Monday, April 5, 2010

Cisco WDS Configuration

Configuring WDS is fairly straightforward, given an understanding of the concepts explained in my last post, Cisco WDS Overview.

First, configure one or more WDS master devices (if more than one is configured, the one with the highest priority becomes the active master and the others stand by):
  1. Set the WDS client username and password (the master registers with itself as a WDS client, so it authenticates with this credential too). Infrastructure authentication uses LEAP, which is MS-CHAP based and can be attacked offline with a captured exchange, so choose a strong, unique password rather than reusing a user credential:
    wlccp ap username username password password

  2. Set the AAA method list used to authenticate WDS client access points. The method list may reference the local RADIUS server on the master access point, if enabled, or an external RADIUS server; either way the server must support LEAP, because that is the method the access points use to authenticate to the WDS master.
    wlccp authentication-server infrastructure aaa-method-list

  3. Set the AAA method list(s) to authenticate wireless clients. Multiple commands may be entered to specify different method lists depending on the authentication type used (EAP, LEAP), and SSIDs may optionally be specified under each list to restrict their application. If no SSIDs are specified under a list, then it applies to all SSIDs.
    wlccp authentication-server client { any | eap | leap } aaa-method-list
         [ ssid ssid-name ]

  4. Set the WDS master priority. The access point with the highest priority is elected as the active master; values range from 1 to 255. The interface argument is the bridge-group virtual interface (BVI1) whose IP address the WDS clients will register with:
    wlccp wds priority value interface BVI1

  5. Optionally, set the wireless network management server of the WLSE:
    wlccp wnm ip address ip-address

  6. Optionally, set the WDS master to WDS-only mode so that it does not accept wireless client associations:
    wlccp wds mode wds-only

Second, configure the WDS client access points:
  1. Set the WDS client username and password (the same credential configured on the master's infrastructure authentication server):
    wlccp ap username username password password

  2. Optionally, specify the WDS master address statically instead of waiting for multicast advertisements. If the specified WDS master does not respond, the WDS client falls back to listening for multicast advertisements.
    wlccp ap wds ip address ip-address

Verify WDS operation:
  •  Check the status of the WDS master, connected WDS client APs, and authenticated wireless clients (mobile nodes):
    show wlccp wds [ ap | mn ]

  • Check the status of the WDS client:
    show wlccp ap

Here is a simple WDS master configuration with two SSIDs. SSID "ccie" serves wireless clients using a central AAA server referenced by the method list "eap_cisco". SSID "bridge" serves a non-root bridge, authenticated by the local RADIUS server on the WDS master through the method list "eap_local"; the same local method list authenticates the infrastructure (WDS client) registrations.

wlccp ap username wds password mysecret
wlccp authentication-server infrastructure eap_local
wlccp authentication-server client eap eap_cisco
  ssid ccie
wlccp authentication-server client leap eap_local
  ssid bridge
wlccp wds priority 250 interface BVI1
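
The configuration above references the method lists "eap_local" and "eap_cisco" without showing how they are built. The following is an added example (not part of the original post) of the AAA plumbing that backs them on the WDS master: a local RADIUS server that holds the WDS credential, and a server group for the central AAA server. The addresses are assumptions chosen to match the outputs that follow (the master "Root" at 10.10.10.51, a central RADIUS server at 10.10.10.1); the shared secrets are placeholders.

```cisco
! Added example, not from the original post. Assumed addresses:
! WDS master / local RADIUS = 10.10.10.51, central RADIUS = 10.10.10.1.
aaa new-model
!
! Server group for the local RADIUS server running on this access point
aaa group server radius rad_local
 server 10.10.10.51 auth-port 1812 acct-port 1813
!
! Server group for the central AAA server used by SSID "ccie"
aaa group server radius rad_cisco
 server 10.10.10.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_local group rad_local
aaa authentication login eap_cisco group rad_cisco
!
! Local RADIUS server. The access point must list itself as a NAS.
! The WDS credential is a plain user, not restricted to an SSID group,
! so it is usable for infrastructure (WDS client) authentication.
radius-server local
 nas 10.10.10.51 key localsecret
 user wds password mysecret
!
radius-server host 10.10.10.51 auth-port 1812 acct-port 1813 key localsecret
radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key centralsecret
!
! The WDS commands from the configuration above
wlccp ap username wds password mysecret
wlccp authentication-server infrastructure eap_local
wlccp authentication-server client eap eap_cisco
  ssid ccie
wlccp authentication-server client leap eap_local
  ssid bridge
wlccp wds priority 250 interface BVI1
```

The "wlccp ap username" password must match the "user wds" entry in the local RADIUS server exactly, and the RADIUS key in "radius-server host" must match the key in the matching "nas" line; a mismatch in either shows up on the WDS client as a registration stuck in the LEAP authentication state rather than REGISTERED. The local RADIUS user store is the same list any access point in the WDS can register against, so keep this password as tightly controlled as the RADIUS shared secrets.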
 
Verification of the WDS master:

Root#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [bridge] :

MAC Address    IP address  Device     Name    Parent State
0017.df96.0a50 10.10.10.62 11g-bridge Nonroot self   EAP-Assoc

Root#show wlccp wds ap
HOSTNAME MAC-ADDR       IP-ADDR     STATE
Nonroot  0017.df96.0a50 10.10.10.62 REGISTERED
Root     0016.c7d2.32be 10.10.10.51 REGISTERED

Root#show wlccp wds mn
MAC-ADDR       IP-ADDR     Cur-AP         STATE
0017.df96.0a50 10.10.10.62 0016.c7d2.32be REGISTERED

Here is an example WDS client configuration:

wlccp ap username wds password mysecret

Verification on the WDS client:

Nonroot#show wlccp ap
WDS = 0016.c7d2.32be, 10.10.10.51
state = wlccp_ap_st_registered
IN Authenticator = 10.10.10.51
MN Authenticator = 10.10.10.51

Andrew

13 comments:

  1. You're welcome! Thanks for reading my blog.

  2. How many users can connect to a WDS with a standalone AP running the WDS?

    With the command "wlccp ap eap profile" can it change it so that the AP uses something like mschapv2 to authenticate to the WDS instead of LEAP?
    thanks!

  3. There is no WDS imposed limit on the number of clients supported. It is more a function of AP hardware capabilities, client radio types (11a/b/g/n), and the environment (interference, noise, etc.).

    The wlccp ap eap profile does not work with access points acting as WDS masters. I believe it only works with WLSE WDS masters, but am not certain and have not tested that scenario.

    Andrew

  4. Hi thanks for this very interesting article.
    I just got three Cisco Aironet 1200 series APs from eBay. I set one up with WPA-PSK, but I thought it might be a nice setup if I can get a WDS up and running (main goal is fast roaming). I want to configure one of them as the master device that is also serving clients, but from my understanding there is no way to use WPA in such a setup. Is that true or am I completely wrong? It would be nice if you could point me in the right direction. Thanks in advance for answering my newbie question. Cheers, Ingo.

  5. Yes, you can configure the WDS Master to also serve clients. In my configuration notes for the master above, simply skip step 6. However, if a WDS master AP is serving wireless clients, keep in mind that only 30 WDS client APs can be supported.

    Also, the benefit of fast roaming is really more for 802.1X enabled networks. You won't gain much if you are only using WPA-PSK.

    Thanks for reading,
    Andrew

  6. Is it possible to create a Cisco WDS configuration with no authentication server, only with APs? Thank you.

  7. Yes, you set this command to reference a AAA method list that only includes the local RADIUS server running on the AP:

    wlccp authentication-server infrastructure aaa-method-list

    Andrew

  8. Hi,

    I am attempting to set up a WDS using 1262 series access points as the WDS APs.

    I have found this message:

    %LEAPCL-3-TIMEOUT: AP Timed out authenticating to the WDS

    Below are the configurations of the WDS-AP:

    aaa group server radius rad_eap
    server 10.10.10.1 auth-port 1812 acct-port 1813

    ...

    aaa authentication login eap_methods group rad_eap

    ...

    radius-server local
    nas 10.10.10.1 key 7 151F0E0F0C2F27
    group default
    ssid TEST-01
    !
    user wds_eap nthash 7 1447305F5F5C727F727F6660734052305350057D000B0259524F420D0C0677050C group default
    !

    ...

    radius-server host 10.10.10.1 auth-port 1812 acct-port 1813 key 7 151F0E0F0C2F27

    ...

    wlccp ap username wds_eap password wds_eap
    wlccp authentication-server infrastructure eap_methods
    wlccp authentication-server client leap eap_methods
    wlccp wds priority 250 interface BVI1

    AP-1262N#sh wlccp wds
    MAC: ccef.488d.0831, IP-ADDR: 10.10.10.1 , Priority: 250
    Interface BVI1, State: Administratively StandAlone - ACTIVE
    AP Count: 0 , MN Count: 0

    AP-1262N#sh wlccp ap
    WDS = ccef.488d.0831, 10.10.10.1
    state = wlccp_ap_st_leap_auth
    IN Authenticator = 10.10.10.1

    Sir, can you help me?

    1. You might try removing the "group default". It looks like that group is only tied to the SSID, so it may not allow the user to authenticate for WDS since it is in that group. Otherwise it looks accurate.

      Andrew

  9. Hi, and thank you for all your nice posts, explaining cisco features!

    We are in the process of setting up around 20 Cisco Aironet 1040 APs that will handle several different VLANs and SSIDs; we have no controller. We have a Windows NPS server as our RADIUS server. My question here is how exactly we should go about deploying WDS in this setup. As I understand it, we need to enable local RADIUS on one access point to do the AAA for the APs, since NPS cannot do this with user names and passwords. Is this correct, or is there a smarter way?

    Also, the VLAN that will use CCKM (with WDS): can that only be done with LEAP and not EAP-TLS?
    We have looked at the post: https://supportforums.cisco.com/docs/DOC-25343 - is that the way to do it?

    Hope my questions are understandable! :)

    Thanks for your expert advice.

    Benjamin

    1. Hi Benjamin,
      Yes, you will need to support LEAP for AP authentication to the WDS Master. This can be local RADIUS on an AP, or an external RADIUS server that supports LEAP.

      The VLAN that supports CCKM for wireless clients can use any authentication method, EAP-TLS included. It simply depends on whether your client and RADIUS server both support the EAP type chosen.

      Cheers,
      Andrew
