bridge

interface-config-radio-instance

Configures the client-bridge (CB) parameters for radios with rf-mode set to bridge. When configured as a client bridge, the radio can authenticate and associate to the WLAN hosted on the infrastructure access point. After successfully associating with the infrastructure WLAN, the CB access point switches frames between its bridge radio and wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources.

This command configures settings that define the authentication-type and encryption-type used by the CB AP to associate and communicate with the infrastructure AP. It also configures other parameters, such as channel-dwell time, wlan ssid, etc.

Note

Radios configured to form the client-bridge will not service wireless clients as their RF mode is set to bridge.

Supported in the following platforms:

Syntax

bridge [authentication-type|channel-dwell-time|channel-list|connect-through-bridges|eap|
encryption-type|inactivity-timeout|keepalive|max-clients|on-link-loss|on-link-up|ssid|
roam-criteria|wpa-wpa2]
bridge authentication-type [eap|none]
bridge eap [password|trustpoint|type|username]
bridge eap type [peap-mschapv2|tls]
bridge eap password <PASSWORD>
bridge eap username <USERNAME>
bridge eap trustpoint [ca|client] <TRUSTPOINT-NAME>
bridge eap trustpoint on-cert-expiry [continue|discontinue]
bridge channel-dwell-time <50-2000>
bridge channel-list [2.4GHz|5GHz] <LIST>
bridge connect-through-bridges
bridge encryption-type [ccmp|none|tkip]
bridge inactivity-timeout <0-864000>
bridge keepalive [frame-type [null-data|wnmp]|interval <0-36000>]
bridge max-clients <1-64>
bridge on-link-loss shutdown-other-radio <1-1800>
bridge on-link-up refresh-vlan-interface
bridge roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]
bridge ssid <SSID>
bridge wpa-wpa2 psk <LINE>

Parameters

bridge [authentication-type [eap|none]]
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
authentication-type [eap|none] Configures the authentication framework used between the client-bridge and infrastructure WLAN APs.
  • eap – Uses EAP authentication (802.1X).
  • none – Uses no authentication. This is the default setting.
    Note: If selecting EAP authentication, use the 'bridge > eap > type' command to configure the type of EAP authentication to use.
bridge eap type [peap-mschapv2|tls]
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
eap type [peap-mschapv2|tls] If selecting EAP authentication, specify the EAP authentication type to use. The options are:
  • PEAP-MSCHAPv2 – Configures EAP authentication type as PEAP-MSCHAPv2. This mode uses a username/password for authentication of the CB AP by the RADIUS server host. This is the default setting.
    Note: If selecting this option, use the following commands to configure the username and password:

bridge > eap > username > <USER-NAME>

bridge > eap > password > <PASSWORD>

  • TLS – Configures EAP authentication type as TLS. This mode uses trustpoints (TPs) to authenticate the CB AP and RADIUS server host.
    Note: If selecting this option, use the 'bridge > eap > trustpoint' command to configure the TPs used for authentication.

Ensure that the authentication-type configured on the CB AP is the same as that on the infrastructure WLAN.

bridge eap username <USERNAME>
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
eap username <USERNAME> Configures the username used for authentication with the RADIUS server host
  • <USERNAME> – Specify the username.
    Note: PEAP-MSCHAPv2 – For PEAP-MSCHAPv2 authentication, the username specified here should be configured in the RADIUS server policy used on the RADIUS server host.

    TLS – For TLS authentication, use the username configured in the CN field of the installed PKCS #12 client certificate.

bridge eap password <PASSWORD>
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
eap password <PASSWORD> If EAP authentication type is set to PEAP-MSCHAPv2, use this option to configure the password used for authentication. The password specified here should be associated with the username configured in the RADIUS server policy used on the RADIUS server host.
  • password <PASSWORD> – Specify the password.
bridge eap trustpoint [client <TRUSTPOINT-NAME>|ca <TRUSTPOINT-NAME>]
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
eap trustpoint If EAP authentication type is set to EAP-TLS, use this command to configure TP (trustpoint) details.

In EAP-TLS authentication, the CB AP and RADIUS server host authenticate each other using TPs. A TP contains the CA certificate and the CA-signed certificate authenticating the device. To enable TP-based authentication, both the CB AP and the RADIUS server host must use the same CA as the certifying authority.

client <TRUSTPOINT-NAME> Configures the Client-TP name (this is the TP installed on the CB AP). When configured, the certificate installed on the CB AP is sent across a TLS tunnel and matched for authentication at the RADIUS server host.
  • <TRUSTPOINT-NAME> – Specify the TP name. This configuration is mandatory for enabling TP-based authentication of CB AP.
    Note: To view TP name, use the 'show > crypto > pki > trustpoint' command on the CB AP.
    Note: On the self of the RADIUS server host, execute the following commands:

    trustpoint > radius-server > <TRUSTPOINT-NAME> - This is the RADIUS server TP name.

    trustpoint > radius-ca > <TRUSTPOINT-NAME> - This is the RADIUS server TP name.

For more information, see trustpoint (device-config-mode).

ca <TRUSTPOINT-NAME> This configuration is applicable to both the EAP-TLS and PEAP-MSCHAPv2 authentication types. Configure this option only if you want to enable RADIUS server certificate validation at the client end. This configuration is not mandatory for enabling TP-based authentication of CB AP.
  • <TRUSTPOINT-NAME> – Specify the TP name (it is the TP installed on the RADIUS server host).
bridge eap trustpoint on-cert-expiry [continue|discontinue]
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
eap trustpoint on-cert-expiry [continue|discontinue] If EAP authentication type is set to EAP-TLS, a CA-signed certificate is used to authenticate the CB AP and RADIUS server host to establish the wireless CB. Use this command to specify whether the wireless CB is to be continued or terminated on expiration of this certificate.
  • continue – Enables continuation of the CB even after the certificate (CA/client) has expired. When configured, this option enables automatic CA certificate deployment as and when new CA certificates are available.
  • discontinue – Terminates the CB once the certificate (CA/client) has expired.
    Note: Configure this parameter only if the CB AP and the RADIUS server host are using a crypto CMP policy for automatic certificate renewal. For more information, see Crypto-CMP Policy.
bridge [channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|
encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|
interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|
on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]
bridge Configures client-bridge related parameters on the selected radio
Note: Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
channel-dwell-time <50-2000> Configures the channel-dwell time in milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the channel-list) when scanning for an infrastructure WLAN.
  • <50-2000> – Specify a value from 50 - 2000 milliseconds. The default is 150 milliseconds.
channel-list [2.4GHz|5GHz] <LIST> Configures the list of channels the radio scans when scanning for an infrastructure WLAN access point to associate with
  • 2.4GHz <LIST> – Configures a list of channels for scanning across all the channels in the 2.4GHz radio band
  • 5GHz <LIST> – Configures a list of channels for scanning across all the channels in the 5.0 GHz radio band

The following parameter is common to both the 2.4 GHz and 5.0 GHz bands:

  • <LIST> – Provide the list of channels separated by commas.
connect-through-bridges Enables the client-bridge access point radio to connect to an infrastructure WLAN, which already has other client-bridge radios associated with it. The client-bridge access points, in this scenario, are said to be daisy chained together.
encryption-type [ccmp|none|tkip] Configures the encryption mode. The encryption mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
  • ccmp – Uses WPA/WPA2 CCMP encryption
  • none – Uses no encryption method. This is the default setting.
  • tkip – Uses WPA/WPA2 TKIP encryption

If using CCMP or TKIP, use the 'wpa-wpa2' keyword to configure the pre-shared key (PSK).

inactivity-timeout <0-864000> Configures the inactivity timeout for each bridge MAC address. This is the time for which the client-bridge access point waits before deleting a MAC address from which a frame has not been received for more than the time specified here. For example, if the inactivity time is set at 120 seconds, and if no frames are received from a MAC address for 120 seconds, it is deleted. The default value is 600 seconds.
  • <0-864000> – Specify a value from 0 - 864000 seconds. The default is 600 seconds.
keepalive [frame-type [null-data|wnmp]| interval <0-36000>] Configures the keep-alive frame type and interval
  • frame-type – Configures the keepalive frame type exchanged between the client-bridge access point and the infrastructure access point/controller. The options are:
    • null-data – Transmits 802.11 NULL data frames. This is the default setting.
    • wnmp – Transmits Wireless Network Management Protocol (WNMP) multicast packet
  • interval <0-36000> – Configures the interval, in seconds, between successive keep-alive frame transmission.
    • <0-36000> – Specify a value from 0 - 36000 seconds. The default is 300 seconds.
max-clients <1-64> Configures the maximum number of clients that the client-bridge AP can support
  • <1-64> – Specify a value from 1 - 64. The default is 64.
on-link-loss shutdown-other-radio <1-1800> Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points is lost.
  • shutdown-other-radio – Enables shutting down of the non-client bridge radio (this is the radio to which wireless-clients associate) when the link between the client-bridge and infrastructure access points is lost. When enabled, clients associated with the non-client bridge radio are pushed to search for and associate with other access points having backhaul connectivity. This option is disabled by default.
    • <1-1800> – If enabling this option, use this parameter to configure the time, in seconds, for which the non-client bridge radio is shut down. Specify a value from 1 - 1800 seconds.
on-link-up refresh-vlan-interface Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points comes up.
  • refresh-vlan-interface – Enables the SVI to refresh on re-establishing the client bridge link to the infrastructure access point. If using a DHCP-assigned IP address, this also causes a DHCP renew. This option is enabled by default.
roam-criteria [missed-beacons <1-60>| rssi-threshold <-128--40>] Configures the following roaming criteria parameters
  • missed-beacons <1-60> – Configures the missed beacon interval from 1 - 60 seconds. This is the time the CB AP waits, after missing a beacon from the associated infrastructure AP, before roaming to another infrastructure AP. For example, if the missed-beacon time is set to 30 seconds, and more than 30 seconds have passed since the last received beacon, the CB AP resumes scanning for another infrastructure AP. The default value is 20 seconds.
    • <1-60> – Specify a value from 1 - 60 seconds. The default is 20 seconds.
  • rssi-threshold <-128--40> – Configures the minimum signal strength, received from target AP, for the bridge connection to be maintained before roaming
    • <-128--40> – Specify a value from -128 - -40 dBm. If the RSSI value of infrastructure access point radio signals falls below the specified value, the CB AP resumes scanning for another infrastructure access point. The default is -75 dBm.
ssid <SSID> Configures the infrastructure WLAN SSID the client bridge connects to
  • <SSID> – Specify the SSID.
wpa-wpa2 psk <LINE> Configures the encryption PSK to use with the infrastructure WLAN
  • <LINE> – Enter the key
    Note: Pre-shared keys are valid only when the authentication-type is set to none and the encryption-type is set to tkip or ccmp.

    The PSK should be 8 - 32 characters in length.

Usage Guidelines EAP Authentication

Use the following commands to view client-bridge configuration:

Use the following command on the CB AP and the RADIUS server host to view installed TP details:

  1. show > crypto > pki > trustpoints

Example

Example - CB with authentication 'none' and encryption 'ccmp'

The following example shows the basic parameters that need to be configured on the Infrastructure and the CB APs in order to enable the CB AP to associate with the Infrastructure WLAN. Note that in this example the authentication mode is set to 'none' and the encryption-type is set to 'ccmp'. The authentication and encryption modes used will vary as per requirement.

  1. Configure the Infrastructure WLAN:
    InfrastrNOC(config)#show running-config wlan cb-psk
       wlan cb-psk
     ssid cb-psk
     bridging-mode local
     encryption-type ccmp
     authentication-type none
     wpa-wpa2 psk 0 extreme@123
    
    InfrastrNOC(config)#
  2. Associate the 'cb-psk' WLAN to the Infrastructure AP.
    InfrastrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#wlan cb-psk
  3. Confirm the Infrastructure AP's radio interface status.
    InfrastrAP(config)#show wireless radio
    ----------------------------------------------------------------------------------------------
    RADIO                RADIO-MAC             RF-MODE        STATE       CHANNEL    POWER #CLIENT
    ----------------------------------------------------------------------------------------------
    InfrastrAP:R1  B4-C7-99-5E-51-40   2.4GHz-wlan       Off   N/A (  smt)  0 (smt)      0
    InfrastrAP:R2  B4-C7-99-5E-1A-40   5GHz-Wlan         On   165 (  165) 17 (smt)       2
    ----------------------------------------------------------------------------------------------
    Total number of radios displayed: 2
    InfrastrAP(config)#
  4. Configure the following radio parameters on the CB AP:
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#rf-mode bridge
    
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge ssid cb-psk
    
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge encryption-type ccmp
    
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge authentication-type none
    
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#bridge wpa-wpa2 psk extreme@123
    
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#show context
     interface radio2
      rf-mode bridge
      bridge ssid cb-psk
      bridge encryption-type ccmp
      bridge wpa-wpa2 psk 0 extreme@123
    ClientBridgeAP(config-device-84-24-8D-85-B2-74-if-radio2)#
    
    Note that the bridge SSID, encryption-type, and authentication mode are the same as those of the Infrastructure WLAN.
  5. Confirm the CB AP's radio interface status.
    ClientBridgeAP#show wireless radio
    ----------------------------------------------------------------------------------------------
    RADIO                RADIO-MAC             RF-MODE        STATE       CHANNEL    POWER #CLIENT
    ----------------------------------------------------------------------------------------------
    ClientBridgeAP:R1     84-24-8D-AC-2D-B0 2.4GHz-wlan          Off   N/A (  smt)  0 (smt)       0
    ClientBridgeAP:R2     84-24-8D-AC-CC-10      bridge           On   165 (  smt) 20 (smt)       0
    ----------------------------------------------------------------------------------------------
    Total number of radios displayed: 2
    ===================================================
    ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
  6. View the candidate-ap (connected Infrastructure AP's) details on the CB AP.
    ClientBridgeAP(config-device-84-24-8D-85-B2-74)#show wireless bridge candidate-ap
    84-24-8D-AC-CC-10 Client Bridge Candidate APs:
      AP-MAC             BAND    CHANNEL SIGNAL(dbm) STATUS
      B4-C7-99-5E-1A-40  5 GHz   165     -21         selected
    Total number of candidates displayed: 1
    Total number of client bridges displayed: 1
    =======================================================
    ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
  7. View the bridge host details on the CB AP.
    ClientBridgeAP(config-device-84-24-8D-85-B2-74)#show wireless bridge hosts
    -----------------------------------------------------------------------------
    HOST MAC             BRIDGE MAC         IP             BRIDGING STATUS ACTIVITY
                                                                       (sec ago)
    -----------------------------------------------------------------------------
    84-24-8D-85-B2-74    84-24-8D-AC-CC-10 10.1.0.249      UP           00:00:07
    -----------------------------------------------------------------------------
    Total number of hosts displayed: 1
    ClientBridgeAP(config-device-84-24-8D-85-B2-74)#
Example - CB with encryption 'CCMP' and authentication 'EAP-TLS' using Trustpoint Client.
  1. On the Infrastructure AP,
    1. Configure WLAN as shown below.
      InfrastrAP7532(config)#show running-config wlan cb-tp
      wlan cb-tp
       ssid cb-tp
       bridging-mode local
       encryption-type ccmp
       authentication-type eap
      InfrastrAP7532(config)#
    2. Associate WLAN to the infrastructure AP radio.
      InfraStrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#show context
       interface radio2
        wlan cb-tp bss 1 primary
      InfraStrAP(config-device-B4-C7-99-5F-50-78-if-radio2)#
    3. Confirm the infrastructure AP's radio interface status.
      InfraStrAP(config)#show wireless radio
      ----------------------------------------------------------------------------------------------
      RADIO                RADIO-MAC             RF-MODE        STATE       CHANNEL    POWER #CLIENT
      ----------------------------------------------------------------------------------------------
      InfraStrAP:R1  B4-C7-99-5E-51-40   2.4GHz-wlan       Off   N/A (  smt)  0 (smt)      0
      InfraStrAP:R2  B4-C7-99-5E-1A-40   5GHz-Wlan         On   165 (  165) 17 (smt)       2
      ----------------------------------------------------------------------------------------------
      Total number of radios displayed: 2
      InfraStrAP(config)#
  2. On the RADIUS server host,
    1. Configure the RADIUS user policy as shown below:
      RADServer(config-radius-user-pool-cb-tp)#show context
      radius-user-pool-policy cb-tp
       user admin password 0 extreme@123
      RADServer(config-radius-user-pool-cb-tp)#
      Note

      In case of EAP-TLS authentication, the username configured here should be the “common name” on the client certificate.
    2. Use this RADIUS user policy in the RADIUS server policy.
      RADServer(config-radius-server-policy-cb-tp)#show context
      radius-server-policy cb-tp
       use radius-user-pool-policy cb-tp
      RADServer(config-radius-server-policy-cb-tp)#
    3. On the self of the RADIUS server host,
      • Apply the RADIUS server policy.
        RADServer(config-device-74-67-F7-07-02-35)#use radius-server-policy cb-tp
      • Configure the trustpoint to be used to authenticate the RADIUS server host and RADIUS server CA.
        RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-server serverTP
        RADServer(config-device-74-67-F7-07-02-35)#trustpoint radius-ca serverTP
        Note

        Ensure that the trustpoint exists and is installed on the RADIUS server. Also ensure that the RADIUS server host and CB AP are using the same CA for certification.
  3. On the CB AP,
    1. Configure the mandatory parameters as shown below:
      clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#show context
       interface radio2
        rf-mode bridge
        channel smart
        power smart
        data-rates default
        no preamble-short
        bridge ssid cb-tp
        bridge encryption-type ccmp
        bridge authentication-type eap
        bridge eap username admin
        bridge eap trustpoint client clientTP
        bridge eap type tls
      clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#
      Note

      In case of EAP-TLS authentication, the username configured here should be the “common name” on the client certificate.
      Note

      Ensure that the CB AP and RADIUS server host are using the same CA for certification.
    2. If you want to enable RADIUS server certificate validation at the client end, execute the following command:
      clientbriAP(config-device-84-24-8D-DF-9A-4C-if-radio2)#trustpoint radius-ca clientTP
      Note

      This is an optional parameter that provides additional security and is applicable for EAP-TLS and PEAP-MSCHAPv2 authentication modes.
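
The two `show context` outputs above can be checked against the defaults and constraints listed under Parameters. The Python below is an added example, not part of the vendor documentation: it parses the `bridge` lines of a radio context and reports weak or inconsistent client-bridge settings. The finding names are hypothetical labels, the CA check looks for the `bridge eap trustpoint ca` form from the Syntax section, and reading `psk 0` as a clear-text key (and `psk 2` as an encrypted one) is an assumption.

```python
# Added example (not vendor code): audit the bridge lines of a radio "show context".
# Assumption: in "wpa-wpa2 psk 0|2 <key>", 0 marks a clear-text key, 2 an encrypted one.

PAGE_PSK = """\
 interface radio2
  rf-mode bridge
  bridge ssid cb-psk
  bridge encryption-type ccmp
  bridge wpa-wpa2 psk 0 extreme@123
"""

PAGE_EAP_TLS = """\
 interface radio2
  rf-mode bridge
  bridge ssid cb-tp
  bridge encryption-type ccmp
  bridge authentication-type eap
  bridge eap username admin
  bridge eap trustpoint client clientTP
  bridge eap type tls
"""

def parse_bridge(context):
    """Return bridge settings, starting from the defaults the page documents."""
    cfg = {"rf-mode": None, "authentication-type": "none",
           "encryption-type": "none", "eap type": "peap-mschapv2"}
    for line in context.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "rf-mode":
            cfg["rf-mode"] = words[1]
        if len(words) < 3 or words[0] != "bridge":
            continue
        key, args = words[1], words[2:]
        if key == "eap" and args[0] == "trustpoint" and len(args) >= 3:
            cfg["eap trustpoint " + args[1]] = args[2]  # ca, client, on-cert-expiry
        elif key == "eap" and len(args) >= 2:
            cfg["eap " + args[0]] = args[1]  # type, username, password
        elif key == "wpa-wpa2" and args[0] == "psk":
            fmt = args[1] if len(args) >= 3 and args[1] in ("0", "2") else None
            cfg["psk-format"], cfg["psk"] = fmt or "0", " ".join(args[2 if fmt else 1:])
        else:
            cfg[key] = " ".join(args)
    return cfg

def audit(context):
    """Return finding names (hypothetical labels) for one radio context."""
    cfg = parse_bridge(context)
    if cfg["rf-mode"] != "bridge":
        return ["not-a-client-bridge-radio"]
    findings = []
    enc, auth = cfg["encryption-type"], cfg["authentication-type"]
    if enc in ("none", "tkip"):
        findings.append("encryption-" + enc)
    if auth == "none" and enc != "none":  # the only case where the PSK is valid
        if "psk" not in cfg:
            findings.append("psk-missing")
        elif cfg["psk-format"] == "0":
            findings.append("psk-clear-text-in-config")
            if not 8 <= len(cfg["psk"]) <= 32:
                findings.append("psk-length-outside-8-32")
    if auth == "eap":
        if "eap trustpoint ca" not in cfg:
            findings.append("radius-server-cert-not-validated")
        if cfg["eap type"] == "tls" and "eap trustpoint client" not in cfg:
            findings.append("eap-tls-client-trustpoint-missing")
        if cfg.get("eap trustpoint on-cert-expiry") == "continue":
            findings.append("bridge-continues-on-expired-cert")
    return findings
```

`audit(PAGE_PSK)` returns `['psk-clear-text-in-config']` and `audit(PAGE_EAP_TLS)` returns `['radius-server-cert-not-validated']`; a context with only `rf-mode bridge` and an SSID returns `['encryption-none']` because both defaults are `none`.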

Related Commands

no (radio-interface-config-command) Removes or resets these client-bridge settings