Root bridge to nonroot bridge communications can be secured with LEAP authentication and Cisco TKIP. It is strongly recommended that you use this or IPSec VPN over bridged links to secure the data traffic.
Examples 12-22 and 12-23 provide a deployment example for securing the root-to-nonroot bridged link using LEAP with Cisco TKIP. Example 12-22 shows a root bridge configuration in which LEAP authentication is enabled to authenticate the nonroot bridges. As shown in the example, Cisco TKIP is enabled to provide data confidentiality and to protect data integrity between the root and nonroot bridges.
ROOT-BRIDGE(config)#int dot11Radio 0
ROOT-BRIDGE(config-if)#ssid bridgedLink
! Enable LEAP authentication and specify the LEAP list name "LEAP-AUTH"
ROOT-BRIDGE(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable infrastructure mode association with the non-root bridges
ROOT-BRIDGE(config-if-ssid)#infrastructure-ssid
ROOT-BRIDGE(config-if-ssid)#exit
! Enable encryption parameters
ROOT-BRIDGE(config-if)#encryption mode wep mandatory mic key-hash
! Enable broadcast key rotation for every 900 seconds (15 minutes)
ROOT-BRIDGE(config-if)#broadcast-key change 900
ROOT-BRIDGE(config-if)#exit
! Configure radius server parameters for EAP authentication
ROOT-BRIDGE(config)#aaa new-model
! Specify Radius server information
ROOT-BRIDGE(config)#radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key tmelab
! Specify EAP authentication servers
ROOT-BRIDGE(config)#aaa group server radius rad-eap
! Specify 10.10.10.5 server as an EAP authentication server
ROOT-BRIDGE(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
ROOT-BRIDGE(config-sg-radius)#exit
! Specify rad-eap group of servers to be used for LEAP authentication
ROOT-BRIDGE(config)#aaa authentication login LEAP-AUTH group rad-eap
! Configure miscellaneous radius server parameters
ROOT-BRIDGE(config)#radius-server attribute 32 include-in-access-req format %h
ROOT-BRIDGE(config)#radius-server vsa send accounting
ROOT-BRIDGE(config)#end
Example 12-23 shows the nonroot bridge configuration in which LEAP authentication is enabled to protect the bridged link to the root bridge. Note that you must specify the LEAP authentication credentials (username and password) on the nonroot bridge. Even though it is not explicitly configured in Example 12-23, Cisco TKIP is negotiated as the cipher when the bridged link is initially brought up between the root and nonroot bridges, because the root bridge is configured with Cisco TKIP.
NR-BRIDGE1(config)#int dot11Radio 0
NR-BRIDGE1(config-if)#ssid bridgedLink
! Enable LEAP authentication and specify the LEAP list name "LEAP-AUTH"
NR-BRIDGE1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable infrastructure mode association with the root bridge
NR-BRIDGE1(config-if-ssid)#infrastructure-ssid
! Specify username and password for LEAP authentication
NR-BRIDGE1(config-if-ssid)#authentication client username nonRoot1 password 0 tmelab
NR-BRIDGE1(config-if-ssid)#end
The same debug commands used for EAP/802.1X authentication on the AP can be used on the root bridge to troubleshoot nonroot bridge authentication problems.