
Cisco enabled WGB support on its Catalyst APs (91xx series) from IOS-XE 17.8.1 onward (refer to the release notes to see all features added). Only the following 3 AP models are supported in this software release.

  1. Cisco 9105
  2. Cisco 9115
  3. Cisco 9120

If you are familiar with 11ac Wave 2 AP WGB configuration (refer to this post for more detail), you will have a feel for WGB configuration on the 9100 series as well. Since this is the first code to support WGB functionality on 9100 series APs, the restrictions listed below apply (per the IOS-XE 17.8.1 config guide).

  • MAC filtering is not supported for wired clients.
  • Idle timeout is not supported for both WGB and wired clients.
  • Session timeout is not applicable for wired clients.
  • Web authentication is not supported.
  • WGB supports only up to 20 clients.
  • If you want to use a chain of certificates, copy all the CA certificates to a file and install it under a trust point on the WGB, or else server certificate validation may fail.
  • Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the WGB.
  • Wired clients connected to a WGB inherit the WGB’s QoS and AAA override attributes.
  • To enable the WGB to communicate with the root AP, create a WLAN and make sure that Aironet IE is enabled under the Advanced settings.

Here is my test topology for this post. (We will look at the basic config of WGB in this post & do a separate post on additional WGB configurations for wired devices)

For WGB to work, you have to enable “Aironet-IE” under WLAN profile “Advanced” configurations in a 9800. (In AireOS, specific WLAN -> Advanced settings). My SSID is configured with PSK (AKM 2) & FT+PSK (AKM 4) as shown below.

Here is the 9115 firmware (I got it registered to 9800-CL with IOS-XE 17.8.1 like a normal AP first)

AP3-C9115#sh version
AP3-C9115 uptime is 0 days, 4 hours, 52 minutes
Last reload time   : Sat Jul 9 07:05:22 UTC 2022

cisco C9115AXI-B ARMv8 Processor rev 0 (v8l) with 1971460/1186572K bytes of memory.
Processor board ID 0
AP Running Image     : 17.8.0.144
Primary Boot Image   : 17.8.0.144
Backup Boot Image    : 8.10.121.0
.
.
1 Multigigabit Ethernet interfaces
2 802.11 Radios
Radio Driver version : Broadcom BCA: 17.20 RC10.0
Radio FW version : 1570.15656.r44417 44417

You have to register the 9105/9115/9120 AP to a C9800 running 17.8.1 or higher code before you can convert that AP to WGB mode. Then you can use the “ap-type workgroup-bridge” CLI command to convert it to WGB.

AP3-C9115#ap-type        
  capwap            Switch to CAPWAP AP type
  ewc-ap            Switch to EWC AP type
  workgroup-bridge  Switch to Workgroup Bridge(WGB) AP type
AP3-C9115#ap-type workgroup-bridge 

WGB is a wireless client that serve as nonroot ap for wired clients. 
AP is the Master/CAPWAP AP, system will need a reboot when ap type is changed to
 WGB. Do you want to proceed? (y/N): y

Once the AP is in WGB mode, you can do certain configurations using “configure x” in global exec mode. Below is the SSID profile configuration on the WGB (the configuration options are shown so you can see what is available in the 17.8.1 version).

AP3-C9115#configure 
  ap            AP commands for IPv4/6 Configuration
  boot          Set boot parameters
  clock         Manage the system clock
  crypto        Encryption module
  dot11Radio    Dot11 radio interface
  dot1x         IEEE 802.1X global configuration commands
  eap-profile   EAP global configuration commands
  ntp           Configure NTP
  qos           Configure qos for wireless clients
  radius        Configure radius server
  security      security information
  ssh           Configure secure shell operation
  ssid-profile  Configure SSID profile information
  wgb           Workgroup-bridge configuration
AP3-C9115#configure ssid-profile 
  WORD  <Enter SSID profile name>
AP3-C9115#configure ssid-profile WGB_PSK 
  delete  Delete the SSID profile
  ssid    Configure radio service set parameters
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK 
  authentication  authentication method
  dtim            Configure DTIM period
  qos             QOS profile configured to ssid
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication 
  eap   Dot1x method
  open  open method
  psk   Pre-shared key method
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk 
  WORD  Enter pre-shared Key 
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk Vipassana123 
  key-management  key management
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk Vipassana123 key-management 
  dot11r  802.11r Fast BSS Transition
  dot11w  11w PMF Client Configuration
  wpa2    allow WPA Version 2 clients
AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk Vipassana123 key-management wpa2 

If you want to configure the WGB to use FT (802.11r) with PSK, you can use the “dot11r” option in the configuration.

AP3-C9115#configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk Vipassana123 key-management dot11r

Here is how you can configure the radio role as “workgroup-bridge” and assign the SSID profile to it. Once you do that, you can enable the radio interface.

AP3-C9115#configure dot11   
  <0-1>  Dot11Radio interface number
AP3-C9115#configure dot11 1 
  antenna        Configure dot11 radio antenna settings
  beacon-period  Configure periodic beacon interval
  channel        Configure root AP mode radio channel
  disable        Disabile the selected radio interface
  enable         Enable the selected radio interface
  encryption     Configure dot11 encryption parameters
  mode           Mode of the radio
  wlan           Configure WLAN at root AP mode radio
AP3-C9115#configure dot11 1 mode 
  root-ap  Root access point or bridge
  scan     WGB passive scanning mode operation
  wgb      Workgroup-bridge
AP3-C9115#configure dot11 1 mode wgb 
  ssid-profile  SSID Profile to be mapped
AP3-C9115#configure dot11 1 mode wgb ssid-profile 
  WORD  <Enter the configured ssid profile name>
AP3-C9115#configure dot11 1 mode wgb ssid-profile WGB_PSK
AP3-C9115#configure dot11 1 enable

Once you enable the radio 1 interface, you should see the client associate to the WLAN configured on the 9800 and get an IP address.

[*07/09/2022 22:26:44.6580] DOT11_CFG[1] Radio Mode is changed from Local to WGB Uplink
[*07/09/2022 22:26:44.6580] DOT11_UPLINK_DRIVER[1]: WGB uplink mode started
[*07/09/2022 22:26:44.9480] DOT11_UPLINK_DRIVER[1]: Disabled radar detection
[*07/09/2022 22:26:44.9620] DOT11_UPLINK_DRIVER[1]: Disabled DFS CAC timer
[*07/09/2022 22:26:45.0360]  SSID-Profile WGB_PSK has been saved successfully 
[*07/09/2022 22:26:45.0360] 
[*07/09/2022 22:26:50.2370] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]
[*07/09/2022 22:26:50.2450] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]
[*07/09/2022 22:26:51.8890] chatter: DHCP-EVT: Sending DHCP discover packet length 346 bytes
[*07/09/2022 22:26:55.8900] chatter: DHCP-EVT: Sending DHCP discover packet length 346 bytes
[*07/09/2022 22:26:55.9130] chatter: DHCP-EVT: Received DHCP msg type: DHCP_OFFER from server: 192.168.200.1
[*07/09/2022 22:26:55.9130] chatter: DHCP-EVT: DHCP client machine state: init
[*07/09/2022 22:26:55.9130] chatter: DHCP-EVT: Sending DHCP request packet length 346 bytes
[*07/09/2022 22:26:55.9340] chatter: DHCP-EVT: Received DHCP msg type: DHCP_ACK from server: 192.168.200.1
[*07/09/2022 22:26:55.9340] chatter: DHCP-EVT: DHCP client machine state: requesting
[*07/09/2022 22:26:59.2920] odhcp6c[8301]: in timer_init.

You can use the “show wgb dot11 x” CLI command to verify. You can see the WGB associated with 11ax and got IP address 192.168.200.101. Note that the current data rate shows 2401 Mbps, which is the highest data rate you can get with a 4×4:4SS, 80 MHz, 0.8 µs GI client. (You can search for the 2402 value on mcsindex.com to confirm.)

AP3-C9115#show wgb 
  bridge      Bridge Forwarding/Filtering Database [verbose]
  dot11       IEEE 802.11 show information
  dot11v      802.11v info
  eap         Shows EAP information
  forwarding  WGB Forwarding
  mobile      Current mobile station
  qos         Show QOS information
  scan        show passive scan details
  ssid        show configured and connected SSID details
  statistic   Packet statistics
  wifi        WGB frameware wifi0

AP3-C9115#show wgb dot11 associations 
Uplink Radio ID            : 1
Uplink Radio MAC           : F8:0F:6F:15:27:2F
SSID Name                  : WGB_PSK
Parent AP Name             : AP2-C9130
Parent AP MAC              : 2C:57:41:52:B0:CF
Uplink State               : CONNECTED
Auth Type                  : PSK
Key management Type        : WPA2
Dot11 type                 : 11ax
Channel                    : 52
Bandwidth                  : 80 MHz
Current Datarate           : 2401 Mbps
Max Datarate               : 2401 Mbps
RSSI                       : 33
IP                         : 192.168.200.101/24
Default Gateway            : 192.168.200.1
DNS Server1                : 192.168.100.101
Domain                     : mrn.local
IPV6                       : ::/128
Assoc timeout              : 5000 Msec
Auth timeout               : 5000 Msec
Dhcp timeout               : 60 Sec

From the 9800 WLC end, you can verify RSSI/SNR for the 9115 WGB client. In my test environment, they are next to each other, hence the 71 dB SNR (-28 dBm RSSI). I will do another post when IOS-XE 17.9.x comes out by placing the WGB at another end of my house.

C9800-2#show wireless client mac-address f80f.6f15.272f detail | in Current|Sup|Client|dB|AP|For
Client MAC Address : f80f.6f15.272f
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 192.168.200.101
Client IPv6 Addresses : fe80::524a:8c93:c330:7d60
Client Username: N/A
AP MAC Address : 2c57.4152.b0c0
AP Name: AP2-C9130
AP slot : 1
Client State : Associated
Client type : Workgroup Bridge
Wired Client count : 0
Connected For : 1806 seconds 
Client IIF-ID : 0xa0000003
WMM Support : Enabled
U-APSD Support : Disabled
Fastlane Support : Disabled
Client Active State : Active
Current Rate : m11 ss4
Supported Rates : 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
Client Join Time:
  Join Time Of Client : 07/10/2022 17:28:52 AEST
Client State Servers : None
Client ACLs : None
Client Entry Create Time : 1803 seconds 
EAP Type : Not Applicable
Client Capabilities
Client Statistics:
  Number of Bytes Received from Client : 63776
  Number of Bytes Sent to Client : 15466
  Number of Packets Received from Client : 445
  Number of Packets Sent to Client : 137
  Radio Signal Strength Indicator : -28 dBm
  Signal to Noise Ratio : 71 dB
Client Scan Report Time : Timer not running
Client Scan Reports 
Nearby AP Statistics:
Max Client Protocol Capability: Wi-Fi6 (802.11ax)

You can do other basic configurations like NTP, SSH, management user, etc. using the same “configure x” CLI commands. Even though I enabled SSH, I was not able to reach it (maybe something to do with my 9800 side config, not too sure).

AP3-C9115#configure ntp server 192.168.100.1
AP3-C9115#show ntp
Stratum  Version  Last Received    Delay     Offset    Jitter   NTP server
3        4        12sec ago        0.198ms  -0.048ms   0.000ms  192.168.100.1
AP3-C9115#sh clock
*15:46:49 AEST Sun Jul 10 2022

AP3-C9115#configure ssh enable

AP3-C9115#sh ip int brief
Interface            IP-Address      Method   Status                 Protocol   Speed      Duplex  
wired0               unassigned      unset    up                     up         1000       full    
auxiliary-client     192.168.200.101 DHCP     up                     up         n/a        n/a     
apr0v0               n/a             n/a      administatively down   down       n/a        n/a     
apr1v0               n/a             n/a      up                     up         n/a        n/a     

**** basic IP & Mgmt user ***
AP3-C9115#configure ap 
  address     IPv4/6 address config
  hostname    Configure AP hostname
  management  Configure mgmt user credentials
!
AP3-C9115#configure ap management add username rasika password <password> secret <enable_secret>

****

Depending on your SSID and session timeout (30 min by default), you will notice the WGB disassociate and reassociate. On a 9800 you can increase this value to a maximum of 86400 s (24 hrs). There is no way to disable session timeout on that platform (unlike AireOS). Here are the WGB console logs when that occurs.

AP3-C9115#[*07/10/2022 15:56:30.0867] Received disassociate (uplink)[F8:0F:6F:15:27:2F], (bssid)[2C:57:41:52:B0:CF] (252) unknown
[*07/10/2022 15:56:30.1347] Received deauthenticate (uplink)[F8:0F:6F:15:27:2F], (bssid)[2C:57:41:52:B0:CF] (252) unknown
[*07/10/2022 15:56:30.2997] wl: Not Ready
[*07/10/2022 15:56:30.3007] (Dot11UplinkBcm) (vendor_set_80211_systemcmd:1093) System cmd wl -i apr1v0 scan -c 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 -s WGB_PSK returned with status: 54016
[*07/10/2022 15:56:35.1607] wl: Scan Rejected
[*07/10/2022 15:56:35.1617] (Dot11UplinkBcm) (vendor_set_80211_systemcmd:1093) System cmd wl -i apr1v0 scan -c 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 -s WGB_PSK returned with status: 54016
[*07/10/2022 15:56:40.1687] wl: Scan Rejected
[*07/10/2022 15:56:40.1687] (Dot11UplinkBcm) (vendor_set_80211_systemcmd:1093) System cmd wl -i apr1v0 scan -c 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165 -s WGB_PSK returned with status: 54016
[*07/10/2022 15:56:49.4918] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]
[*07/10/2022 15:56:49.4998] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]

If you configure WGB to use 11r, you will see WGB associated with “FT-PSK” when connecting.

[*07/10/2022 21:19:26.5085] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 FT-PSK]
[*07/10/2022 21:19:26.5165] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 FT-PSK]
[*07/10/2022 21:19:28.3506] chatter: DHCP-EVT: Sending DHCP discover packet length 346 bytes
[*07/10/2022 21:19:28.4796] chatter: DHCP-EVT: Received DHCP msg type: DHCP_OFFER from server: 192.168.200.1
[*07/10/2022 21:19:28.4796] chatter: DHCP-EVT: DHCP client machine state: init
[*07/10/2022 21:19:28.4796] chatter: DHCP-EVT: Sending DHCP request packet length 346 bytes
[*07/10/2022 21:19:28.5016] chatter: DHCP-EVT: Received DHCP msg type: DHCP_ACK from server: 192.168.200.1
[*07/10/2022 21:19:28.5016] chatter: DHCP-EVT: DHCP client machine state: requesting
[*07/10/2022 21:19:33.5216] route: SIOCADDRT: File exists
[*07/10/2022 21:19:33.5606] odhcp6c[30877]: in timer_init.
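
An added example (not part of the original post and not Cisco tooling): a Python parser for the console log format above that pairs each loss of uplink with the next DOT11-UPLINK_ESTABLISHED line, reports the outage, and flags an association whose key management or parent BSSID is not the expected one. The last two sample lines, the expected AKM string and the BSSID allow-list are constructed for illustration.

```python
import re
from datetime import datetime

# First five lines are taken from the logs above; the last two are constructed.
SAMPLE_LOG = """\
AP3-C9115#[*07/10/2022 15:56:30.0867] Received disassociate (uplink)[F8:0F:6F:15:27:2F], (bssid)[2C:57:41:52:B0:CF] (252) unknown
[*07/10/2022 15:56:30.1347] Received deauthenticate (uplink)[F8:0F:6F:15:27:2F], (bssid)[2C:57:41:52:B0:CF] (252) unknown
[*07/10/2022 15:56:35.1607] wl: Scan Rejected
[*07/10/2022 15:56:49.4918] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]
[*07/10/2022 15:56:49.4998] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP2-C9130 2C:57:41:52:B0:CF [WPA2 PSK]
[*07/10/2022 21:19:20.0000] Received deauthenticate (uplink)[F8:0F:6F:15:27:2F], (bssid)[2C:57:41:52:B0:CF] (252) unknown
[*07/10/2022 21:19:26.5085] DOT11-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP AP-UNLISTED 02:00:00:00:00:01 [WPA2 FT-PSK]
"""

LINE = re.compile(r"\[\*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)\]\s*(.*)")
DOWN = re.compile(r"Received (?:disassociate|deauthenticate) ")
UP = re.compile(r"DOT11-UPLINK_ESTABLISHED: Interface (\S+), Associated To AP "
                r"(\S+) ([0-9A-Fa-f:]{17}) \[(.+?)\]")

def parse_ts(text):
    # Console timestamps are month/day/year with four fractional digits.
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S.%f")

def uplink_flaps(log, expected_akm, allowed_bssids):
    """Pair each uplink loss with the next association and flag surprises."""
    flaps, down_at = [], None
    for raw in log.splitlines():
        m = LINE.search(raw)              # search: a CLI prompt may prefix the line
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if DOWN.match(msg):
            down_at = down_at or ts       # keep the first loss event of a burst
        elif (up := UP.match(msg)) and down_at is not None:
            _, ap, bssid, akm = up.groups()
            flags = []
            if akm != expected_akm:
                flags.append("akm-mismatch")
            if bssid.upper() not in allowed_bssids:
                flags.append("unknown-bssid")
            flaps.append({"down": down_at, "ap": ap, "bssid": bssid, "akm": akm,
                          "outage_s": round((ts - down_at).total_seconds(), 4),
                          "flags": flags})
            down_at = None                # the duplicate UP line is then ignored
    return flaps

if __name__ == "__main__":
    # Assumed policy: profile set to dot11r, one known parent BSSID.
    for f in uplink_flaps(SAMPLE_LOG, "WPA2 FT-PSK", {"2C:57:41:52:B0:CF"}):
        print(f["down"], f["outage_s"], f["ap"], f["akm"], f["flags"] or "ok")
```

A flap with no flags matches the session-timeout behaviour described above; a flagged one is worth checking against the WLC's view of the same client.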

With this release, Cisco has introduced a simple way to copy a WGB configuration to another AP. First, you upload your working WGB configuration to an SFTP/TFTP server. Then you download it to another AP. You can use the “copy configuration upload {SFTP|TFTP}: <server_ip_addr> <dir> <filename>” CLI command to upload. By default, the configuration filename looks like “wgb_running_config.AP3-C9115”. I used my Cisco Prime as the TFTP server and then from there I copied it across to my FTP server in the lab (a few additional steps for me).

AP3-C9115#copy configuration upload tftp: 192.168.100.13

Starting upload of WGB config tftp://192.168.100.13 ...
It may take a few seconds. If longer, please cancel command, check network and try again.
######################################################################## 100.0%
Config upload completed.

--- steps on Cisco Prime ---
cpi/admin# shell
Enter shell access password : 
Starting bash shell ... 
!
ade # cd /localdisk/tftp/
ade # cp wgb_running_config.AP3-C9115 /localdisk/defaultRepo/
!
ade # exit
cpi/admin# copy disk:defaultRepo/wgb_running_config.AP3-C9115 ftp://192.168.99.100/
Username: ftpuser
Password: 

Once uploaded, you can have a look at your configuration file. Here is my WGB configuration. As you can see, there are some default config lines too. I highlighted the lines I manually configured.

configure ap management add username rasika password $1$$aOSB4e1x4s0F7HGAARc5e0 secret $1$$aOSB4e1x4s0F7HGAARc5e0
configure ntp server 192.168.100.1
configure clock timezone AEST-10:0
configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk U2FsdGVkX19dKErYKCCysjYrpLGUF2dhaCIFK61k7TI= key-management dot11r
configure ssid-profile WGB_PSK ssid WGB_PSK qos profile 
configure wgb broadcast tagging disable
configure wgb packet retries 64 drop
configure ssh enable
configure dot11Radio 0 mode wgb ssid-profile WGB_PSK
configure dot11Radio 0 enable
configure dot11Radio 1 encryption mode ciphers aes-ccm
configure dot11Radio 1 mode wgb ssid-profile WGB_PSK
configure dot11Radio 1 enable
configure ap address ipv6 disable
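
The exported file carries the management password and secret hashes and the encoded PSK, and TFTP moves it unencrypted, so any copy that leaves the lab (a ticket, a forum post, a Git repository) should have those fields masked first. An added example, not Cisco tooling or code from this post: it relies only on the two line grammars visible in the file above, the sample values are placeholders, and the `hypothetical-feature` line is invented to exercise the fail-closed path.

```python
import re

# Constructed export in the shape of the file above; secret values are placeholders.
SAMPLE_CONFIG = """\
configure ap management add username wgbadmin password HASH_A secret HASH_B
configure ntp server 192.168.100.1
configure ssid-profile WGB_PSK ssid WGB_PSK authentication psk ENCODED_PSK key-management dot11r
configure ssid-profile WGB_PSK ssid WGB_PSK qos profile
configure ssh enable
configure dot11Radio 1 mode wgb ssid-profile WGB_PSK
configure hypothetical-feature secret VALUE_C
"""

MASK = "<redacted>"
# Positional grammars: group 1 is everything up to the secret token, so a
# username or profile that happens to be named "password" or "psk" is safe.
RULES = [
    ("mgmt-password", re.compile(
        r"^(configure ap management add username \S+ password )\S+")),
    ("mgmt-secret", re.compile(
        r"^(configure ap management add username \S+ password \S+ secret )\S+")),
    ("psk", re.compile(
        r"^(configure ssid-profile \S+ ssid \S+ authentication psk )\S+")),
]
SECRET_WORDS = {"password", "secret", "psk"}

def redact_wgb_config(text):
    """Return (redacted_text, findings); findings are (line_no, label)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        line = " ".join(line.split())          # normalise spacing for the rules
        hit = False
        for label, rx in RULES:
            line, n = rx.subn(lambda m: m.group(1) + MASK, line)
            if n:
                hit = True
                findings.append((no, label))
        if not hit and SECRET_WORDS & set(line.split()[:-1]):
            # A secret keyword in a grammar we do not know: fail closed.
            findings.append((no, "withheld"))
            line = f"! line {no} withheld for manual review"
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    redacted, found = redact_wgb_config(SAMPLE_CONFIG)
    print(redacted)
    print(found)
```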

Now you can download this configuration to another WGB with zero config. You can use “copy configuration download {SFTP|TFTP}: <server_ip_addr> <dir> <filename>”. I do not have another 9115 to try it out, but I am sure you get the idea.

There are advanced configuration commands available for WGB. If you need to learn all the configuration options/commands, I would highly recommend going through the 9800 IOS-XE 17.8.x configuration guide, then testing them out prior to deployment in production.