Hi Kristian and Sebastiaan

@Kristian: I mainly used this document from Cisco, it is showing the WGB with EAP-TLS in a unified environment, but the root ap configuration is simple anyway:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00809637dd.shtml

Attached you find my example configurations for the root ap and the wgb. For the import of the certificates, these commands are essential:

1. Trustpoint configuration

    crypto pki trustpoint {Trustpoint Name}
     enrollment terminal pem
     fqdn none
     subject-name CN={Hostname}
     revocation-check none
     rsakeypair manual-key 2048
    !

2. Dot1x credentials and profile

    dot1x credentials eap-tls
     username {Hostname}
     pki-trustpoint {Trustpoint Name}
    !
    eap profile eap-tls
     method tls
    !

3. CA certificate import

    crypto pki authenticate {Trustpoint Name}

4. User certificate request generation

    ! enroll prints the PEM certificate request; authenticate (step 3) only imports the CA certificate
    crypto pki enroll {Trustpoint Name}

5. User certificate import

    crypto pki import {Trustpoint Name} certificate

If you have any questions, just ask ;-)

@Sebastiaan: This is the radio configuration, so it should be CCMP and not TKIP:

    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers aes-ccm
     !
     ssid wgb-eap-tls
     !
     station-role workgroup-bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    !

I am using this IOS version:

    Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(8)JEA3, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Wed 21-Nov-07 13:59 by ccai
    ROM: Bootstrap program is C1240 boot loader
    BOOTLDR: C1240 Boot Loader (C1240-BOOT-M) Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)

Regards
Dominic

> From: "Sebastiaan Noppe (Europe)" <[email protected]>
> Date: Mon, 10 Jan 2011 11:51:48 +0100
> To: <[email protected]>
> Subject: Re: [CCIE Wireless] WGB with EAP-TLS and CCKM (Stalder Dominic)
>
> Hey,
>
> I'm finding these outputs conflicting.
> To my knowledge, when you are performing AES-CCMP, there is no concept of
> TSC's. PN's are used.
> I suppose you are encrypting the radio's using TKIP ?
> Would it be possible to show the Dotradio config ?
> What SW are you running on the bridges ?
>
> Regards,
>
> Sebastiaan
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: 09 January 2011 23:57
> To: [email protected]
> Subject: [CCIE Wireless] WGB with EAP-TLS and CCKM (Stalder Dominic)
>
> Interesting stuff Dominic.
> I have always slightly worried that they want to do EAP-TLS client on a WGB.
> Do you have any documentation on how you get the certificate on the WGB?
>
> regards. Kristjan
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 5 Jan 2011 17:41:26 +0000
> From: Stalder Dominic <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [CCIE Wireless] WGB with EAP-TLS and CCKM
> Message-ID: <c94a6bd6.29f6%[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi there
>
> I was just playing around and tried to configure a WGB with EAP-TLS and CCKM.
> If I use the following configuration without CCKM, all works great:
>
>     dot11 ssid wgb-eap-tls
>      authentication open eap eap_methods
>      authentication network-eap eap_methods
>      authentication key-management wpa
>
> If I change it to CCKM, after the reauth timeout it re-connects the WGB and
> shows the message at the bottom:
>
>     wlccp ap username d password 7 050F020B25
>     wlccp authentication-server infrastructure eap_methods
>     wlccp authentication-server client any eap_methods
>      ssid wgb-eap-tls
>     wlccp wds priority 255 interface BVI1
>
>     dot11 ssid wgb-eap-tls
>      authentication open eap eap_methods
>      authentication network-eap eap_methods
>      authentication key-management cckm
>
>     Jan 5 17:33:10.971: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP root 003a.9927.57b0 [EAP-TLS CCKM]
>     Jan 5 17:33:11.008: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on a packet (TSC 0x2) received from 003a.9927.57b0.
>     Jan 5 17:33:11.108: %DOT11-4-CCMP_REPLAY: AES-CCMP TSC replay was detected on a packet (TSC 0x2) received from 003a.9927.57b0.
>
> @Cisco it says: AES-CCMP TSC replay was indicated on a frame. A replay of the
> AES-CCMP TSC in a received packet almost indicates an active attack.
>
> I do not attack my own network ;-) Does anybody know what the problem could be?
>
> Regards
> Dominic
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
Attachments:
root.cfg
wgb.cfg
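Added illustration (not code from this thread or from Cisco) of the replay check behind Dominic's %DOT11-4-CCMP_REPLAY messages and Sebastiaan's TSC/PN remark: it extracts the 48-bit packet number from the 8-byte CCMP header and applies the receiver's strictly-increasing rule, including the counter restart that installing a new PTK requires, so a PN of 0x2 arriving right after a CCKM re-association only counts as a replay when the counters were not restarted with the new key. The function names, the per-TID bookkeeping and the sample frames are constructed for this example; only the AP address comes from the log.

```python
from dataclasses import dataclass, field

ROOT_AP = "003a.9927.57b0"  # root AP from Dominic's log; all frames below are constructed


def parse_ccmp_header(hdr: bytes):
    """Return (key_id, pn) from an 8-byte CCMP header: PN0 PN1 rsvd KeyID PN2 PN3 PN4 PN5."""
    if len(hdr) != 8:
        raise ValueError("CCMP header must be 8 bytes")
    pn0, pn1, _rsvd, keyid_byte, pn2, pn3, pn4, pn5 = hdr
    if not keyid_byte & 0x20:  # Ext IV bit is always set for CCMP
        raise ValueError("Ext IV bit clear: not a CCMP header")
    pn = pn0 | pn1 << 8 | pn2 << 16 | pn3 << 24 | pn4 << 32 | pn5 << 40
    return keyid_byte >> 6, pn


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Inverse of parse_ccmp_header; used here only to construct sample frames."""
    return bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0, 0x20 | key_id << 6,
                  (pn >> 16) & 0xFF, (pn >> 24) & 0xFF, (pn >> 32) & 0xFF, (pn >> 40) & 0xFF])


@dataclass
class ReplayState:
    """Receiver replay counters, one per (transmitter, TID), valid for the current PTK."""
    last_pn: dict = field(default_factory=dict)
    replays: list = field(default_factory=list)

    def install_ptk(self):
        # 802.11 restarts the replay counters whenever a new PTK is installed.
        self.last_pn.clear()

    def accept(self, ta: str, tid: int, hdr: bytes) -> bool:
        """Accept the frame only if its PN is strictly greater than the last accepted one."""
        _, pn = parse_ccmp_header(hdr)
        if pn <= self.last_pn.get((ta, tid), -1):
            self.replays.append(f"{ta} PN {pn:#x}")  # what the %DOT11-4-CCMP_REPLAY log reports
            return False
        self.last_pn[(ta, tid)] = pn
        return True


def simulate_rekey(reset_counters: bool):
    """Five frames under the old key, a rekey, then PN 1 and 2 under the new key."""
    st = ReplayState()
    for pn in range(1, 6):
        st.accept(ROOT_AP, 0, build_ccmp_header(pn))
    if reset_counters:
        st.install_ptk()
    accepted = [st.accept(ROOT_AP, 0, build_ccmp_header(pn)) for pn in (1, 2)]
    return accepted, st.replays
```

`simulate_rekey(False)` reproduces the symptom in the log (PN 0x1 and 0x2 flagged straight after the key change), while `simulate_rekey(True)` accepts the same frames.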
