Cisco 2800/3800 AP as WGB


Cisco enabled the WGB feature on Wave 2 APs (only the 2800/3800/1560 series) from AireOS 8.8.x onward. Traditionally the WGB feature was supported only in Autonomous mode on IOS-based APs, and there are no autonomous images available for COS-based APs (Click OS APs: 1800/2800/3800/4800).

In this post we will configure a 3802 as a WGB with 802.1X (PEAP). Here is the topology for this post. The 802.1X SSID is configured with central switching; the WGB and the wired client behind it get IP addresses via DHCP from the central site (192.168.99.x/24).

[Figure 3802-WGB-PEAP00: lab topology]

Here is the 3802 image version used in this testing.

AP3802#show version
cisco AIR-AP3802I-Z-K9 ARMv7 Processor rev 1 (v7l) with 1028252/557172K bytes of memory.
Processor board ID FGL2201A3U2
AP Running Image     : 8.10.122.0
Primary Boot Image   : 8.10.122.0
Backup Boot Image    : 8.10.121.0
.
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.28

If you followed my previous post on WGB with PEAP on an Autonomous AP, you will recognise the configuration steps shown below:

  1. Configure a Trust Point on AP
    crypto pki trustpoint MRN_TRUST
     enrollment terminal
     subject-name CN=WGB
     revocation-check none
     rsakeypair WGB 2048
  2. Upload Root CA for configured Trust Point
    WGB#crypto pki authenticate MRN_TRUST
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    .
    .
    -----END CERTIFICATE-----
    quit
  3. Configure 802.1X credential profile
    dot1x credentials MRN-CRD 
     username xxx
     password xxxx
     pki-trustpoint MRN_TRUST
  4. Configure EAP Profile
    eap profile MRN-PRO
    method peap
  5. Configure SSID and map EAP/802.1X Profile
    dot11 ssid mrn-wpa2e
    authentication open eap MRN_TRUST 
    authentication key-management wpa version 2
    dot1x credentials MRN-CRD
    dot1x eap profile MRN-PRO
    infrastructure-ssid
  6. Change Radio station-role to WGB and assign SSID
    interface Dot11Radio1
    encryption mode ciphers aes-ccm 
    ssid mrn-wpa2e
    station-role workgroup-bridge

Before you configure WGB settings on the 3802 you have to change the AP type to WGB. The AP reloads, and after that you can enter the WGB-specific configuration.

AP3802>enable
AP3802#ap-type ?
capwap Switch to CAPWAP AP type
cloud Switch to cloud AP type
mobility-express Switch to Mobility Express AP type
workgroup-bridge Switch to Workgroup Bridge(WGB) AP type

AP3802#ap-type workgroup-bridge 
WGB is a wireless client that serve as nonroot ap for wired clients. 
AP is the Master/CAPWAP AP, system will need a reboot when ap type is changed to
WGB. Do you want to proceed? (y/N): y

Once converted to WGB, every configuration command starts with the "configure" keyword. The available configuration options are shown below.

AP3802#configure ?
ap                AP commands for IPv4/6 Configuration
boot              Set boot parameters
clock             Manage the system clock
crypto            Encryption module
dot11Radio        Dot11 radio interface
dot1x             IEEE 802.1X global configuration commands
eap-profile       EAP global configuration commands
ntp               Configure NTP
security          security information
ssh               Configures secure shell operation
ssid-profile      Configure SSID profile information
wgb               Workgroup-bridge configuration

It is important to configure accurate time, especially if you are using 802.1X: the WGB validates the RADIUS server certificate against the CA certificate loaded into the trustpoint, and that check includes the certificate validity dates, so a clock that is years out will make a perfectly good server certificate look expired or not yet valid (the trustpoint has an "allow-expired-cert" option; fix the clock rather than enabling it). You can set the time with the "configure clock" CLI command, and it is a good idea to sync it with an NTP server.

AP3802#configure clock 
     set Set the time and date
     timezone Configure time zone
AP3802#configure clock set 14:21:19 7 4 2020 
     Sat Jul  4 14:21:19 AEST 2020
AP3802#show clock                            
     *14:21:26 AEST Sat Jul  4 2020
AP3802#configure ntp server 192.168.100.1

You can configure the trustpoint and its associated parameters as shown below. In this case the enrollment type is "terminal". The "authenticate" option loads the CA root certificate onto the WGB.

AP3802#configure crypto pki trustpoint MRN_TRUST 
    allow-expired-cert  Allow expired certificates to be accepted
    authenticate        Get the CA certificate
    auto-enroll         Configure auto-enroll
    delete              Delete a CA trustpoint
    enroll              Request a certificate from a CA
    enrollment          Enrollment parameters
    import              Import certificate
    key-size            Private key size
    subject-name        Subject Name

AP3802#configure crypto pki trustpoint MRN_TRUST enrollment terminal
!
AP3802#configure crypto pki trustpoint MRN_TRUST authenticate

Enter the base 64 encoded CA certificate.
....And end with the word "quit" on a line by itself....

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
quit

Certificate has the following attributes:
MD5 Fingerprint=26:5A:98:E9:99:6A:3A:4A:80:47:80:B1:1F:37:8F:5C
SHA1 Fingerprint=4D:84:64:C9:34:0F:0F:FB:8F:23:E0:A6:96:14:CF:9B:49:1B:EF:D4

PKI trustpoint configuration has been saved successfully
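As an added example (not from the original post or from Cisco), here is a small Python script that computes the fingerprints of the CA PEM locally so you can compare them with what the WGB prints after "authenticate". SAMPLE_PEM is a constructed stand-in whose body decodes to the bytes "abc" rather than a real DER certificate, so the block runs offline; PAGE_WGB_LINE is the fingerprint line from the output above, as the WGB printed it (both values fused on one line). The script also prints SHA-256, which is the digest a CA operator is more likely to publish; MD5 is collision-prone and SHA-1 deprecated, so match both of the values the WGB shows rather than one.

```python
import base64
import hashlib
import re

# Constructed stand-in for the CA certificate: the PEM body "YWJj" decodes to the
# bytes b"abc", not to a real DER certificate. Replace it with the PEM your CA gave you.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# The fingerprint line the WGB printed in the post (both values run together on one line).
PAGE_WGB_LINE = ("MD5 Fingerprint=26:5A:98:E9:99:6A:3A:4A:80:47:80:B1:1F:37:8F:5C"
                 "SHA1 Fingerprint=4D:84:64:C9:34:0F:0F:FB:8F:23:E0:A6:96:14:CF:9B:49:1B:EF:D4")

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
FP_FIELD = re.compile(r"(MD5|SHA1) Fingerprint=((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})")


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body to the DER bytes the digest covers."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def colon_hex(digest_bytes):
    """Format a digest the way the WGB prints it: upper-case hex pairs separated by colons."""
    return ":".join(f"{b:02X}" for b in digest_bytes)


def fingerprints(pem):
    """Fingerprints of the DER certificate. MD5 and SHA1 are what the WGB shows;
    SHA256 is included because that is what a CA usually publishes."""
    der = pem_to_der(pem)
    return {
        "MD5": colon_hex(hashlib.md5(der).digest()),
        "SHA1": colon_hex(hashlib.sha1(der).digest()),
        "SHA256": colon_hex(hashlib.sha256(der).digest()),
    }


def parse_wgb_fingerprint_line(line):
    """Pull the MD5 and SHA1 values out of the WGB's 'authenticate' output. The two
    fields may be fused on one line, so they are matched by pattern rather than split."""
    return {algo: value.upper() for algo, value in FP_FIELD.findall(line)}


def wgb_output_matches(pem, wgb_line):
    """True only when every fingerprint the WGB printed equals the locally computed one.
    Returns False if no fingerprint could be parsed, so a garbled line never passes."""
    expected = fingerprints(pem)
    shown = parse_wgb_fingerprint_line(wgb_line)
    return bool(shown) and all(expected[algo] == value for algo, value in shown.items())


if __name__ == "__main__":
    for algo, value in fingerprints(SAMPLE_PEM).items():
        print(f"{algo:6} {value}")
    # False here, because SAMPLE_PEM is a stand-in and not the CA the post loaded.
    print("WGB output matches local PEM:", wgb_output_matches(SAMPLE_PEM, PAGE_WGB_LINE))
```

Run it with the real PEM in place of SAMPLE_PEM and paste the WGB's fingerprint line; a False result means the certificate on the WGB is not the one you think it is, and the trustpoint should be deleted and re-authenticated before any EAP profile references it.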

Before relying on this trustpoint, compare the fingerprint the WGB prints with the one published by your CA (or computed from the PEM you were given); a CA certificate pasted from the wrong source would make the WGB trust any RADIUS server that CA has signed. You can verify the certificate details as shown below (the complete output is not shown).

AP3802#show crypto pki trustpoint

Crypto PKI trustpoints are:-
================================================================
Trustpoint name : MRN_TRUST
Enrollment method : Terminal
CA-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_ca.pem
Client-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_client.pem
Subject : C=AU,ST=VIC,L=MERNDA,O=MRN,OU=IT,CN=wgb.mrn.local,emailAddress=wgb@mrn.local
Key size : 2048
AP3802#show crypto pki trustpoint MRN_TRUST certificate 
CA Certificate:
Certificate:
 Data:
    Version: 3 (0x2)
    Serial Number:
      14:1b:8f:c5:3a:34:8a:a8:45:d3:8d:56:91:64:81:8e
  Signature Algorithm: sha256WithRSAEncryption
   Issuer: CN=mrnRootCA
   Validity
      Not Before: Aug 31 16:09:05 2019 GMT
      Not After : Aug 31 16:19:04 2029 GMT

You can configure the 802.1X credential profile as shown below. To delete a configured profile, use the "delete" keyword after the credential profile name on the same command line.

AP3802#configure dot1x credential 
  WORD       Specify a profile name
AP3802#configure dot1x credential MRN-CRD 
  delete     Delete the dot1x credential profile
  username   Configure 802.1X username
AP3802#configure dot1x credential MRN-CRD username wgb 
  password   Configure 802.1X password
AP3802#configure dot1x credential MRN-CRD username wgb password xxxx

Next, configure an EAP profile: specify the EAP method, attach the trustpoint, and link the dot1x credential profile configured in the previous step. Attaching the CA trustpoint gives the WGB the anchor it needs to validate the RADIUS server's certificate; with PEAP the username and password are protected only by that TLS tunnel, so a supplicant that does not validate the server can be made to hand its inner credential exchange to a rogue AP and RADIUS server pair.

AP3802#configure eap-profile 
WORD Specify a profile name (max 32 characters)
AP3802#configure eap-profile MRN-PRO 
    delete            Delete the EAP profile
    dot1x-credential  Configure 802.1X credentials profile
    method            EAP method type
    trustpoint        Attach CA trustpoint
AP3802#configure eap-profile MRN-PRO method 
     fast     fast method
     leap     leap method
     peap     peap method
     tls      eap-tls method
AP3802#configure eap-profile MRN-PRO method peap
!
AP3802#configure eap-profile MRN-PRO trustpoint 
      default To use MIC certificate
      name To use CA trustpoint
AP3802#configure eap-profile MRN-PRO trustpoint name 
      WORD Trustpoint Name
AP3802#configure eap-profile MRN-PRO trustpoint name MRN_TRUST
AP3802#configure eap-profile MRN-PRO dot1x-credential MRN-CRD

You can verify your EAP profile configuration as shown below. With the "all" keyword you see both the dot1x credential and the EAP profile.

AP3802#show wgb eap profile 
   all     Shows both EAP and dot1x profile details
   <cr>
AP3802#show wgb eap profile all
EAP Profiles are:-
====================================
Profile Name : MRN-PRO
Method : PEAP
Trustpoint : MRN_TRUST
Dot1x Credential : MRN-CRD

Dot1x Profiles are:-
====================================
Dot1x Credential : MRN-CRD
Username : wgb

Next, configure the SSID with the required security method (open, PSK or EAP). PMF (dot11w) and 802.11r can be configured here if needed; my configuration simply enables WPA2 with EAP (the WLC client detail later in this post accordingly shows PMF as "No").

AP3802#configure ssid-profile 
     WORD   <Enter ssid profile name>
AP3802#configure ssid-profile 1X 
     delete       Delete the ssid profile
     ssid         Configure radio service set parameters
AP3802#configure ssid-profile 1X ssid mrn-wpa2e 
     authentication authentication method
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication 
     eap           Dot1x method
     open          open method
     psk           Pre-shared key method
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap 
     profile       EAP profile configuration
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO 
     key-management key management
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO key-management 
     dot11r        802.11r Fast BSS Transition
     dot11w        11w PMF Client Configuration
     wpa2          allow WPA Version 2 clients
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO key-management wpa2
AP3802#configure dot11radio 1 encryption mode ciphers aes-ccm

Finally, map the SSID profile to the radio interface while setting its mode to WGB. Disable and re-enable the radio interface for configuration changes on the radio to take effect.

AP3802#configure dot11radio 1 
     antenna             Configure dot11 radio antenna settings
     disable             Disabile the selected radio interface
     enable              Enable the selected radio interface
     encryption          Configure dot11 encryption parameters
     mode                Mode of the radio
AP3802#configure dot11radio 1 mode 
     root-ap             Root access point or bridge
     uwgb                Universal Client
     wgb                 Workgroup-bridge
AP3802#configure dot11radio 1 mode wgb 
     ssid-profile        SSID Profile to be mapped
AP3802#configure dot11radio 1 mode wgb ssid-profile 
     WORD                <Enter the configured ssid profile name>
AP3802#configure dot11radio 1 mode wgb ssid-profile 1X
AP3802#configure dot11radio 1 enable

With this configuration the WGB should be able to connect to your SSID (assuming the WLC is configured properly with an 802.1X SSID).

You can use the "show wgb <...>" CLI commands to verify connectivity details from the WGB itself.

AP3802#show wgb ?
  bridge      Bridge Forwarding/Filtering Database [verbose]
  dot11       IEEE 802.11 show information
  dot11v      802.11v info
  eap         Shows EAP information
  forwarding  WGB Forwarding
  mobile      Current mobile station
  ssid        show configured and connected SSID details
  statistic   Packet statistics
  wifi        WGB frameware wifi0

You can verify the connected SSID details using the "show wgb ssid" CLI command.

AP3802#show wgb ssid

Configured SSIDs details: 
SSID-Profile       SSID              Authentication
=======================================================
1X               mrn-wpa2e                DOT1X 

Connected SSIDs details:
Radio ID : 1
Radio Mode : WGB
BSSID : 2C:57:41:52:B0:CB
SSID : mrn-wpa2e
Authentication : DOT1X

You can verify the WGB IP address using “show wgb dot11 associations” CLI command.

AP3802#show wgb dot11 associations 
Uplink Radio ID            : 1
Uplink Radio MAC           : 00:A7:42:BF:CD:6F
SSID Name                  : mrn-wpa2e
Parent AP Name             : AP9130-2
Parent AP MAC              : 2C:57:41:52:B0:CB
Uplink State               : CONNECTED
Auth Type                  : DOT1X
EAP Method Name            : PEAP 
Key management Type        : WPA2 
Channel                    : 100
IP                         : 192.168.99.151/24
Default Gateway            : 192.168.99.1
DNS Server1                : 192.168.100.101
Domain                     : mrn.local
IPV6                       : ::/128
Dot11 type                 : 11ac
Assoc timeout              : 5000 Msec
Auth timeout               : 5000 Msec
Dhcp timeout               : 60 Sec
RSSI                       : 29

From the WLC side, here is the client detail for the WGB.

(vwlc) >show client summary 
Number of Clients................................ 2
Number of EoGRE Clients.......................... 0
                                               
MAC Address       AP Name    Slot  Status       WLAN  Auth Protocol       Port Wired Tunnel  Role
----------------- ----------  ------------- ----- ---- ---------------- ---- ----- ------- ----------------
00:a7:42:bf:cd:6f AP9130-2    1   Associated     19   Yes   802.11ac(5 GHz)  1    N/A   No     Local           
d4:81:d7:bb:15:b3 AP9130-2    1   Associated     19   Yes   N/A              1    N/A   No     Local
(vwlc) >show client detail 00:a7:42:bf:cd:6f
Client MAC Address............................... 00:a7:42:bf:cd:6f
Client Username ................................. WGB
Client Webauth Username ......................... N/A
Hostname: ....................................... 
Device Type: .................................... Cisco-Device
AP MAC Address................................... 2c:57:41:52:b0:c0
AP Name.......................................... AP9130-2          
AP radio slot Id................................. 1  
Client State..................................... Associated     
User Authenticated by ........................... RADIUS Server
Client User Group................................ WGB
Client NAC OOB State............................. Access
Workgroup Bridge................................. 1 client(s)
Wireless LAN Id.................................. 19 
Wireless LAN Network Name (SSID)................. mrn-wpa2e
Wireless LAN Profile Name........................ wpa2e
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 23547 secs
BSSID............................................ 2c:57:41:52:b0:cb  
Channel.......................................... 100
IP Address....................................... 192.168.99.151
.
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
FlexConnect Data Switching....................... Central

Here is the wired client detail behind the WGB.

(vwlc) >show client detail d4:81:d7:bb:15:b3
Client MAC Address............................... d4:81:d7:bb:15:b3
Client Username ................................. N/A
Client Webauth Username ......................... N/A
Hostname: ....................................... 
Device Type: .................................... Dell-Device
AP MAC Address................................... 2c:57:41:52:b0:c0
AP Name.......................................... AP9130-2          
AP radio slot Id................................. 1  
Client State..................................... Associated     
User Authenticated by ........................... None
Client User Group................................ 
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 00:a7:42:bf:cd:6f
Wireless LAN Id.................................. 19 
Wireless LAN Network Name (SSID)................. mrn-wpa2e
Wireless LAN Profile Name........................ wpa2e
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 23651 secs
BSSID............................................ 2c:57:41:52:b0:cb  
Channel.......................................... 100
IP Address....................................... 192.168.99.152
Gateway Address.................................. 192.168.99.1
Netmask.......................................... 255.255.255.0

If you compare an IOS-based AP with a Click OS-based (Wave 2) AP, you will notice that Wave 2 APs support newer encryption methods (128/256-bit AES with CCMP/GCMP). During AP boot-up you can see support for those ciphers being verified.

[*07/04/2020 05:18:40.5336] Preparing to set HW specs
[*07/04/2020 05:18:40.5339] FIPS enc aes-ccmp Verified
[*07/04/2020 05:18:40.5340] FIPS dec aes-ccmp Verified
[*07/04/2020 05:18:40.5341] FIPS enc aes-ccmp-256 Verified
[*07/04/2020 05:18:40.5342] FIPS dec aes-ccmp-256 Verified
[*07/04/2020 05:18:40.5343] FIPS enc aes-gcmp Verified
[*07/04/2020 05:18:40.5344] FIPS dec aes-gcmp Verified
[*07/04/2020 05:18:40.5345] FIPS enc aes-gcmp-256 Verified
[*07/04/2020 05:18:40.5347] FIPS dec aes-gcmp-256 Verified

If you capture wireless traffic while the WGB associates to the 802.1X SSID, you will see it uses TLS 1.2 (RFC 5246) when it establishes the secure tunnel for the inner EAP exchange. With traditional IOS APs (e.g. 3702) you will only see TLS 1.0 (RFC 2246). In that respect these newer APs provide better security when used as a WGB.

Here is the packet capture (mrn-3802-wgb-peap.pcapng) of my 3802 in WGB mode connecting to the "mrn-wpa2e" SSID. Please note it is filtered on the WGB MAC address and excludes control frames for simplicity.

[Figure 3802-WGB-PEAP01: packet capture of the 3802 WGB association]

The "Client Hello" message from the WGB lists all the cipher suites it supports (55 in frame #13).

[Figure 3802-WGB-PEAP02: Client Hello cipher suites (frame #13)]

In my case the RADIUS server (Cisco ISE) chooses which cipher suite is used for the TLS tunnel; refer to the "Server Hello" in frame #22. You can see "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)" selected by the RADIUS server. It uses ECDHE for key exchange (which gives forward secrecy) with ECDSA as the signature algorithm, AES-256-GCM for encryption, and SHA-384 as the TLS 1.2 PRF hash; with an AEAD cipher such as GCM, message integrity comes from the GCM authentication tag rather than a separate HMAC.

[Figure 3802-WGB-PEAP03: Server Hello with the selected cipher suite (frame #22)]

Here is what you see with a traditional IOS AP as WGB (a 3702 in my case), which only supports TLS 1.0. As you can see in its "Client Hello", it only offers RSA for authenticated key exchange (so no forward secrecy), AES-128-CBC is the strongest encryption cipher (the weaker RC4 and 3DES are offered too), and SHA-1 is used for message integrity.

[Figure 3802-WGB-PEAP04: Client Hello from the 3702 IOS WGB]
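As an added example, not from the post's capture or from Cisco: a Python script that parses the offered version and cipher-suite list out of a raw TLS ClientHello record, the same fields Wireshark shows in the "Client Hello" frames above, and flags the properties that separate the two hellos (no forward secrecy from static RSA key exchange, RC4/3DES, SHA-1/MD5 MACs). The two ClientHello byte strings are constructed stand-ins modelled on what the post describes (TLS 1.2 with ECDHE/GCM suites for the 3802, TLS 1.0 with RSA/CBC/RC4/3DES suites for the 3702), not the 55-suite frame from the pcap, and the suite-name table is a hand-picked subset of the IANA registry. To analyse a real frame, pass parse_client_hello the bytes of the TLS record carried inside the PEAP/EAP payload.

```python
import struct

# Hand-picked subset of the IANA TLS cipher suite registry, enough to cover the
# suites discussed in the post; unknown values are reported by number.
SUITE_NAMES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(version, suites):
    """Build a minimal TLS record carrying a ClientHello with the given client_version and
    cipher suite list (no extensions). Used only to construct offline test input."""
    body = struct.pack("!H", version) + bytes(32)              # client_version + random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record):
    """Return the client_version and offered cipher suites from a TLS handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "suites": suites}


def weaknesses(name):
    """Properties a reviewer would mark down in an offered suite."""
    flags = []
    if not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        flags.append("no forward secrecy")
    if "RC4" in name or "3DES" in name:
        flags.append("legacy cipher")
    if name.endswith(("_SHA", "_MD5")):
        flags.append("SHA-1/MD5 MAC")
    return flags


def assess(record):
    """Summarise a ClientHello: version name, per-suite findings, and the suites with none."""
    hello = parse_client_hello(record)
    findings = []
    for code in hello["suites"]:
        name = SUITE_NAMES.get(code, "UNKNOWN_0x%04X" % code)
        findings.append((name, weaknesses(name)))
    return {
        "version": VERSION_NAMES.get(hello["version"], "0x%04X" % hello["version"]),
        "findings": findings,
        "strong_suites": [n for n, w in findings if not w],
    }


# Constructed stand-ins for the two captures described in the post (not the real frames).
WAVE2_HELLO = build_client_hello(0x0303, [0xC02C, 0xC030, 0xC02B, 0xC02F, 0x009C, 0x002F])
IOS_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A, 0x0005, 0x0004])

if __name__ == "__main__":
    for label, hello in (("3802 (Wave 2)", WAVE2_HELLO), ("3702 (IOS)", IOS_HELLO)):
        report = assess(hello)
        print("%s: %s" % (label, report["version"]))
        for name, flags in report["findings"]:
            print("  %-45s %s" % (name, ", ".join(flags) or "ok"))
```

The point the output makes is the one the two screenshots make: the Wave 2 hello offers suites with nothing to flag, while every suite in the IOS hello lacks forward secrecy, so if the RADIUS server's private key is ever compromised, captured 3702 PEAP sessions (and the MSCHAPv2 exchange inside them) can be decrypted after the fact.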

You can see the full configuration using the "show configuration" or "show run" CLI command, as shown below.

AP3802#show running-config 
AP Name : AP3802
AP Mode : WorkGroupBridge
CDP State : Enabled
Watchdog monitoring : Enabled
SSH State : Enabled
AP Username : admin
Session Timeout : 900
NTP server ip : 192.168.100.1
Radio and WLAN-Profile mapping:-
====================================
Radio ID    Radio Mode    SSID-Profile                    SSID                            Authentication    Method   Dot1x UserName  
--------------------------------------------------------------------------------------------------------------------------------------
0           RootAP        DEFAULT_SSID                                                    NA                
1           WGB           1X                              mrn-wpa2e                       DOT1X             PEAP     WGB               

Radio configurations:-
===============================
Radio Id             : 0
   Admin state       : DISABLED
   Mode              : RootAP
Radio Id             : 1
   Admin state       : ENABLED
   Mode              : WGB
   Dot11 type        : 11ac
   Encryption mode   : AES128

WGB specific configuration:-
====================================
WGB Radio Id         : 1
  Mode State         : Enable
  SSID Profile       : 1X
UWGB Radio Id        : NA
  Mode Enable        : NA
  SSID Profile       : NA
  MAC Address        : NA
Rx Beacon Missing Count    : 0
Packet retries Value       : 64
RSSI Threshold Value       : -70 dBm
Threshold timeout          : 20 sec
HSR-Scan status            : Disable
Auth response timeout      : 5000 Msec
Assoc response timeout     : 5000 Msec
WGB channel scan timeout   : 40 Msec
Dhcp response timeout      : 60 Sec
EAP timeout                : 3000 Msec
Bridge table aging-time    : 300 Sec
Probe pak data rate type   : NA
Probe pak data rate        : 0
Antenna Band Mode          : Dual
Broadcast tagging          : Disable

Total SSID profiles configured are:
===========================================
SSID-Profile         : 1X
   SSID Name         : mrn-wpa2e
   SSID Profile path : /data/platform/wbridge/1X
   Auth type         : DOT1X
   EAP Method        : PEAP
   Dot1x username    : WGB
   Key management    : WPA2

EAP Profiles are:-
====================================
Profile Name         : MRN-PRO
   Method            : PEAP
   Trustpoint        : MRN_TRUST
   Dot1x Credential  : MRN-CRD

Dot1x Profiles are:-
====================================
Dot1x Credential     : MRN-CRD
   Username          : wgb

Crypto PKI trustpoints are:-
================================================================
     Trustpoint name : MRN_TRUST
   Enrollment method : Terminal
        CA-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_ca.pem
    Client-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_client.pem
             Subject : C=AU,ST=VIC,L=MERNDA,O=MRN,OU=IT,CN=wgb.mrn.local,emailAddress=wgb@mrn.local
            Key size : 2048

*** End of WBridge configurations ***

You can refer to this configuration guide for the applicable WGB commands on a Wave 2 AP.

I will do a bit more testing with EAP-TLS on the WGB and write a post on it in the near future.

RELATED POSTS
1. WGB with PEAP
2. Wireless & Wired Clients behind WGB
3. IOS AP-WGB with Multiple VLAN