Autonomous AP as Wireless Bridge with Multiple VLAN

In the last post we learned how to set up a root and a non-root bridge. In this post we will configure multiple VLANs on the Root and Non-Root Bridge for wireless clients.

The topology is the same as in the last post: Autonomous AP as Wireless Bridge

Again I will use WPA2-PSK on both WLANs: one WLAN (RSCCIEW) for the Root-AP to Wireless-Bridge link, and the other (BRIDGE-CLIENT) for client authentication. Note that the "wpa-psk ascii 7 ..." strings in the configs below are Cisco type 7 obfuscation, not encryption; anyone who can read the running config can recover the PSKs, so treat config backups as secrets.
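Every secret on this page (the wpa-psk strings, the nas keys, the radius-server keys and the dot1x credentials) is shown with a "7" before the hex, which is Cisco type 7 encoding. Type 7 is a fixed XOR against a public constant, so a "show running-config" or a config backup is as good as the plaintext PSK. The following Python is an added example, not code from the post: it implements the well-known type 7 transform in both directions and scans a constructed config fragment (hypothetical secrets "Lab-PSK-2024" and "radius-shared") for type 7 strings.

```python
"""Cisco IOS type 7 password obfuscation: encode, decode and scan a config.

Added example, not code from the original post.  The XOR key below is the
well-known constant IOS uses for type 7; it is public, which is exactly why
'7' strings in a config protect nothing.
"""
import re
from typing import List, Tuple

_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext behind a type 7 string such as '0010161510'."""
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError("not a type 7 string")
    seed = int(enc[:2], 10)              # two decimal digits: offset into the key
    if seed > 15:
        raise ValueError("type 7 seed must be 00..15")
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")         # a UnicodeDecodeError is a ValueError too


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce what IOS would store for `plain` (seed chooses the key offset)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


_TYPE7_LINE = re.compile(r"^\s*(?P<cmd>.*?)\s7\s(?P<enc>[0-9A-Fa-f]{4,})\s*$")


def find_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Return (command, recovered secret) for every '<cmd> 7 <hex>' line in a config."""
    found = []
    for line in config.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            try:
                found.append((m.group("cmd"), type7_decode(m.group("enc"))))
            except ValueError:
                pass                      # some other command that happens to end in '7 <hex>'
    return found


# Constructed sample config (hypothetical PSK and RADIUS key) in the layout used on this page.
SAMPLE_CONFIG = f"""\
dot11 ssid LAB-BRIDGE
 vlan 80
 authentication key-management wpa version 2
 wpa-psk ascii 7 {type7_encode('Lab-PSK-2024', 5)}
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key 7 {type7_encode('radius-shared', 11)}
"""

if __name__ == "__main__":
    for cmd, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{cmd!r} -> {secret!r}")
```

Run it against a saved running-config to see what a config backup actually leaks. The practical consequence is that a PSK or RADIUS secret that has ever appeared in a shared config or a blog post must be considered burned and rotated; the "7" adds nothing beyond shoulder-surfing protection.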

We will not waste much time on theory; let's jump directly to the configuration:

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 094F471A1A0A464058
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 dot11 ssid BRIDGE-CLIENT
 vlan 81
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 14141B180F0B7B7977
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 ssid BRIDGE-CLIENT
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

That's all for the configuration. Now we are ready to test a client on VLAN 81.

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.81.157    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations  003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 48.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 58 seconds
 Signal to Noise   : 82  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 25049              Packets Output   : 6732
 Bytes Input       : 4102567            Bytes Output     : 1025396
 Duplicates Rcvd   : 0                  Data Retries     : 1185
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 
Root-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.81.157       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
  
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 81
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

Autonomous AP as Wireless Bridge

In this post we will learn how to configure an AP as a wireless bridge. I tried to find documents on Cisco's site, but they are very limited.

Let's learn something about wireless bridges.

Here is my Topology:

(Figure: Wirelessbridge1, topology diagram)

I have two 1240 model APs.

Root-AP: 10.35.80.110

Wireless-Bridge: 10.35.80.111

A wireless bridge is a Layer 2 device: it connects two or more LANs, which can be in different buildings, over the wireless interface. Wireless bridges provide high data rates and good throughput for data-intensive, line-of-sight applications. They remove the need for expensive leased lines or fiber-optic cables and are mostly used to connect two sites where a WAN link is either unavailable or too expensive.

In this post I will create a WLAN “RSCCIEW” to connect Root-AP & Wireless-Bridge.

Remembering Points:

  • The non-root bridge always associates to the Root-AP over the native VLAN, so the SSID marked infrastructure-ssid must be mapped to the native VLAN.
  • It can carry multiple VLANs across the link (unlike a Repeater).
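The two points above, together with the per-VLAN mapping used in the multi-VLAN post at the top of this page (each SSID's VLAN needs an "encryption vlan" line, a Dot11Radio0.N and a FastEthernet0.N subinterface in the same bridge-group, and the infrastructure SSID's VLAN as the native VLAN in bridge-group 1 where BVI1 lives), are easy to get wrong by hand, and a mistake usually shows up only as a client that associates but gets no DHCP. The following Python is an added example, not code from the post: a small linter for the autonomous-AP config format used on this page. Both sample configs are constructed; the first mirrors the Root-AP config above, the second carries three deliberate mistakes.

```python
"""Linter for the autonomous-AP bridge configs on this page (added example, not Cisco code)."""
import re
from typing import Dict, List

_SECTION_RE = re.compile(r"^(dot11 ssid \S+|interface \S+)$")

def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented lines under their 'dot11 ssid X' / 'interface X' header; '!' is ignored."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if _SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def _subinterfaces(sections, phys):
    """vlan -> {native, encap_vlan, bridge_group} for every '<phys>.<n>' subinterface."""
    out = {}
    for name, body in sections.items():
        if not name.startswith(f"interface {phys}."):
            continue
        encap = next((ln.split() for ln in body if ln.startswith("encapsulation dot1Q ")), None)
        bg = next((int(ln.split()[1]) for ln in body if re.fullmatch(r"bridge-group \d+", ln)), None)
        out[int(name.rsplit(".", 1)[1])] = {"native": bool(encap) and encap[-1] == "native",
                                            "encap_vlan": int(encap[2]) if encap else None,
                                            "bridge_group": bg}
    return out

def lint_bridge_config(config: str, radio="Dot11Radio0", wired="FastEthernet0") -> List[str]:
    """Return human-readable problems; an empty list means every SSID VLAN is carried end to end."""
    s, problems, ssid_vlan, infra = parse_sections(config), [], {}, []
    for name, body in s.items():
        if name.startswith("dot11 ssid "):
            vlan = next((int(ln.split()[1]) for ln in body if ln.startswith("vlan ")), None)
            if vlan is not None:
                ssid_vlan[name.split(" ", 2)[2]] = vlan
            if "infrastructure-ssid" in body:
                infra.append(name.split(" ", 2)[2])
    radio_body = s.get(f"interface {radio}", [])
    encrypted = {int(ln.split()[2]) for ln in radio_body if ln.startswith("encryption vlan ")}
    rsub, wsub = _subinterfaces(s, radio), _subinterfaces(s, wired)
    for ssid, vlan in ssid_vlan.items():
        if vlan not in encrypted:
            problems.append(f"vlan {vlan}: no 'encryption vlan {vlan}' on {radio}")
        for phys, sub in ((radio, rsub), (wired, wsub)):
            if vlan not in sub:
                problems.append(f"vlan {vlan}: no subinterface {phys}.{vlan}")
            elif sub[vlan]["encap_vlan"] != vlan:
                problems.append(f"{phys}.{vlan}: encapsulation dot1Q {sub[vlan]['encap_vlan']} "
                                f"does not match subinterface vlan {vlan}")
        if vlan in rsub and vlan in wsub:
            rbg, wbg = rsub[vlan]["bridge_group"], wsub[vlan]["bridge_group"]
            if rbg is None or rbg != wbg:
                problems.append(f"vlan {vlan}: bridge-group mismatch "
                                f"({radio}.{vlan}={rbg}, {wired}.{vlan}={wbg})")
    natives = sorted(v for v, d in rsub.items() if d["native"])
    if len(natives) != 1:
        problems.append(f"{radio}: expected exactly one native vlan, found {natives}")
    else:
        if rsub[natives[0]]["bridge_group"] != 1:
            problems.append(f"native vlan {natives[0]} must be in bridge-group 1 (BVI1 management)")
        for ssid in infra:   # the bridge/repeater uplink SSID has to ride the native VLAN
            if ssid_vlan.get(ssid) != natives[0]:
                problems.append(f"infrastructure-ssid {ssid} is on vlan {ssid_vlan.get(ssid)}, "
                                f"but the bridge link uses native vlan {natives[0]}")
    return problems

# Constructed sample in the layout of the Root-AP config above (PSK lines omitted).
GOOD_CONFIG = """\
dot11 ssid RSCCIEW
 vlan 80
 infrastructure-ssid
dot11 ssid BRIDGE-CLIENT
 vlan 81
interface Dot11Radio0
 encryption vlan 80 mode ciphers aes-ccm
 encryption vlan 81 mode ciphers aes-ccm
interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 bridge-group 1
interface Dot11Radio0.81
 encapsulation dot1Q 81
 bridge-group 81
interface FastEthernet0.80
 encapsulation dot1Q 80 native
 bridge-group 1
interface FastEthernet0.81
 encapsulation dot1Q 81
 bridge-group 81
"""
# Same config with three deliberate mistakes: no cipher for vlan 81, a 'dot1Q 1080' typo
# on the wired side, and the radio side of vlan 81 put in the wrong bridge-group.
BAD_CONFIG = (GOOD_CONFIG.replace(" encryption vlan 81 mode ciphers aes-ccm\n", "")
              .replace("FastEthernet0.80\n encapsulation dot1Q 80", "FastEthernet0.80\n encapsulation dot1Q 1080")
              .replace("dot1Q 81\n bridge-group 81\ninterface FastEthernet0.80",
                       "dot1Q 81\n bridge-group 1\ninterface FastEthernet0.80"))
```

Feed it the text of "show running-config" from both ends of the link; the non-root side must pass the same checks, since its subinterfaces and bridge-groups have to mirror the root's for a tagged frame to come out on the right VLAN at the far Ethernet port.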

Let’s start with configuration:

Basic Root-AP/Wireless-Bridge configuration with WPA2 encryption and a single SSID.

Root AP:

hostname Root-AP
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 infrastructure-ssid
 wpa-psk ascii 7 0822455D0A16544541
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Wireless-Bridge:

hostname Wireless-Bridge
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open
 authentication key-management wpa version 2
 guest-mode
 infrastructure-ssid
 wpa-psk ascii 7 030752180500701E1D
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role non-root bridge wireless-clients
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254

Once the configuration is complete, we will see these logs:

*Dec 17 12:44:24.301: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [None WPAv2 PSK]
Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
  
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 1                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -13  dBm           Connected for    : 267 seconds
 Signal to Noise   : 75  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 1 seconds ago
 Apsd DE AC(s)     : NONE
  
 Packets Input     : 5988               Packets Output   : 3377
 Bytes Input       : 883945             Bytes Output     : 513196
 Duplicates Rcvd   : 0                  Data Retries     : 233
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#

Now let’s connect a client to Wireless-Bridge and see its status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 003a.9a3e.a380 10.35.80.111    bridge        Wireless-Bridge self           Assoc
 ac7b.a1d1.c289 10.35.80.109    Br-client     Wireless-Bridge 003a.9a3e.a380 Assoc
 Root-AP#
 Root-AP#sh dot11 associations 003a.9a3e.a380
 Address           : 003a.9a3e.a380     Name             : Wireless-Bridge
 IP Address        : 10.35.80.111       Interface        : Dot11Radio 0
 Device            : bridge             Software Version : 12.4
 CCX Version       : 5                  Client MFP       : On
 State             : Assoc              Parent           : self
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 2                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -6   dBm           Connected for    : 127 seconds
 Signal to Noise   : 81  dB            Activity Timeout : 30 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 26129              Packets Output   : 6816
 Bytes Input       : 4276916            Bytes Output     : 1048109
 Duplicates Rcvd   : 0                  Data Retries     : 1204
 Decrypt Failed    : 0                  RTS Retries      : 29
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Wireless-Bridge
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Br-client          Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : Assoc              Parent           : 003a.9a3e.a380
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0
 Root-AP#

*** If we want to authenticate the Wireless-Bridge with LEAP (How to Authenticate with LEAP) or EAP-FAST, we use the same method as for Repeaters. Check my old posts on using EAP-FAST or LEAP to authenticate a Repeater, Wireless Bridge, WGB and Universal WGB.

Autonomous AP as Repeater with EAP-FAST

In the last post we learnt about LEAP authentication of a Repeater. For the theory and the points to remember, please check this link:

Autonomous AP as Repeater with WPA2

Let's see the configuration for EAP-FAST authentication.

*** In the same way we can authenticate a Bridge or a WGB.

Here are the configurations.

Root AP:

hostname Root-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication network-eap eap_method
 authentication key-management wpa version 2
 infrastructure-ssid
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.110 255.255.255.0
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info CCIEW
 eapfast server-key primary 7 52B537935F17B2359E1DCA5291705E3E76
 nas 10.35.80.110 key 7 070C285F4D06485744
 nas 10.35.80.111 key 7 14141B180F0B7B7977
 user repeater nthash 7 144231535C540C7A77096016074B51332753030D0877705A264F450A09720A7307
 user sandeep nthash 7 101B2A415547345A5F25790801706510064152425325720D7D04075D523D4F780A
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744

Repeater AP:

hostname Repeater-AP
 !
 aaa new-model
 !
 aaa group server radius rad_eap
 server 10.35.80.110 auth-port 1812 acct-port 1813
 !
 aaa authentication login eap_method group rad_eap
 !
 dot11 ssid RSCCIEW
 vlan 80
 authentication open eap eap_method
 authentication network-eap eap_method
 authentication key-management wpa version 2
 dot1x credentials FAST
 dot1x eap profile FAST
 guest-mode
 infrastructure-ssid
 !
 eap profile FAST
 method fast
 !
 dot1x credentials FAST
 username sandeep
 password 7 01100F175804
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role repeater
 !
 interface Dot11Radio0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 !
 interface BVI1
 ip address 10.35.80.111 255.255.255.0
 no ip route-cache
 !
 radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 030752180500701E1D

This is the notification we get after authentication of a repeater:

*Dec 17 10:43:53.122: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP Root-AP 003a.9914.1370 [EAP-FAST WPAv2]

Client status:

Root-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 2894.0fa8.a594 10.35.80.111    ap1240-Rptr   Repeater-AP     self           EAP-Assoc
 ac7b.a1d1.c289 10.35.80.109    Rptr-client   Repeater-AP     2894.0fa8.a594 EAP-Assoc
 Root-AP#
 Root-AP#sh dot11 associations ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : Repeater-AP
 IP Address        : 10.35.80.109       Interface        : Dot11Radio 0
 Device            : Rptr-client        Software Version : NONE
 CCX Version       : NONE               Client MFP       : Off
 State             : EAP-Assoc          Parent           : 2894.0fa8.a594
 SSID              : RSCCIEW
 VLAN              : 80
 Hops to Infra     : 0
 Clients Associated: 0                  Repeaters associated: 0

That is all about Repeaters 🙂

WGB with EAP-FAST in UWNS

In this post we will see how to configure a WGB with WPA2/802.1X EAP-FAST in a Unified Wireless Network (WLC-based) deployment.

I have a lightweight AP (AP001) connected to WLC1 in local mode.

DHCP for VLAN 80 is provided by the core switch.

The WGB and its client will get IP addresses in VLAN 80.

Here is my Topology

WGB°°°°°°°°°°°°°LAP—————-Switch————–WLC

(Figure: Fast1, topology diagram)

WLC Configuration:

First we have to configure a WLAN “Test” with WPA2 policy and 802.1x authentication key management.

(Screenshot: Fast2)

(Screenshot: Fast3)

Now we create an EAP profile "WGB_TEST" and assign it to the WLAN for EAP-FAST authentication.

(Screenshot: Fast4)

(Screenshot: Fast5)

We must assign the order of authentication for local EAP.

(Screenshot: Fast6)

To finish the WLC configuration, create a username and password for the WGB to authenticate with, and assign this user to the specific WLAN.

(Screenshot: Fast7)

WGB Configuration:

Here is the configuration of WGB with EAP-FAST.

hostname WGB
 !
 dot11 ssid Test
 vlan 80
 authentication open eap eap_FAST
 authentication network-eap eap_FAST
 authentication key-management wpa version 2
 dot1x credentials WGB_FAST
 dot1x eap profile WGB_TEST
 !
 eap profile WGB_TEST
 method fast
 !
 dot1x credentials WGB_FAST
 username testuser
 password 7 15060E1F107B79777C66
 !
 interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 80 mode ciphers aes-ccm
 !
 ssid Test
 !
 station-role workgroup-bridge
 !
 interface Dot11Radio1.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 !
 interface FastEthernet0.80
 encapsulation dot1Q 80 native
 no ip route-cache
 bridge-group 1
 !
 interface BVI1
 ip address DHCP
 no ip route-cache
 !
 ip default-gateway 10.35.80.254
 bridge 1 address 588d.0903.e31c forward fastethernet0.80 -->Used to add permanent entry in WGB Table

Just after completing the configuration we will see this message on WGB CLI:

 *Jul 24 01:53:14.255: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP001 0022.bd98.3a3d [EAP-FAST WPAv2]

Verification:

WGB#sh dot11 associations
 802.11 Client Stations on Dot11Radio1:
 SSID [Test] :
 MAC Address    IP address      Device        Name            Parent         State
 0022.bd98.3a3d 10.35.80.1      LWAPP-Parent AP001           -              EAP-Assoc
WGB#sh dot11 associations 0022.bd98.3a3d
 Address           : 0022.bd98.3a3d     Name             : AP001
 IP Address        : 10.35.80.1         Interface        : Dot11Radio 1
 Device            : LWAPP-Parent      Software Version : NONE
 CCX Version       : 5                  Client MFP       : On
 State             : EAP-Assoc          Parent           : -
 SSID              : Test
 VLAN              : 80
 Hops to Infra     : 0                  Association Id   : 1
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 36.0               Capability       : WMM 11h
 Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -75  dBm           Connected for    : 221 seconds
 Signal to Noise   : 22  dB            Activity Timeout : 13 seconds
 Power-save        : Off                Last Activity    : 2 seconds ago
 Apsd DE AC(s)     : NONE
 Packets Input     : 20799              Packets Output   : 1663
 Bytes Input       : 3847215            Bytes Output     : 180188
 Duplicates Rcvd   : 0                  Data Retries     : 812
 Decrypt Failed    : 0                  RTS Retries      : 18
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
(WLC1) >show wgb summary
 WGB Vlan Client Support.......................... Enabled
 Number of WGBs................................... 1
 MAC Address        IP Address      AP Name            Status    WLAN  Auth  Protocol          Clients
 -----------------  --------------- -----------------  --------- ----  ----  ----------------  -------
 58:8d:09:03:e3:1c  10.35.80.110    AP001              Assoc     3     Yes   802.11a            0
(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 58:8d:09:03:e3:1c AP001             Associated    3              Yes  802.11a          1    N/A
(WLC1) >show client detail 58:8d:09:03:e3:1c
 Client MAC Address............................... 58:8d:09:03:e3:1c
 Client Username ................................. testuser
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Workgroup Bridge................................. 0 client(s)
 Wireless LAN Id.................................. 3
 BSSID............................................ 00:22:bd:98:3a:3d
 Connected For ................................... 308 secs
 Channel.......................................... 36
 IP Address....................................... 10.35.80.110
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Client CCX version............................... 5
 Client E2E version............................... No E2E support
 Diagnostics Capability........................... Not Supported
 S69 Capability................................... Not Supported
 Re-Authentication Timeout........................ 86111
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Current Rate..................................... 54.0
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... 802.1x
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... Yes
 EAP Type......................................... EAP-FAST
 Interface........................................ management
 VLAN............................................. 80
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 80

Autonomous AP with Local RADIUS server – EAP FAST

In this post we will see how to configure a standalone (autonomous) AP to act as the authentication server (RADIUS).

A standalone AP can be configured as a local RADIUS server to provide AAA service.

This kind of solution suits small deployments that cannot justify an ACS or ISE, and it can also serve as a backup RADIUS server in case the primary fails.

An Autonomous AP acting as local authenticator supports three authentication types: LEAP, EAP-FAST and MAC-address authentication.

*** EAP-TLS is not supported on Autonomous AP.

First we will configure for EAP-FAST 🙂

I will create one SSID "data1" and map it to VLAN 101.

Remembering points:

  1. The local RADIUS server uses UDP ports 1812 and 1813.
  2. Keep the config as simple as possible.
  3. In this scenario the AP acts as both authenticator and authentication server.
  4. The local authenticator supports a maximum of 50 client devices.
  5. It performs up to 5 authentications per second.
  6. When the AP acts as local authenticator, performance for its own associated clients may decrease.

Steps to Configure:

  1. Configure the local AP as a NAS (Network Access Server).
  2. Create user groups.
  3. Create the users that are allowed to authenticate.
  4. Enter the local authenticator as a RADIUS server.

We can configure this in two ways: GUI or CLI.

Via CLI:

Switch config for the AP connection. VLAN 100 is the AP's management VLAN (BVI1 at 10.35.100.15) and is carried untagged, so it must be the native VLAN on the trunk; the allowed-VLAN list takes no spaces:

int fa 0/15
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk native vlan 100
  switchport trunk allowed vlan 100,101

Step 1: Configure the SSID and map it to a VLAN

config t
 dot11 ssid data1
 vlan 101
 authentication open eap local_eap
 authentication network-eap local_eap
 authentication key-management wpa version 2
 guest-mode
 end

Step 2: Configure the radio and Ethernet subinterfaces. VLAN 100 is the management VLAN: it is the native VLAN and goes into bridge-group 1, which is what BVI1 attaches to. VLAN 101 carries the data1 clients in its own bridge-group. (The original post had "encapsulation dot1Q 1080" on fa0.100 and no bridge-group on the .100 subinterfaces; with that, BVI1 would never reach the wire.)

config t
 interface dot11Radio0
 ssid data1
 exit
 interface dot11Radio0.100
 encapsulation dot1Q 100 native
 bridge-group 1
 exit
 interface dot11Radio0.101
 encapsulation dot1Q 101
 bridge-group 101
 exit
 interface fastEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
 exit
 interface fastEthernet0.101
 encapsulation dot1Q 101
 bridge-group 101
 end

Step 3: Assign encryption to the SSID's VLAN

interface dot11Radio0
 encryption vlan 101 mode ciphers aes-ccm

Step 4: Configure the AP for management

interface BVI1
 ip address 10.35.100.15 255.255.255.0
 !
ip default-gateway 10.35.100.254

Step 5: Define an AAA server group and login method, pointing at the AP's own IP address as the RADIUS server

aaa new-model
 aaa group server radius radius_fast
 server 10.35.100.15 auth-port 1812 acct-port 1813
 aaa authentication login local_eap group radius_fast

Step 6: Configure the local AP as the RADIUS server it will talk to (the shared key must match the NAS entry in the next step)

radius-server host 10.35.100.15 auth-port 1812 acct-port 1813 key fast12345 

Step 7: Configure the local RADIUS server: the AP itself as a NAS entry, and the users that are allowed to authenticate.

radius-server local
 nas 10.35.100.15 key fast12345
 user Sandeep password test12345
 user sandeep1 password rscciew12345

Step 8: Configure the EAP-FAST settings (authority ID, authority info, server keys, etc.).

Authority ID

All EAP-FAST authenticators are identified by an authority identity (AID). The local authenticator sends its AID to an authenticating client, and the client checks its database for a matching AID. If the client does not recognize the AID, it requests a new PAC.

AP002(config)#radius-server local
AP002(config-radsrv)#eapfast authority id ?
 Hex-data  32 hexadecimal digits
AP002(config-radsrv)#eapfast authority id 98765432198765432198765432198765

Authority Info:

AP002(config-radsrv)#eapfast authority info ?
 LINE ASCII string (32 char)
AP002(config-radsrv)#eapfast authority info cisco

Server Key

The local authenticator uses server keys to encrypt PACs that it generates and to decrypt PACs when authenticating clients. The server maintains two keys, primary key and secondary key, and uses the primary key to encrypt PACs. By default, the server uses a default value as the primary key but does not use a secondary key unless we configure one.
When the local authenticator receives a client PAC, it attempts to decrypt the PAC with the primary key. If decryption fails with the primary, the authenticator attempts to decrypt the PAC with the secondary key if one is configured. If decryption fails, the authenticator rejects the PAC as invalid.
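The primary/secondary lookup described above is what makes server-key rotation safe: PACs issued under the old primary keep working while that key sits in the secondary slot, and are refused once it is dropped, at which point the client has to be provisioned a new PAC. The following Python is an added example, not Cisco's implementation: it models a local authenticator's PAC-Opaque handling with the two-key fallback. The PAC-Opaque is sealed with HMAC-SHA256 plus a SHA-256 keystream as a stand-in for the real cipher, the PAC-Key and TLV layout are omitted, the AID "CCIEW" and the user "sandeep1" are taken from the post, and the keys are random per run.

```python
"""Model of the EAP-FAST local authenticator's primary/secondary server keys.
Added example, not Cisco code: a PAC-Opaque is sealed with HMAC-SHA256 plus a
SHA-256 keystream (a stand-in for the real cipher); the point is the key logic."""
import hashlib
import hmac
import json
import os
import time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; encrypt-then-MAC under a single server key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None                       # wrong key, or a tampered PAC
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class LocalAuthenticator:
    def __init__(self, primary: bytes, secondary: bytes = None, aid: bytes = b"CCIEW"):
        self.primary, self.secondary, self.aid = primary, secondary, aid

    def issue_pac(self, username: str, lifetime: int = 3600) -> dict:
        """PACs are always sealed with the primary key (PAC-Key and TLVs omitted)."""
        inner = json.dumps({"user": username, "exp": int(time.time()) + lifetime}).encode()
        return {"aid": self.aid, "opaque": _seal(self.primary, inner)}

    def accept_pac(self, pac: dict) -> str:
        if pac["aid"] != self.aid:
            return "unknown-aid"          # client would request a fresh PAC
        for key in (self.primary, self.secondary):   # primary first, then secondary
            inner = _open(key, pac["opaque"]) if key is not None else None
            if inner is not None:
                return "ok" if json.loads(inner)["exp"] > time.time() else "expired"
        return "rejected"                 # neither key opens it: the PAC is invalid

    def rotate(self, new_primary: bytes) -> None:
        """Old primary becomes secondary, so PACs it sealed stay usable for one more cycle."""
        self.primary, self.secondary = new_primary, self.primary

def demo():
    k1, k2, k3 = os.urandom(32), os.urandom(32), os.urandom(32)
    srv = LocalAuthenticator(k1)
    pac = srv.issue_pac("sandeep1")
    r1 = srv.accept_pac(pac)              # primary opens it
    srv.rotate(k2)
    r2 = srv.accept_pac(pac)              # primary fails, secondary opens it
    srv.rotate(k3)
    r3 = srv.accept_pac(pac)              # neither key: rejected, client must re-provision
    # The trap: "rotating" by writing the same new key into both slots leaves no overlap.
    same = LocalAuthenticator(k1, k1)
    old = same.issue_pac("sandeep1")
    same.primary = same.secondary = k2
    r4 = same.accept_pac(old)
    return r1, r2, r3, r4

if __name__ == "__main__":
    print(demo())                         # ('ok', 'ok', 'rejected', 'rejected')
```

The last case in demo() is the configuration trap shown in the alternative Step 8 further down this page, where primary and secondary are given the same value: with identical keys the secondary slot buys nothing, so the first real key change invalidates every outstanding PAC and all clients fall back to PAC provisioning at the same time.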

AP002(config-radsrv)#eapfast server-key ?
 primary primary key
 secondary secondary key
AP002(config-radsrv)#eapfast server-key primary ?
 0 Specifies an UNENCRYPTED password will follow
 7 Specifies an HIDDEN password will follow
 Hex-data 32 hexadecimal digits
 auto-generate auto generate the key
AP002(config-radsrv)#eapfast server-key primary auto-generate

AP002(config-radsrv)#eapfast server-key secondary ?
 0 Specifies an UNENCRYPTED password will follow
 7 Specifies an HIDDEN password will follow
 Hex-data 32 hexadecimal digits
AP002(config-radsrv)#eapfast server-key secondary 98765432198765432198765432198765
AP002(config-radsrv)#

PAC Generation for specific Username

The local authenticator automatically generates PACs for EAP-FAST clients that request them. However, we might need to generate a PAC manually for some client devices. When we enter the command, the local authenticator generates a PAC file and writes it to the network location that we specify. The user imports the PAC file into the client profile.
Use this command to generate a PAC manually:

AP002#radius local-server pac-generate ?
 WORD username, for which PAC to be issued
AP002#radius local-server pac-generate sandeep1 ?
 WORD filename to save generated PAC(ex: tftp://172.1.1.1/test/user.pac)
AP002#radius local-server pac-generate sandeep1 tftp://10.35.100.100/sandeep1.pac password rscciew12345 expiry 10
 Generating PAC for the user: sandeep1
!!
AP002#

Step 9: Verification

AP002#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [data1] :
 MAC Address    IP address      Device        Name            Parent         State
 bd7b.a1d1.c289 10.35.101.152    ccx-client    AP002           self           EAP-Assoc
 AP002#sh dot11 associations  bd7b.a1d1.c289
 Address           : bd7b.a1d1.c289     Name             : AP002
 IP Address        : 10.35.101.152       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : data1
 VLAN              : 101
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -33  dBm           Connected for    : 31 seconds
 Signal to Noise   : 59  dB            Activity Timeout : 50 seconds
 Power-save        : On                 Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 640                Packets Output   : 353
 Bytes Input       : 61156              Bytes Output     : 35666
 Duplicates Rcvd   : 0                  Data Retries     : 27
 Decrypt Failed    : 0                  RTS Retries      : 73
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 Session timeout   : 0 seconds
 Reauthenticate in : never
 AP002#

(Screenshot: leap_autonomous)

Thats all for today 🙂

———x———————————————-

Step 8 can also be configured in this way. Note that the example below uses the same value for the primary and secondary server key; in practice the two must differ, because the secondary exists so that PACs issued under the previous primary can still be decrypted during a key rotation:

radius-server local
 eapfast authority id 01234567890123456789012345678901
 eapfast authority info cisco
 eapfast server-key primary 12345678901234567890123456789012
 eapfast server-key secondary 12345678901234567890123456789012
 nas 10.35.100.15 key  fast12345
 user Sandeep password test12345
 user sandeep1 password rscciew12345

Configure Local EAP on WLC

Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the external authentication server goes down. When we enable local EAP, the controller serves as the authentication server and the local user database, which removes the dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.

If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or because no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client then attempts to re-authenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP. If we never want the controller to try to authenticate clients using an external RADIUS server, then use this CLI command: config wlan radius_server auth disable wlan_id

Note: Local EAP profiles are not supported on the Office Extend 600 AP.

Screenshot: EAP Topology

We can create network users on the WLC either via the GUI or the CLI. Via the CLI we can define two types of users (Permanent and Guest). If we specify the WLAN ID as "0" then the user is allowed on any WLAN. For a guest user we can specify the lifetime (2 hrs in my example).

But in my example we will use a separate WLAN for test purposes; it is "Test" with WLAN ID 8.

How to create Local network users on WLC:

Via GUI:

Login to WLC, go to Security > AAA > Local Net Users and on right side click on New to add.

Screenshot: Local user wlc

In my example, I will create two permanent-type users and one guest-type user.

Screenshot: Local user edit

Here are all 3 local users on my WLC:

2 permanent users
1 guest user

Screenshot: List local user

Via CLI:

Here is the procedure to create a net user with the CLI.

(WLAN1) >config netuser ?
add            Creates a local network user.
delete         Delete an existing network user.
description    Sets the description for a network user.
lifetime       Configures the lifetime for a Guest Network User. Valid range is 60 to 31536000 seconds.
maxUserLogin   Configures the maximum number of login sessions allowed for a network user
password       Configures a password for a network user.
wlan-id        Configures a Wireless LAN Id for a network user.
(WLAN1) >config netuser add ?
<username>     Enter name up to 50 alphanumeric characters.
(WLAN1) >config netuser add sandeep ?
<password>     Enter password up to 24 alphanumeric characters.
(WLAN1) >config netuser add sandeep cisco ?
wlan           Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan ?
<WLAN id>      Enter a Wireless LAN Identifier to associate with or zero for any.
(WLAN1) >config netuser add sandeep cisco wlan 8 ?
userType       Enter the keyword 'userType'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent ?
description    Enter the keyword 'description'.
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab ?
(WLAN1) >config netuser add sandeep cisco wlan 8 userType permanent description testlab
(WLAN1) >config  netuser add sandeep1 cisco wlan 8 userType permanent description testlab
(WLAN1) >config  netuser add sandeep2 cisco wlan 8 userType guest  lifetime 7200 description testlab

If our WLAN does not have web-auth security configured, the guest user will not be added:

WLAN does not have Web-Auth security configured. Guest user not added.

Create local EAP settings on WLC:

Step 1: Configure the general settings for local EAP (specify the EAP timers).

Via GUI:

Go to Security > Local EAP > General

Screenshot: EAP general

Specify values for the local EAP timers.

Via CLI:

These are the commands through which we can configure the EAP timers:

(WLAN1) >config locaL-AUth Active-timeout ?
<1 to 3600>    Enter the timeout period for the Local EAP to remain active, in seconds.
(WLAN1) >config locaL-AUth Active-timeout 300
(WLAN1) >config advanced eap identity-request-timeout?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap identity-request-timeout 30
(WLAN1) >config advanced eap identity-request-retries ?
<retries>      Enter the number of retries between 1 and 20
(WLAN1) >config advanced eap identity-request-retries 2
(WLAN1) >config advanced eap key-index ?
<key-index>    Enter the key index value, 0 or 3.
(WLAN1) >config advanced eap key-index 0
(WLAN1) >config advanced eap request-timeout ?
<seconds>      Enter the number of seconds between 1 and 120
(WLAN1) >config advanced eap request-timeout 30
(WLAN1) >config advanced eap request-retries ?
<retries>      Enter the number of retries between 0 and 20
(WLAN1) >config advanced eap request-retries 2
(WLAN1) >config advanced eap max-login-ignore-identity-response ?
enable         ignore the same username reaching max in the EAP identity response
disable        check the same username reaching max in the EAP identity response
(WLAN1) >config advanced eap max-login-ignore-identity-response enable
(WLAN1) >config advanced eap eapol-key-timeout ?
<milliseconds> Enter the number of milliseconds between 200 and 5000
(WLAN1) >config advanced eap eapol-key-timeout 1000
(WLAN1) >config advanced eap eapol-key-retries ?
<retries>      Enter the number of retries between 0 and 4
(WLAN1) >config advanced eap eapol-key-retries 2

Step 2: We have to create a local EAP profile, which specifies the EAP authentication types that are supported on the wireless clients. I have created a profile named "Test-Local-EAP" and enabled EAP-FAST, EAP-TLS and PEAP as the allowed protocols.

Via GUI:

Screenshot: EAP profile

Choose Security > Local EAP > Profiles to open the Local EAP Profiles page. We can create up to 16 local EAP profiles. Click New to open the Local EAP Profiles > New page. In the Profile Name text box, enter a name for our new profile (Test-Local-EAP) and then click Apply.

When the Local EAP Profiles page reappears, click the name of our new profile (Test-Local-EAP). The Local EAP Profiles > Edit page appears. Select the EAP-FAST, EAP-TLS, and/or PEAP check boxes to specify the EAP types that can be used for local authentication and then click Apply.

*** If we choose EAP-FAST and want the device certificate on the controller to be used for authentication, select the Local Certificate Required check box. If we want to use EAP-FAST with PACs instead of certificates, leave this check box unselected, which is the default setting.

Screenshot: EAP profile edit

EAP-FAST parameters can be changed via the "Security -> Local EAP -> EAP-FAST Parameters" section as shown below.

Screenshot: EAP Fast

Step 3: Now enable local EAP on a WLAN.

Choose WLANs to open the WLANs page.


Click the ID number of the Test WLAN.


When the WLANs > Edit page appears, choose the Security > AAA Servers tabs to open the WLANs > Edit (Security > AAA Servers) page. Select the Local EAP Authentication check box to enable local EAP for this WLAN. From the EAP Profile Name drop-down list, choose the EAP profile that you want to use for this WLAN.

*** We must disable RADIUS server authentication on this WLAN, meaning leave the RADIUS authentication server check box unchecked.

Screenshot: EAPonwlan3

Click Apply to save.

Via CLI:

Create a local EAP profile:

(WLAN1) >config local-auth eap-profile add ?
<profile-name> Enter the profile name, up to 63 alphanumeric characters.
(WLAN1) >config local-auth eap-profile add Test-Local-EAP
Add an EAP method to a local EAP profile by entering this command:
(WLAN1) >config local-auth eap-profile method ?
add            Adds a method to a Local EAP Profile.
delete         Deletes a method from a Local EAP Profile.
fast           Configure EAP-FAST parameters.
(WLAN1) >config local-auth eap-profile method add ?
<EAP-profile-method> Method for an EAP Profile.
(WLAN1) >config local-auth eap-profile method add fast Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add tls Test-Local-EAP
(WLAN1) >config local-auth eap-profile method add peap Test-Local-EAP
Configure EAP-FAST parameters if you created an EAP-FAST profile by entering this command:
(WLAN1) >config local-auth method fast ?
anon-prov      Configures whether anonymous provision is allowed.
authority-id   Set the authority identifier.
pac-ttl        Set Time to Live for the PAC (Protected Access Credentials).
server-key     Set the server key to encrypt/decrypt PACs.
Enable local EAP and attach an EAP profile to a WLAN by entering this command:
(WLAN1) >config wlan local-auth enable Test-Local-EAP ?
<wlanid>       Enables the EAP profile on this WLAN.
(WLAN1) >config wlan local-auth enable Test-Local-EAP 8

Save your changes by entering this command:

(WLAN1) >save config
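To tie the net-user commands and Steps 1 to 3 together, here is an added example (my own code, not Cisco's and not from the original post) that generates the WLC CLI lines from a small description and rejects values outside the limits the "?" help text printed above: usernames up to 50 characters, passwords up to 24, guest lifetimes of 60 to 31536000 seconds, profile names up to 63 characters, and the ranges of each EAP timer. It also refuses a guest user for a WLAN without web-auth, mirroring the controller message shown earlier, and emits the radius_server auth disable command from the introduction so the WLAN never falls through to RADIUS. The NetUser class, the function names and the "testlab" default description are my assumptions; the output is plain text and nothing is sent to a controller.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Limits taken from the "?" help text in the post's CLI sessions.
MAX_USERNAME = 50
MAX_PASSWORD = 24
MAX_PROFILE_NAME = 63
GUEST_LIFETIME = (60, 31536000)      # seconds
ACTIVE_TIMEOUT = (1, 3600)           # config local-auth active-timeout
EAP_TIMERS = {                       # config advanced eap <name> <value>
    "identity-request-timeout": (1, 120),
    "identity-request-retries": (1, 20),
    "request-timeout": (1, 120),
    "request-retries": (0, 20),
    "eapol-key-timeout": (200, 5000),  # milliseconds
    "eapol-key-retries": (0, 4),
}
EAP_METHODS = ("fast", "tls", "peap")


def _check_range(name: str, value: int, bounds) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}..{hi}")


@dataclass
class NetUser:                        # hypothetical helper type, not a WLC object
    name: str
    password: str
    wlan_id: int                      # 0 means "any WLAN"
    user_type: str = "permanent"      # "permanent" or "guest"
    lifetime: Optional[int] = None    # seconds; required for guest users
    description: str = "testlab"


def netuser_command(user: NetUser, wlan_has_webauth: bool) -> str:
    """Build one 'config netuser add' line, enforcing the limits the CLI help states."""
    if not 1 <= len(user.name) <= MAX_USERNAME:
        raise ValueError("username must be 1..50 characters")
    if not 1 <= len(user.password) <= MAX_PASSWORD:
        raise ValueError("password must be 1..24 characters")
    if user.wlan_id < 0:
        raise ValueError("wlan id must be 0 (any) or a WLAN id")
    if user.user_type == "permanent":
        tail = "userType permanent"
    elif user.user_type == "guest":
        # The controller refuses guest users unless the WLAN runs web-auth.
        if not wlan_has_webauth:
            raise ValueError("WLAN does not have Web-Auth security configured. Guest user not added.")
        if user.lifetime is None:
            raise ValueError("guest users need a lifetime")
        _check_range("lifetime", user.lifetime, GUEST_LIFETIME)
        tail = f"userType guest lifetime {user.lifetime}"
    else:
        raise ValueError(f"unknown userType {user.user_type!r}")
    return (f"config netuser add {user.name} {user.password} wlan {user.wlan_id} "
            f"{tail} description {user.description}")


def eap_timer_commands(active_timeout: int, timers: Dict[str, int]) -> List[str]:
    """Step 1: local-auth active timeout plus the 'config advanced eap' timers."""
    _check_range("active-timeout", active_timeout, ACTIVE_TIMEOUT)
    cmds = [f"config local-auth active-timeout {active_timeout}"]
    for name, value in timers.items():
        if name not in EAP_TIMERS:
            raise ValueError(f"unknown EAP timer {name!r}")
        _check_range(name, value, EAP_TIMERS[name])
        cmds.append(f"config advanced eap {name} {value}")
    return cmds


def local_eap_commands(profile: str, methods: List[str], wlan_id: int) -> List[str]:
    """Steps 2 and 3: create the profile, add methods, bind it to the WLAN with RADIUS off."""
    if not 1 <= len(profile) <= MAX_PROFILE_NAME or " " in profile:
        raise ValueError("profile name must be 1..63 characters without spaces")
    bad = [m for m in methods if m not in EAP_METHODS]
    if bad or not methods:
        raise ValueError(f"methods must be a non-empty subset of {EAP_METHODS}, got {bad}")
    cmds = [f"config local-auth eap-profile add {profile}"]
    cmds += [f"config local-auth eap-profile method add {m} {profile}" for m in methods]
    # Local EAP is only consulted when no RADIUS server answers, so RADIUS
    # authentication is disabled on the test WLAN to force the local path.
    cmds.append(f"config wlan radius_server auth disable {wlan_id}")
    cmds.append(f"config wlan local-auth enable {profile} {wlan_id}")
    cmds.append("save config")
    return cmds


if __name__ == "__main__":
    users = [NetUser("sandeep", "cisco", 8), NetUser("sandeep1", "cisco", 8),
             NetUser("sandeep2", "cisco", 8, "guest", 7200)]
    lines = [netuser_command(u, wlan_has_webauth=True) for u in users]
    lines += eap_timer_commands(300, {"identity-request-timeout": 30, "request-retries": 2})
    lines += local_eap_commands("Test-Local-EAP", ["fast", "tls", "peap"], 8)
    print("\n".join(lines))
```

Generating the lines this way means a typo in a range or a guest user on the wrong WLAN fails before anything is pasted into the controller, rather than being discovered one "?" prompt at a time.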

Let's test EAP-FAST and PEAP (EAP-TLS needs certificates on both the client and the server side, and it is not possible for me to install certificates right now; we will do that in a future post).

Let's check the PEAP client association first:

Screenshot: PEAP client asso

Now we will check for EAP-FAST client association:

Screenshot: EAP Fast client asso

If anyone finds any error in this post then please let me know or just comment here 🙂