In this post we will see how to configure a wireless bridge (Root & Non-Root Bridge) with EAP-FAST security. Here is the basic topology for the post; I have used two 1310 APs running the 12.4(25d)JA software version.
Here is the G1/0/6 configuration of the C3750-1 switch. Since the wireless bridge has to carry traffic for multiple VLANs (in my case 20-21), the port has to be configured as a trunk.
hostname C3750-1
!
ip dhcp excluded-address 192.168.21.1 192.168.21.50
ip dhcp excluded-address 192.168.21.254
ip dhcp pool VLAN21
 network 192.168.21.0 255.255.255.0
 default-router 192.168.21.254
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
interface Vlan21
 ip address 192.168.21.254 255.255.255.0
!
interface GigabitEthernet1/0/6
 description 1310-1 (ROOT BRIDGE)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk
Here is the Root Bridge configuration without any security configured. Later on we will add EAP-FAST to it. Note that the native VLAN (20) has to be configured with bridge-group 1. Also the SSID is configured as "infrastructure-ssid" to ensure only infrastructure devices (no normal clients) can associate to it.
hostname 1310-1
!
dot11 ssid BRIDGE
 vlan 20
 authentication open
 infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface FastEthernet0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.13 255.255.255.0
ip default-gateway 192.168.20.254
Here is the Non-Root Bridge configuration:
hostname 1310-2
!
dot11 ssid BRIDGE
 vlan 20
 authentication open
 infrastructure-ssid
!
interface Dot11Radio0
 ssid BRIDGE
 station-role non-root bridge
!
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface Dot11Radio0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface FastEthernet0.21
 encapsulation dot1Q 21
 bridge-group 21
!
interface BVI1
 ip address 192.168.20.14 255.255.255.0
ip default-gateway 192.168.20.254
With this configuration you should see your non-root bridge associating to your root bridge (note the [None] in the uplink message and "Key Mgmt type : NONE" / "Encryption : Off" in the association details: the link is still open at this point).
1310-2#
Nov 8 20:39:46.316: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP 1310-1 001b.2a30.48b0 [None]

1310-1#sh dot11 ass
802.11 Client Stations on Dot11Radio0:

SSID [BRIDGE] :

MAC Address    IP address      Device        Name            Parent         State
001b.2a30.48c0 192.168.20.14   bridge        1310-2          self           Assoc

1310-1#sh dot11 ass 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : Off

State             : Assoc              Parent           : self
SSID              : BRIDGE             VLAN             : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : NONE               Encryption       : Off
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75 dBm            Connected for    : 80 seconds
Signal to Noise   : 24 dB              Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 3341               Packets Output   : 10247
Bytes Input       : 378995             Bytes Output     : 1405473
Duplicates Rcvd   : 0                  Data Retries     : 521
Decrypt Failed    : 0                  RTS Retries      : 12
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Here is the R2960 switch configuration. I have given the switch a management IP from VLAN 20.
hostname R2960
!
interface GigabitEthernet0/2
 switchport access vlan 21
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/8
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,21
 switchport mode trunk
!
interface Vlan20
 ip address 192.168.20.15 255.255.255.0
!
ip default-gateway 192.168.20.254
If you define DHCP for VLAN 21 (or statically assign an IP to the laptop), you should see the laptop get an IP from the 192.168.21.0/24 network. In my case the laptop got the 192.168.21.51 IP address, and I can ping it from my C3750-1 switch.
C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
As long as this works you can move on to adding security to this configuration. First we will configure 1310-1 (the root bridge) as the local RADIUS server. If you are using an AP as the RADIUS server, you can configure LEAP, EAP-FAST or MAC authentication methods. In this example we will disable LEAP & MAC authentication, leaving only EAP-FAST. For the highest security we have used WPA2/AES.
aaa new-model
aaa group server radius RAD-GROUP
 server 192.168.20.13 auth-port 1812 acct-port 1813
aaa authentication login EAP-METHODS group RAD-GROUP
radius-server local
 no authentication leap
 no authentication mac
 nas 192.168.20.13 key 0 MRN-CCIEW
 user nonroot password nonrootpw
radius-server host 192.168.20.13 auth-port 1812 acct-port 1813 key 0 MRN-CCIEW
dot11 ssid BRIDGE
 authentication open eap EAP-METHODS
 authentication network-eap EAP-METHODS
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
Then we can configure the Non-Root Bridge with the EAP-FAST credentials we defined on the Root Bridge.
1310-2(config)#eap profile FAST
1310-2(config-eap-profile)#method ?
  fast      EAP-FAST method allowed
  gtc       EAP-GTC method allowed
  leap      EAP-LEAP method allowed
  md5       EAP-MD5 method allowed
  mschapv2  EAP-MSCHAPV2 method allowed
  tls       EAP-TLS method allowed
1310-2(config-eap-profile)#method fast
1310-2(config)#dot1x credentials FAST
1310-2(config-dot1x-creden)#username nonroot
1310-2(config-dot1x-creden)#password nonrootpw
!
1310-2(config)#dot11 ssid BRIDGE
1310-2(config-ssid)#authentication open eap EAP-METHODS
1310-2(config-ssid)#authentication network-eap EAP-METHODS
1310-2(config-ssid)#authentication key-management wpa version 2
1310-2(config-ssid)#dot1x eap profile FAST
1310-2(config-ssid)#dot1x credentials FAST
!
1310-2(config-ssid)#interface Dot11Radio0
1310-2(config-if)# encryption vlan 20 mode ciphers aes-ccm
Once you do this, you should see your Non-Root Bridge associated with the Root Bridge using EAP-FAST; the uplink message now reports [EAP-FAST WPAv2], and the association details show "Key Mgmt type : WPAv2" with "Encryption : AES-CCMP".
1310-2(config-if)#
Nov 8 21:16:51.796: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Nov 8 21:16:52.063: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP 1310-1 001b.2a30.48b0 [EAP-FAST WPAv2]

1310-1#
Nov 8 21:11:42.430: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 1310-2 001b.2a30.48c0 Associated KEY_MGMT[WPAv2]

1310-1#sh dot11 associations 001b.2a30.48c0
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Software Version : 12.4
CCX Version       : 5                  Client MFP       : On

State             : EAP-Assoc          Parent           : self
SSID              : BRIDGE             VLAN             : 20
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 1                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates       : disabled           Bandwidth        : 20 MHz
Signal Strength   : -75 dBm            Connected for    : 214 seconds
Signal to Noise   : 24 dB              Activity Timeout : 30 seconds
Power-save        : Off                Last Activity    : 1 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 41                 Packets Output   : 365
Bytes Input       : 4556               Bytes Output     : 42485
Duplicates Rcvd   : 0                  Data Retries     : 2
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0
Packets Redirected: 0                  Redirect Filtered: 0
Session timeout   : 0 seconds          Reauthenticate in : never
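As an added check (this script is not part of the original post), the following Python parses the two-column "show dot11 associations <mac>" output and flags a bridge link that is still running open, as in the first output above, versus one that negotiated EAP-FAST with WPAv2/AES-CCMP. The sample outputs are constructed from the values shown in this post, and the expected values are assumptions that follow the post's own configuration.

```python
import re

# Constructed samples (two-column layout of "show dot11 associations <mac>"
# on a 1310 root bridge), trimmed to the fields the audit looks at.
# Values match the before/after outputs shown in the post.
OPEN_LINK = """\
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Client MFP       : Off
State             : Assoc              Parent           : self
Key Mgmt type     : NONE               Encryption       : Off
"""

EAP_FAST_LINK = """\
Address           : 001b.2a30.48c0     Name             : 1310-2
IP Address        : 192.168.20.14      Interface        : Dot11Radio 0
Device            : bridge             Client MFP       : On
State             : EAP-Assoc          Parent           : self
Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
"""

# One "Key : Value" pair; the value ends at a run of 2+ spaces or end of line,
# so two pairs on the same line are picked up separately.
FIELD_RE = re.compile(r"([A-Za-z][^:\n]*?)\s*:\s*(\S+(?: \S+)*)")


def parse_association(text):
    """Flatten the two-column IOS output into a {field: value} dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}


# Assumed expected values for a bridge link secured as the post describes.
EXPECTED = {
    "State": "EAP-Assoc",      # EAP completed, not a plain open "Assoc"
    "Key Mgmt type": "WPAv2",  # authentication key-management wpa version 2
    "Encryption": "AES-CCMP",  # encryption vlan 20 mode ciphers aes-ccm
    "Client MFP": "On",        # management frame protection negotiated
}


def audit_association(text):
    """Return a list of findings; an empty list means the link meets EXPECTED."""
    fields = parse_association(text)
    findings = []
    for key, want in EXPECTED.items():
        got = fields.get(key, "<missing>")
        if got != want:
            findings.append(f"{fields.get('Name', '?')}: {key} is {got}, expected {want}")
    return findings
```

Running audit_association over the output of each bridge link lets you catch a bridge that silently fell back to an open association after a config change.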
So now your wireless bridge connection is more secure. Make sure you can still ping the remote client:
C3750-1#ping 192.168.21.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.21.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Hope this is useful for you.
