access point as a WDS candidate, and do not configure a WDS access point to return (fall back) to repeater mode in case of Ethernet failure.

Communication and Tasks:

The WDS and the infrastructure APs communicate over a multicast protocol WLCCP. These multicast messages cannot be routed. Therefore, a WDS and the associated infrastructure APs must be in the same IP subnetwork and on the same LAN segment.

The WDS AP performs these tasks:

  • Advertises WDS capability and participates in an election of the best WDS device for our WLAN.
  • When we configure our WLAN for WDS, we set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes offline, one of the backup WDS devices takes the place of the main device.
  • Authenticates all APs in the subnetwork and establishes a secure communication channel with each of the APs.
  • Registers all client devices in the subnetwork, establishes session keys for the client devices, and caches the client security credentials.
  • When a client roams to another AP, the WDS device forwards the client security credentials to the new AP.
  • Main task of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.

Note: A single WDS AP can support a maximum of 60 infrastructure APs when the radio interface is disabled. The number drops to 30 if the AP that acts as the WDS AP also accepts client associations.

Note: A Wireless LAN Services Module (WLSM)-equipped switch supports up to 300 APs.

Note: WDS can perform authentication but not accounting.

Note: We cannot configure a 350 series AP as a WDS device but, we can configure 350 series AP to use the WDS device.

Note: Make sure that the AP and the WDS are located at the same subnet otherwise it’s not possible to have it working. (In case of Local AP as WDS).

Note: If we are using WLSM then we can install our AP at any location in plant for layer 3 mobility.(I don’t have WLSM in my test lab so can’t say more about this)

Make sure:

  • Backup WDS devices must exist in case of primary fails.
  • WDS clients authenticate to the WDS Primary using LEAP. Therefore, LEAP must be enabled in the AAA server performing authentication for WDS devices.
  • All wireless client authentications are performed by the WDS Primary when active.
  • WDS clients will revert to standalone mode if the WDS master fails and CCKM fast roaming will not be available.
  • If a secondary WDS exists, then WDS clients will re-join the new WDS device and begin forwarding wireless client authentications again.
  • Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming; even if wireless clients are authenticated using another EAP type.

 

More info regarding WDS:

Configuring WDS

WDS on Cisco Autonomous AP