interface-config-radio-instance
Configures the client-bridge (CB) parameters for radios with rf-mode set to bridge. When configured as a client bridge, the radio can authenticate and associate to the WLAN hosted on the infrastructure access point. After successfully associating with the infrastructure WLAN, the CB access point switches frames between its bridge radio and wired/wireless client(s) connected either to its GE port(s) or to the other radio, there by providing the clients access to the infrastructure WLAN resources.
This command configures settings that define the authentication-type and encryption-type used by the CB AP to associate and communicate with the infrastructure AP. It also configures other parameters, such as channel-dwell time, wlan ssid, etc.
Note
Radios configured to form the client-bridge will not service wireless clients as their RF mode is set to bridge.bridge [authentication-type|channel-dwell-time|channel-list|connect-through-bridges|eap| encryption-type|inactivity-timeout|keepalive|max-clients|on-link-loss|on-link-up|ssid| roam-criteria|wpa-wpa2]
bridge authentication-type [eap|none]
bridge eap [password|trustpoint|type|username]
bridge eap type [peap-mschapv2|tls]
bridge eap password <PASSWORD>
bridge eap username <USERNAME>
bridge eap trustpoint [ca|client] <TRUSTPOINT-NAME>
bridge eap trustpoint on-cert-expiry [continue|discontinue]
bridge channel-dwell-time <50-2000>
bridge channel-list [2.4GHz|5GHz] <LIST>
bridge connect-through-bridges
bridge encryption-type [ccmp|none|tkip]
bridge inactivity-timeout <0-864000>
bridge keepalive [frame-type [null-data|wnmp]|interval <0-36000>]
bridge max-clients <1-64>
bridge on-link-loss shutdown-other-radio <1-1800>
bridge on-link-up refresh-vlan-interface
bridge roam-criteria [missed-beacon <1-60>|rssi-threshold <-128--40>]
bridge ssid <SSID>
bridge wpa-wpa2 psk <LINE>
bridge [authentication-type [eap|none]]
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
authentication-type [eap|none] | Configures the
authentication framework used between the client-bridge and infrastructure
WLAN APs.
|
bridge eap type [peap-mschapv2|tls]
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
eap type [peap-mschapv2|tls] | If selecting EAP
authentication, specify the EAP authentication type to use. The options
are:
‘ ‘
Ensure that the authentication-type configured on the CB AP is the same as that on the infrastructure WLAN. |
bridge eap username <USERNAME>
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
eap username <UESERNAME> | Configures
username used for authentication with the RADIUS server host
|
bridge eap password <PASSWORD>
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
eap password <PASSWORD> | If EAP
authentication type is set to PEAP-MSCHAPv2, use this option to configure
the password used for authentication. The password specified here should be
associated with the username configured in the RADIUS server policy used on
the RADIUS server host.
|
bridge eap trustpoint [client <TRUSTPOINT-NAME>|ca <TRUSTPOINT-NAME>]
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
eap trustpoint | If EAP
authentication type is set to EAP-TLS, use this command to configure TP
(trustpoint) details. In EAP-TLS authentication, the CB AP and RADIUS server host authenticate each other using TPs. A TP contains the CA certificate and the CA-signed certificate authenticating the device. To enable TP-based authentication, both the CB AP and the RADIUS server host must use the same CA as the certifying authority. |
client <TRUSTPOINT-NAME> | Configures the
Client-TP name
(this is the TP installed on the CB AP). When configured, the certificate
installed on the CB AP is sent across a TLS tunnel and matched for
authentication at the RADIUS server host.
For more information, see trustpoint (device-config-mode). |
ca <TRUSTPOINT-NAME> | This
configuration is applicable to both the EAP-TLS and PEAP-MSCHAPv2
authentication types. Configure this option only if you want to enable
RADIUS server certificate validation at the client end. This configuration
is not mandatory for enabling TP-based authentication of CB AP.
|
bridge eap trustpoint on-cert-expiry [continue|discontinue]]
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
eap trustpoint on-cert-expiry [continue|discontinue] | If EAP
authentication type is set to EAP-TLS, a CA-signed certificate is used to
authenticate the CB AP and RADIUS server host to establish the wireless CB.
Use this command to specify whether the wireless CB is to be continued or
terminated on expiration of this certificate.
|
bridge [channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges| encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]| interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>| on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]
bridge | Configures
client-bridge related parameters on the selected radio Note: Prior to configuring the
client-bridge parameters, set the radio‘s rf-mode to
bridge.
|
channel-dwell-time <50-2000> | Configures the
channel-dwell time in milliseconds. This is the time the client-bridge radio
dwells on each channel (configured in the channel-list) when scanning for an
infrastructure WLAN.
|
channel-list [2.4GHz|5GHz] <LIST> | Configures the
list of channels the radio scans when scanning for an infrastructure WLAN
access point to associate
The following parameter is common to both of the 2.4 GHZ and 5.0 GHz bands:
|
connect-through-bridges | Enables the client-bridge access point radio to connect to an infrastructure WLAN, which already has other client-bridge radios associated with it. The client-bridge access points, in this scenario, are said to be daisy chained together. |
encryption-type [ccmp|none|tkip] | Configures the
encryption mode. The encryption mode specified here should be the same as
that configured on the infrastructure WLAN. The options are:
If using CCMP or TKIP, use the ‘wpa2-wpa2‘ keyword to configure the pre-shared key (PSK). |
inactivity-timeout <0-864000> | Configures the
inactivity timeout for each bridge MAC address. This is the time for which
the client-bridge access point waits before deleting a MAC address from
which a frame has not been received for more than the time specified here.
For example, if the inactivity time is set at 120 seconds, and if no frames
are received from a MAC address for 120 seconds, it is deleted. The default
value is 600 seconds.
|
keepalive [frame-type [null-data|wnmp]| interval <0-36000>] | Configures the
keep-alive frame type and interval
|
max-clients <1-64> | Configures the
maximum number of clients that the client-bridge AP can support
|
on-link-loss shutdown-other-radio <1-1800> | Configures the
radio-link behaviour when the link between the client-bridge and
infrastructure access points is lost.
|
on-link-up refresh-vlan-interface | Configures the
radio-link behaviour when the link between the client-bridge and
infrastructure access points comes up.
|
roam-criteria [missed-beacons <1-60>| rssi-threshold <-128--40>] | Configures the
following roaming criteria parameters
|
ssid <SSID> | Configures the
infrastructure WLAN SSID the client bridge connects to
|
wpa-wpa2 psk <LINE> | Configures the
encryption PSK to use with the infrastructure WLAN
|
Use the following commands to view client-bridge configuration:
show > wireless > bridge
> config
Shows the current client bridge configuration.
show > wireless > bridge
> candidate-ap
Shows the available infrastructure WLAN candidates that are found during the last scan.
show > wireless > bridge
> host
Shows the wired/wireless clients that are being bridged.
show > wireless > bridge
> statistics > rf
Shows the client bridge RF statistics.
show > wireless > bridge
> statistics > traffic
Shows the client bridge traffic statistics.
show > wireless > bridge
> certificate > status
Shows the client bridge authentication certificate status.
Use the following command on the CB AP and the RADIUS server host to view installed TP details:
show > crypto > pki >
trustpoints
Example - CB with authentication ‘none‘ and encryption ‘ccmp‘
The following example shows the basic parameters that need to be configured on the Infrastructure and the CB APs in order to enable the CB AP to associate with the Infrastructure WLAN. Note, in this example, the authentication mode is set to ‘none‘ and the encryption-type is set to ‘ccmp‘. The authentication and encryption modes used will vary as per requirement.
InfrastrNOC(config)#show running-config wlan cb-psk wlan cb-psk ssid cb-psk bridging-mode local encryption-type ccmp authentication-type none wpa-wpa2 psk 0 extreme@123 InfrastrNOC(config)#
InfrastrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#wlan cb-psk
InfrastrAP(config)#show wireless radio ---------------------------------------------------------------------------------------------- RADIO RADIO-MAC RF-MODE STATE CHANNEL POWER #CLIENT ---------------------------------------------------------------------------------------------- InfrastrAP:R1 B4-C7-99-5E-51-40 2.4GHz-wlan Off N/A ( smt) 0 (smt) 0 InfrastrAP:R2 B4-C7-99-5E-1A-40 5GHz-Wlan On 165 ( 165) 17 (smt) 2 ---------------------------------------------------------------------------------------------- Total number of radios displayed: 2 InfrastrAP(config)#
ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#rf-mode bridge ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge ssid cb-psk ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge encryption-type ccmp ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge authentication-type none ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge wpa-wpa2 psk extreme@123 ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#show context interface radio2 rf-mode bridge bridge ssid cb-psk bridge encryption-type ccmp bridge wpa-wpa2 psk 0 extreme@123 ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)# Note, bridge SSID, encryption-type, and authentication mode are the same as that of the Infrastructure WLAN.
ClientBridgeAP#show wireless radio ---------------------------------------------------------------------------------------------- RADIO RADIO-MAC RF-MODE STATE CHANNEL POWER #CLIENT ---------------------------------------------------------------------------------------------- ClientBridgeAP:R1 84-24-8D-AC-2D-B0 2.4GHz-wlan Off N/A ( smt) 0 (smt) 0 ClientBridgeAP:R2 84-24-8D-AC-CC-10 bridge On 165 ( smt) 20 (smt) 0 ---------------------------------------------------------------------------------------------- Total number of radios displayed: 2 =================================================== ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
ClientBridgeAP(config-device-84-24-8D-85-B2-74)#show wireless bridge candidate-ap 84-24-8D-AC-CC-10 Client Bridge Candidate APs: AP-MAC BAND CHANNEL SIGNAL(dbm) STATUS B4-C7-99-5E-1A-40 5 GHz 165 -21 selected Total number of candidates displayed: 1 Total number of client bridges displayed: 1 ======================================================= ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
ClientBridgeAP(config-device-84-24-8D-85-B2-74)#show wireless bridge hosts ----------------------------------------------------------------------------- HOST MAC BRIDGE MAC IP BRIDGING STATUS ACTIVITY (sec ago) ----------------------------------------------------------------------------- 84-24-8D-85-B2-74 84-24-8D-AC-CC-10 10.1.0.249 UP 00:00:07 ----------------------------------------------------------------------------- Total number of hosts displayed: 1 ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
InfrastrAP7532(config)#show running-config wlan cb-tp wlan cb-tp ssid cb-tp bridging-mode local encryption-type ccmp authentication-type eap InfrastrAP7532(config)#
InfraStrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#show context interface radio2 wlan cb-tp bss 1 primary InfraStrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#
InfraStrAP(config)#show wireless radio ---------------------------------------------------------------------------------------------- RADIO RADIO-MAC RF-MODE STATE CHANNEL POWER #CLIENT ---------------------------------------------------------------------------------------------- InfraStrAP:R1 B4-C7-99-5E-51-40 2.4GHz-wlan Off N/A ( smt) 0 (smt) 0 InfraStrAP:R2 B4-C7-99-5E-1A-40 5GHz-Wlan On 165 ( 165) 17 (smt) 2 ---------------------------------------------------------------------------------------------- Total number of radios displayed: 2 InfraStrAP(config)#
RADServer(config-radius-user-pool-cb-tp)#show context radius-user-pool-policy cb-tp user admin password 0 extreme@123 RADServer(config-radius-user-pool-cb-tp)#
Note
In case of EAP-TLS authentication, the username configured here should be the “common name” on the client certificate.RADServer(config-radius-server-policy-cb-tp)#show context radius-server-policy cb-tp use radius-user-pool-policy cb-tp RADServer(config-radius-server-policy-cb-tp)#
RADServer(config-device-74-67-F7-07-02-35)#use radius-server-policy cb-tp
RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-server serverTP
RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-ca serverTP
Note
Ensure that the trustpoint is existing and installed on the RADIUS server. Also ensure that the RADIUS server host and CB AP are using the same CA for certification.clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#show context interface radio2 rf-mode bridge channel smart power smart data-rates default no preamble-short bridge ssid cb-tp bridge encryption-type ccmp bridge authentication-type eap bridge eap username admin bridge eap trustpoint client clientTP bridge eap type tls clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#
Note
In case of EAP-TLS authentication, the username configured here should be the “common name” on the client certificate.Note
Ensure that the CB AP and RADIUS server host are using the same CA for certification.clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#trustpoint radius-ca clientTP
Note
This is an optional parameter that provides additional security and is applicable for EAP-TLS and PEAP-MSCHAPv2 authentication modes.no (radio-interface-config-command) | Removes or resets this client-bridge settings |