11-20-2019 09:36 AM - edited 07-05-2021 11:20 AM
- I have a WLC5508 running 8.5.140.0
- I have our primary/production SSID on VLAN1 with RADIUS authentication managed through Windows group policy. The domain controller is the RADIUS server. Encryption is WPA2.
- When I place a laptop in the correct Active Directory Organizational Unit, the wireless policies are applied to that machine and the host automatically associates with the SSID using either computer authentication or user authentication, defaulting to computer authentication. The security methods are PEAP with EAP-MSCHAPv2. It works great and has been working well for years. Images attached for details on the RADIUS configuration.
I need to configure a wireless bridge for use in the lab. The bridge will provide connectivity to one or two hosts that are not wireless-enabled and cannot be tethered by network cables for a few reasons. I need the bridge to provide VLAN1 connectivity to the hosts through this RADIUS-authenticated SSID. I am using the GUI for configuration of the bridge AP, which is an Aironet 1142 with autonomous image version 15.3(3)JAB.
I have created an active directory user account for the AP, which should be all it needs. I am able to connect a cell phone to this SSID using a valid set of Windows credentials, so I hope the AP can do the same.
I am having difficulty matching up the settings on the AP with my existing wireless configuration. I can't seem to get the bridge to associate, and I'm not sure where to look for detailed debugging. I have a console session with the bridge, but I'm not super proficient with the CLI.
Rather than go overboard posting lots of information, please tell me what you need to see beyond what I've put in this first post, and I will provide it as quickly as possible. Hopefully somebody can help me out.
BRIDGE-AP-01#sh run
Building configuration...

Current configuration : 2827 bytes
!
! Last configuration change at 03:11:05 UTC Fri Mar 1 2002
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BRIDGE-AP-01
!
!
logging rate-limit console 9
enable secret 5 $1$/EFC$mbtwzj9IBER5APZ8TyvBu1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
no ip source-route
no ip cef
ip domain name XXXXX.local
ip name-server 192.168.65.4
!
!
!
!
dot11 syslog
!
dot11 ssid X_PROD_SSID_X
   vlan 1
   authentication open eap eap_methods
   authentication shared eap eap_methods
   authentication network-eap eap_methods
   dot1x credentials wireless-ap
   dot1x eap profile X_EAP_PROFILE_X
!
!
!
eap profile X_EAP_PROFILE_X
 method peap
 method mschapv2
!
!
!
dot1x credentials wireless-ap
 username wireless-ap
 password 7 000000000000000000000000
!
username CISCO password 7 096F471A1A0A
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 broadcast-key vlan 1 change 1024 membership-termination capability-change
 !
 !
 ssid X_PROD_SSID_X
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption vlan 1 mode ciphers aes-ccm
 antenna gain 0
 peakdetect
 station-role workgroup-bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 mac-address 5475.d0b5.4e52
 ip address dhcp
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
!
radius server RADIUS_SERVER_HOST_NAME
 address ipv4 192.168.65.8 auth-port 1645 acct-port 1646
 key 7 0000000000000000000000
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input all
!
end
BRIDGE-AP-01#
11-20-2019 10:01 AM
If the client needs to validate the RADIUS server certificate, you may have to install the server's root cert on your AP.
Also, I would go without any sub-interfaces for simplicity. Follow this post for more guidance:
https://mrncciew.com/2018/05/25/wgb-with-peap/
HTH
Rasika
*** Pls rate all useful responses ***
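The running configuration posted above is long enough that the things this thread turns on are easy to miss when reading it by eye. The following Python script is an added example, not code from the original post or from Cisco: it parses IOS "show run" text into blocks and checks the points raised here. The radio in workgroup-bridge role must have an ssid bound (in the posted config, Dot11Radio1 is the WGB radio and carries none, while the SSID is bound to Dot11Radio0 in root role); every eap profile and dot1x credentials block an SSID references must exist; an SSID name containing a space is flagged because the thread reports commands being rejected with such a name; and a PEAP eap profile with no trustpoint is flagged because the bridge then cannot validate the RADIUS server certificate, which is the root-cert point in the answer above. It also flags sub-interfaces on the WGB radio, cleartext HTTP management and "transport input all" on the vty lines, which any review of an AP config would raise. The sample configuration is constructed from the posted one, trimmed and with placeholder secrets; the "pki-trustpoint" keyword under "eap profile" is an assumption about the IOS syntax, not something taken from the thread.

```python
"""Static audit of an autonomous Cisco IOS AP 'show run' used as a workgroup
bridge (WGB) with PEAP/MSCHAPv2. Added example; not code from the thread."""

# Constructed sample: a trimmed copy of the configuration posted in the
# thread, indented the way IOS prints it. Secrets are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid X_PROD_SSID_X
   authentication open eap eap_methods
   dot1x credentials wireless-ap
   dot1x eap profile X_EAP_PROFILE_X
!
eap profile X_EAP_PROFILE_X
 method peap
 method mschapv2
!
dot1x credentials wireless-ap
 username wireless-ap
 password 7 PLACEHOLDER
!
interface Dot11Radio0
 ssid X_PROD_SSID_X
 station-role root
!
interface Dot11Radio1
 station-role workgroup-bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input all
!
end
"""


def parse_blocks(config):
    """Split running-config text into (header, [child commands]) pairs.
    A header starts in column 0; indented lines belong to the last header."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return blocks


def audit_wgb_config(config):
    """Return [(code, detail)] findings for the WGB/PEAP points raised in the thread."""
    blocks = parse_blocks(config)
    headers = {h for h, _ in blocks}
    findings, wgb_radios = [], set()
    for header, cmds in blocks:
        if header.startswith("interface Dot11Radio") and "." not in header:
            role = next((c for c in cmds if c.startswith("station-role")), "")
            if "workgroup-bridge" in role:
                wgb_radios.add(header.split()[1])
                # The WGB radio is the client side: with no ssid bound there is nothing to join.
                if not any(c.startswith("ssid ") for c in cmds):
                    findings.append(("NO_SSID_ON_WGB", header))
        elif header.startswith("dot11 ssid "):
            name = header[len("dot11 ssid "):]
            if " " in name:  # thread: a name with a space broke later config steps
                findings.append(("SSID_HAS_WHITESPACE", name))
            for c in cmds:  # every referenced profile/credentials block must be defined
                ref = ("eap profile " + c.split()[-1]
                       if c.startswith("dot1x eap profile ") else c)
                if c.startswith("dot1x ") and ref not in headers:
                    findings.append(("DANGLING_REFERENCE", ref))
        elif header.startswith("eap profile "):
            # Assumed keyword: 'pki-trustpoint' names the CA used to validate the
            # RADIUS server certificate in PEAP; without it any server is accepted.
            if "method peap" in cmds and not any(c.startswith("pki-trustpoint") for c in cmds):
                findings.append(("PEAP_NO_TRUSTPOINT", header))
        elif header.startswith("line vty") and "transport input all" in cmds:
            findings.append(("VTY_TRANSPORT_ALL", header))  # telnet is accepted
    for header, _ in blocks:  # sub-interfaces on the WGB radio: the advice was to drop them
        if header.startswith("interface Dot11Radio") and "." in header \
                and header.split()[1].split(".")[0] in wgb_radios:
            findings.append(("SUBINTERFACE_ON_WGB", header))
    if "ip http server" in headers and "no ip http secure-server" in headers:
        findings.append(("HTTP_PLAINTEXT", "GUI management runs over cleartext HTTP"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_wgb_config(SAMPLE_CONFIG):
        print(f"{code:22} {detail}")
```

Run against the sample it reports five findings: the missing ssid on Dot11Radio1, the PEAP profile without a trustpoint, the Dot11Radio1.1 sub-interface, cleartext HTTP and the open vty transport. Feed it the full "show run" from your own bridge (paste the text into a file and pass it to audit_wgb_config) to get the same checks on the real device.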
11-21-2019 08:51 AM
Hi Rasika. I eventually discovered that because my infrastructure SSID has a space in it, some of the configuration steps would reject my commands. Perhaps I did not need to match the trustpoint name to the SSID, but I was trying to match your method as closely as possible.
Rather than rename the production SSID, I created a new SSID on a new VLAN, placed the desired root AP into its own AP group on the controller, and configured basic WPA2 security. With this configuration the bridge works perfectly, and the bridge SSID is limited to only the area where it is required rather than across the entire campus.
Thank you for your help. I believe your information was correct; it was my environment that prevented this from working as expected.
11-21-2019 09:08 AM
Hi Justin,
Glad to hear that.
Rasika