This config was used on a pair of Cisco 1242 access points where I was using the dot11 radio 0 (2.4GHz) interface for the bridge link. The same configuration can be used on the dot11radio 1 (5GHz) interface as well, just substitute the interface name of your choosing into the following template.
The configuration commands below are all that is necessary to establish a working bridge link secured with EAP-FAST authentication and WPAv2 security.
The configuration is also sorted into the order in which the commands can be configured via the CLI over a console connection. The commands will show up in their proper place when you execute the show run command after you've applied the configuration. Don't forget to wr when you're done!
hostname ROOT_AP
aaa new-model
!
radius-server host [ROOT AP IP ADDRESS] auth-port 1812 acct-port 1813 key 0 [RADIUSKEY]
!
aaa group server radius [SERVER GROUP NAME]
server [ROOT AP IP ADDRESS] auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group [SERVER GROUP NAME]
!
radius-server local
nas [ROOT AP IP ADDRSS] key 0 [RADIUSKEY]
user [USERNAME] password 0 [PASSWORD]
!
access-list 700 permit [NONROOT DOT11 0 INTERFACE MAC ADDRESS] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!
dot11 association mac-list 700
!
dot11 ssid [BRIDGE LINK SSID]
vlan [VLAN NUMBER]
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
infrastructure-ssid
!
interface Dot11Radio0
!
encryption vlan [VLAN NUMBER] mode ciphers aes-ccm
!
station-role root bridge
l2-filter bridge-group-acl
!
interface Dot11Radio0.[VLAN NUMBER]
encapsulation dot1Q [VLAN NUMBER] native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
!
interface FastEthernet0.[VLAN NUMBER]
encapsulation dot1Q [VLAN NUMBER] native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address [IP ADDRESS] [SUBNET MASK]
!
ip default-gateway [DEFAULT GATEWAY IP ADDRESS]
---------
hostname NONROOT_AP!
eap profile [PROFILE NAME]
method fast
dot1x credentials [PROFILE NAME]
username [USERNAME]
password 0 [PASSWORD]
!
access-list 700 permit [ROOT DOT11 0 INTERFACE MAC ADDRESS] 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
!
dot11 association mac-list 700
!
dot11 ssid [BRIDGE LINK SSID]
vlan [VLAN NUMBER]
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
dot1x credentials [PROFILE NAME]
dot1x eap profile [PROFILE NAME]
infrastructure-ssid
!
interface Dot11Radio0.[VLAN NUMBER]
encapsulation dot1Q [VLAN NUMBER] native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
!
interface FastEthernet0.[VLAN NUMBER]
encapsulation dot1Q [VLAN NUMBER] native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address [IP ADDRESS] [SUBNET MAKS]
!
ip default-gateway [DEFAULT GATEWAY IP ADDRESS]
I frequently work in a railyard environment where bridging is essential. The 1242 is one of my favorites for creating bridge links. I use the 5.0GHz radio for the bridge and the 2.4GHz radio for client coverage on the far-side... as well as on the near side. This way I can use two devices where we used to use four and the bridge channel doesn't affect the channels available for client coverage.
ReplyDeleteHello,
ReplyDeleteThank you for the awesome blogpost! There is very little documentation on this and it's nice to see a complete config available for reference.
I have a couple of doubts in the config:
1) The use of "Infrastructure-ssid" in the ROOT AP. Is this required? AFAIK, one must enable this command only on the non-root bridge?
2) The use of "Infrastructure-ssid" on the NON-ROOT BRIDGE . In case of plain 'ol "station-role non-root bridge" , i don't think infrstructure-ssid is needed on the non-root bridge. Only when the "wireless-clients" keyword is added to the station-role command, do we need to specify the SSID as the infrastructure SSID.
I would love to hear your thoughts on this.
Regards,
TacACK