Setting up a Cisco Aironet bridge

Setting up a Cisco Aironet bridge should be simple, but the web interface is slow and can issue commands that cannot be processed (like changing the priority for processing EAP requests). I gave up on the Cisco-supplied tutorial (can be found here) and set it up through the CLI myself. A good FAQ concerning the Aironet hardware and setup can be found here.

I configured two Aironet 1310 outdoor antennas to act as a wireless bridge between two LANs. In Europe the allowed transmit power is far stricter than in the USA, so any antenna other than the integrated one (like the parabolic dish) will output too much power. I therefore used the AIR-BR1310G-E-K9 model with the integrated antenna in an autonomous setup (required for bridge functions) to replace the current EnGenius EOC-5610 (discontinued, succeeded by the 5611) antenna, which I found to be unreliable. The mounting kit (AIR-ACCRMK1300=) is advised if you plan on using it outdoors: the mounting materials are made of aluminium and it comes with clear instructions and enough cabling to get you started.

Some stuff you want to know: while most cheap wireless antennas use a proprietary PoE standard over Ethernet, the Aironet uses a proprietary PoE injector over coax. The advantage is that you can mount the power injector inside while placing only the antenna itself outside. The power injector is included with the antenna.

Onwards with the configuration. I used the example from Cisco (mentioned before) to set up simple WEP encryption with Cisco's LEAP authentication. I configured one AP as the root bridge and used its built-in RADIUS server for LEAP authentication (why oh why isn't this part of the default IOS?). The non-root bridge connects to the root AP and authenticates itself with LEAP, after which the link comes up. I didn't use VLANs to keep things simple (there's only one subnet to bridge anyway).

The root bridge configuration:

hostname ap_root
!
enable secret 5 <secret>
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid cisco
   authentication network-eap eap_methods
   infrastructure-ssid
!
!
!
username cisco privilege 15 password 7 <password>
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 <wepkey> transmit-key
 encryption mode wep mandatory
 !
 ssid cisco
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 10.0.x.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.x.x
ip http server
ip http authentication local
no ip http secure-server
ip radius source-interface BVI1
!
radius-server local
  no authentication eapfast
  no authentication mac
  nas 10.0.0.1 key 7 <radiussecret>
  user nonroot nthash 7
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key 7 <radiussecret>
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

I added the "ip http authentication local" line because the web interface stops working without it.

Now for the non-root bridge:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap_nonroot
!
enable secret 5 <secret>
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid cisco
   authentication network-eap rad_eap
   authentication client username cisco password 7 <password>
   infrastructure-ssid
!
!
!
username ciscoadmin privilege 15 password 7 <password>
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 128bit 7 <wepkey> transmit-key
 encryption mode wep mandatory
 !
 ssid cisco
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role non-root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 80 in
!
interface BVI1
 ip address 10.0.x.x 255.255.255.0
 no ip route-cache
!
ip http server
ip http authentication local
no ip http secure-server
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

I only made the 1 Mbit/s rate mandatory (the "basic-1.0" in the speed line); the AP will automatically negotiate a higher rate. Once you've got it all right you'll be able to ping the other AP:

64 bytes from 10.0.x.x: icmp_seq=570 ttl=255 time=2.421 ms
64 bytes from 10.0.x.x: icmp_seq=571 ttl=255 time=2.339 ms
64 bytes from 10.0.x.x: icmp_seq=572 ttl=255 time=2.307 ms
64 bytes from 10.0.x.x: icmp_seq=573 ttl=255 time=2.271 ms
64 bytes from 10.0.x.x: icmp_seq=574 ttl=255 time=2.977 ms
64 bytes from 10.0.x.x: icmp_seq=575 ttl=255 time=2.347 ms

These numbers were measured indoors; I have yet to mount the units.
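The two configs above share several settings a defender would want to flag before this link carries LAN traffic: WEP encryption on the radio, the Network-EAP (LEAP) authentication type, a reversible type-7 password on the local admin user, management over plaintext HTTP, and vty lines that still accept Telnet. The script below is an added example and not part of the original post or of Cisco's tooling: it groups an IOS running config into top-level commands and their indented sub-commands and checks those five points. SAMPLE_CONFIG is a constructed excerpt of the root-bridge config above with the redacted secrets replaced by placeholders; HARDENED_CONFIG is a constructed counterpart whose WPA2 and SSH commands (authentication key-management wpa version 2, encryption mode ciphers aes-ccm, transport input ssh) are assumed to be valid on this IOS release and were not verified on a 1310.

```python
"""Audit a Cisco IOS access-point/bridge config for weak security settings.

Added example for this post, not the author's or Cisco's code. Both configs
below are constructed excerpts; secrets are placeholders.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed excerpt of the post's root-bridge config (weak input).
SAMPLE_CONFIG = """\
hostname ap_root
enable secret 5 <secret>
aaa new-model
dot11 ssid cisco
   authentication network-eap eap_methods
   infrastructure-ssid
username cisco privilege 15 password 7 <password>
interface Dot11Radio0
 encryption key 1 size 128bit 7 <wepkey> transmit-key
 encryption mode wep mandatory
 ssid cisco
 station-role root bridge
ip http server
ip http authentication local
no ip http secure-server
line vty 0 4
"""

# Constructed hardened counterpart; WPA2/SSH command syntax is an assumption.
HARDENED_CONFIG = """\
hostname ap_root
enable secret 5 <secret>
aaa new-model
dot11 ssid cisco
   authentication open eap eap_methods
   authentication key-management wpa version 2
   infrastructure-ssid
username cisco privilege 15 secret 5 <hash>
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid cisco
 station-role root bridge
no ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 transport input ssh
"""


@dataclass
class Section:
    header: str                      # top-level command, e.g. "interface Dot11Radio0"
    children: list = field(default_factory=list)  # its indented sub-commands


@dataclass
class Finding:
    severity: str
    rule: str
    where: str
    advice: str


def parse_sections(config: str) -> list:
    """Group an IOS config: unindented lines open a section, indented lines belong to it."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS "!" separators carry no config
        if raw[0].isspace():
            if sections:
                sections[-1].children.append(raw.strip())
        else:
            sections.append(Section(raw.strip()))
    return sections


def audit(config: str) -> list:
    """Return the weak-setting findings for one running config."""
    findings = []
    http_plain = http_secure = False
    for s in parse_sections(config):
        head = s.header
        if head.startswith("interface Dot11Radio"):
            for c in s.children:
                if c.startswith("encryption mode wep"):
                    findings.append(Finding("high", "wep-encryption", f"{head} / {c}",
                        "WEP is broken; use WPA2 (encryption mode ciphers aes-ccm)."))
        elif head.startswith("dot11 ssid"):
            for c in s.children:
                if c.startswith("authentication network-eap"):
                    findings.append(Finding("medium", "leap-auth", f"{head} / {c}",
                        "Network-EAP is the LEAP type; LEAP exchanges are exposed to "
                        "dictionary attack. Prefer EAP-FAST or PEAP under WPA2."))
        elif re.match(r"username \S+ .*\bpassword [07]\b", head):
            findings.append(Finding("medium", "weak-user-password", head,
                "Type 0/7 passwords are recoverable; use 'username ... secret'."))
        elif head.startswith("enable password"):
            findings.append(Finding("medium", "enable-password", head,
                "Replace with 'enable secret' (hashed, not type 7)."))
        elif head == "ip http server":
            http_plain = True
        elif head == "ip http secure-server":
            http_secure = True
        elif head.startswith("line vty"):
            if not any(c.startswith("transport input ssh") for c in s.children):
                findings.append(Finding("medium", "vty-telnet", head,
                    "No 'transport input ssh' on the vty lines, so Telnet is accepted."))
    if http_plain and not http_secure:
        findings.append(Finding("medium", "http-plaintext", "ip http server",
            "Management over plaintext HTTP; enable 'ip http secure-server' instead."))
    return findings


def report(config: str) -> str:
    """Human-readable report, one finding per line pair."""
    lines = [f"[{f.severity}] {f.rule}: {f.where}\n    -> {f.advice}" for f in audit(config)]
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    # Usage: python audit_ap.py [running-config.txt]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(report(text))
```

Run it against a saved "show running-config" from either bridge; the parser only relies on IOS indenting sub-commands, which both configs above do once their whitespace is intact. The rule set is deliberately small and stateless apart from the HTTP pair, so adding a check for another command (for example a RADIUS key or an SNMP community) is one more branch in audit().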


2 Responses to Setting up a Cisco Aironet bridge

  1. Mike says:

    #1… WEP key? Seriously? For a bridge that will be passing LAN traffic?

    #2 I don’t see how this is any different than the Cisco guides… but nice try.

    • Sander says:

      It’s WEP with LEAP. I’m planning to upgrade it to WPA2 with MAC authentication but I haven’t found the time yet.

      As for the comparison with Cisco's own guide, I ran into a number of difficulties using their suggested method of configuring it through the web interface, hence why I posted a full config.

      Update: I recently managed to set up this link with WPA2 encryption, but the Aironet does not support this in hardware and link performance dropped to 40 ms.
