Cisco enabled the WGB feature on Wave2 APs (only the 2800/3800/1560 series) from AireOS 8.8.x onward. Traditionally, the WGB feature was supported only in Autonomous mode on IOS-based APs. There are no autonomous images available for COS-based APs (Click OS APs: 1800/2800/3800/4800).
In this post, we will configure a 3802 as a WGB with 802.1X (PEAP). Here is the topology for this post. The 802.1X SSID is configured with central switching. The WGB and the wired client behind it get IP addresses via DHCP from the central site (192.168.99.x/24).
Here is the 3802 image version being used in this testing.
AP3802#show version
cisco AIR-AP3802I-Z-K9 ARMv7 Processor rev 1 (v7l) with 1028252/557172K bytes of memory.
Processor board ID FGL2201A3U2
AP Running Image : 8.10.122.0
Primary Boot Image : 8.10.122.0
Backup Boot Image : 8.10.121.0
.
Radio Driver version : 9.0.5.5-W8964
Radio FW version : 9.1.8.1
NSS FW version : 2.4.28
If you followed my previous post on WGB with PEAP on an Autonomous AP, you will have seen the config steps shown below:
- Configure a Trust Point on AP
crypto pki trustpoint MRN_TRUST
 enrollment terminal
 subject-name CN=WGB
 revocation-check none
 rsakeypair WGB 2048
- Upload Root CA for configured Trust Point
WGB#crypto pki authenticate MRN_TRUST
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
quit
- Configure 802.X credential profile
dot1x credentials MRN-CRD
 username xxx
 password xxxx
 pki-trustpoint MRN_TRUST
- Configure EAP Profile
eap profile MRN-PRO
 method peap
- Configure SSID and map EAP/802.1X Profile
dot11 ssid mrn-wpa2e
 authentication open eap MRN_TRUST
 authentication key-management wpa version 2
 dot1x credentials MRN-CRD
 dot1x eap profile MRN-PRO
 infrastructure-ssid
- Change Radio station-role to WGB and assign SSID
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid mrn-wpa2e
 station-role workgroup-bridge
Before you configure WGB settings on the 3802, you have to change the AP mode to WGB. The AP will be reloaded, and then you can configure the WGB-specific settings.
AP3802>enable
AP3802#ap-type ?
  capwap            Switch to CAPWAP AP type
  cloud             Switch to cloud AP type
  mobility-express  Switch to Mobility Express AP type
  workgroup-bridge  Switch to Workgroup Bridge(WGB) AP type
AP3802#ap-type workgroup-bridge
WGB is a wireless client that serve as nonroot ap for wired clients.
AP is the Master/CAPWAP AP, system will need a reboot when ap type is changed to WGB.
Do you want to proceed? (y/N): y
Once converted to WGB, configuration is done simply by starting each command with the “configure” keyword. The different configuration options available are shown below.
AP3802#configure ?
  ap            AP commands for IPv4/6 Configuration
  boot          Set boot parameters
  clock         Manage the system clock
  crypto        Encryption module
  dot11Radio    Dot11 radio interface
  dot1x         IEEE 802.1X global configuration commands
  eap-profile   EAP global configuration commands
  ntp           Configure NTP
  security      security information
  ssh           Configures secure shell operation
  ssid-profile  Configure SSID profile information
  wgb           Workgroup-bridge configuration
It is important to configure accurate time, especially if you are using 802.1X, since the CA certificate's validity period is checked against the WGB clock. You can do it using the “configure clock” CLI command. It is a good idea to sync it with an NTP server.
AP3802#configure clock
  set       Set the time and date
  timezone  Configure time zone
AP3802#configure clock set 14:21:19 7 4 2020
Sat Jul 4 14:21:19 AEST 2020
AP3802#show clock
*14:21:26 AEST Sat Jul 4 2020
AP3802#configure ntp server 192.168.100.1
You can configure the Trust Point and its associated parameters as shown below. In this case, the enrollment type is chosen as “terminal”. By using the “authenticate” option, you can load the CA root certificate onto the WGB.
AP3802#configure crypto pki trustpoint MRN_TRUST
  allow-expired-cert  Allow expired certificates to be accepted
  authenticate        Get the CA certificate
  auto-enroll         Configure auto-enroll
  delete              Delete a CA trustpoint
  enroll              Request a certificate from a CA
  enrollment          Enrollment parameters
  import              Import certificate
  key-size            Private key size
  subject-name        Subject Name
AP3802#configure crypto pki trustpoint MRN_TRUST enrollment terminal
!
AP3802#configure crypto pki trustpoint MRN_TRUST authenticate
Enter the base 64 encoded CA certificate.
....And end with the word "quit" on a line by itself....
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
quit
Certificate has the following attributes:
MD5 Fingerprint=26:5A:98:E9:99:6A:3A:4A:80:47:80:B1:1F:37:8F:5C
SHA1 Fingerprint=4D:84:64:C9:34:0F:0F:FB:8F:23:E0:A6:96:14:CF:9B:49:1B:EF:D4
PKI trustpoint configuration has been saved successfully
You can verify the certificate details as shown below (the complete output is not shown).
AP3802#show crypto pki trustpoint
Crypto PKI trustpoints are:-
================================================================
Trustpoint name : MRN_TRUST
Enrollment method : Terminal
CA-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_ca.pem
Client-Cert file : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_client.pem
Subject : C=AU,ST=VIC,L=MERNDA,O=MRN,OU=IT,CN=wgb.mrn.local,emailAddress=wgb@mrn.local
Key size : 2048
AP3802#show crypto pki trustpoint MRN_TRUST certificate
CA Certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:1b:8f:c5:3a:34:8a:a8:45:d3:8d:56:91:64:81:8e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mrnRootCA
        Validity
            Not Before: Aug 31 16:09:05 2019 GMT
            Not After : Aug 31 16:19:04 2029 GMT
You can configure the 802.1X credential profile as shown below. You can delete a configured profile by using the “delete” keyword after the credential profile name in the same config line.
AP3802#configure dot1x credential
  WORD  Specify a profile name
AP3802#configure dot1x credential MRN-CRD
  delete    Delete the dot1x credential profile
  username  Configure 802.1X username
AP3802#configure dot1x credential MRN-CRD username wgb
  password  Configure 802.1X password
AP3802#configure dot1x credential MRN-CRD username wgb password xxxx
Next, configure an EAP profile: specify the EAP method you would like to use and attach the trust point to that EAP profile. You also have to link the dot1x credential profile configured in the previous step.
AP3802#configure eap-profile
  WORD  Specify a profile name (max 32 characters)
AP3802#configure eap-profile MRN-PRO
  delete            Delete the EAP profile
  dot1x-credential  Configure 802.1X credentials profile
  method            EAP method type
  trustpoint        Attach CA trustpoint
AP3802#configure eap-profile MRN-PRO method
  fast  fast method
  leap  leap method
  peap  peap method
  tls   eap-tls method
AP3802#configure eap-profile MRN-PRO method peap
!
AP3802#configure eap-profile MRN-PRO trustpoint
  default  To use MIC certificate
  name     To use CA trustpoint
AP3802#configure eap-profile MRN-PRO trustpoint name
  WORD  Trustpoint Name
AP3802#configure eap-profile MRN-PRO trustpoint name MRN_TRUST
AP3802#configure eap-profile MRN-PRO dot1x-credential MRN-CRD
You can verify your EAP Profile configuration as shown below. By using the “all” keyword you can verify both dot1x credential & eap profile configurations.
AP3802#show wgb eap profile
  all   Shows both EAP and dot1x profile details
  <cr>
AP3802#show wgb eap profile all
EAP Profiles are:-
====================================
Profile Name     : MRN-PRO
Method           : PEAP
Trustpoint       : MRN_TRUST
Dot1x Credential : MRN-CRD

Dot1x Profiles are:-
====================================
Dot1x Credential : MRN-CRD
Username         : wgb
Next, you can configure the SSID with the necessary security method (Open, PSK or EAP). You can configure PMF and 802.11r if needed. My configuration simply enables WPA2 with EAP.
AP3802#configure ssid-profile
  WORD  <Enter ssid profile name>
AP3802#configure ssid-profile 1X
  delete  Delete the ssid profile
  ssid    Configure radio service set parameters
AP3802#configure ssid-profile 1X ssid mrn-wpa2e
  authentication  authentication method
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication
  eap   Dot1x method
  open  open method
  psk   Pre-shared key method
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap
  profile  EAP profile configuration
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO
  key-management  key management
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO key-management
  dot11r  802.11r Fast BSS Transition
  dot11w  11w PMF Client Configuration
  wpa2    allow WPA Version 2 clients
AP3802#configure ssid-profile 1X ssid mrn-wpa2e authentication eap profile MRN-PRO key-management wpa2
AP3802#configure dot11radio 1 encryption mode ciphers aes-ccm
Finally, you can map the SSID profile to the radio interface while configuring it for WGB mode. After modifying the radio interface configuration, disable and re-enable the radio interface for the change to take effect.
AP3802#configure dot11radio 1
  antenna     Configure dot11 radio antenna settings
  disable     Disabile the selected radio interface
  enable      Enable the selected radio interface
  encryption  Configure dot11 encryption parameters
  mode        Mode of the radio
AP3802#configure dot11radio 1 mode
  root-ap  Root access point or bridge
  uwgb     Universal Client
  wgb      Workgroup-bridge
AP3802#configure dot11radio 1 mode wgb
  ssid-profile  SSID Profile to be mapped
AP3802#configure dot11radio 1 mode wgb ssid-profile
  WORD  <Enter the configured ssid profile name>
AP3802#configure dot11radio 1 mode wgb ssid-profile 1X
AP3802#configure dot11radio 1 enable
With this configuration, your client (the WGB) should be able to connect to your SSID (assuming your WLC is configured properly with an 802.1X SSID).
You can use the “show wgb < >” CLI commands to verify connectivity details from the WGB itself.
AP3802#show wgb ?
bridge Bridge Forwarding/Filtering Database [verbose]
dot11 IEEE 802.11 show information
dot11v 802.11v info
eap Shows EAP information
forwarding WGB Forwarding
mobile Current mobile station
ssid show configured and connected SSID details
statistic Packet statistics
wifi WGB frameware wifi0
You can verify the connected SSID details using the “show wgb ssid” CLI command.
AP3802#show wgb ssid
Configured SSIDs details:
SSID-Profile SSID Authentication
=======================================================
1X mrn-wpa2e DOT1X
Connected SSIDs details:
Radio ID : 1
Radio Mode : WGB
BSSID : 2C:57:41:52:B0:CB
SSID : mrn-wpa2e
Authentication : DOT1X
You can verify the WGB IP address using the “show wgb dot11 associations” CLI command.
AP3802#show wgb dot11 associations
Uplink Radio ID : 1
Uplink Radio MAC : 00:A7:42:BF:CD:6F
SSID Name : mrn-wpa2e
Parent AP Name : AP9130-2
Parent AP MAC : 2C:57:41:52:B0:CB
Uplink State : CONNECTED
Auth Type : DOT1X
EAP Method Name : PEAP
Key management Type : WPA2
Channel : 100
IP : 192.168.99.151/24
Default Gateway : 192.168.99.1
DNS Server1 : 192.168.100.101
Domain : mrn.local
IPV6 : ::/128
Dot11 type : 11ac
Assoc timeout : 5000 Msec
Auth timeout : 5000 Msec
Dhcp timeout : 60 Sec
RSSI : 29
From the WLC end, you can verify the client as well. Here is the WLC client detail:
(vwlc) >show client summary
Number of Clients................................ 2
Number of EoGRE Clients.......................... 0
MAC Address AP Name Slot Status WLAN Auth Protocol Port Wired Tunnel Role
----------------- ---------- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
00:a7:42:bf:cd:6f AP9130-2 1 Associated 19 Yes 802.11ac(5 GHz) 1 N/A No Local
d4:81:d7:bb:15:b3 AP9130-2 1 Associated 19 Yes N/A 1 N/A No Local
(vwlc) >show client detail 00:a7:42:bf:cd:6f
Client MAC Address............................... 00:a7:42:bf:cd:6f
Client Username ................................. WGB
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Cisco-Device
AP MAC Address................................... 2c:57:41:52:b0:c0
AP Name.......................................... AP9130-2
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ WGB
Client NAC OOB State............................. Access
Workgroup Bridge................................. 1 client(s)
Wireless LAN Id.................................. 19
Wireless LAN Network Name (SSID)................. mrn-wpa2e
Wireless LAN Profile Name........................ wpa2e
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 23547 secs
BSSID............................................ 2c:57:41:52:b0:cb
Channel.......................................... 100
IP Address....................................... 192.168.99.151
.
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
FlexConnect Data Switching....................... Central
Here is the wired client detail for the client behind the WGB:
(vwlc) >show client detail d4:81:d7:bb:15:b3
Client MAC Address............................... d4:81:d7:bb:15:b3
Client Username ................................. N/A
Client Webauth Username ......................... N/A
Hostname: .......................................
Device Type: .................................... Dell-Device
AP MAC Address................................... 2c:57:41:52:b0:c0
AP Name.......................................... AP9130-2
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... None
Client User Group................................
Client NAC OOB State............................. Access
Workgroup Bridge Client.......................... WGB: 00:a7:42:bf:cd:6f
Wireless LAN Id.................................. 19
Wireless LAN Network Name (SSID)................. mrn-wpa2e
Wireless LAN Profile Name........................ wpa2e
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 23651 secs
BSSID............................................ 2c:57:41:52:b0:cb
Channel.......................................... 100
IP Address....................................... 192.168.99.152
Gateway Address.................................. 192.168.99.1
Netmask.......................................... 255.255.255.0
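To turn the two verification steps above (“show wgb dot11 associations” on the WGB and “show client detail” on the WLC) into a repeatable check, here is an added Python example, not code from this post or from Cisco. The sample lines are copied from the outputs above; the expected values and the PMF warning are this example's own policy, chosen to match what the post configures.

```python
"""Audit WGB-side and WLC-side 'show' output for the expected PEAP posture."""
import re

# Sample lines copied from the post's own output (trimmed to the fields checked).
WGB_SAMPLE = """\
Uplink State : CONNECTED
Auth Type : DOT1X
EAP Method Name : PEAP
Key management Type : WPA2
IP : 192.168.99.151/24
"""
WLC_SAMPLE = """\
Client Username ................................. WGB
User Authenticated by ........................... RADIUS Server
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP-128 (AES)
Protected Management Frame ...................... No
EAP Type......................................... PEAP
"""

# WGB prints "Key : Value"; AireOS prints "Key......... Value" with a dotted leader.
LINE_RE = re.compile(r"^\s*(.+?)\s*(?:\.{3,}|:)\s*(.*?)\s*$")


def parse_show(text):
    """Turn either output style into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip(". ")
    return fields


# Expected values are this example's policy, matching what the post configures.
EXPECTED_WGB = {"Uplink State": "CONNECTED", "Auth Type": "DOT1X",
                "EAP Method Name": "PEAP", "Key management Type": "WPA2"}
EXPECTED_WLC = {"User Authenticated by": "RADIUS Server", "Policy Type": "WPA2",
                "Authentication Key Management": "802.1x", "EAP Type": "PEAP",
                "Encryption Cipher": "CCMP-128 (AES)"}


def audit(wgb_text, wlc_text):
    """Return (failures, warnings) after checking both sides against policy."""
    wgb, wlc = parse_show(wgb_text), parse_show(wlc_text)
    failures, warnings = [], []
    for side, got, want in (("WGB", wgb, EXPECTED_WGB), ("WLC", wlc, EXPECTED_WLC)):
        for key, value in want.items():
            if got.get(key) != value:
                failures.append("%s: %s is %r, expected %r" % (side, key, got.get(key), value))
    # The post leaves 802.11w unconfigured; surface it so that it is a deliberate choice.
    if wlc.get("Protected Management Frame", "No") == "No":
        warnings.append("WLC: Protected Management Frame is No (802.11w not enabled)")
    return failures, warnings


if __name__ == "__main__":
    for line in sum(audit(WGB_SAMPLE, WLC_SAMPLE), []):
        print(line)
```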
If you compare an IOS-based AP to a Click OS-based AP (Wave2 AP), you will notice that Wave2 APs support newer encryption methods (128/256-bit AES with CCMP/GCMP). During AP boot-up you can see these encryption methods being verified:
[*07/04/2020 05:18:40.5336] Preparing to set HW specs
[*07/04/2020 05:18:40.5339] FIPS enc aes-ccmp Verified
[*07/04/2020 05:18:40.5340] FIPS dec aes-ccmp Verified
[*07/04/2020 05:18:40.5341] FIPS enc aes-ccmp-256 Verified
[*07/04/2020 05:18:40.5342] FIPS dec aes-ccmp-256 Verified
[*07/04/2020 05:18:40.5343] FIPS enc aes-gcmp Verified
[*07/04/2020 05:18:40.5344] FIPS dec aes-gcmp Verified
[*07/04/2020 05:18:40.5345] FIPS enc aes-gcmp-256 Verified
[*07/04/2020 05:18:40.5347] FIPS dec aes-gcmp-256 Verified
If you capture wireless traffic while the WGB associates with the 802.1X SSID, you will see that it uses TLS 1.2 (RFC 5246) when it establishes the secure tunnel for the inner EAP exchange. With traditional IOS APs (e.g. a 3702) you will only see TLS 1.0 (RFC 2246) support. In that way, these latest APs provide better security when used as a WGB.
Here is the packet capture (mrn-3802-wgb-peap.pcapng) of my 3802 in WGB mode connecting to the “mrn-wpa2e” SSID. Please note it is filtered on the WGB MAC address and excludes control frames for simplicity.
The “Client Hello” message coming from the WGB lists all the cipher suites it supports (55 are listed in frame #13).
In my case, the RADIUS server (Cisco ISE) dictates which of those cipher suites is used for TLS tunnel establishment. Refer to the “Server Hello” message in frame #22. You can see “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)” selected by the RADIUS server as the TLS cipher suite. It uses ECDHE for key exchange with ECDSA as the signing algorithm, AES-256-GCM for encryption and SHA384 for message integrity.
Here is what you see with a traditional IOS AP as WGB (a 3702 in my case), where it only supports TLS 1.0. As you can see in its “Client Hello”, it only supports RSA for authenticated key exchange, AES-128-CBC is the strongest encryption cipher offered (the weaker RC4 and 3DES are supported too), and SHA-1 is used for message integrity.
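To make the Client Hello comparison above concrete, here is an added Python example (not from the post, the capture, or Cisco) that grades IANA cipher suite names the way the post reads them: forward secrecy plus an AEAD cipher is “modern”, RC4/3DES/MD5 is “weak”, and everything in between (static RSA key exchange, CBC with SHA-1) is “legacy”. The two offer lists are constructed from the post's description of the 3802 and 3702 captures, not copied from the pcap.

```python
"""Grade the cipher suites a PEAP supplicant offers in its TLS Client Hello."""
import re

# Primitives that make a suite unacceptable regardless of the rest of it.
WEAK_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "ANON"}
AEAD_MODES = {"GCM", "CCM", "CHACHA20", "POLY1305"}

# Constructed offers based on the post's description of the two captures, not
# the pcap itself (the 3802 frame lists 55 suites; only a few are shown here).
WAVE2_3802_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",   # 0xc02c, the suite ISE selected
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
IOS_3702_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]


def parse_suite(name):
    """Split an IANA suite name into (key exchange, cipher, MAC/PRF) parts."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_(.+)_(SHA\d*|MD5)", name)
    if not m:
        raise ValueError("not an IANA cipher suite name: " + name)
    return m.group(1).upper(), m.group(2).upper(), m.group(3)


def grade_suite(name):
    """Return 'weak', 'legacy' or 'modern' for one cipher suite."""
    kx, enc, mac = parse_suite(name)
    tokens = set(kx.split("_")) | set(enc.split("_")) | {mac}
    if tokens & WEAK_TOKENS:
        return "weak"      # RC4/3DES/MD5 etc., as still offered by the 3702
    forward_secret = kx.startswith(("ECDHE", "DHE"))
    aead = bool(set(enc.split("_")) & AEAD_MODES)
    if forward_secret and aead:
        return "modern"    # (EC)DHE + AEAD, e.g. the suite ISE picked for the 3802
    return "legacy"        # static RSA and/or CBC with SHA-1: works, no forward secrecy


def summarize_offer(suites):
    """Count grades in a Client Hello offer and list the weak suites by name."""
    counts = {"weak": 0, "legacy": 0, "modern": 0}
    for s in suites:
        counts[grade_suite(s)] += 1
    weak = [s for s in suites if grade_suite(s) == "weak"]
    return counts, weak


def server_choice_ok(offer, selected):
    """True when the server picked a suite the client offered and it grades modern."""
    return selected in offer and grade_suite(selected) == "modern"
```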
You can see the complete configuration using the “show configuration” or “show run” CLI command, as shown below.
AP3802#show running-config
AP Name             : AP3802
AP Mode             : WorkGroupBridge
CDP State           : Enabled
Watchdog monitoring : Enabled
SSH State           : Enabled
AP Username         : admin
Session Timeout     : 900
NTP server ip       : 192.168.100.1

Radio and WLAN-Profile mapping:-
====================================
Radio ID  Radio Mode  SSID-Profile  SSID       Authentication  Method  Dot1x UserName
-------------------------------------------------------------------------------------
0         RootAP      DEFAULT_SSID  NA
1         WGB         1X            mrn-wpa2e  DOT1X           PEAP    WGB

Radio configurations:-
===============================
Radio Id        : 0
Admin state     : DISABLED
Mode            : RootAP
Radio Id        : 1
Admin state     : ENABLED
Mode            : WGB
Dot11 type      : 11ac
Encryption mode : AES128

WGB specific configuration:-
====================================
WGB Radio Id             : 1
Mode State               : Enable
SSID Profile             : 1X
UWGB Radio Id            : NA
Mode Enable              : NA
SSID Profile             : NA
MAC Address              : NA
Rx Beacon Missing Count  : 0
Packet retries Value     : 64
RSSI Threshold Value     : -70 dBm
Threshold timeout        : 20 sec
HSR-Scan status          : Disable
Auth response timeout    : 5000 Msec
Assoc response timeout   : 5000 Msec
WGB channel scan timeout : 40 Msec
Dhcp response timeout    : 60 Sec
EAP timeout              : 3000 Msec
Bridge table aging-time  : 300 Sec
Probe pak data rate type : NA
Probe pak data rate      : 0
Antenna Band Mode        : Dual
Broadcast tagging        : Disable

Total SSID profiles configured are:
===========================================
SSID-Profile      : 1X
SSID Name         : mrn-wpa2e
SSID Profile path : /data/platform/wbridge/1X
Auth type         : DOT1X
EAP Method        : PEAP
Dot1x username    : WGB
Key management    : WPA2

EAP Profiles are:-
====================================
Profile Name     : MRN-PRO
Method           : PEAP
Trustpoint       : MRN_TRUST
Dot1x Credential : MRN-CRD

Dot1x Profiles are:-
====================================
Dot1x Credential : MRN-CRD
Username         : wgb

Crypto PKI trustpoints are:-
================================================================
Trustpoint name   : MRN_TRUST
Enrollment method : Terminal
CA-Cert file      : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_ca.pem
Client-Cert file  : /storage/wbridge_pki_cert/MRN_TRUST/MRN_TRUST_client.pem
Subject           : C=AU,ST=VIC,L=MERNDA,O=MRN,OU=IT,CN=wgb.mrn.local,emailAddress=wgb@mrn.local
Key size          : 2048
*** End of WBridge configurations ***
You can refer to the Cisco configuration guide for the applicable WGB commands on a Wave2 AP.
I will do a bit more testing with EAP-TLS on WGB and do a post in the near future.