–This release improves the reliability of fast roaming on workgroup bridges by allowing the unit an additional retry when it needs to reassociate to the root access point.
–This release also improves the method that workgroup bridges use to select the "best parent" access point. Workgroup bridges can share association histories with rot access points, which can build and share a list of best root access points among workgroup bridges. This method improves helps workgroup bridges select the best root access point when roaming.
VideoStream support on workgroup bridges (when used as a client): VideoStream improves the reliability of an IP multicast stream by converting the multicast frame, over the air, to a unicast frame. VideoStream was not supported for workgroup bridge clients in previous releases because a workgroup bridge's wired clients cannot be added to the controller (WLC) multicast table. In this release, the workgroup bridge is added to the WLC multicast table, and the workgroup bridge converts the VideoStream unicast frame into an Ethernet multicast frame and sends it out to its wired clients.
Enter this command on the controller to enable VideoStream for workgroup bridges:
config media-stream wired-client enable
How to configure WGB with PEAP
In this example, the 1260 Autonomous Access Point is configured as a workgroup bridge and connects to the LWAPP network. Use the SSID WGB-PEAP for the connection to the WLAN and use the PEAP for the authentication of the WGB to the LWAPP network.
Configure ACS to Let the WGB authenticate in EAP
Complete these steps in order to configure the ACS to let the WGB authenticate in ACS:
Add the WLC as a NAS (AAA client)
In the ACS GUI, click Network Configuration on the left.
Under AAA Clients, click Add Entry.
Enter a name under AAA Client Hostname.
Enter the management interface IP address of the WLC under AAA Client IP Address.
Enter the RADIUS key under Shared Secret and make a note of it.
In the Authenticate Using drop-down menu, choose RADIUS (Cisco Airespace).
2. Enable EAP-TLS in ACS
Choose System Configuration > Global Authentication Setup.
Under EAP-TLS, for example, the top-level EAP-TLS, after EAP-FAST, not the EAP-TLS under PEAP, check Allow EAP-TLS.
Check all three of the certificate verification options.
Choose Submit + Restart.
3. Add the WGB as an ACS
In User Setup, enter the name of the WGB in the User panel, and click Add/Edit. This example uses "WGB".
Enter a hard-to-guess password. This is required, although not used in EAP-TLS.
Configuring Work Group Bridge (WGB)
Setting the hostname, domain name and time of the WGB as needed.
Note: The hostname must match the username entered for it in ACS as in the previous step:
WGB-Client#clock set 14:00:00 5 Dec 2012
Note: The time must be correct, for the certifications to work (clock set exec CLI, or configure an SMTP server).
2. Configure the trustpoint for the Certificate Authority:
WGB-Client(config)#crypto pki trustpoint WGB-PEAP
Note: subject-name CN=<ClientName> is required. Without it, the Microsoft CA fails to issue the cert, with the The request subject name is invalid or too long. 0x80094001 error message.
Note: The revocation-check none command is necessary to avoid the problem described in Cisco bug ID CSCsl07349. WGB disassociates/reassociates often and takes a long time to reconnect.
Note: To stop a debug, use the no debug all or undebug all commands. Verify that the debugs have been turned off using the command show debug.
Remember that the commands no logging console and terminal no monitor only prevent the output from being output on the console, Aux or vty respectively. It does not stop the debugging and therefore uses up router resources.
It’s been a long road for our AireOS wireless controllers. In fact these products have been around Cisco in some form since 2005. As you may have heard, Cisco made the decision to End-of-Sale (EOS) these products last month.
That means that these AireOS ...
Hello everyone, I just got a monitor AIR-AP1800S-Z-K9 and it has no ethernet port, only USB. Wrondering if it is possible to deploy it using some kind of deployment SSID, just like Mobility Express does or if I´ll need to buy and Ethernet...
Hello If APs are deployed with only a primary controller assigned. By default, which mobility group member controller do the orphaned APs join in the event of a failed controller. There are multiple WLC in HA configuration in a mobil...
Hi expert I convert my Cat 9120 AP to EWC.Then I try to provision it using iPad by Over-the-Air Provisioning (OTAP).But the configured SSID doesn't appear in my laptop, iPad, smartphone. But in CLI, I can see the SSID already up.Does anyone...