Configure IW3702 as Workgroup Bridge

lecabral
Level 1

Hi,

I'm trying to achieve something that should be fairly simple: configuring a standalone IW3702 running version 15.3(3)JPN1 as a workgroup bridge AP.

I've followed instructions from links like this one, but I don't have the exact same commands available.

This is what I have (the most relevant):

!
aaa new-model
!

!
dot11 ssid indnet
dot1x credentials YAR
dot1x eap profile YAR
!

dot1x credentials YAR
description Connection to indnet
username <theUser>
password 7 <thePass>
!

interface Dot11Radio0
description Radio-2.4Ghz
no ip address
shutdown
!
ssid indnet
!
antenna gain 4
station-role workgroup-bridge
mobile station scan 2412 2437 2462
mobile station ignore neighbor-list
mobile station period 20 threshold 70
bridge-group 1
bridge-group 1 spanning-disabled
!

When I do a no shut for the interface to test connectivity, I get:

 %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No matching privacy setting (from 6c31.0eaf.3740)

The wlan I'm trying to connect has 802.1x authentication.

Thanks in advance for any suggestions.

LeoC.


balaji.bandi
Hall of Fame

Do you have a root AP?

Check some config guides for reference:

https://mrncciew.com/2020/07/07/cisco-2800-3800-ap-as-wgb/

https://rscciew.wordpress.com/tag/autonomous-ap/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rich R
VIP

Thank you @Rich R it was very helpful.

I was able to make the config work by using the doc you pointed out, with a minor change. I believe there is a mistake in the document when it indicates to download the ISE PEAP certificate and install it on the AP. Actually the certificate that needed to be installed on the AP was the root certificate, in order for the AP to be able to verify the cert presented by ISE.

ISE was showing clearly:

Failure Reason 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

Also, the document was pretty straightforward to make the config work, but omitted some useful commands and options present in other documents about WGB, like those related to mobile bridges: mobile station / mobile station scan / mobile station ignore neighbor-list.

For anyone interested, here is a full working config:

PoCWGB01_MOVIL#sh run
Building configuration...

Current configuration : 6200 bytes
!
! Last configuration change at 13:36:19 ARG Sat Mar 11 2023
! NVRAM config last updated at 13:43:58 ARG Sat Mar 11 2023
! NVRAM config last updated at 13:43:58 ARG Sat Mar 11 2023
version 15.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname PoCWGB01_MOVIL
!
!
logging rate-limit console 9
enable secret <removed>
!
no aaa new-model
clock timezone ARG -3 0
no ip source-route
no ip cef
ip name-server 10.0.0.21
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid indnet
authentication open eap POC-PEAP-CERT
authentication key-management wpa version 2
dot1x credentials POC-CREDS
dot1x eap profile POC-PEAP
infrastructure-ssid
!
!
!
!
eap profile POC-PEAP
method peap
!
no ipv6 cef
!
crypto pki trustpoint POC-PEAP-CERT
enrollment terminal
revocation-check none
!
!
crypto pki certificate chain POC-PEAP-CERT
certificate ca 0AC9C70E9F0471A14C9054FD51188504
30820614 308203FC A0030201 0202100A C8C70E9F 0471A14C 9954FD51 18850430
<removed>
36ABC0D2 7AC7E33B 267735A3 9E0028AB 917294B3 CE777CC4
quit
dot1x credentials POC-CREDS
username pocuser
password <removed>
pki-trustpoint POC-PEAP-CERT
!
username pocadmin privilege 15 password <removed>
!
!
bridge irb
!
!
!
interface Dot11Radio0
description Connection to indnet in 2.4Ghz
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid indnet
!
antenna gain 0
station-role workgroup-bridge
mobile station scan 2412 2437 2462
mobile station ignore neighbor-list
mobile station period 20 threshold 70
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
shutdown
antenna gain 0
peakdetect
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface GigabitEthernet1
no ip address
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
mac-address 6c31.0e70.5a44
ip address dhcp client-id GigabitEthernet0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
sntp server 10.0.0.31
end

PoCWGB01_MOVIL#

@balaji.bandi I'm going to test this WGB against RAP and MAP APs, some of them on AireOS WLCs, others on 9800.

Thank you @balaji.bandi and @Rich R for your replies, they were very helpful.

Best regards,

LeoC.

Glad to hear you got it working.

Thanks for sharing your configs to help anybody else trying to do the same thing.

@balaji.bandi I'm going to test this WGB against RAP and MAP APs, some of them on AireOS WLCs, others on 9800.

Thank you @balaji.bandi and @Rich R for your replies, they were very helpful.

Glad to know, and I know @Rich R is always helpful and more focused on wireless stuff, and he guides in the right direction with his comments.

If all is good and no assistance is required, can we mark it as resolved?

 

BB
