Workgroup Bridges

Cisco Workgroup Bridges

A workgroup bridge (WGB) is an Access Point (AP) mode to provide wireless connectivity to wired clients that are connected to the Ethernet port of the WGB AP. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the WLC through infrastructure AP using Internet Access Point Protocol (IAPP) messaging. The WGB establishes a single wireless connection to the root AP, which in turn, treats the WGB as a wireless client.

The following features are supported for use with a WGB:

Table 1. WGB Feature Matrix
Feature	Cisco Wave 1 APs	Cisco Wave 2
802.11r	Supported	Supported
QOS	Supported	Supported
UWGB mode	Supported	Supported on Wave 2 APs
IGMP Snooping or Multicast	Supported	Supported
802.11w	Supported	Supported
PI support (without SNMP)	Supported	Not supported
IPv6	Supported	Supported
VLAN	Supported	Supported
802.11i (WPAv2)	Supported	Supported
Broadcast tagging/replicate	Supported	Supported
Unified VLAN client	Implicitly supported (No CLI required)	Supported
WGB client	Supported	Supported
802.1x – PEAP, EAP-FAST, EAP-TLS	Supported	Supported
NTP	Supported	Supported
Wired client support on all LAN ports	Supported in Wired-0 and Wired-1 interfaces	Supported in all Wired-0, 1 and LAN ports 1, 2, and 3

The following table shows the supported and unsupported authentication and switching modes for Cisco APs when connecting to a WGB.

Table 2. Supported Access Points and Requirements
Access Points	Requirements
Cisco Aironet 2700, 3700, and 1572 Series	Requires autonomous image.
Cisco Aironet 2800, 3800, 4800, 1562, and Cisco Catalyst 9105, 9115, IW6300 and ESW6300 Series	CAPWAP image starting from Cisco AireOS 8.8 release.

Table 3. WGB Support on APs
WGB WLAN Support	Cisco Wave 2 APs	Cisco Catalyst 9100 Series APs
Central Authentication	Supported	Supported
Central Switching	Supported	Supported
Local Authentication	Not Supported	Not Supported
Local Switching	Supported	Supported

MAC filtering is not supported for wired clients.
Idle timeout is not supported for both WGB and wired clients.
Session timeout is not applicable for wired clients.
Web authentication is not supported.
WGB supports only up to 20 clients.
If you want to use a chain of certificates, copy all the CA certificates to a file and install it under a trust point on the WGB, else server certificate validation may fail.
Wired clients connected to the WGB are not authenticated for security. Instead, the WGB is authenticated against the access point to which it associates. Therefore, we recommend that you physically secure the wired side of the WGB.
Wired clients connected to a WGB inherit the WGB's QoS and AAA override attributes.
To enable the WGB to communicate with the root AP, create a WLAN and make sure that Aironet IE is enabled under the Advanced settings.

Configure a WGB on a WLAN

Deploy a WGB so that connected wired devices can access the network via WLAN.

WGBs allow wired devices to join a wireless network by bridging their wired connections over Wi-Fi. This configuration is used in environments where direct wireless capability is not available for all devices.

Before you begin

Ensure WLAN security (such as authentication and encryption) is already configured.

Procedure

Step 1	Enter global configuration mode. Example: `Device# configure terminal`
Step 2	Enter WLAN configuration submode. Example: `Device(config)# wlan profile-name` The profile-name is the profile name of the configured WLAN.
Step 3	Configure the Cisco Client Extensions option and sets the support of Aironet IE on the WLAN. Example: `Device(config-wlan)# ccx aironet-iesupport`
Step 4	Exit the WLAN configuration submode. Example: `Device(config-wlan)# exit`
Step 5	Configure WLAN policy profile and enters the wireless policy configuration mode. Example: `Device(config)# wireless profile policy profile-policy`
Step 6	Add a description for the policy profile. Example: `Device(config-wireless-policy)# description "test-wgb"`
Step 7	Assign the profile policy to the VLAN. Example: `Device(config-wireless-policy)# vlan vlan-no`
Step 8	Configure WGB VLAN client support. Example: `Device(config-wireless-policy)# wgb vlan`
Step 9	Configure WGB broadcast tagging on a WLAN. Example: `Device(config-wireless-policy)# wgb broadcast-tagging`
Step 10	Restart the policy profile. Example: `Device(config-wireless-policy)# no shutdown`
Step 11	Exit the wireless policy configuration mode. Example: `Device(config-wireless-policy)# exit`
Step 12	Configure policy tag and enters policy tag configuration mode. Example: `Device(config)# wireless tag policy policy-tag`
Step 13	Map a policy profile to a WLAN profile. Example: `Device(config-policy-tag)# wlan profile-name policy profile-policy`
Step 14	Exit policy tag configuration mode, and returns to privileged EXEC mode. Example: `Device(config-policy-tag)# end`

The WGB is now configured and can join the designated WLAN, bridging its wired clients to the wireless network.

Verify the status of a WGB on the controller

Use these commands to verify the status of a WGB.

To display the wireless-specific configuration of active clients, use this command:

Device# show wireless client summary

To display the WGBs on your network, use this command:

Device# show wireless wgb summary

To display the details of wired clients that are connected to a particular WGB, use this command:

Device# show wireless wgb mac-address 00:0d:ed:dd:25:82 detail

Configure AP as WGB

Convert a Cisco Aironet 2700/3700/1572 Series AP to autonomous mode

Enable standalone (autonomous) functioning on a Cisco Aironet AP when controller-based (lightweight) mode is not required or available.

This conversion is commonly used for deployments where APs must function independently, such as remote locations or testing environments.

Before you begin

Download the appropriate autonomous image for your AP model from software.cisco.com and place it on a reachable TFTP server.

Procedure

Step 1

Enable console CLI access on the AP.

Example:

Device# debug capwap console cli

Allows use of all CLI commands during image conversion.

Step 2

Download and install the autonomous image using the TFTP server.

Example:

Device(config)# archive download-sw force-reload overwrite tftp://server-ip/path/image-filename

Replaces the current image with the autonomous image. The AP reloads automatically after the upgrade.

The AP loads the autonomous image and operates independently, with its web UI and CLI.

Configure Cisco Wave 2 APs in WGB or CAPWAP AP mode (CLI)

Set up the AP mode and management configuration for Cisco APs using the CLI.

This task is applicable when you need to quickly reconfigure the AP operation mode between Workgroup Bridge and CAPWAP using the AP's command-line interface.

Procedure

Step 1	Enters the privileged mode of the AP. Example: `Device# enable`
Step 2	Move the AP in to the Workgroup Bridge mode. Example: `Device# ap-type workgroup-bridge`
Step 3	Configures DHCP or static IP address using the configure ap address ipv4 dhcp or configure ap address ipv4 static `ip-address` `netmask` `gateway-ipaddress` command. Example: DHCP IP Address `Device# configure ap address ipv4 dhcp` Static IP Address `Device# configure ap address ipv4 static 10.10.10.2 255.255.255.234 192.168.4.1`
Step 4	Configure an username for the AP management. Example: `Device# configure ap management add username username password password secret secret`
Step 5	Configure the AP hostname. Example: `Device# configure ap hostname host-name`

The AP is successfully configured in the selected mode with the desired network and management settings.

Configure an SSID profile for Cisco Wave 2 APs (CLI)

Set up secure Wi-Fi profiles for Wave 2 and 11AX APs, allowing client authentication and traffic management using the AP CLI.

This configuration is performed on the AP console and does not apply to the controller CLI. Choose authentication and QoS settings best suited for your environment.

Before you begin

Ensure you have access to the AP console and any preshared keys or EAP profiles needed for authentication.

Procedure

Step 1	Create an SSID profile and specify authentication (open, PSK, or EAP) and key management options. Example: SSID profile with open authentication: `Device# configure ssid-profile test WRT s1 authentication open` SSID profile with PSK authentication: `Device# configure ssid-profile test WRT s1 authentication psk 1234 key-management dot11r` SSID profile with EAP authentication: `Device# configure ssid-profile test WRT s1 authentication eap profile test2 key-management dot11r` Choose the authentication protocol that matches your deployment requirements.
Step 2	Attach the SSID profile to a radio interface. Example: `Device# configure dot11radio radio-interface mode wgb ssid-profile profle-name` Binds the SSID profile for wireless bridge operations.
Step 3	(Optional) Delete and SSID. Example: `Device# configure ssid-profile profle-name delete`
Step 4	(Optional) Display summary of configured and connected SSIDs. Example: `Device# show wgb ssid`
Step 5	(Optional) Display management, control, and data packet statistics for WGB SSIDs. Example: `Device# show wgb packet statistics`

The SSID profile is configured for the AP and mapped to the desired radio interface. Wireless clients can now connect using the specified authentication mode, traffic is prioritized according to QoS settings, and you can monitor SSID and packet statistics as needed.

Configure Dot1X credential (CLI)

Configure or remove a Dot1X credential profile, and manage WGB client authentication using CLI commands.

Dot1X credentials are used to authenticate devices securely to the network. You can create or remove these credentials as required, and clear authenticated Workgroup Bridge (WGB) clients using dedicated commands.

Before you begin

Ensure the device is in global configuration mode before issuing these commands.

Procedure

Step 1

Configure a Dot1X credential profile with username and password.

Example:


Device(config)# configure dot1x credential profile-name username username password password

Creates or updates a Dot1X credential profile with the specified username and password.

Step 2

Delete a Dot1X credential profile.

Example:


Device(config)# configure dot1x credential profile-name delete

Removes the specified Dot1X credential profile.

Step 3

Clear a WGB client session based on MAC address or clear all WGB clients.

Example:


Device# clear wgb client single mac-address

Deauthenticates a specific WGB client identified by MAC address. To clear all WGB clients, use:

Device# clear wgb client all

Dot1X credentials and WGB client sessions are managed according to your chosen operations.

Configure an EAP profile (CLI)

Use this procedure to create, manage, or delete EAP profiles on your device for authentication using the CLI.

An EAP profile defines the authentication method for wireless users. You can configure various methods and associate trustpoints or credentials to strengthen security for wireless authentication.

Before you begin

Enable global configuration mode on the device and verify access to CLI.

Procedure

Step 1

Configure an EAP profile and set the EAP method.

Example:

Device# configure eap-profile profile-name method method-name

Configures an EAP profile with the chosen method.

The method-name can be:

fast
leap
peap
tls

Step 2

Associate a trustpoint with the EAP profile . Use either the default or a specific name.

Example:

EAP profile to Trustpoint with MIC Certificate:

Device# configure eap-profile profile-name trustpoint default

EAP profile to Trustpoint with CA Certificate:

Device# configure eap-profile profile-name trustpoint name trustpoint-name

Configures an EAP profile with a trustpoint for authentication.

Step 3

Attach a CA trustpoint to the EAP profile.

Example:

Device# configure eap-profile profile-name trustpoint {default | name trustpoint-name}

Attaches the CA trustpoint.

Note

With the default profile, WGB uses the internal MIC certificate for authentication.

Step 4

Configure the 802.1X credential profile for the EAP profile.

Example:

Device# configure eap-profile profile-name dot1x-credential profile-name

Configures the 802.1X credential profile associated with the EAP profile.

Step 5

(Optional) Delete an EAP profile .Delete an EAP profile.

Example:

Device# configure eap-profile profile-name delete

Step 6

(Optional) Display the WGB EAP dot1x credential profile summary .Display the WGB EAP dot1x credential profile summary.

Example:

Device# show wgb eap dot1x credential profile

Step 7

(Optional) Display the EAP profile summary.

Example:

Device# show wgb eap profile

Step 8

(Optional) Display all configured EAP and dot1x profiles .Display all configured EAP and dot1x profiles.

Example:

Device# show wgb eap profile all

The EAP profile is now configured as required. You can display or modify EAP profiles as needed to support different authentication strategies.

Configure manual-enrollment of a trustpoint for WGB (CLI)

Manually configure and enroll a trustpoint on a WGB to enable certificate-based security authentication via CLI.

A trustpoint defines a Certification Authority (CA) used to issue certificates for device authentication. Manual enrollment is used when automatic enrollment via HTTP/SCEP is not available.

Before you begin

Ensure that the WGB configuration is complete and the required CA certificate is accessible. You must have administrator access to the CLI and all necessary server and certificate information.

Procedure

Step 1	Configure a trustpoint on the WGB and set the enrollment method to terminal. Example: `Device# configure crypto pki trustpoint ca-server-name enrollment terminal` Defines a new trustpoint and specifies that certificate content will be entered manually.
Step 2	Authenticate the trustpoint and input the base 64 encoded CA certificate. Example: `Device# configure crypto pki trustpoint ca-server-name authenticate` Authenticates a trustpoint by pasting the CA-signed certificate. End certificate input by typing quit on a new line.
Step 3	Configure the private key size for the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name key-size key-length` Sets the RSA key pair length for the trustpoint’s private key.
Step 4	Configure the subject name attributes for the trustpoint’s certificate. Example: `Device# configure crypto pki trustpoint ca-server-name subject-name name 2ltr-country-code state-name locality org-name org-unit email` Example: `Device# configure crypto pki trustpoint ca-server-US subject-name test US CA abc cisco AP test@cisco.com` Specifies certificate subject fields, matching your organization’s naming policy.
Step 5	Generate a Certificate Signing Request (CSR) on the WGB and enroll the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name enroll` Generates the private key and a CSR; provide the CSR output to your CA server for certificate signing.
Step 6	Import the signed certificate from the CA back into the WGB trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name import certificate` Installs the issued device certificate. End certificate input with the quit command on a new line.
Step 7	(Optional) Delete the trustpoint if reconfiguration is needed. Example: `Device# configure crypto pki trustpoint ca-server-name delete` Removes a trustpoint configuration from the device.
Step 8	(Optional) Display the trustpoint summary. Example: `Device# show crypto pki trustpoint` Shows all trustpoints configured on the device.
Step 9	(Optional) Display certificates associated with a trustpoint. Example: `Device# show crypto pki trustpoint ca-server-name certificate` Inspect the contents of certificates for a specific trustpoint.

Manual trustpoint enrollment is now complete on the WGB. The device can use the certificates for secure authentication and establish connections as required for network operation.

Configure auto-enrollment of a trustpoint for workgroup bridge (CLI)

Enable automatic certificate enrollment for secure communication by configuring a trustpoint and CA enrollment in a WGB deployment.

Auto-enrollment of a trustpoint streamlines certificate management for workgroup bridges by allowing automatic acquisition and renewal of CA certificates.

Before you begin

Ensure the device is running the appropriate WGB image and has connectivity to the CA server.

Procedure

Step 1	Configure the trustpoint and specify the CA server enrollment URL. Example: `Device# configure crypto pki trustpoint ca-server-name enrollment url ca-server-url` Enrolls a trustpoint in WGB using the CA server URL.
Step 2	Authenticate the trustpoint by fetching the CA certificate from the CA server. Example: `Device# configure crypto pki trustpoint ca-server-name authenticate` Fetches the CA certificate for trustpoint authentication.
Step 3	Set the private key size for the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name key-size key-length` Example: `Device# configure crypto pki trustpoint ca-server-Us key-size 60`
Step 4	Configure the subject name for the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name subject-name name 2ltr-country-code state-name locality org-name org-unit email` Example: `Device# configure crypto pki trustpoint ca-server-US subject-name test US CA abc cisco AP test@cisco.com` Customize the subject name parameters as needed for your deployment.
Step 5	Enroll the trustpoint to request a signed certificate from the CA server. Example: `Device# configure crypto pki trustpoint ca-server-name enroll` Initiates the certificate enrollment request to the CA server.
Step 6	Enable auto-enrollment and specify the renewal percentage threshold. Example: `Device# configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage` Example: `Device# configure crypto pki trustpoint ca-server-US auto-enroll enable 10` Use disable to turn off auto-enroll if needed.
Step 7	(Optional) Delete the trustpoint if it is no longer required. Example: `Device# configure crypto pki trustpoint ca-server-name delete` Removes the trustpoint from the configuration.
Step 8	(Optional) Display the summary of trustpoints. Example: `Device# show crypto pki trustpoint` Lists all configured trustpoints and their status.
Step 9	(Optional) Display the certificate for a specific trustpoint. Example: `Device# show crypto pki trustpoint ca-server-name certificate` Shows the certificate configured for the specified trustpoint.
Step 10	(Optional) Display the PKI timer information. Example: `Device# show crypto pki timers` Displays timer settings related to PKI operations.

The trustpoint is now auto-enrolled and managed on the WGB, ensuring secure and automated certificate renewal.

Configure manual certificate enrollment using TFTP server (CLI)

Manual certificate enrolment allows devices to obtain certificates from a TFTP server, which is essential for secure communications.

Procedure

Step 1	Specify the enrollment method to retrieve the CA certificate and client certificate for a trustpoint in WGB. Example: `Device# configure crypto pki trustpoint ca-server-name enrollment addr/file-name` Specifies the enrolment method to retrieve the CA certificate and client certificate for a trustpoint in WGB.
Step 2	Authenticate the CA certificate from the specified TFTP server. Example: `Device# configure crypto pki trustpoint ca-server-name authenticate` Retrieves the CA certificate and authenticates it from the specified TFTP server. If the file specification is included, the WGB will append the extension “.ca” to the specified filename.
Step 3	Configure the private key size for the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name key-size key-length` Configures a private key size.
Step 4	Set the subject name for the trustpoint. Example: `Device# configure crypto pki trustpoint ca-server-name subject-name test US CA abc cisco AP test@cisco.com` Configures the subject name.
Step 5	Generate a private key and certificate signing request (CSR). Example: `Device# configure crypto pki trustpoint ca-server-name enroll` Generate a private key and Certificate Signing Request (CSR) and writes the request out to the TFTP server. The filename to be written is appended with the extension “.req”.
Step 6	Import the signed certificate into WGB using TFTP at the console terminal, which retrieves the granted certificate. Example: `Device# configure crypto pki trustpoint ca-server-name import certificate` Import the signed certificate in WGB using TFTP at the console terminal, which retrieves the granted certificate. The WGB will attempt to retrieve the granted certificate using TFTP using the same filename and the file name appended with “.crt” extension.
Step 7	(Optional) Display the trustpoint summary. Example: `Device# show crypto pki trustpoint` Displays the trustpoint summary.
Step 8	(Optional) Display the content of the certificates for a trustpoint. Example: `Device# show crypto pki trustpoint trustpoint-name certificate` Displays the content of the certificates that are created for a trustpoint.

Import the PKCS12 format certificates from the TFTP server (CLI)

Importing PKCS12 format certificates is essential for establishing secure communications in network devices.

Procedure

Step 1

Import the PKCS12 format certificate from the TFTP server.

Example:

Device# configure crypto pki trustpoint 
                        ca-server-name import pkcs12 tftp addr/file-name password pwd

Example:

Device# configure crypto pki trustpoint 
                        ca-server-US import pkcs12 tftp://10.8.0.6/all_cert.p12 password ******

Step 2

(Optional) Display the trustpoint summary.

Example:

Device# show crypto pki trustpoint

Step 3

(Optional) Display the content of the certificates created for a trustpoint.

Example:

Device# show crypto pki trustpoint trustpoint-name certificate

Example:

Device# show crypto pki trustpoint ca-server-US certificate

Configure radio interface for workgroup bridges (CLI)

From the available two radio interfaces, before configuring WGB or UWGB mode on one radio interface, configure the other radio interface to root AP mode.

Procedure

Step 1

Configure a radio interface as root AP.

Example:

Device# configure dot11Radio radio-int mode root-ap

Example:

Device# configure dot11Radio 0/3/0 mode root-ap

Maps a radio interface as root AP.

Note

When an active SSID or EAP profile is modified, you need to reassociate the profile to the radio interface for the updated profile to be active.

Step 2

Configure the periodic beacon interval in milliseconds.

Example:

Device# configure dot11radio dotradiovalue beacon-period beacon-interval

The value range is between 2 and 2000 milliseconds.

Step 3

Maps a radio interface to a WGB SSID profile.

Example:

Device# configure dot11Radio 0/3/0 mode wgb ssid-profile ssid-profile-name

Maps a radio interface to a WGB SSID profile.

Step 4

Maps a radio interface to a UWGB SSID profile.

Example:

Device# configure dot11Radio radio-int mode uwgb mac-addr ssid-profile ssid-profile-name

Maps a radio interface to a WGB SSID profile.

Step 5

Configures a radio interface.

Example:

Device# configure dot11Radio radio-int mode enable

After configuring the uplink to the SSID profile, we recommend that you disable and enable the radio for the changes to be active.

Step 6

Configures a radio antenna.

Example:

Device# configure dot11Radio radio-int antenna a-antenna

Configures a radio antenna.

Step 7

Configures the radio interface encryption mode.

Example:

Device# configure dot11Radio radio-int encryption mode ciphers aes-ccm

Configures the radio interface.

Step 8

Configures the device channel rate.

Example:

Device# configure wgb mobile rate basic 6 9 18 24 36 48 54

Configures the device channel rate.

Step 9

Configure the threshold duration and signal strength to trigger scanning.

Example:

Device# configure wgb mobile period seconds thres-signal

Configure the threshold duration and signal strength to trigger scanning.

Step 10

Configures the static roaming channel.

Example:

Device# configure wgb mobile station interface dot11Radio 0/3/0 scan channel-number add

Configures the static roaming channel.

Step 11

(Optional) Delete the mobile channel.

Example:


                        Device# configure wgb mobile station interface dot11Radio 0/3/0 scan channel-number delete

Step 12

(Optional) Disable the mobile channel.

Example:

Device# configure wgb mobile station interface dot11Radio 0/3/0 scan disable

Step 13

(Optional) Configure the beacon miss-count.

Example:

Device# configure wgb beacon miss-count value

Note

When you set the beacon miss-count value to 10 or lower, then the beacon miss-count gets disabled. Set the value to 11 or higher to enable this function.

Step 14

(Optional) Display the Wi-Fi station statistics.

Example:

Device# show wgb wifi wifi-interface stats

Step 15

(Optional) Display the radio antenna statistics.

Example:

Device# show controllers dot11Radio radio-interface antenna

Step 16

(Optional) Display the mobile station channels scan configuration.

Example:

Device# show wgb mobile scan channel

Step 17

(Optional) Display the configuration that is stored in the NV memory.

Example:

Device# show configuration

Step 18

(Optional) Display the running configuration in the device.

Example:

Device# show running-config

Configure workgroup bridge timeouts (CLI)

Use this task to configure various timeout values that control workgroup bridge (WGB) behavior, improving reliability and performance.

Set specific timeout limits for association, authentication, EAP, DHCP response, and channel scan processes.

Timeout values affect how long the WGB waits for events before triggering corrective actions or failure notices.

This task applies to Cisco devices in environments where precise timeout management is needed for workgroup bridge operations and troubleshooting.

Before you begin

Ensure you have privileged EXEC access on the device.

Verify device compatibility and active WGB configuration.

Procedure

Step 1	Configure the WGB association response timeout. Example: `Device# configure wgb association response timeout response-millisecs` Default: 5000 ms; Range: 300–5000 ms.
Step 2	Configure the WGB authentication response timeout. Example: `Device# configure wgb authentication response timeout response-millisecs` Default: 5000 ms; Range: 300–5000 ms.
Step 3	Configure the Universal WGB client response timeout. Example: `Device# configure wgb uclient timeout timeout-secs` Default: 60 s; Range: 1–65535 s.
Step 4	Configure the WGB EAP timeout. Example: `Device# configure wgb eap timeout timeout-secs` Default: 3 s; Range: 2–60 s.
Step 5	Configure the WGB channel scan timeout. Example: `Device# configure wgb channel scan timeout {fast \| slow \| medium}` Select scan speed according to site requirements.
Step 6	Configure the WGB DHCP response timeout. Example: `Device# configure wgb dhcp response timeout timeout-secs` Default: 60 s; Range: 1000–60000 ms.
Step 7	Display the WGB association summary. Example: `Device# show wgb dot11 association` Display associated WGB clients and related statistics.

The configured timeout parameters apply immediately and affect how the WGB responds to events and failures.

For example, to set the WGB association response timeout to 4000 ms:

Device# configure wgb association response timeout 4000

What to do next

Verify timeout settings by using display commands and monitoring WGB behavior.

Adjust timeouts as needed for specific network or client stability.

Configure bridge forwarding for workgroup bridge (CLI)

Before you begin

The Cisco Wave 2 APs as Workgroup Bridge recognizes the Ethernet clients only when the traffic has the bridging tag.

We recommend setting the WGB bridge client timeout value to default value of 300 seconds, or less in environment where change is expected, such as:

Ethernet cable is unplugged and plugged back.
Endpoint is changed.
Endpoint IP is changed (static to DHCP and vice versa).

If you need to retain the client entry in the WGB table for a longer duration, we recommend you increase the client WGB bridge timeout duration.

Procedure

Step 1	Add a WGB client using the MAC address. Example: `Device# configure wgb bridge client add mac-address` Example: `Device# configure wgb bridge client add F866.F267.7DFB`
Step 2	Configure the WGB bridge client timeout. Default timeout value is 300 seconds. The valid range is between 10 and 1000000 seconds. Example: `Device# configure wgb bridge client timeout timeout-secs` Example: `Device# configure wgb bridge client timeout 400`
Step 3	Display the WGB wired clients over the bridge. Example: `Device# show wgb bridge`
Step 4	Display the WGB Gigabit wired clients over the bridge. Example: `Device# show wgb bridge wired gigabitEthernet interface` Example: `Device# show wgb bridge wired gigabitEthernet 0/1`
Step 5	Display the WGB bridge radio interface summary. Example: `Device# show wgb bridge dot11Radio interface-number` Example: `Device# show wgb bridge dot11Radio 0/3/1`

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.4.x

Bias-Free Language

Results

Chapter: Workgroup Bridges

Workgroup Bridges

Cisco Workgroup Bridges

Configure a WGB on a WLAN

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Verify the status of a WGB on the controller

Configure AP as WGB

Convert a Cisco Aironet 2700/3700/1572 Series AP to autonomous mode

Before you begin

Procedure

Example:

Example:

Configure Cisco Wave 2 APs in WGB or CAPWAP AP mode (CLI)

Procedure

Example:

Example:

Example:

Example:

Example:

Configure an SSID profile for Cisco Wave 2 APs (CLI)

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Configure Dot1X credential (CLI)

Before you begin

Procedure

Example:

Example:

Example:

Configure an EAP profile (CLI)

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configure manual-enrollment of a trustpoint for WGB (CLI)

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configure auto-enrollment of a trustpoint for workgroup bridge (CLI)

Before you begin

Procedure

Example:

Example: