IOS Bridges with LEAP Authentication


It is possible to build a bridge with 1200 APs and to carry multiple VLANs over this link.

In bridge installations, you can only have one infrastructure SSID. The infrastructure SSID must be the SSID that correlates to the Native VLAN.

To have all traffic encrypted, only the native VLAN needs to be created and encrypted. All other allowed VLANs will pass through the link.

The configuration of the root bridge with clients and LEAP authentication:
Root bridge LEAP:

aaa new-model

!
aaa group server radius rad_eap
server 192.168.5.62 auth-port 1812 acct-port 1813

aaa authentication login eap_methods group rad_eap

dot11 ssid apbridge
vlan 5
authentication network-eap eap_methods

interface Dot11Radio0
encryption vlan 5 mode wep mandatory
!
ssid apbridge
station-role root bridge wireless-clients
!
interface Dot11Radio0.5
encapsulation dot1Q 5 native
bridge-group 1

!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
!

interface FastEthernet0.5
encapsulation dot1Q 5 native
bridge-group 1
!
interface FastEthernet0.10
encapsulation dot1Q 10
bridge-group 10
!
interface BVI1
ip address 192.168.5.62 255.255.255.0
no ip route-cache
!

ip radius source-interface BVI1
!
radius-server local
nas 192.168.5.62 key 7 00071A150754
user ap1242_6 nthash 7 075A02141E593F544433582F21727D010C6160764323325724010A0B027157224A
user leap nthash 7 115C3A5D47422D5D570B78070D6B63073755435751727D0C76035D504933007905
!
radius-server host 192.168.5.62 auth-port 1812 acct-port 1813 key 7 02050D480809

The non-root bridge, with LEAP authentication to the root bridge:
dot11 ssid apbridge
vlan 5
authentication network-eap eap_methods
authentication client username ap1242_6 password 7 01100F175804
infrastructure-ssid

interface Dot11Radio0
encryption vlan 5 mode wep mandatory
ssid apbridge
!
interface Dot11Radio0.5
encapsulation dot1Q 5 native
bridge-group 1
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
!
interface FastEthernet0.5
encapsulation dot1Q 5 native
bridge-group 1
!
interface FastEthernet0.10
encapsulation dot1Q 10
bridge-group 10
!

Although there is only one SSID between the root and non-root bridge, all VLAN traffic (in this case VLAN 5 and VLAN 10) will pass over the link.
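The rules stated above (one infrastructure SSID, that SSID on the native VLAN, encryption applied to the native VLAN) can be checked mechanically before a bridge config is deployed. The following is an added example, not part of the original post or of any Cisco tool; the function names parse and audit are hypothetical, and the sample is a trimmed, constructed copy of the non-root bridge config.

```python
import re

# Constructed sample: trimmed non-root bridge config using this page's values.
SAMPLE = """\
dot11 ssid apbridge
 vlan 5
 infrastructure-ssid
interface Dot11Radio0
 encryption vlan 5 mode wep mandatory
 ssid apbridge
interface Dot11Radio0.5
 encapsulation dot1Q 5 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
"""

def parse(config):
    """Group lines under 'dot11 ssid' / 'interface' headers (indentation ignored)."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("dot11 ssid ", "interface ")):
            current = sections.setdefault(line, [])
        elif current is not None and line and line != "!":
            current.append(line)  # trailing global commands land here; harmless
    return sections

def audit(config):
    """Return a list of findings; an empty list means the page's rules hold."""
    s, findings = parse(config), []
    native = {m.group(1) for cmds in s.values() for c in cmds
              if (m := re.fullmatch(r"encapsulation dot1Q (\d+) native", c))}
    if len(native) != 1:
        return [f"expected exactly one native VLAN, found {sorted(native)}"]
    native = native.pop()
    infra = [h.split()[-1] for h, cmds in s.items()
             if h.startswith("dot11 ssid ") and "infrastructure-ssid" in cmds]
    if len(infra) > 1:
        findings.append(f"more than one infrastructure SSID: {infra}")
    for name in infra:
        if f"vlan {native}" not in s[f"dot11 ssid {name}"]:
            findings.append(f"infrastructure SSID {name} is not on native VLAN {native}")
    enc = {m.group(1) for cmds in s.values() for c in cmds
           if (m := re.match(r"encryption vlan (\d+) mode ", c))}
    if native not in enc:
        findings.append(f"no encryption configured for native VLAN {native}")
    return findings
```

Calling audit() on the text of a saved config returns an empty list when the native VLAN, infrastructure SSID and encryption lines agree.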

A good link:
Using VLANs with Cisco Aironet Wireless Equipment

About Joost van der Made