Cannot Associate 1532 Bridges in Non-Root role

Hello,
Can someone please tell me what I am missing and why I cannot bring up 2 bridges in "Root" and "Non-Root" roles?
I have similarly configured bridges in a Root / Non-Root role several times before with older AP's and never had any issues... although it was always just 1 SSID, 1 Vlan, and no subinterfaces...
The only way I was able to get these 2 bridges to associate was to put the Non-Root bridge into a Workgroup Bridge role and then *BANG* everything worked perfectly. I tried getting rid of the authentication and tried using the Parent command but neither helped. Prior to entering Station Role Workgroup Bridge, the only message I would receive was showing on the Non-Root side and all it said was:
*Mar 1 07:27:13.867 GMT: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
*Mar 1 07:27:28.891 GMT: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Rcvd response from 544a.0005.8030 channel 3 2815
What am I missing or what have I incorrectly configured on my Non-Root config?
Bridges are both 1532i with the Autonomous Image 15.2(4)JB5
Attached are the configs prior to changing the Non-Root AP to a station role of Workgroup Bridge.
Thanks!

Hi,
This should work with multiple sub-interfaces.
Few more suggestions
1. Remove this from your BRIDGE SSID & check
mobility network-id 1
This is only require when you configure L3 roaming & WDS in place.
http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/8103-ap-faq.html
2. Try to set WPA version 2 & only AES encryption.
Also try to Associate your Bridges using Open Auth first (as shown in my blog post initial section) & then try to add security.
HTH
Rasika
**** Pls rate all useful responses ****

Similar Messages

1300 Root-Bridge and Non-Root Bridge setup

I have two 1300s that I am trying to set up as Root Bridge and Non-Root Bridge, however, everytime i specify one of them as a Non-Root bridge, the radio0 interface becomes disabled. The only option that i am able to pick that enables the radio0 interface is "Access Point", which is what am trying to avoid it being.
Can anybody help me figure out how to go about this

A non-root's radio will show as disabled if it cannot find the root AP to associate to. Make sure you have "infrastructure-ssid" configured under the SSID on both the root and non-root bridges. Also depending on code versions you may have to configure the distance command under the radio interface on the root.

Root-Bridge and Non-Root Bridge Support

I was wondering if the ISR Routers (Cisco 1811w) support the root-bridge and non-root-bridge feature. If not is there another device apart from the 1310 and 1410 bridges that support this feature?
Thank You,
VT

Hi VT,
The ISR AP supports both of these roles;
Access Point Link Role Flexibility
Access Point Link Role Flexibility allows access point radios to operate in a combination of radio roles,
such as access point root, bridge root (with or without clients), bridge nonroot (with or without clients).
This provides a more flexible deployment scheme to support the various applications requirement. Note
that the ISR AP does not support access point repeater and WGB.
Wireless Non-Root Bridge
The wireless non-root bridge allows the access point radio to operate as the remote node in a point to
point or point to multi-point network.
Wireless Root Bridge
The wireless root bridge role provides support for both point-to-point or point to multi-point bridging.
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/release/notes/rn1800xj.html
Hope this helps!
Rob

Non-root bridges associating with each other.

We have a point to multi-point bridge setup with 3 BR1310s. One is set to be a root bridge and the other two are set to be non-root bridges. From past experience (not to mention Cisco documentation) I would expect the 2 non-roots to associate to the root. What is happening is that one of the non-roots associates with the root and the other non-root associates with the first non-root. The good bit is that everything still works, the puzzling bit is why this is happening, the bridges are physically in a V pattern so there's no reason for the second non-root to behave as it is, even if we force it off the first non-root it just jumps right back in there again. Bridges are all running 12.3.4-JA.

Configurations of both non-root bridges attached. I've just found out that the customer has mounted the second non-root bridge in such a way that there is probably no line of site to the root bridge (failing to follow clear instructions!) which explains why we can't get it to associate with the root bridge but doesn't explain how it can associate with the other non-root. The only thing I can think of is that both are "non-root with clients" and the second bridge is being accepted as a client rather than a bridge.

[Solved] Non-root user cannot access mounted ntfs filesystem

Hi -,
i have a dualboot system (arch/xfce + win7) and i use a ntfs partition /dev/sda2 to store files i use with both operating systems. I added the partition to fstab and it gets mounted, but i cannot access it with my non-root user. With root it works fine...
My fstab:
# cat /etc/fstab
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
LABEL=home /home ext4 defaults 0 1
LABEL=root / ext4 defaults 0 1
LABEL=swap swap swap defaults 0 0
/dev/sda2 /media/sda2 ntfs defaults 0 2
Is there any option that allows all users to use the mounted device? Or how is this usually done ...
Last edited by muzzel (2012-05-30 20:39:58)

See: NTFS-3G for important setup information.
My fstab line looks like:
/dev/sdb1 /media/Win_USB ntfs-3g uid=1000,gid=users,fmask=113,dmask=0022 0 0
This sets up some important parameters which the NTFS-3G Wiki Page covers. Basically, "ntfs" is only a basic driver and is built into the kernel. "ntfs-3g" is a much better, and less disk-eating, driver that you should install and use if you need the drive in Linux any more than occasionally. My fstab line makes my user (1000) the owner and the masks lets me write and etc to it. When you install NTFS-3G it is automatically used when you use the mount command to mount NTFS drives. In fstab, as above, you would specify it explicitly.
You can find your own user number by entering "id" at a terminal.

1310 Root Bridge will not Authenticate with 350 Non Root Bridge

I've exhausted myself solving this issue.
I have a 1310 set as a root bridge using WEPS. I have a 350 set as a non root bridge/without clients, also using WEPS (they both use the same SSID)
The 350 will not authenticate to the 1310. After doing a Carrier Busy Test, it is clear the 350 see's the 1310 with signal strengh of 100 percent.
(I have a test lab setup in my office)
If I make the 350 the Root Bridge and the 1310 the Non Root, The 1310 will authenticate to the 350.
I hoping someone else has seen this problem and can enlighten me.
Thank you.

I have successfully configured a 1310 Bridge as a Root Bridge and a BR350 Bridge and a Non Root Bridge/with Clients. I also had to force the 1310 to operate at 11MB only.
As soon as I make the BR350 Bridge a Non Root Bridge/without Clients, the authentication is dropped between the two.
I was hoping I could transition to the 1310 one unit at a time since I have over a dozen 350's to replace.

Cannot associate between non-root to root on 1300 Bridge

I installed 4 1300 Bridges, point to multipoint configuration. One bridges is acting as root whereas the other 3 are non-root. The SSID are locked down manually. None of these non-root can associate to the root, I noticed that the wireless interface is (hardware/software) are down eventhough I enabledit. When I changed the non-root to become root, the wireless interface went up. This doesn't make sense. Pls help. Thanks.

I'm sure you have checked the required parameters needed to connect your non-root bridges, i.e. distance is set for the root, pwr settings, no encryption set for now. I've seen this issue as well on the 1310 with no solution from Cisco. It works well in a PP link. Try to establish the PP link between one bridge first. Leave the SSID as tsunami and broadcast it. Make sure you can associate with one of the non-root when you set it up for client association. I'm sure the radio is fine, but this can verify that.

7920 associates to root bridge but not to non-root bridge

I have 7920s using open authentication with WEP128 cipher. I have two 1300 root AP's (with client support) and three non-root AP's (also client support) in the same lab area. The root AP's and non-Root AP's associate and link to each other no problem. However, the 7920's will only associate with the Root APs. If I power down the root APs, the 7920s show "no AP found". I've verified SSID and WEP128 keys. I've also noted that the root AP does have a channel specified under dot11radio0 but the non-roots do not. Do the 7920's just scan for any channel until it finds an association or do I need to specify a channel in the non-root bridges?
Thanks,
Mike.

With static WEP, the authentication is happening at the AP level. Will want to ensure non-root is associated to a root though otherwise the interface may be in "reset" state.
The 7920 will look at these 2 as individual APs regardless of channel. Non-roots should have the same channel as the root, otherwise will not be able to communicate.

Can a wireless router (station role non-root) associate to 2 APs ?

can a wireless router (as station role non-root) associate to 2 simultaneous APs ?
say something like this on an 18xx router:
dot11 ssid firstAP
dot11 ssid secondAP
interface Dot11Radio0/1/1
ssid firstAP
ssid secondAP
what I want is something like two virtual-radios/VLANs/whatever with two independent outside routes; say:
ip address dhcp for ssid firstAP
ip address dhcp for ssid secondAP
where firstAP is my AP and secondAP is a near free hot-spot AP (authentication open)

Nice idea but unfortunatelty it won't work. You can only associate one radio to a single infrastructure device at any one time.

1230AG non-root bridge not associating

Hello everyone,
I am new at setting up root and non-root bridges. I am trying to set-up three 1230ag devices.
One as the root and the othe two as non-root, I copied the config txt from the root and
copied that into the two I am going to use for the non-root. That way the ssid's are the
same. When I set the role to non-root the radio is not enabled and I get a message saying
Interface Dot11Radio0,cannot associate:No Response
Does any know what I am doing wrong, and how to fix it
Thanks

The radio interface will go down in response to being configured as a non-root bridge, so that much is working. But there must be a configuration error if it won't associate. Can you post the configs so we can review them?
Are the bridges mounted, or are they on your desk?

Wireless Bridge error with AIR-BR1310G-E-K9,cannot associate: No response

Hi Guys,
I have to do a wireless bridge with 2 AIR-BR1310G-E-K9. I configure 1 AP root bridge and 1 AP non-root bridge, with the same SSID.
But on the AP non-root bridge, the interface dot11 radio don't change it state to up and give this error: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response.
I don't why it doesn't work. Even if i try a configuration which it already work on a site, it doesn't work to.
So I ask to me if there is a problem with internal antenna?
If I configure the 2 AP to access point role with 2 different ssid, I can see the 2 ssid but with a weak signal.
This AP can work without external antennas?
Thanks for your help

Hi Jerome,
The 1310 definitely can work with the internal antenna but... is the AP mounted somewhere? Some mounting options imply an external antenna as they position the internal antenna toward the wall...

1602 AP - Workgroup Bridge Cannot Associate to Parent AP

Hi All,
For a few weeks now, I have been trying to connect a Cisco 1602 standalone AP to our unified wireless network as a workgroup bridge. Eventually this AP is to be moved to another wireless network where I will need it to run in universal workgroup bridge mode (for non Cisco wireless networks), so I just want to get this working in the office before I take it elsewhere and try to get that to work, as the configuration will be similar.
So far I've been unable to get this 1602 AP to associate to our network. The particular SSID I'm trying to set up is a BYO style SSID, normally if you connect a device you provide your Active Directory username / password and your laptop / phone / whatever connects. I know the username is fine because if I use it on another device it's not a problem.
The AP keeps repeating this message: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating. Cisco.com tells me that this is to do with MFP, however I've changed a number of MFP settings in the SSID and this seems to have made no difference.
I'm thinking this is a problem with authentication or association. I have a question, why do I need to input Radius server information into the config (eap_methods)? When you connect a regular device to this SSID it doesn't require any Radius server settings in order to connect, I don't understand why the AP needs these settings. Also, when authenticating to AD, do you need to include the domain name as part of the username?
Wireless isn't my strong point unfortunately. Is anyone able to help with this? Config and log is below. Many thanks.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname WGB-AP
logging buffered 10000
logging rate-limit console 9
enable secret 5 xxxx
aaa new-model
aaa user profile userprofilename
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid BYO
authentication open eap eap_methods
authentication shared eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
dot1x credentials MyCreds
dot1x eap profile EAPTLS
infrastructure-ssid
ids mfp client optional
eap profile EAPTLS
method mschapv2
method peap
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-88743315
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-88743315
revocation-check none
rsakeypair TP-self-signed-88743315
crypto pki trustpoint WGB-PEAP
enrollment terminal
subject-name CN=username
revocation-check none
rsakeypair manual-keys 1024
crypto pki certificate chain TP-self-signed-88743315
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38383734 33333135 301E170D 39333033 30313030 30383234
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D383837 34333331
3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100BB10
F5361E52 A573FE8A 247142AD CF53D762 38F7BB42 7E723B2B 5C78100E 7F312442
3BE63A8B 7E826758 3F2914D0 4BBC93A6 CCACA795 927514E7 74561589 444D03BA
C20B80D8 85E52A18 C3B287BF 4A1EEF83 B43DD673 12BF075F 7CA038C0 C31F1FB4
F75C3F86 C09DC703 FB05676B 16B86754 F0F11D4D 36B61F81 DF15C02A 9C410203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 14999B3B 7F4B10FA B95CC90B D7218636 39280AFE 4E301D06 03551D0E
04160414 999B3B7F 4B10FAB9 5CC90BD7 21863639 280AFE4E 300D0609 2A864886
F70D0101 05050003 81810076 27E215C4 C105C66D 15124645 D3F4A538 F977A95F
7AF0FF05 648D41A4 A796F9CB CC6327FF 726DA1D6 290CD438 C2111DF8 208B92B5
63B09FEC 1CA334F7 A4607E71 18EBCB44 0A175BEE 30689849 B4D9222E 7EB1C1DB
F36BDDD3 3F5514A6 8A006A8A A113A44D 7337B6D8 7860AA25 EBAD5588 8543DF88
9E6A3D62 6E875372 277B57
quit
crypto pki certificate chain WGB-PEAP
dot1x credentials MyCreds
username DOMAIN\AD-USER
password AD Password
username Cisco password 7 00271A150754
username DOMAIN\AD-USER
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid BYO
antenna gain 0
stbc
beamform ofdm
station-role workgroup-bridge
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption mode ciphers aes-ccm tkip
ssid BYO
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
no ip address
no ip route-cache
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host xxxx auth-port 1812 key 7 xxxx
radius-server vsa send accounting
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
transport input all
end
Jan 5 14:34:30.636: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:36:23.730: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:36:42.730: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:38:19.833: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:39:33.901: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:40:49.948: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:42:10.123: %SYS-5-CONFIG_I: Configured from console by console
Jan 5 14:42:42.031: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
Jan 5 14:42:46.031: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:43:06.058: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating
Jan 5 14:45:18.173: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: Associating

With PEAP there is a certificate being used on the radius server for securing the first phase (outer tunnel). In this scenario the access-point acts like a dot1x client, so like any other client it has to validate the certificate the radius server uses. Therefor the root certificate (and intermediates, if being used) needs to be installed on the access-point.
I never configured an WGB in this way, so I fired on my lab to see if I could get it to work. Sadly I did not manage to get it to work properly, I'm running into "EAP session timed out" messages in ACS (my radius server). I did also ran into the MFP issue, but as long as you configure MFP as optional on the network side, it should work. Because of the CCIE exam, I'm running old AirOS software on the WLC and also the software on the access-point I tested this configuration on (2600) is not that new. So it could be that I ran into a bug testing this, so I would advise you to run the latest software on your 1600. There are WGB related bugs fixed not so long ago. This configuration is supported since IOS 15.2.2(JA) and higher.
If I look at your configuration you still need to actually install the certificate, the trustpoint is empty. Besides that the following configuration changes needs to be made:
eap profile EAPTLS
no method mschapv2
method peap
dot11 ssid BYO
authentication open eap PEAP
   no authentication shared eap eap_methods
authentication network-eap PEAP
authentication key-management wpa version 2
dot1x credentials MyCreds
dot1x eap profile EAPTLS
   no infrastructure-ssid
   no ids mfp client optional
For more information look at this document.

Non-root is not associate with root

I am working to setup the non-root associate with root. I have checked every configuration from the root are the same as non-root. Accept it set to non-root.
- It is the same VLAN, SSID, authentication is open. I have encryption from both sides are the same.
It is still not associated. What else should I check from the non-root to get association? Please give me some helps
I am really appreciated that.
The root configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname Root_Bridge
no logging console
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
resource policy
clock timezone MST -7
clock save interval 24
ip subnet-zero
ip domain name Bridge
ip ssh time-out 60
ip ssh version 2
no dot11 igmp snooping-helper
dot11 vlan-name Management vlan 51
dot11 vlan-name User vlan 11
dot11 ssid LOCALBRIDGE
   vlan 51
   authentication open
   infrastructure-ssid
dot11 network-map
crypto pki trustpoint TP-self-signed-4076113752
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4076113752
revocation-check none
rsakeypair TP-self-signed-4076113752
crypto pki certificate chain TP-self-signed-4076113752
certificate self-signed 01
30820261 308201CA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303736 31313337 3532301E 170D3032 30333031 30303030
33345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373631
31333735 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B329 87F691CA 1107EC3A 9EF4676D 2F96A7E4 42DBB88F 426D78C1 0E9E09A0
8F5EA9A1 DF88C33A A0DF128A E13E6E59 E9232487 0F5C953C 274DF314 1F48544F
E213D232 85B1E45A 4D186A9E FF9581E6 3E471891 16B627B6 CB3D8F01 BCFF89E0
77E8EA44 0E255F75 BFF1299A B3198E9B 61B3056B 8F365D98 2A8D463E F3122C47
B80D0203 010001A3 81883081 85300F06 03551D13 0101FF04 05300301 01FF3032
0603551D 11042B30 29822737 3332385F 42726964 67652E64 61766973 2D6D6F6E
7468616E 2E616363 2E64732E 61662E6D 696C301F 0603551D 23041830 1680145F
9DB7F2A6 BD563ACB 429F6938 6AF9D336 69139F30 1D060355 1D0E0416 04145F9D
B7F2A6BD 563ACB42 9F69386A F9D33669 139F300D 06092A86 4886F70D 01010405
00038181 00372387 521D029A FAE2F579 73EDCF3B FDF262EE 5DF6154E 5469A5BD
6630E5FD C8A1311A A24493D4 D1856862 8979692B CDFE65D7 29E97B60 FCC37584
A27FA332 9CC5F175 2EDC871C D41BA4F5 A50634DE 75210305 47240D4F A30D0046
532F68ED 569CE374 98C5F53D A417CFBF 3A93C98A D399B06E A73E61AB D4889452
0B695B54 86
quit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 128bit 7 E99521751C16125A7754722A6B72 transmit-key
encryption key 2 size 128bit 7 1857F02303182327EA1A9242A53B
encryption key 3 size 128bit 7 FE1CF103855EBB2763224F129556
encryption key 4 size 128bit 7 19A03A5D596B029A01C208EF1C0F
encryption mode ciphers wep128
encryption vlan 11 key 1 size 128bit 7 419258EC0B7E6C7413C571760B67 transmit-key
encryption vlan 11 key 2 size 128bit 7 AB3C5B091B37223F39306B1F7442
encryption vlan 11 key 3 size 128bit 7 3E1CF103855EBB2763224F129556
encryption vlan 11 key 4 size 128bit 7 E858C5382B5D5E372A6C0438604C
encryption vlan 11 mode wep mandatory
encryption vlan 51 key 1 size 128bit 7 90792B34ACD2C8D18A0B7AF3AC68 transmit-key
encryption vlan 51 key 2 size 128bit 7 72063EA2FEF03A39E5468E92A7C5
encryption vlan 51 key 3 size 128bit 7 8607AEADB49EE0B7E4529770D9AE
encryption vlan 51 key 4 size 128bit 7 F60210B48CB39887A59255187D6D
encryption vlan 51 mode wep mandatory
ssid LOCALBRIDGE
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
packet retries 128
station-role root
rts threshold 4000
rts retries 128
cca 87
concatenation
distance 5
beacon period 20
infrastructure-client
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
no snmp trap link-status
bridge-group 11
interface Dot11Radio0.51
encapsulation dot1Q 51 native
no ip route-cache
no snmp trap link-status
bridge-group 1
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
no snmp trap link-status
bridge-group 11
interface FastEthernet0.51
encapsulation dot1Q 51 native
no ip route-cache
no snmp trap link-status
bridge-group 1
interface BVI1
ip address 192.168.0.5 255.255.255.0
no ip route-cache
no ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging history informational
snmp-server view dot11view ieee802dot11 included
snmp-server community PUBLICSTRING RW
snmp-server chassis-id Bridge
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 192.168.9.10 PUBLICSTRING
tacacs-server host 192.168.6.100
tacacs-server host 192.168.4.100
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
line vty 5 15
access-class 111 in
end
The non-root configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Bridge
logging console informational
logging monitor informational
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
aaa session-id common
resource policy
clock timezone MST -7
clock save interval 24
ip subnet-zero
ip domain name Bridge
no dot11 igmp snooping-helper
dot11 activity-timeout bridge default 3600
dot11 vlan-name Management vlan 51
dot11 vlan-name User vlan 11
dot11 ssid LOCALBRIDGE
   vlan 51
   authentication open
   infrastructure-ssid
dot11 network-map
no crypto provisioning petitioner
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 128bit 7 E99521751C16125A7754722A6B72 transmit-key
encryption key 2 size 128bit 7 1857F02303182327EA1A9242A53B
encryption key 3 size 128bit 7 FE1CF103855EBB2763224F129556
encryption key 4 size 128bit 7 19A03A5D596B029A01C208EF1C0F
encryption mode ciphers wep128
encryption vlan 11 key 1 size 128bit 7 419258EC0B7E6C7413C571760B67 transmit-key
encryption vlan 11 key 2 size 128bit 7 AB3C5B091B37223F39306B1F7442
encryption vlan 11 key 3 size 128bit 7 3E1CF103855EBB2763224F129556
encryption vlan 11 key 4 size 128bit 7 E858C5382B5D5E372A6C0438604C
encryption vlan 11 mode wep mandatory
encryption vlan 51 key 1 size 128bit 7 90792B34ACD2C8D18A0B7AF3AC68 transmit-key
encryption vlan 51 key 2 size 128bit 7 72063EA2FEF03A39E5468E92A7C5
encryption vlan 51 key 3 size 128bit 7 8607AEADB49EE0B7E4529770D9AE
encryption vlan 51 key 4 size 128bit 7 F60210B48CB39887A59255187D6D
encryption vlan 51 mode wep mandatory
ssid LOCALBRIDGE
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
packet retries 128
station-role non-root bridge
rts threshold 4000
rts retries 128
cca 87
concatenation
beacon period 20
infrastructure-client
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
no snmp trap link-status
bridge-group 11
interface Dot11Radio0.51
encapsulation dot1Q 51 native
no ip route-cache
no snmp trap link-status
bridge-group 1
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
no snmp trap link-status
bridge-group 11
interface FastEthernet0.51
encapsulation dot1Q 51 native
no ip route-cache
no snmp trap link-status
bridge-group 1
interface BVI1
ip address 192.168.0.10 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community PUBLICSTRING RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 192.168.9.10 PUBLICSTRING
tacacs-server host 192.168.6.100
tacacs-server host 192.168.4.100
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
bridge 11 protocol ieee
line con 0
line vty 0 4
end

what happens if you go completely open, no WEP?
and I wouldn't use WEP, it's very breakable.
Steve

Wireless Root Bridge - Non Root Bridge

I've been reading a lot about bridge configuration for wireless AP but i cannot make it work the following scenario:
PC -- ethernet port --> Non-Root-Bridge -----------> Root Bridge ---------> Switch
vlan111                     native 18 - vlan111           native 18 - vlan111      vlan native 18,111
Its pinging fine between switch and Non-Root. But when i put vlan111 on Non-Root the two AP's stop responding to the network.
What am i doing wrong? Plz i need some help!! I have two 1242.
------------------------ Root Config ----------------------
dot11 syslog
dot11 vlan-name JGS111 vlan 111
dot11 vlan-name JGS18 vlan 18
dot11 ssid WGB
   vlan 18
   authentication open
   guest-mode
   infrastructure-ssid
username Cisco password 7 047802150C2E
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid WGB
station-role root bridge
infrastructure-client
interface Dot11Radio0.18
encapsulation dot1Q 18 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
bridge-group 111 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.18
encapsulation dot1Q 18 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
bridge-group 111 spanning-disabled
interface BVI1
ip address 10.1.8.50 255.255.255.0
no ip route-cache
ip default-gateway 10.1.8.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
------------- Non-Root-Bridge -------------
ot11 syslog
dot11 vlan-name JGS111 vlan 111
dot11 vlan-name JGS18 vlan 18
dot11 ssid WGB
   vlan 18
   authentication open
   guest-mode
   infrastructure-ssid
username Cisco password 7 14341B180F0B
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid WGB
station-role non-root bridge
infrastructure-client
interface Dot11Radio0.18
encapsulation dot1Q 18 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
bridge-group 111 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.18
encapsulation dot1Q 18 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
bridge-group 111 spanning-disabled
interface BVI1
ip address 10.1.8.51 255.255.255.0
no ip route-cache
ip default-gateway 10.1.8.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip

Try this:
interface Dot11Radio0.18
encapsulation dot1Q 18 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
bridge-group 111 subscriber-loop-control
bridge-group 111 block-unknown-source
no bridge-group 111 source-learning
no bridge-group 111 unicast-flooding
bridge-group 111 spanning-disabled
interface FastEthernet0.18
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.111
encapsulation dot1Q 111
no ip route-cache
bridge-group 111
no bridge-group 111 source-learning
bridge-group 111 spanning-disabled
Make sure your switchort is setup similar
interface GigabitEthernet0/7
description 1242 AP Bridge
switchport trunk encapsulation dot1q
switchport trunk native vlan 18
switchport trunk allowed vlans 18,111
switchport mode trunk
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

1242 Root or Non-Root Bridge

Greetings,
I have a small network that uses 1242 APs for clients machines. Our wired WAN link can be unreliable, so I would like to configure one of the 1242s as a bridge and connect it to one of the many wireless networks we have in our neighborhood.
I understand the 1242 APs can also operate in a bridge mode that could allow us to connect our network to one of these other wireless LANs. A couple of questions:
-Does the remote WLAN have to be a compatible cisco device in order for the 1242 to be able to bridge successfully?
-Which 'Role in Radio Network' do I choose for our 1242?
-How do I see what the SSIDs of the remote WLANS are and enter the relevant passwords (WEP, WPA, 802.1x, or WPA2)
-If this is not possible, what is the right device to use to connect our LAN to a remote WLAN without being able to control the hardware at 'both' ends of the bridge.
TIA

Can you please provide me with a network topology of what it is you would like to achieve. If you want the radio interfaces to associate to one another, then it is recommended to have them on the same channel, but for roaming instances, it is recommended that you have then at least 5 channels apart on the g radio so as to avoid any interference.
The 802.11A radios on the APs would be configured as bridges (one as
a "root" and the other two as "non-root") and the 802.11G radios
would service clients. Only one of the APs would require wired
connectivity in this scenario, as long as all of the APs are
communicating to each other on the 802.11A side. An important
consideration is that the 802.11A radios that are configured as "non-
root bridges" need only to communicate with the 802.11A radio that is
configured as the "root bridge". It is not necessary for the "non-
root bridges" to see each other. However, it is imperative that the
802.11A radio that is configured as the "root bridge" be able to
communicate with BOTH of the 802.11A "non-root" bridges. Therefore,
the antennas you choose for the devices is important.

Cannot Associate 1532 Bridges in Non-Root role

Similar Messages

Maybe you are looking for