Anyone ever setup a wireless bridge with Cisco AP?

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
I've got setting up our wireless APs for regular use down pat, but now they are wanting to bridge two APs together from one location to another and I've never done this. This is Cisco-specific so I need to know how to do it on a Cisco router (1200 series specifically)...

Anyone know how or at least point me to a website?

I set up both routers identically to a regular AP setup here and then changed one router to be the root bridge and set the other to be the non-root bridge. When I do that the root station says 'Authentication failed' and the non-root says 'Interface Dot11Radio0, No username/password supplied for uplink authentication'

I'm not sure where on both APs to create a username and put the username.

Thanks.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
What encryption and cipher are you using?

Looks like you may be doing WPA.

It's really pretty straightforward. I'll find a link for you.
 

cpals

Here's how I set up our normal AP config:

Under Encryption Tab:
Cipher - TKIP

Under Server Manager:
We connect to a RADIUS server (running Server 2003)
Default Server Priorities - EAP and Accounting both have the Radius IP

Under SSID Manager:
I choose:
Open Authentication - With EAP
Network EAP - No addition
EAP Authentication Servers - Customize - Radius Server IP
Key Management - Mandatory - WPA
Enable Accounting - Customize - Radius Server IP

Everything else under SSID = default

There are a few levels of security for how someone gets on our wireless:
1. They need to be part of a certain AD security group
2. They must have a certificate they download from our network
3. One other thing, but it slips my memory.

So right now I have both set up like a regular AP and they work fine, but I'm not sure where to proceed from here.
 

spidey07

You'll have to put in a username/password for the non-root bridge. This username/pass should also be in AD or locally defined on your RADIUS server. The non-root bridge acts like a client.

Are you running IOS or lightweight?
 

cpals

System Software Version: Cisco IOS Software

So you're saying everything stays as is... I just change one to root-bridge and the other to non-root bridge.

Where does the username/password for the non-root go? Also, will it work either way with AD or locally on the RADIUS, or does it depend on my setup?
 

spidey07

It doesn't matter if AD or RADIUS. I would probably locally define it on RADIUS.

I'm looking for the command... I think it goes under the ssid section on the config.

I don't know the GUI much at all as I stick strictly to command line (and so should you if you plan on knowing these things better)

You could try the configuration:
dot11 ssid <whatever your ssid>
authentication client username <the AP username> password <ap password>
 

cpals

Whatever I'm doing isn't working... I input the commands and they go in fine, and then the 802.11 gets reset and then goes down.

Here's my two configs if it helps - if it's too much work, don't worry about it:

Root Bridge

Non-Root
 

cpals

Okay, I might have something now... In the association page on the root-bridge I have this (It's listed as a repeater):

11g-bridge **AP Name** *IP* 000f.24ee.2890 Association processing self none

But it's just sticking there... it's not EAP associated.
 

spidey07

Take out all the AAA commands on the non-root if you just want it to be a non-root bridge.

If you want to have the non-root bridge act as an infrastructure AP (it can do both) then leave them in.

You could turn on some debugs on each AP to see what username it is sending:

debug aaa authentication

then type

term mon

so that your telnet session will display terminal messages such as debugs.

If you have maintenance you can call Cisco. Or if you want, just reset the non-root to defaults and then set up with a minimal config (SSID w/ encryption & cipher settings, IP address, telnet/enable passwords):

dot11 ssid **SSID**
authentication key-management wpa
authentication client username *USER* password 7 0723225F414A48
infrastructure-ssid optional
 

cpals

This is all it shows (keeps scrolling):

Root -
Apr 3 18:04:24.489: %DOT11-7-AUTH_FAILED: Station 000f.24ee.2890 Authentication
failed
Apr 3 18:04:26.353: AAA/BIND(00006136): Bind i/f
Apr 3 18:04:26.357: AAA/AUTHEN/PPP (00006136): Pick method list 'eap_methods1'

Apr 3 18:04:26.367: AAA/AUTHEN/PPP (00006136): Pick method list 'eap_methods1'

Non-Root
Apr 3 18:04:00.606: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
 

spidey07

Take off the "aaa new-model" command on the non-root.

It is trying to use your AAA settings for a username.

I've done this with WPA-PSK (which may be fine in your case) if you want to eliminate the hassle of a username/pass.
 

cpals

Hmm... this is in my radius:

User AcademyAP was denied access.
Fully-Qualified-User-Name = *DOMAIN*/Other Users/AP, Academy
NAS-IP-Address = *IP*
NAS-Identifier = Academy-AP1
Called-Station-Identifier = 0015.f938.b8a0
Calling-Station-Identifier = 000f.24ee.2890
Client-Friendly-Name = Acad-Test1
Client-IP-Address = *IP*
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 25314
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Authenticate all SprintPCS Wireless Connections
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 

cpals

I don't get it though... the non-root is called Academy-AP2, but in the radius it's saying it's denying Academy-AP1 and using the password from AP2.
 

cpals

When I disabled aaa new-model I couldn't log in through telnet anymore - it didn't even ask for user/pass.

Also, this was in the terminal:

Apr 3 18:29:27.114: AAA/AUTHEN/LOGIN (00000000): Pick method list 'Permanent Local'

 

spidey07

I'd seriously wipe the config and start with the basics. Adding all that AAA stuff can get confusing. You can do this with the "write erase" command.

The reason it didn't ask for a password is that you probably didn't have a password set on the vty lines.
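A worked minimal pair of configs pulling together the pieces discussed in this thread (spidey07's dot11 ssid block, leaving "aaa new-model" off the non-root, and a password on the vty lines). This is a constructed example added here, not either poster's actual config; the hostnames, SSID, method-list name, addresses and credentials are placeholders. One caveat worth knowing: "authentication client username" makes the non-root bridge authenticate with Cisco Network-EAP (LEAP), which a Windows 2003 IAS RADIUS server does not process without an add-on, consistent with the Reason-Code 22 denial in the IAS log above. So the bridge account either needs a RADIUS server that handles LEAP, or you use the WPA-PSK alternative shown commented out.

```cisco
! ===== Root bridge =====
! Constructed example: hostnames, IPs, list names and credentials are placeholders.
hostname ROOT-BRIDGE
!
! The root bridge is the authenticator, so it keeps AAA and points at RADIUS.
aaa new-model
aaa authentication login eap_methods group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET
!
dot11 ssid BRIDGE-SSID
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   infrastructure-ssid
!
interface Dot11Radio0
   no ip address
   encryption mode ciphers tkip
   ssid BRIDGE-SSID
   station-role root bridge
   bridge-group 1
!
interface BVI1
   ip address 192.0.2.11 255.255.255.0
!
! ===== Non-root bridge =====
! No "aaa new-model" here: with it present the AP reaches for its AAA
! login method lists instead of the client credentials below.
hostname NONROOT-BRIDGE
!
dot11 ssid BRIDGE-SSID
   ! Same list name as the root; it is only a label on this side (assumption).
   authentication network-eap eap_methods
   authentication key-management wpa
   ! Account for the bridge itself, defined on the RADIUS server.
   ! Entered as type 0 (plaintext); IOS stores it as type 7, which is
   ! reversible obfuscation, so treat "show run" output as sensitive.
   authentication client username bridge-uplink password 0 PLACEHOLDER-PASSWORD
   infrastructure-ssid
   ! WPA-PSK alternative spidey07 mentions (no RADIUS account needed):
   ! no authentication client username bridge-uplink
   ! wpa-psk ascii 0 PLACEHOLDER-PSK
!
interface Dot11Radio0
   no ip address
   encryption mode ciphers tkip
   ssid BRIDGE-SSID
   station-role non-root bridge
   bridge-group 1
!
interface BVI1
   ip address 192.0.2.12 255.255.255.0
!
! Without aaa new-model, telnet logins are gated only by the line password,
! so set one (or use "login local" with a username) before you save.
enable secret PLACEHOLDER-ENABLE
line vty 0 4
   password PLACEHOLDER-VTY
   login
```

Apply the non-root half after the "write erase" and reload suggested above, then watch "debug aaa authentication" on the root to confirm the uplink account is the one being presented to RADIUS.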
 

cpals

Both configs or just the non-root?

BTW, do you have paypal or anything? I really would like to compensate a little for your time. You've been amazingly patient with my cisco noobish self.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: spidey07

I don't know the GUI much at all as I stick strictly to command line (and so should you if you plan on knowing these things better)

Except they change contexts on the CLI from release to release /slap cisco devs with a large trout!
 

spidey07

Originally posted by: cpals
Both configs or just the non-root?

BTW, do you have paypal or anything? I really would like to compensate a little for your time. You've been amazingly patient with my cisco noobish self.

Don't be silly, thanks though.

Just the non-root.

Also, forum.cisco.com is very good for Cisco-specific help. There is a wireless/general area there that is pretty good.
 

spidey07

Originally posted by: nweaver
Originally posted by: spidey07

I don't know the GUI much at all as I stick strictly to command line (and so should you if you plan on knowing these things better)

Except they change contexts on the CLI from release to release /slap cisco devs with a large trout!

12.3.8 JA came out a little bit ago.

Methinks I'm gonna let that one cook before using it, after the 12.3.7 JA fiasco and other muck-ups before it.
 

cpals

We're using 12.3(7)JA2. Is that bad?

Also, did you forget to mention I need to type 'reload' after I erase the memory?
 

spidey07

Yes, reload and don't save anything. Of course the AP will have a blank config at this point.

12.3.7.JA2 is the recommended code - you're fine.