Work Group Bridge Configuration on WAP551 and WAP561 Access Points

Available Languages

Download Options

PDF (813.1 KB)
View with Adobe Reader on a variety of devices
ePub (839.9 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (388.1 KB)
View on Kindle device or Kindle app on multiple devices

Updated:December 12, 2018

Document ID:SMB4410

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Work Group Bridge Configuration on WAP551 and WAP561 Access Points

Objective

This article explains how to configure the work group bridge on WAP551 and WAP561 access points.

The work group bridge feature enables the Wireless Access Point (WAP) to bridge traffic between a remote client and the wireless LAN that is connected with the work group bridge mode. The WAP device associated with the remote interface is known as an access point interface, and the one associated with the wireless LAN is called an infrastructure interface. This feature is recommended to be used when the WDS feature is not possible to use since the WDS feature is a preferred bridge solution for the WAP551 and WAP 561. When the workgroup bridge feature is enabled, the WDS bridge feature does not work. To see how WDS Bridge is configured look up the article Wireless Distribution System (WDS) Bridge Configuration on WAP551 and WAP561 Access Points .

Applicable Devices

• WAP551
• WAP561

Software Version

• v1.0.4.2

Configure Work Group Bridge

Note: To be able to enable work group bridge clustering must be enabled in the WAP. If it is disabled then you need to Disable Single Point Setup which in turn enables clustering. All WAP devices that take part in the Workgroup bridge must have common settings for radio, IEEE 802.11 mode, Channel Bandwidth, and Channel (audio not recommended). To ensure these settings in all devices are same look up the radio settings. To configure these settings refer to the article Radio Settings on WAP551/WAP561.

Step 1. Log in to the web configuration utility and choose Wireless > Work Group Bridge. The Work Group Bridge page opens:

Step 2. In the Work Group Bridge Mode field, check Enable to enable the work group bridge feature.

Step 3. This step is needed only for WAP561. Click either the Radio1 or Radio 2 radio button to choose one of the radio interfaces. Ignore this step for WAP551 which has only one radio interface. To find out which radio is set up and with what parameters look up radio settings. To configure these settings refer to the article Radio Settings on WAP551/WAP561.

Step 4. In the SSID field, enter the Service Set Identifier (SSID) name for the infrastructure client interface or the upstream access point (AP).

Tip: You can also click the Arrow icon beside the SSID field to scan for similar neighbor SSIDs. This is enabled only if AP Detection is enabled in Rogue AP Detection (it is disabled by default). Refer to the article Rogue Access Point (AP) Detection on WAP561 and WAP551 to enable Rogue AP detection.

Step 5. Choose the type of security to authenticate as a client station on the upstream WAP device (Infrastructure Client Interface) from the drop-down list in the Security field in the Infrastructure Client Interface section. The possible choices are given below.

• None — Open or no security. This is the default value. If you choose this skip to the Configure VLAN ID and Access Point Interface section.

• Static WEP — Static WEP is the minimal security and can support up to 4 keys of length 64 to128 bits. The same key must be used in all nodes.

• WPA Personal — WPA Personal is more advanced compared to WEP and can support keys of length 8 to 63 characters. The encryption method is RC4 for WPA and Advanced Encryption Standard (AES) for WPA2. WPA2 is recommended as it has a more powerful encryption standard.

• WPA Enterprise — WPA Enterprise is the most advanced and recommended security. It uses Protected Extensible Authentication Protocol (PEAP) in which each and every wireless user under WAP is authorized with individual usernames and passwords that can even support AES encryption standards. It also uses Transport Layer Security (TLS) in addition to PEAP, in which each and every user also needs to provide an additional certificate to gain access. The encryption method is RC4 for WPA and Advanced Encryption Standard (AES) for WPA2.

Note: Based on what IEEE 802.11 mode is chosen, the availability of the above options may vary.

Step 6. Based on which option you chose in Step 5 click one of the option links and follow the appropriate procedure . You do not need to configure any of these procedures if you chose None.

Step 7. In the VLAN ID field, enter the VLAN ID for the infrastructure client interface.

Step 8. In the Status field, check Enable to enable bridging on the access point interface.

Step 9. In the SSID field, enter the Service Set Identifier (SSID) name for the access point interface.

Step 10. (Optional) If you want the downstream SSID (Access Point Interface SSID) to be broadcasted, check Enable in the SSID Broadcast field. It is enabled by default.

Step 11. Choose the type of security to authenticate downstream client stations to the WAP device (Access Point Interface) from the Security drop-down list. The possible values are:

• None — Open or no security. This is the default value. Skip Step 12 through Step 15 if you choose this. Jump to Step 16.

• Static WEP — Static WEP is the minimal security and can support up to 4 keys of length 64 to128 bits. Follow the Configure Static WEP section. Skip to Step 16.

• WPA Personal — WPA Personal is more advanced compared to WEP and can support keys of length 8 to 63 characters. The encryption method is either Temporal Key Integrity Protocol (TKIP) or Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP). WPA2 with CCMP is recommended as it has a more powerful encryption standard, Advanced Encryption Standard (AES) compared to the TKIP that uses only a 64-bit RC4 standard.

Timesaver: Carry out Step 12 through Step 15 only if you have chosen WPA Personal in Step 11.

Step 12.Check appropriate box(es) to choose WPA Version. You may select both WPA and WAP2 in different WAP clients have different WPA version.

Step 13. Check on appropriate box(es) to choose cipher suites. You select both TKIP and CCMP(AES).

Step 14. Enter the shared WPA key in the Key field. The key may include alphanumeric characters, upper and lower case characters and special characters.

Step 15. Enter the desired key refresh interval in Broadcast Key Refresh Rate field. This is the interval in which the group key should be refreshed for all the WAP clients.

Step 16. Choose the type of MAC filtering you wish to configure for access point interface from the MAC Filtering drop-down list. When enabled, users are granted or denied access to the WAP based on the MAC address of the client they use. The possible values are:

• Disabled — All clients can access the upstream network. This is the default value.

• Local — The set of clients that can access the upstream network is restricted to the clients specified in a locally defined MAC address list.

• Radius — The set of clients that can access the upstream network is restricted to the clients specified in a MAC address list on a RADIUS server.

Step 17. In the VLAN ID field, enter the VLAN ID for the access point client interface.

Note: To allow the bridging of packets, the VLAN configuration for the access point interface and wired interface should match that of the infrastructure client interface.

Step 18. Click Save to save the settings.

Configure Static WEP

Carry out the following steps if you chose to configure Static WEP as your authentication security type.

Step 1. When you choose Static WEP some additional fields appear. From the drop-down list in the Transfer Key Index field, choose a key index. Available values are 1,2,3, and 4. The default value is 1. The key index is different for different WLAN. The devices connected to a pirticular WLAN must have the same key index. This key is used to encrypt data for communication.

Step 2. In the Key Length field, choose either the 64 bits radio or button or 128 bits radio button. This specifies the length of the key used.

Step 3. Click on either the ASCII radio button or the HEX radio button to choose the key type in the Key Type field. WEP keys are usually in hex.

Step 4. Enter up to four WEP keys in the next four fields marked as 1,2,3, and 4 under the WEP Key field. This is a string entered as the key. The length of the key varies on the length and type of the key. The required length is indicated beside the WEP Key field. The WEP Key strings must match in all the WAP nodes (AP and Clients) and must be places in the same field. This means if string 1 is key 1 in one device, string 1 must also be key 1 in the other devices in the work group bridge.

Click here to continue with the configuration.

Configure WPA Personal

Carry out the following steps if you chose to configure WPA Personal as your authentication security type.

Step 1. Check either WPA or WPA2 to choose the version of WPA. Usually WPA is chosen only if none of the WAPs involved support WPA2. Otherwise WPA 2 is recommended.

Step 2. Enter the shared WPA key in the Key field. The key may include alphanumeric characters, upper and lower case characters, and special characters.

Click here to continue with the configuration.

Configure WPA Enterprise

Carry out the following steps if you chose to configure WPA Enterprise as your authentication security type.

Step 1. If you chose WPA Enterprise, check either WPA or WPA2 to choose the version of WPA. Usually WPA is chosen only if none of the WAPs in the bridge system support WPA2. WPA 2 is the more advanced and recommended one.

Step 2. Click the appropriate radio button to choose between the two EAP Methods.

• PEAP — Protected EAP. It relies on TLS but avoids the installation of digital certificates on every client. Instead it provides authentication through a username and password. Carry out Step 3 through Step 5.

• TLS — Authentication through exchange of digital certificates. Requires you to carry out Step 3 through Step 7.

Step 3. Regardless of which method you have chosen in Step 1, enter a username in the Username field.

Step 4. Regardless of which method you have chosen in Step 1, enter a password in the Password field.

Step 5. If you have chosen PEAP click here to continue with the configuration. If you have chosen TLS go to the Step 6.

Step 6. If you chose TLS, click on either the HTTP or the TFTP radio button to choose between the two transfer mode to download a Certificate File for TLS authentication.

• HTTP — Download through a web server or from PC.

– Choose File — Click to select a certificate file. It has to be a certificate type file with extension .pem, .pfx etc. Otherwise file upload will be unsuccessful.

• TFTP — Download from a file server. Need to carry out Steps.

– Filename — Enter the name of the certificate file in the Filename field.

– TFTP Server IPv4 Address — Enter the IP address of the TFTP server.

Note: The Certificate File Transfer field shows whether there is a certificate present in the WAP, and the Certificate Expiration Date field shows the expiration date of the present certificate.

Step 7. Click Upload.

Click here to continue with the configuration.

Revision History

Revision	Publish Date	Comments
1.0	12-Dec-2018	Initial Release

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)