In this post we will see how to configure security for a basic Autonomous WGB solution. Here is the topology I will use for this post. A laptop is connected to the Ethernet port of the WGB (a 1252 AP) and is expected to get an IP address in VLAN 110 (the native VLAN for AAP1), where DHCP is defined on DS01.
Here is the basic configuration of WGB without any security.
hostname AAP1
dot11 ssid WGB
 vlan 110
 authentication open
 infrastructure-ssid
interface Dot11Radio1
 ssid WGB
 infrastructure-client
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
!
interface BVI1
 ip address 10.10.110.100 255.255.255.0
ip default-gateway 10.10.110.3
Here is the config of AAP2 (or WGB) as I entered it at the config prompt. You will notice that as soon as you enable the interface, the WGB associates to AAP1.
hostname AAP2
dot11 ssid WGB
 vlan 110
 authentication open
interface Dot11Radio1
 ssid WGB
 station-role workgroup-bridge
interface Dot11Radio1.110
 encapsulation dot1Q 110 native
 bridge-group 1
interface GigabitEthernet0.110
 encapsulation dot1Q 110 native
 bridge-group 1
Once you configure this & enable the Radio1 interface (where I configured the WGB SSID), you will see AAP2 associated to AAP1. The PC connected to AAP2 will also get an IP from the DHCP pool defined on DS01.
*Apr 28 11:18:01.031: %DOT11-6-ASSOC: Interface Dot11Radio1, Station AAP2 68ef.bd0f.d95a Associated KEY_MGMT[NONE]
*Apr 28 11:18:01.791: %DOT11-6-ASSOC: Interface Dot11Radio1, Station AAP2 68ef.bd0f.d95a Associated KEY_interface GigabitEthernet0
*Apr 28 11:19:10.030: %DOT11-6-ADD: Interface Dot11Radio1, Station 001f.1618.dfec Associated to Parent 68ef.bd0f.d95a
!
AAP1#sh dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [WGB] :
MAC Address    IP address      Device        Name            Parent         State
001f.1618.dfec 10.10.110.151   WGB-client    -               68ef.bd0f.d95a Assoc
68ef.bd0f.d95a 10.10.110.101   WGB           AAP2            self           Assoc
Now we will see how to configure this with EAP-FAST and WPA2/AES encryption. AAP1 will act as the local RADIUS server, so we will configure AAP1 first. Here are the CLI commands to configure AAP1 for local RADIUS. A user (wgbuser) with password (wgbpassword) is created for local authentication. Since we are testing EAP-FAST, I have disabled LEAP & MAC authentication, which are enabled by default when we configure local RADIUS.
aaa new-model
aaa group server radius RAD-GROUP
 server 10.10.110.100 auth-port 1812 acct-port 1813
aaa authentication login EAP-METHODS group RAD-GROUP
radius-server local
 no authentication leap
 no authentication mac
 nas 10.10.110.100 key 0 MRN-CCIEW
 user wgbuser password wgbpassword
radius-server host 10.10.110.100 auth-port 1812 acct-port 1813 key 0 MRN-CCIEW
dot11 ssid WGB
 authentication open eap EAP-METHODS
 authentication network-eap EAP-METHODS
 authentication key-management wpa version 2
interface Dot11Radio1
 encryption vlan 110 mode ciphers aes-ccm
Now on the WGB, you have to configure the same encryption & authentication key management. Even though we are not configuring any RADIUS settings on the WGB, we have to configure some fake EAP method list names in order to define the authentication key-management. You also need to create an EAP profile & dot1x credentials for the WGB, as shown below.
dot11 ssid WGB
 authentication open eap EAP-METHODS <- any fake name to be used
 authentication network-eap EAP-METHODS <- any fake name to be used
 authentication key-management wpa version 2
interface Dot11Radio1
 encryption vlan 110 mode ciphers aes-ccm
AAP2(config)#eap profile FAST
AAP2(config-eap-profile)#method fast
AAP2(config-eap-profile)#method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  tls       EAP-TLS method allowed
AAP2(config)#dot1x credentials FAST
AAP2(config-dot1x-creden)#username wgbuser
AAP2(config-dot1x-creden)#password wgbpassword
AAP2(config)#dot11 ssid WGB
AAP2(config-ssid)#dot1x eap profile FAST
AAP2(config-ssid)#dot1x credentials FAST
*Mar 14 16:45:45.955: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [EAP-FAST WPAv2]
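A check for the settings that change between the open and the EAP-FAST/WPA2 configurations above, added here as an example and not part of the original post. The names `ios_blocks` and `audit` are hypothetical, the two sample configs are constructed from commands shown in the post, and the parser assumes child lines are indented with a space as in a running-config.

```python
def ios_blocks(config):  # top-level command -> list of its indented child lines
    blocks, head = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if not raw.startswith(" "):
            head = raw.strip()
            blocks[head] = []
        elif head is not None:
            blocks[head].append(raw.strip())
    return blocks

def audit(config):
    """List the weak settings that the EAP-FAST/WPA2 steps in the post replace."""
    findings = []
    for head, body in ios_blocks(config).items():
        has = lambda prefix: any(l.startswith(prefix) for l in body)
        if head.startswith("dot11 ssid "):
            if not (has("authentication open eap ") or has("authentication network-eap ")):
                findings.append(f"{head}: open authentication without EAP")
            if not has("authentication key-management wpa version 2"):
                findings.append(f"{head}: WPA2 key management not set")
        elif head.startswith("interface Dot11Radio") and has("ssid "):
            if not any(l.startswith("encryption ") and l.endswith("ciphers aes-ccm") for l in body):
                findings.append(f"{head}: no aes-ccm cipher")
        elif head == "radius-server local":
            # Assumption taken from the post: LEAP and MAC authentication are on by default.
            for method in ("leap", "mac"):
                if f"no authentication {method}" not in body:
                    findings.append(f"{head}: {method} authentication still enabled")
    return findings

# Constructed samples assembled from the commands shown in the post.
OPEN_WGB = """\
dot11 ssid WGB
 authentication open
interface Dot11Radio1
 ssid WGB
"""
EAP_AP = """\
radius-server local
 no authentication leap
 no authentication mac
dot11 ssid WGB
 authentication open eap EAP-METHODS
 authentication key-management wpa version 2
interface Dot11Radio1
 encryption vlan 110 mode ciphers aes-ccm
 ssid WGB
"""
```

`audit(OPEN_WGB)` reports the three gaps of the open baseline, and `audit(EAP_AP)` returns an empty list.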
You can see the WGB associated to AAP1 via EAP-FAST. You can use “show radius local-server statistics” on AAP1 to confirm this, or to find the failure reasons (if any).
AAP1#show radius local-server statistics
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0

NAS : 10.10.110.100
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Auto provision success : 1           Auto provision failure : 0
PAC refresh            : 0           Invalid PAC received   : 0

Username                  Successes  Failures  Blocks
wgbuser                           1         0       0
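To pull the failure reasons out of this output automatically, the following added example (not from the original post) parses the global, per-NAS and per-user counters and reports every non-zero failure counter. The function names and the sample text are constructed for illustration, and the parser assumes the two-column layout the device prints.

```python
import re

COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)(?![\d.])")
NAS_HEADER = re.compile(r"^NAS\s*:\s*(\S+)$")
USER_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")
# Counters that rise during normal operation; any other non-zero counter is a failure reason.
BENIGN = {"Successes", "Auto provision success", "PAC refresh"}

def parse_stats(text):
    """Return ({section: {counter: n}}, {user: (successes, failures, blocks)})."""
    sections, users, current, in_users = {"global": {}}, {}, "global", False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Username"):
            in_users = True
        elif in_users:
            row = USER_ROW.match(line)
            if row:
                users[row[1]] = tuple(int(row[i]) for i in (2, 3, 4))
        elif NAS_HEADER.match(line):
            current = NAS_HEADER.match(line)[1]
            sections[current] = {}
        else:
            for label, value in COUNTER.findall(line):
                sections[current][label] = int(value)
    return sections, users

def failure_reasons(text):
    sections, users = parse_stats(text)
    found = [(sec, label, n) for sec, counters in sections.items()
             for label, n in counters.items() if n and label not in BENIGN]
    found += [(user, "failures+blocks", f + b) for user, (_, f, b) in users.items() if f or b]
    return found

# Constructed sample in the layout of the post's output, with failures added.
SAMPLE = """\
AAP1#show radius local-server statistics
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 3
NAS : 10.10.110.100
Successes              : 1           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 3
Shared key mismatch    : 2           Invalid state attribute: 0
Auto provision success : 1           Auto provision failure : 0
Username                  Successes  Failures  Blocks
wgbuser                           1         3       0
"""

if __name__ == "__main__":
    print(failure_reasons(SAMPLE))
```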
If you want to configure LEAP, the process is similar: configure the EAP profile method as “LEAP”.
Thanks for this blog. Is it possible to do the same thing but with EAP-TLS?
Hi Filipe,
I haven’t tested this myself, but it is possible.
Following links may help you for WGB config for EAP-TLS & PEAP.
1. http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809637dd.shtml
2. https://supportforums.cisco.com/docs/DOC-29078
HTH
Rasika
Hi Rasika,
I’m looking to associate a WGB to a lightweight AP with EAP methods. Have you tested this configuration? Is it possible?
If I have different choices, I prefer EAP-TLS for the authentication.
Filipe
The answer is yes, the same configuration works with lightweight AP. I just tested but without vlans.
Great! Thanks for letting us know it worked.