A workgroup bridge (WGB) is an Access Point (AP) mode to provide wireless connectivity to wired clients that are connected to the Ethernet port of the WGB AP. A WGB connects a wired network over a single wireless segment by learning the MAC addresses of its wired clients on the Ethernet interface and reporting them to the WLC through infrastructure AP using Internet Access Point Protocol (IAPP) messaging. The WGB establishes a single wireless connection to the root AP, which in turn, treats the WGB as a wireless client.

Universal WGB (uWGB) is a complementary mode of WGB feature that acts as a wireless bridge between the wired client connected to uWGB and wireless infrastructure including Cisco and non-Cisco wireless network. One of the wireless interface is used to connect with the access point. The radio MAC is used to associate AP.

Starting from Cisco IOS XE Dublin 17.11.1, WGB is supported on the Cisco Catalyst IW9167E Heavy Duty Access Points.

This section provides limitations and restrictions for WGB and uWGB modes.

• The WGB can associate only with Cisco lightweight access points. The universal WGB can associate to a third party access point.

• In a Meraki wireless infrastructure that uses WPA1 security, uWGB do not associate with any SSIDs.

• Speed and duplex are automatically negotiated based on the capabilities of the locally connected endpoint and cannot be manually configured on the AP’s wired 0 and wired 1 interfaces.

• Per-VLAN Spanning Tree (PVST) and packets are used to detect and prevent loops in the wired and wireless switching networks. WGB transparently bridge STP packets. WGB can bridge STP packets between two wired segments. Incorrect or inconsistent configuration of STP in the wired segments can cause WGB wireless link to be blocked by the connected switch(es) to Access Point or WGB. This could cause WGB to disconnect from AP or AP disconnection to Controller to drop, and wired clients not receiving IP addresses, as STP begins to block switch port in the wired network. If administrator needs to disable bridging of STP between the wired segments by the WGB, we recommend disabling the STP on the directly connected switches in the wireless network.

• The following features are not supported for use with a WGB:

  • Idle timeout

  • Web authentication

• With Layer 3 roaming, if you plug a wired client into the WGB network after the WGB has roamed to another controller (for example, to a foreign controller), the wired client’s IP address displays only on the anchor controller, not on the foreign controller.

• When you deauthenticate a WGB record from a controller, all of the WGB wired clients’ entries are also deleted.

• These features are not supported for wired clients connected to a WGB:

  • MAC filtering

  • Link tests

  • Idle timeout

• Associating a WGB to a WLAN that is configured for Adaptive 802.11r is not supported.

• WGB supports IPv6 only when IPv4 is enable. But there is no impact on WGB wired clients IPv6 traffic.

• WGB management IPv6 does not work after WGB uplink association is completed. WGB can get an IPv6 address when the association is successful. But IPv6 ping will not be passed from or to WGB. SSH from wireless or wired client to WGB management IPv6 is not working. The workaround to bypass the pingable issue is to re-enable IPv6, even though IPv6 has already been enabled and the IPv6 address has been assigned.

• uWGB mode does not support SSH connecting to itself.

• uWGB mode supports neither TFTP nor SFTP. For software upgrade, you should perform it from WGB mode. For more information, see uWGB Image Upgrade.

• uWGB does not support host IP service. Some functions, such as image upgrade via radio uplink and remote management via SSH session, are not supported.

• For IW9167EH WGB/uWGB mode, the packet retries [N] drop command does not work in IOS XE Release 17.11.1.

• DFS channels are supported on IW9167EH WGB/uWGB from Release 17.13.1.

• Only Dot11Radio 0 and Dot11Radio 1 interfaces can be used as wireless uplink on IW9167EH WGB/uWGB.

• When the infrastructure AP operates on a non-DFS (Dynamic Frequency Selection) channel and changes its channel bandwidth, the WGB stays connected to the infrastructure AP using the original channel bandwidth.

  To make sure the WGB connects to the AP with the correct channel bandwidth. Use wireless client mac-address <wgb-wireless-client-mac-address> deauthenticate command on the wireless controller to deauthenticate the WGB wireless client.

It is required to set a strong password for WGB/uWGB after first login. The username and strong password should follow these rules:

1. Username length is between 1 and 32 characters.

2. Password length is between 8 to 120 characters.

3. Password must contain at least one uppercase character, one lowercase character, one digit, and one punctuation.

4. Password can contain alphanumeric characters and special characters (ASCII decimal code from 33 to 126), but the following special characters are not permitted: " (double quote), ' (single quote), ? (question mark).

5. Password cannot contain three sequential characters.

6. Password cannot contain three same characters consecutively.

7. Password cannot be the same as or reverse of the username.

8. New password must have at least four different characters compared to the current password.

For example, by default, the credential is

• username: Cisco

• password: Cisco

• enable password: Cisco

To reset the credential with the following strong password:

• username: demouser

• password: DemoP@ssw0rd

• enable password: DemoE^aP@ssw0rd

User Access Verification
Username: Cisco
Password: Cisco

% First Login: Please Reset Credentials

Current Password:Cisco
Current Enable Password:Cisco
New User Name:demouser
New Password:DemoP@ssw0rd
Confirm New Password:DemoP@ssw0rd
New Enable Password:DemoE^aP@ssw0rd
Confirm New Enable Password:DemoE^aP@ssw0rd

% Credentials changed, please re-login

[*04/18/2023 23:53:44.8926] chpasswd: password for user changed
[*04/18/2023 23:53:44.9074]
[*04/18/2023 23:53:44.9074] Management user configuration saved successfully
[*04/18/2023 23:53:44.9074]


User Access Verification
Username: demouser
Password: DemoP@ssw0rd
APFC58.9A15.C808>enable
Password:DemoE^aP@ssw0rd
APFC58.9A15.C808#

Note	In above example, all passwords are displayed in plain text for demonstration purpose. In real case, they are hidden by asterisks (*).

For a WGB to join a wireless network, you need to configure specific settings on the WLAN and related policy profile on the controller.

Follow these steps to configure the Cisco Client Extensions option and set the support of Aironet IE in the WLAN:

1. Enter WLAN configuration submode. The profile-name is the profile name of the configured WLAN.

   #wlan profile-name

2. Configure the Cisco Client Extensions option and set the support of Aironet IE on the WLAN.

   #ccx aironet-iesupport

   Note	Without this configuration, WGB is not able to associate to AP.

Follow these steps to configure WLAN policy profile:

1. Enter wireless policy configuration mode.

   #wireless profile policy profile-policy

2. Assign the profile policy to the VLAN.

   #vlan vlan-id

3. Configure WGB VLAN client support.

   #wgb vlan

The typical WGB configuration involves the following steps:

1. Create an SSID profile.

2. Configure radio as workgroup, and associate the SSID profile to the radio.

3. Turn on the radio.

WGB uplink supports various security methods, including:

• Open (unsecured)

• PSK

• Dot1x (LEAP, PEAP, FAST-EAP, TLS)

Note

Ensure that the below configuration order is followed when EAP-TLS security is desired on the WGB: Configure the device username/password, NTP server, hostname, and valid IP address. Create trustpoints and import the certificates using your preferred method. (Optional) Configure the dot1x credentials. Create the EAP profile and map the method, trustpoint name and dot1x credentials (optional). Bind the EAP profile to the SSID profile. Bind the SSID profile to the preferred radio.

The following is an example of Dot1x FAST-EAP configuration:

configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 0 mode wgb ssid-profile demo-FAST
configure dot11radio 0 enable

The following sections provide detailed information about WGB configuration.

The universal WGB is able to interoperate with non-Cisco access points using uplink radio MAC address, thus the universal workgroup bridge role supports only one wired client.

Most WGB configurations apply to uWGB. The only difference is that you configure wired client’s MAC address with the following command:

configure dot11 <0|1 > mode uwgb <uwgb_wired_client_mac_address > ssid-profile <ssid-profile >

The following is an example of Dot1x FAST-EAP configuration:

configure dot1x credential demo-cred username demouser1 password Dem0Pass!@
configure eap-profile demo-eap-profile dot1x-credential demo-cred
configure eap-profile demo-eap-profile method fast
configure ssid-profile demo-FAST ssid demo-fast authentication eap profile demo-eap-profile key-management wpa2
configure dot11radio 0 mode uwgb fc58.220a.0704 ssid-profile demo-FAST
configure dot11radio 0 enable

The following sections provide detailed information about uWGB configuration.

To convert from WGB to uWGB, use the following command:

#configure dot11radio <0 |1 > mode uwgb <WIRED_CLIENT_MAC > ssid-profile <SSID_PROFILE_NAME >

To convert from uWGB to WGB, use the following command. This conversion involves a reboot of the AP.

#configure Dot11Radio 1 mode wgb ssid-profile <SSID_PROFILE_NAME>

 This command will reboot with downloaded configs.
 Are you sure you want continue? [confirm]

IW9167EH is equipped with dual 5G radios. Only the first 5G (radio 1) can be used as uplink. With proper configuration, the second 5G can accelarate scanning in roaming.

Note	This feature is supported only on WGB mode, and is not supported on uWGB mode.

To enable this feature, use the following command:

#configure dot11radio 2 mode scan

When the assistant scanning feature is enabled, the second radio keeps scanning configured SSID based on the channel list. By defualt, the channel list contains all supported 5G channels (based on reg domain).

You can also configure the channel list explicitly, using the following command:

#configure wgb mobile station interface dot11Radio 1 scan <channel> [add|delete]

By default, candidate AP entries in scanning table ages out in 1200 ms. You can adjust the timer by the following command:

#configure wgb scan radio 2 timeout
  <1-5000>  Scanning ap expire time

Note	AP selection algorithm picks candidate with best RSSI from the scanning table. In some cases, the RSSI values are out-of-date. This can lead to a failed roaming.

Note	It is recommended to make the second 5G radio (antenna port 5-8) have the same antenna installation as the first 5G radio (antenna port 1-4).

Check the scanning table by using the following command:

#show wgb scan
Best AP expire time: 5000 ms

************[ AP List ]***************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:E2:4F     84     136       1531
FC:58:9A:15:DE:4F     37     136       41

***********[ Best AP ]****************
BSSID                RSSI   CHANNEL   Time
FC:58:9A:15:DE:4F    37     136       41

Two new LED patterns are added to IW9167EH WGB mode:

• When WGB is in disassociated state, the System LED is blinking RED.

• When WGB makes association to parent AP, System LED turns to solid GREEN.

On day 0, you should assign proper country code to the WGB/uWGB with -ROW reg domain. WGB will load corresponding power table after rebooting.

To assign country code, use the following command:

#configure countrycode
  Supported ROW country codes:
  GB VN

  WORD  Select one of above ROW country codes.

Note	After the ROW country code is configured, if you want to change the configuration to another country, you need to perform a factory reset first, and then configure the new country code.

IW9167EH supports indoor deployment for -E domain and GB in -ROW domain .

For outdoor mode, the IW9167EH 5G radio supports channels 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140. When indoor deployment is enabled, 5G radio supports channels 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140.

To configure indoor mode, use the configure wireless indoor-deployment enable command.

To disable indoor mode, use the configure wireless indoor-deployment disable command.

#configure wireless indoor-deployment
  disable  Disable indoor deployment
  enable   Enable indoor deployment

You can check the indoor or outdoor mode by using the show controllers Dot11Radio [1|2] command. In the command output, "-Ei" means the indoor mode is enabled, and "-E" means indoor mode is disabled, as shown in the following examples. The CLI output also shows the supported channels.

#show controllers Dot11Radio [1|2]
…
Radio Info Summary:
=======================
Radio: 5.0GHz
Carrier Set: (-Ei)  ( GB )
Base radio MAC: FC:58:9A:15:B7:C0
Supported Channels:
36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140

#show controllers Dot11Radio [1|2]
…
Radio Info Summary:
=======================
Radio: 5.0GHz
Carrier Set: (-E)  ( GB )
Base radio MAC: FC:58:9A:15:B7:C0
Supported Channels:
100 104 108 112 116 120 124 128 132 136 140

Use the following command to configure the threshold duration and signal strength to trigger reconnecting. Default value is: period 20s and threshold -70db.

# configure wgb mobile period <time> <rssi-threshold>

Use the following command to configure beacon miss count to trigger reconnecting. Default value is 10.

# config wgb beacon miss-count <count>

Use the following command to configure max packet retry to trigger reconnecting. Default value is 64.

# configure wgb packet retries <retry-count>

Use the following command to configure the static roaming channel:

# configure wgb mobile station interface dot11Radio <slot_id> scan <channel_id> add

Use the following command to delete the mobile channel:

# configure wgb mobile station interface dot11Radio <slot_id> scan <channel_id> delete

Use the following command to scan all channels:

# configure wgb mobile station interface Dot11Radio 1 scan all

You can upload the working configuration of an existing WGB to a server, and then download it to the new deployed WGBs.

To upload the configuration to a server, use the following command:

#copy configuration upload <sftp:|tftp://> ip-address [directory] [file-name]

To download a sample configuration to all WGBs in the deployment, use the following command:

#copy configuration download <sftp:|tftp://> ip-address [directory] [file-name]

The access point will reboot after the copy configuration download command is executed. The imported configuration will take effect after the rebooting.

Use the show run command to check whether the AP is in WGB mode or uWGB mode.

• WGB:

  #show run
  AP Name              : APFC58.9A15.C808
  AP Mode              : WorkGroupBridge
  CDP State            : Enabled
  Watchdog monitoring  : Enabled
  SSH State            : Disabled
  AP Username          : admin
  Session Timeout      : 300
   
   
  Radio and WLAN-Profile mapping:-
  ====================================
  Radio ID    Radio Mode    SSID-Profile                    SSID
            Authentication
  --------------------------------------------------------------------------------
  --------------------------
  1           WGB           myssid                          demo
            OPEN
   
   
  Radio configurations:-
  ===============================
  Radio Id             : NA
     Admin state       : NA
     Mode              : NA
  Radio Id             : 1
     Admin state       : DISABLED
     Mode              : WGB
     Dot11 type        : 11ax
  Radio Id             : NA
     Admin state       : NA
     Mode              : NA
   

• uWGB:

  #show run
  AP Name              : APFC58.9A15.C808
  AP Mode              : WorkGroupBridge
  CDP State            : Enabled
  Watchdog monitoring  : Enabled
  SSH State            : Disabled
  AP Username          : admin
  Session Timeout      : 300
   
   
  Radio and WLAN-Profile mapping:-
  ====================================
  Radio ID    Radio Mode    SSID-Profile                    SSID
            Authentication
  --------------------------------------------------------------------------------
  --------------------------
  1           UWGB          myssid                          demo
            OPEN
   
   
  Radio configurations:-
  ===============================
  Radio Id             : NA
     Admin state       : NA
     Mode              : NA
  Radio Id             : 1
     Admin state       : DISABLED
     Mode              : UWGB
     Uclient mac       : 0009.0001.0001
     Current state     : WGB
     UClient timeout   : 0 Sec
     Dot11 type        : 11ax
  Radio Id             : NA
     Admin state       : NA
     Mode              : NA
  

Use the show wgb dot11 associations command to verify the configuration of WGB and uWGB.

• WGB:

  #show wgb dot11 associations
  Uplink Radio ID : 1
  Uplink Radio MAC : 00:99:9A:15:B4:91
  SSID Name : roam-m44-open
  Parent AP Name : APFC58.9A15.C964
  Parent AP MAC : 00:99:9A:15:DE:4C
  Uplink State : CONNECTED
  Auth Type : OPEN
  Dot11 type : 11ax
  Channel : 100
  Bandwidth : 20 MHz
  Current Datarate (Tx/Rx) : 86/86 Mbps
  Max Datarate : 143 Mbps
  RSSI : 53
  IP : 192.168.1.101/24
  Default Gateway : 192.168.1.1
  IPV6 : ::/128
  Assoc timeout : 100 Msec
  Auth timeout : 100 Msec
  Dhcp timeout : 60 Sec

• uWGB:

  #show wgb dot11 associations
  Uplink Radio ID : 1
  Uplink Radio MAC : 00:09:00:01:00:01
  SSID Name : roam-m44-open
  Parent AP MAC : FC:58:9A:15:DE:4C
  Uplink State : CONNECTED
  Auth Type : OPEN
  Uclient mac : 00:09:00:01:00:01
  Current state : UWGB
  Uclient timeout : 60 Sec
  Dot11 type : 11ax
  Channel : 36
  Bandwidth : 20 MHz
  Current Datarate (Tx/Rx) : 77/0 Mbps
  Max Datarate : 143 Mbps
  RSSI : 60
  IP : 0.0.0.0
  IPV6 : ::/128
  Assoc timeout : 100 Msec
  Auth timeout : 100 Msec
  Dhcp timeout : 60 Sec