Since I just spent the better part of a weekend to finally get this working, here’s a nasty little bug that took forever to track down: Starting from 8.10.150.0 if you want some older Cisco accesspoints connect to your network in WGB mode, you need to tweak your security setting a little bit otherwise they just wont connect: “cannot associate: EAP authentication failed” is one of the various not exactly helpful error messages you’re probably very familiar at this point if you found this post…
Cisco actually points to it in their documentation, but of course that was the last place I looked at: config wlan security wpa akm psk pmkid {enable | disable} wlan_id
That is, if you want have a WGB connect to your wlan 3:
config wlan disable 3
config wlan security wpa akm psk enable 3
config wlan security wpa akm psk pmkid enable 3
config wlan enable 3Once that’s set, just configure your WGB like you usually would – for example:
dot11 ssid yourssid
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii yourpresharedkeyinterface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid yourssid
station-role workgroup-bridge
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-floodingWith PMK ID set, a 2600 Series or even something as old as a 1131AG would connect like it’s supposed to.