Configuring WGB

This chapter contains these topics:

Configuring AP to WGB Mode

Cisco 802.11ac wave2 AP (IW6300 and ESW6300) and 802.11ax AP module (WP-WIFI6) are Cheetah OS (COS) based access points. The COS WGB function runs on the following image versions:

  • ap3g3-k9w8-tar.xxx.tar

  • ap1g8-k9w8-tar.xxx.tar

Make sure that you use the correct image version for WGB deployment.

  • To configure a Cisco AP from Capwap mode to WGB mode, use the following command:

    # ap-type workgroup-bridge

WGB is a wireless client that serve as nonroot ap for wired clients. 
AP is the Master/CAPWAP AP, system will need a reboot when ap type is 
changed to WGB. Do you want to proceed? (y/N):y

  • To reverse the AP to Capwap mode, configure ap-type as Capwap by using the following command:

    # ap-type capwap

Note

Switching between EWC mode and WGB mode is not supported.

Configure IP address

Configure IPv4 address

  • Use the configure ap address ipv4 dhcp command to configure IPv4 address using DHCP. 

    Device#configure ap address ipv4 dhcp
  • Use the configure ap address ipv4 static ipv4_addr netmask gateway command to configure the static IPv4 address. By doing so, you can manage the device using a wired interface without an uplink connection. 
    Device#configure ap address ipv4 static ipv4_addr netmask gateway

Verify current IP configuration

Use show ip interface brief command to view the current IP address configuration. 

Device#show ip interface brief

Configure IPv6 address

Use the configure ap address ipv6 static ipv6_addr prefixlen [gateway] command to configure the static IPv6 address. This configuration allows you to manage the AP through a wired interface without uplink connection. 

Device#configure ap address ipv6 static ipv6_addr prefixlen [gateway]

Enable IPv6 auto configuration

Use the configure ap address ipv6 auto-config enable command to enable the IPv6 auto configuration on the AP. 

Device#configure ap address ipv6 auto-config enable

Note

  • Use the configure ap address ipv6 auto-config disable command to disable the IPv6 auto configuration on the AP.

  • Use the configure ap address ipv6 auto-config enable command to enable IPv6 SLAAC. Note that SLAAC does not apply to CoS of WGB. This command configures IPv6 address with DHCPv6 instead of SLAAC.

Configure IPv6 address using DHCP

Use the configure ap address ipv6 dhcp command to configure IPv6 address using DHCP.
Device#configure ap address ipv6 dhcp

Verify current IP configuration

Use the show ipv6 interface brief command to verify current IP address configuration. 

Device#show ipv6 interface brief

Configure a Dot1X credential

Use the configure dot1x credential profile-name username name password pwd command to configure Dot1x credential.
Device#configure dot1x credential profile-name username name password pwd

Verify WGB EAP Dot1x profile

Use the show wgb eap dot1x credential profile command to view the status of WGB EAP Dot1x profile. 

Device#show wgb eap dot1x credential profile

Deauthenticate WGB wired client

Use the clear wgb client {all |single mac-addr} command to deauthenticate WGB wired client. 

Device#clear wgb client {all |single mac-addr}

Configure an EAP profile

Perform these steps to configure an EAP profile:

  1. Attach the Dot1x credential profile to the EAP profile.

  2. Attach the EAP profile to the SSID profile.

  3. Attach the SSID profile to the radio.

Procedure

Step 1

Use the configure eap-profile profile-name method { fast | leap | peap | tls} command to configure the EAP profile. 

Device#configure eap-profile profile-name method { fast | leap | peap | tls}

Note

 

Choose an EAP profile method.

  • fast

  • peap, or

  • tls.

Step 2

Use the configure eap-profile profile-name trustpoint { default | name trustpoint-name} command to attach the CA trustpoint for TLS. By default, the WGB uses the internal MIC certificate for authentication. 

Device#configure eap-profile profile-name trustpoint { default | name trustpoint-name}

Step 3

Use the configure eap-profile profile-name dot1x-credential profile-name command to attach the dot1x-credential profile. 

Device#configure eap-profile profile-name dot1x-credential profile-name

Step 4

[Optional] Use the configure eap-profile profile-name delete command to delete an EAP profile. 

Device#configure eap-profile profile-name delete

Configure trustpoint manual enrollment for terminal

Procedure

Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment terminal command to create a trustpoint in WGB. 

Device#configure crypto pki trustpoint ca-server-name enrollment terminal

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. 

Device#configure crypto pki trustpoint ca-server-name authenticate

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate.

Note

 

If you use an intermediate certificate, import all the certificate chains in the trustpoint.

Example:

Device#configure crypto pki trustpoint demotp authenticate
 
Enter the base 64 encoded CA certificate.
....And end with the word "quit" on a line by itself....
 
-----BEGIN CERTIFICATE-----
[base64 encoded root CA certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 encoded intermediate CA certificate]
-----END CERTIFICATE-----
quit

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. 

Device#configure crypto pki trustpoint ca-server-name key-size key-length

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. 

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and certificate signing request (CSR). 

Device#configure crypto pki trustpoint ca-server-name enroll

Create the digitally signed certificate using the CSR output in the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. 

Device#configure crypto pki trustpoint ca-server-name import certificate

Enter the base 64 encoded CA certificate.

Enter quit to finish the certificate. 

Device#quit

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. 

Device#configure crypto pki trustpoint trustpoint-name delete

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary. 

Device#show crypto pki trustpoint

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. 

Device#show crypto pki trustpoint trustpoint-name certificate

Configure trustpoint auto-enrollment for WGB

Procedure

Step 1

Use the configure crypto pki trustpoint ca-server-name enrollment url ca-server-url command to enroll a trustpoint in the WGB using the server URL. 

Device#configure crypto pki trustpoint ca-server-name enrollment url ca-server-url

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint. 

Device#configure crypto pki trustpoint ca-server-name authenticate

This command fetches the CA certificate from CA server automatically.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. 

Device#configure crypto pki trustpoint ca-server-name key-size key-length

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. 

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to enroll the trustpoint. 

Device#configure crypto pki trustpoint ca-server-name enroll

Request the digitally signed certificate from the CA server.

Step 6

Use the configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage command to enable auto-enroll. 

Device#configure crypto pki trustpoint ca-server-name auto-enroll enable renew-percentage

Note

 

Use the configure crypto pki trustpoint ca-server-name auto-enroll disable command to disable the auto-enroll.

Step 7

[Optional] Use the configure crypto pki trustpoint trustpoint-name delete command to delete a trustpoint. 

Device#configure crypto pki trustpoint trustpoint-name delete

Step 8

Use the show crypto pki trustpoint command to view the trustpoint summary. 

Device#show crypto pki trustpoint

Step 9

Use the show crypto pki trustpoint trustpoint-name certificate command to view the details of the certificate for a specific trustpoint. 

Device#show crypto pki trustpoint trustpoint-name certificate

Step 10

Use the show crypto pki timers command to view the public key infrastructure (PKI) timer information.

show crypto pki timers 

Device#show crypto pki timers

Configure manual certificate enrollment using TFTP server

Procedure

Step 1

Specify the enrollment method.

Use the configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name command to retrieve the CA and client certificate for a trustpoint. 

Device#configure crypto pki trustpoint ca-server-name enrollment tftp tftp-addr/file-name

Step 2

Use the configure crypto pki trustpoint ca-server-name authenticate command to authenticate a trustpoint manually. 

Device#configure crypto pki trustpoint ca-server-name authenticate

This retrieves and authenticates the CA certificate from the specified TFTP server. If the file specification is included, the WGB adds the extension .ca to the specified filename.

Step 3

Use the configure crypto pki trustpoint ca-server-name key-size key-length command to configure a private key size. 

Device#configure crypto pki trustpoint ca-server-name key-size key-length

Step 4

Use the configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email command to configure the subject-name. 

Device#configure crypto pki trustpoint ca-server-name subject-name name [Optional] 2ltr-country-code state-name locality org-name org-unit email

Step 5

Use the configure crypto pki trustpoint ca-server-name enroll command to generate a private key and Certificate Signing Request (CSR). 

Device#configure crypto pki trustpoint ca-server-name enroll

This generates certificate request and sends the request to the TFTP server. The filename to be written is appended with the .req extension.

Step 6

Use the configure crypto pki trustpoint ca-server-name import certificate command to import the signed certificate in WGB. 

Device#configure crypto pki trustpoint ca-server-name import certificate

The console terminal uses TFTP to import a certificate and the WGB tries to get the approved certificate from the TFTP. The filename to be written is appended with the .crt extension.

Step 7

Use the show crypto pki trustpoint command to view the trustpoint summary. 

Device#show crypto pki trustpoint

Step 8

Use the show crypto pki trustpoint trustpoint-name certificate command to view the content of the certificates that are created for a trustpoint. 

Device#show crypto pki trustpoint trustpoint-name certificate

SSID configuration

SSID configuration consists of the following two parts:

  1. Create an SSID profile

  2. Configuring Radio Interface for Workgroup Bridges

Create an SSID profile

Choose one of these authentication protocols to configure the SSID profile:

  1. Open authentication

  2. PSK authentication

    • PSK WPA2 authentication

    • PSK Dot11r authentication, and

    • PSK Dot11w authentication.

  3. Dot1x authentication

Configure an SSID profile using open authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open command to configure an SSID profile using open authentication. 

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication open

Configure an SSID profile using PSK authentication

Choose one of these authentication protocols to configure an SSID profile using PSK authentication:

  • configure an SSID profile using PSK WPA2 authentication

  • configure an SSID profile using PSK Dot11r authentication, and

  • configure an SSID profile using PSK Dot11w authentication .

Configure an SSID profile using PSK WPA2 authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2 command to configure an SSID profile using PSK WPA2 authentication. 

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management wpa2
Configure an SSID profile using PSK Dot11r authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r command to configure an SSID profile using PSK Dot11r authentication. 

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11r
Configure an SSID profile using PSK Dot11w authentication

Use the configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w command to configure an SSID profile using PSK Dot11w authentication 

Device#configure ssid-profile ssid-profile-name ssid SSID_name authentication psk preshared-key key-management dot11w

Configure an SSID profile using Dot1x authentication

Use the configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}} command to configure an SSID profile using Dot1x authentication. 

Device#configure ssid-profile ssid-profile-name ssid radio-serv-name authentication eap profile eap-profile-name key-management { dot11r | wpa2 | dot11w { optional | required}}
Configure an SSID profile using Dot1x EAP-PEAP authentication

Here is an example that shows the configuration of an SSID profile using Dot1x EAP-PEAP authentication:

Device#configure dot1x credential c1 username wgbusr password cisco123456
Device#configure eap-profile p1 dot1x-credential c1
Device#configure eap-profile p1 method peap
Device#configure ssid-profile iot-peap ssid iot-peap authentication eap profile p1 key-management wpa2

Configuring Radio Interface for Workgroup Bridges

  • From the available two radio interfaces, before configuring WGB mode on one radio interface, configure the other radio interface to root-ap mode.

    Map a radio interface as root-ap by entering this command:

    # configure dot11radio radio-interface mode root-ap

    Example

    # configure dot11radio 0 mode root-ap

    Note
    When an active SSID or EAP profile is modified, you need to reassociate the profile to the radio interface for the updated profile to be active.

  • Map a radio interface to a WGB SSID profile by entering this command:

    # configure dot11radio radio-interface mode wgb ssid-profile ssid-profile-name

    Example

    # configure dot11radio 1 mode wgb ssid-profile psk_ssid

  • Configure a radio interface by entering this command:

    # configure dot11radio radio-interface{ enable | disable }

    Example

    # configure dot11radio 0 disable

    Note

    After configuring the uplink to the SSID profile, we recommend you to disable and enable the radio for the changes to be active.

Note

Only one radio or slot is allowed to operate in WGB mode.

Configuring Workgroup Bridge Timeouts

The timer configuration CLIs are common for both WGB and uWGB. Use the following commands to configure timers:

  • Configure the WGB association response timeout by entering this command:

    # configure wgb association response timeout response-millisecs

    The default value is 5000 milliseconds. The valid range is between 300 and 5000 milliseconds.

  • Configure the WGB authentication response timeout by entering this command:

    # configure wgb authentication response timeout response-millisecs

    The default value is 5000 milliseconds. The valid range is between 300 and 5000 milliseconds.

  • Configure the WGB EAP timeout by entering this command:

    # configure wgb eap timeout timeout-secs

    The default value is 3 seconds. The valid range is between 2 and 60 seconds.

  • Configure the WGB bridge client response timeout by entering this command:

    # configure wgb bridge client timeout timeout-secs

    Default timeout value is 300 seconds. The valid range is between 10 and 1000000 seconds.

Flex Antenna Band Configuration

Flex antenna band configuration is supported on IW6300, ESW6300, and WP-WiFi6.

Use the following command to set antenna band to dual or single:
# configure wgb antenna band mode {dual|single}
Use the following command to check if WGB antenna band is set successfully:
# show configuration | inc Band

For WP- WiFi6, use the following command to check WGB antenna band set by GPIO values. For single band: GPIO_34 : 0, GPIO_35 : 1. For dual band: GPIO_34 : 1, GPIO_35 : 0. 

# show capwap client config | inc GPIO
GPIO_34                            : 1
GPIO_35                            : 0

Note

IW6300 and ESW6300 do not support to check GPIO values.