A WGB is a device that associates to an AP (either Lightweight or Autonomous) and provides transparent bridging to its wired clients. Each wired client that the WGB learns on its Ethernet interface is reported to the WGB's root AP via Inter-Access Point Protocol (IAPP), a Cisco proprietary protocol. You can use the following CLI command to specify an AP's radio as a WGB.
station role workgroup-bridge
If you want to configure a WGB to work with non-Cisco APs, you have to configure it as a universal WGB (uWGB). In that case only a single device can be connected behind the WGB. You can use the following CLI command under the radio interface to configure it as a universal WGB.
station-role workgroup-bridge universal ?
H.H.H Universal Client MAC Address
There are two modes a WGB can use when it connects to an Autonomous AP. In the unified wireless architecture only client mode WGB is supported.
1. Infrastructure mode (supports multiple vlan behind WGB)
2. Client BSS mode (supports single vlan behind WGB)
Let's see a basic configuration of a Root AP and WGB, and then how to add PSK (pre-shared key) security to it.
Here is the basic config of the AAP without any security. You can configure the SSID as an infrastructure SSID so that only infrastructure devices (such as other APs configured as WGBs, or bridges) can connect to it. An infrastructure SSID should always map to the native VLAN (20 in my example).
hostname AAP1
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 infrastructure-ssid
!
interface Dot11Radio1
 ssid MRN-WGB
 station-role root
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.20.99 255.255.255.0
ip default-gateway 192.168.20.254
sntp server 10.10.205.20
Here is the WGB configuration.
hostname WGB
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 infrastructure-ssid
!
interface Dot11Radio1
 ssid MRN-WGB
 station-role workgroup-bridge
interface Dot11Radio1.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface BVI1
 no ip address
You can verify the WGB and its client association by using the “show dot11 associations client” CLI command on the Root AP (the wired client behind the WGB gets its IP from the DHCP server defined on CAT2).
AAP1#show dot11 associations client
802.11 Client Stations on Dot11Radio1:
SSID [MRN-WGB] :
MAC Address IP address Device Name Parent State
001f.1618.dfec 192.168.20.100 WGB-client - 44d3.caaf.4343 Assoc
44d3.caaf.4343 0.0.0.0 WGB WGB self Assoc
On the WGB you can see its association to the parent with the “show dot11 associations” command.
WGB#show dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [MRN-WGB] :
MAC Address IP address Device Name Parent State
a40c.c31a.ee60 192.168.20.99 ap1140-Parent AAP1 - Assoc
By default the WGB associates to the root AP as a normal client. If you want to send broadcast/multicast traffic reliably to the clients connected behind the WGB, you can configure “infrastructure-client” on the radio interface of the Root AP. In this way the root AP sends a unicast copy of each multicast packet to the WGB, which can then acknowledge it. This is useful when your WGB is not roaming frequently (for example, one serving printers). Let's configure AAP Radio 1 for this.
AAP1(config)#int d1
AAP1(config-if)#infrastructure-client
Once you configure “infrastructure-client” you no longer see the WGB itself as a client in the “show dot11 associations client” output. You have to use “show dot11 associations all-client” to see the WGB, as shown below.
AAP1#sh dot11 associations client
802.11 Client Stations on Dot11Radio1:
SSID [MRN-WGB] :
MAC Address IP address Device Name Parent State
001f.1618.dfec 192.168.20.100 WGB-client - 44d3.caaf.4343 Assoc

AAP1#sh dot11 associations all-client
Address : 001f.1618.dfec
Name : NONE
IP Address : 192.168.20.100
Interface : Dot11Radio 1
Device : WGB-client
Software Version : NONE
CCX Version : NONE
Client MFP : Off
State : Assoc
Parent : 44d3.caaf.4343
SSID : MRN-WGB
VLAN : 20
Hops to Infra : 0
Clients Associated: 0
Repeaters associated: 0

Address : 44d3.caaf.4343
Name : WGB
IP Address : 0.0.0.0
Interface : Dot11Radio 1
Device : WGB
Software Version : 15.2
CCX Version : 5
Client MFP : Off
State : Assoc
Parent : self
SSID : MRN-WGB
VLAN : 20
Hops to Infra : 1
Association Id : 1
Clients Associated: 1
Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : NONE
Encryption : Off
Current Rate : m15.
Capability : WMM ShortHdr 11h
Supported Rates : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates : disabled
Bandwidth : 20 MHz
Signal Strength : -29 dBm
Connected for : 356 seconds
Signal to Noise : 67 dB
Activity Timeout : 30 seconds
Power-save : Off
Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 20770
Packets Output : 29793
Bytes Input : 3084148
Bytes Output : 33230505
Duplicates Rcvd : 11
Data Retries : 1793
Decrypt Failed : 0
RTS Retries : 0
MIC Failed : 0
MIC Missing : 0
Packets Redirected: 0
Redirect Filtered: 0
You can use “debug dot11 dot11Radio 1 trace print uplink” to see the steps the WGB goes through when it joins its parent.
WGB#debug dot11 dot11Radio 1 trace print uplink
*Mar 1 01:30:12.882: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Received deauthenticate (1) failure
*Mar 1 01:30:12.882: 474268BE-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar 1 01:30:12.882: 47426948-1 Uplink: Wait for driver to stop
*Mar 1 01:30:12.882: 47426980-1 Uplink: Enabling active scan
*Mar 1 01:30:12.885: 47426986-1 Uplink: Not busy, scan all channels
*Mar 1 01:30:12.885: 4742698D-1 Uplink: Scanning
*Mar 1 01:30:13.583: 474D1B25-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 638
*Mar 1 01:30:14.275: 4757AAB0-1 Uplink: no rsnie or ssnie chk
*Mar 1 01:30:14.275: 4757AABD-1 Uplink: ssid MRN-WGB auth open
*Mar 1 01:30:14.275: 4757AAC4-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar 1 01:30:14.275: 4757AACD-1 Uplink: Authenticating
*Mar 1 01:30:14.275: 4757AD35-1 Uplink: Associating
*Mar 1 01:30:14.379: 47593FA1-1 Uplink: Lost AP, Received deauthenticate (1) failure
*Mar 1 01:30:14.379: 47593FB0-1 Uplink: Reject for 0 seconds
*Mar 1 01:30:14.379: 47593FB6-1 Uplink: Scanning
*Mar 1 01:30:14.392: 47597452-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 157 627
*Mar 1 01:30:15.084: 476403D1-1 Uplink: no rsnie or ssnie chk
*Mar 1 01:30:15.084: 476403DE-1 Uplink: ssid MRN-WGB auth open
*Mar 1 01:30:15.084: 476403E3-1 Uplink: try a40c.c31a.ee60, enc 0 key 0, priv 0, eap 0
*Mar 1 01:30:15.084: 476403ED-1 Uplink: Authenticating
*Mar 1 01:30:15.084: 4764065F-1 Uplink: Associating
*Mar 1 01:30:15.087: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None]
*Mar 1 01:30:15.087: 4764102F-1 Uplink: Done
Let’s add WPA2-PSK security for this WGB.
In both AAP1 & WGB:
dot11 ssid MRN-WGB
 vlan 20
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii MRN-CCIEW
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
You should then see debug messages like the following on the WGB:
*Mar 1 01:45:44.306: 7ED5007F-1 Uplink: Wait for driver to stop
*Mar 1 01:45:44.306: 7ED500FE-1 Uplink: Enabling active scan
*Mar 1 01:45:44.310: 7ED50104-1 Uplink: Not busy, scan all channels
*Mar 1 01:45:44.310: 7ED5010A-1 Uplink: Scanning
*Mar 1 01:45:44.939: 7EDEB144-1 Uplink: Rcvd response from a40c.c31a.ee60 channel 40 682
*Mar 1 01:45:45.008: 7EDFBD20-1 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC02 encrypt_type 0x200
*Mar 1 01:45:45.008: 7EDFBD36-1 Uplink:
*Mar 1 01:45:45.008: 7EDFBD3D-1 Uplink: try a40c.c31a.ee60, enc 200 key 4, priv 1, eap 0
*Mar 1 01:45:45.008: 7EDFBD47-1 Uplink: Authenticating
*Mar 1 01:45:45.008: 7EDFBF9A-1 Uplink: Associating
*Mar 1 01:45:45.011: 7EDFC814-1 Uplink: EAP authenticating
*Mar 1 01:45:45.112: 7EE15737-1 Uplink: Done
*Mar 1 01:45:45.112: 7EE15751-1 Interface up
*Mar 1 01:45:45.115: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 01:45:45.118: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AAP1 a40c.c31a.ee60 [None WPAv2 PSK]
*Mar 1 01:45:46.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
You can also verify that the WGB uses the configured security methods with the “show dot11 associations <root-ap-mac>” command; check the Key Mgmt type and Encryption fields.
WGB#show dot11 ass a40c.c31a.ee60
Address : a40c.c31a.ee60
Name : AAP1
IP Address : 192.168.20.99
Gateway Address : 0.0.0.0
Netmask Address : 0.0.0.0
Interface : Dot11Radio 1
Device : ap1140-Parent
Software Version : 12.4
CCX Version : 5
Client MFP : On
State : Assoc
Parent : -
SSID : MRN-WGB
VLAN : 20
Hops to Infra : 0
Association Id : 1
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 PSK
Encryption : AES-CCMP
Current Rate : m12-
Capability : WMM ShortHdr 11h
Supported Rates : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0-2 m1-2 m2-2 m3-2 m4-2 m5-2 m6-2 m7-2 m8-2 m9-2 m10-2 m11-2 m12-2 m13-2 m14-2 m15-2
Voice Rates : disabled
Bandwidth : 20 MHz
Signal Strength : -32 dBm
Connected for : 402 seconds
Signal to Noise : 64 dB
Activity Timeout : 14 seconds
Power-save : Off
Last Activity : 1 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 4532
Packets Output : 174
Bytes Input : 877308
Bytes Output : 52789
Duplicates Rcvd : 0
Data Retries : 100
Decrypt Failed : 0
RTS Retries : 0
MIC Failed : 0
MIC Missing : 0
Packets Redirected: 0
Redirect Filtered: 0
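As an added example (not code from the original post), here is a small Python checker that parses a “show dot11 associations <mac>” record and reports whether the uplink is using WPAv2 PSK with AES-CCMP and Client MFP, so an open association (Key Mgmt type NONE, Encryption Off) on the infrastructure SSID is caught. The two records are constructed from the page's own output, with the columns padded as IOS prints them (two field pairs per line).

```python
import re

# Constructed samples modelled on the two records shown on this page: the
# open-auth WGB record and the WPA2-PSK parent record. Only the fields the
# check needs are kept; padding follows the IOS two-column layout.
OPEN_RECORD = """\
Address           : 44d3.caaf.4343     Name             : WGB
State             : Assoc              Parent           : self
SSID              : MRN-WGB            VLAN             : 20
Key Mgmt type     : NONE               Encryption       : Off
Client MFP        : Off
"""

PSK_RECORD = """\
Address           : a40c.c31a.ee60     Name             : AAP1
State             : Assoc              Parent           : -
SSID              : MRN-WGB            VLAN             : 20
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Client MFP        : On
"""


def parse_record(text):
    """Turn one 'show dot11 associations <mac>' record into a label->value dict."""
    fields = {}
    for line in text.splitlines():
        # collapse the padding IOS puts between a label and its colon,
        # then split the line into its field pairs on the column gap
        line = re.sub(r"\s*:\s*", " : ", line.strip())
        for chunk in re.split(r"\s{2,}", line):
            if " : " in chunk:
                label, value = chunk.split(" : ", 1)
                fields[label] = value
    return fields


def audit_record(text):
    """Return (ok, findings): ok is True only for WPAv2 PSK + AES-CCMP + MFP."""
    f = parse_record(text)
    findings = []
    kmt = f.get("Key Mgmt type", "NONE")
    enc = f.get("Encryption", "Off")
    if not kmt.startswith("WPAv2"):
        findings.append("key management is %s, expected WPAv2 PSK" % kmt)
    if enc != "AES-CCMP":
        findings.append("encryption is %s, expected AES-CCMP" % enc)
    if f.get("Client MFP", "Off") != "On":
        findings.append("client MFP is off")
    return (not findings, findings)
```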
If a wired client does not send traffic for an extended period of time (as printers often do), the WGB removes the client from its bridge table, even if traffic is continuously sent to that wired client. As a result the traffic flow to the wired client fails. To prevent the wired client being removed from the bridge table, configure the aging-out timer on the WGB to a larger value using the “bridge <bridge group no> aging-time <seconds>” command.
WGB#sh bridge
Total of 300 station blocks, 293 free
Codes: P - permanent, S - self
Bridge Group 1:
Address         Action   Interface   Age   RX count   TX count
a088.b435.c2f0  forward  Vi0.20      0     2212       7
001f.1618.dfec  forward  Gi0.20      0     21488      29759
0026.0b63.caf4  forward  Vi0.20      0     129        0
7081.0503.7cef  forward  Vi0.20      0     131        0
001a.e3a7.ff50  forward  Vi0.20      0     29905      19704
7073.cbdc.58ea  forward  Vi0.20      7     86         0
001a.e3a7.ff0f  forward  Vi0.20      0     7731       0

WGB(config)#bridge ?
  <1-255>            Bridge Group number for Bridging.
  crb                Concurrent routing and bridging
  irb                Integrated routing and bridging
  mac-address-table  MAC-address table configuration commands

WGB(config)#bridge 1 ?
  acquire                    Dynamically learn new, unconfigured stations
  address                    Block or forward a particular Ethernet address
  aging-time                 Set forwarding entry aging time
  bitswap-layer3-addresses   Bitswap embedded layer 3 MAC addresses
  bridge                     Specify a protocol to be bridged in this bridge group
  circuit-group              Circuit-group
  domain                     Establish multiple bridging domains
  forward-time               Set forwarding delay time
  hello-time                 Set interval between HELLOs
  lat-service-filtering      Perform LAT service filtering
  max-age                    Maximum allowed message age of received Hello BPDUs
  priority                   Set bridge priority
  protocol                   Specify spanning tree protocol
  route                      Specify a protocol to be routed in this bridge group
  subscriber-policy          Subscriber group bridging

WGB(config)#bridge 1 aging-time ?
  <10-1000000>  Seconds

WGB(config)#bridge 1 aging-time 86400
Rasika: I get the following message on the WGB often: Received deauthenticate. Any reason that you know of?
This can be triggered for many reasons; check your clock on the WGB.
Thank you, Aadil, for responding to these queries.
Rasika
Hi, I am trying to configure a WGB with a non-Cisco AP (TP-Link) in WPA2-PSK, but we have this error: “Lost AP, EAP authentication failed 14”. Can you help me?
If it is a non-Cisco AP, then the WGB has to be in universal mode (station-role workgroup-bridge universal).
Give it a try & see.
HTH
Rasika