cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
304
Views
0
Helpful
4
Replies
Highlighted
Beginner

Autonomous wireless bridge on WLAN with RADIUS

- I have a WLC5508 running 8.5.140.0

- I have our primary/production SSID on VLAN1 with RADIUS authentication managed through Windows group policy.  The domain controller is the RADIUS server.  Encryption is WPA2.

- When I place a laptop in the correct Active Directory Organizational Unit, the wireless policies are applied to that machine and the host automatically associates with the SSID using either computer authentication or user authentication, defaults to computer authentication.  The security methods are PEAP with EAP-MSCHAPv2.  Works great, has been working well for years.  Images attached for details on the RADIUS configuration.

 

I need to configure a wireless bridge for use in the lab.  The bridge will provide connectivity to one or two hosts that are not wireless-enabled and cannot be tethered by network cables for a few reasons.  I need the bridge to provide VLAN1 connectivity to the hosts through this RADIUS-authenticated SSID.  I am using the GUI for configuration of the bridge AP, which is an Aironet 1142 with autonomous image version 15.3(3)JAB.

 

I have created an active directory user account for the AP, which should be all it needs.  I am able to connect a cell phone to this SSID using a valid set of Windows credentials, so I hope the AP can do the same.

 

I am having difficulty matching up the settings on the AP with my existing wireless configuration. I can't seem to get the bridge to associate, and I'm not sure where to look for detailed debugging.  I have a console session with the bridge, but I'm not super proficient with the CLI.

 

Rather than go overboard posting lots of information, please tell me what you need to see beyond what I've put in this first post, and I will provide is as quickly as possible.  Hopefully somebody can help me out.

 

Annotation 2019-11-20 121209.png

 

BRIDGE-AP-01#sh run
Building configuration...

Current configuration : 2827 bytes
!
! Last configuration change at 03:11:05 UTC Fri Mar 1 2002
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BRIDGE-AP-01
!
!
logging rate-limit console 9
enable secret 5 $1$/EFC$mbtwzj9IBER5APZ8TyvBu1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip domain name XXXXX.local
ip name-server 192.168.65.4
!
!
!
!
dot11 syslog
!
dot11 ssid X_PROD_SSID_X
   vlan 1
   authentication open eap eap_methods
   authentication shared eap eap_methods
   authentication network-eap eap_methods
   dot1x credentials wireless-ap
   dot1x eap profile X_EAP_PROFILE_X
!
!
!
eap profile X_EAP_PROFILE_X
 method peap
 method mschapv2
!
!
!
dot1x credentials wireless-ap
 username wireless-ap
 password 7 000000000000000000000000
!
username CISCO password 7 096F471A1A0A
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 broadcast-key vlan 1 change 1024 membership-termination capability-change
 !
 !
 ssid X_PROD_SSID_X
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 antenna gain 0
 peakdetect
 station-role workgroup-bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 mac-address 5475.d0b5.4e52
 ip address dhcp
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
!
radius server RADIUS_SERVER_HOST_NAME
 address ipv4 192.168.65.8 auth-port 1645 acct-port 1646
 key 7 0000000000000000000000
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end

BRIDGE-AP-01#

 

 

 

 

 

 

 

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Mentor

If client need to validate RADIUS server certificate, you may have to install server root cert  on your AP.

Also I would go without any sub-interfaces for simplicity. Follow this post for more guidance

https://mrncciew.com/2018/05/25/wgb-with-peap/ 

 

HTH

Rasika

*** Pls rate all useful responses ***

View solution in original post

4 REPLIES 4
Highlighted
VIP Mentor

If client need to validate RADIUS server certificate, you may have to install server root cert  on your AP.

Also I would go without any sub-interfaces for simplicity. Follow this post for more guidance

https://mrncciew.com/2018/05/25/wgb-with-peap/ 

 

HTH

Rasika

*** Pls rate all useful responses ***

View solution in original post

Highlighted

Looks like either your reply or my original post was marked as SPAM. Not sure why. You post was helpful, I got farther but I'm still not connecting. Having an issue with association or EAP. Hopefully they revive the post so we can continue.
Highlighted

Hi Rasika.  I eventually discovered that because my infrastructure SSID has a space in it, some of the configuration steps would reject my commands.  Perhaps I did not need to match the trustpoint name to the SSID, but I was trying to match your method as closely as possible.

 

Rather than rename the production SSID, I created a new SSID on a new VLAN, placed the desired root AP into its own AP group on the controller, and configured basic WPA2 security.  With this configuration the bridge works perfectly, and the bridge SSID is limited to only the area where it is required rather than across the entire campus.

 

Thank you for your help, I believe your information was correct, it was my environment that prevented this from working as expected.

Highlighted

Hi Justin,

 

Glad to hear that.

 

Rasika