topic WDS infrastructure only in Wireless

WDS infrastructure only

herminator — Sun, 04 Jul 2021 16:37:46 GMT

Folks,

We have a couple of G and B radios access-points (1200 series) in 2 buildings. I want to use WDS only for the infrastructure and will have the clients to authenticate the way they do now. They authenticate directly against a radius server (eap-ttls).

I have configured a standalone WDS also with a local radius server and the use of infrastructure method.

When I configure an ap1200 to use WDS, it seems to use the WDS also for his clients to authenticate.

If I look at the WDS, I see that the AP is registered.

When I look at the wireless services summary page of the ap1200, It has his 'WDS ip address' his 'IN authenticator' and his 'MN authenticator' all to the WDS’s ip-address. The state is 'Infrastructure'.

I want to use an other 'MN authenticator' for my clients to authenticate. I don’t want accesspoints be dependent on the WDS to authenticate my clients.

Is it possible to fill in an other 'MN authenticator'?

Re: WDS infrastructure only

walruspro — Wed, 12 May 2004 10:29:11 GMT

I have the same dilemma. We´re using PEAP as client auth. One result is that in our ACS 3.2, logs -> passed/failed authentications, the "acces-divice" + "NAS-IP adress" is always the WDS-AP even though the client has connected to some other AP.

It would be nice to separate the client auth and infrastructure authentication. I have tried but WDS seem to override this and pass the authentications thru the WDS-AP.

Any suggestions?

Re: WDS infrastructure only

bruce.johnson — Sat, 15 May 2004 00:34:36 GMT

Isn't the Mobile Node authentictor responsible for Fast-Reauthentication, and shouldn't it handle re-authentication for roaming nodes only? Doesn't the initially-associated AP still handle the first EAP auth?

Re: WDS infrastructure only

kevin_miller — Thu, 20 May 2004 02:53:08 GMT

I have exactly the same problem using LEAP. WDS works, but slows down the authentication process. It works, but is noticably slower. I see no benefit for me using WDS for client authentication since I don't have roaming problems now and don't use realtime applications over wireless.

I've tried the following, but it doesn't work:

aaa group server radius wlccp_rad_infra

server 1.1.1.1 auth-port 1645 acct-port 1646

aaa authentication login wlccp_infra group wlccp_rad_infra

wlccp authentication-server infrastructure wlccp_infra

wlccp wds priority 200 interface BVI1

wlccp ap username xxx password xxx

wlccp wnm ip address 3.3.3.3

Re: WDS infrastructure only

walruspro — Thu, 20 May 2004 04:18:25 GMT

I also notice that authentication with my PEAP-clients take more time via wds.

Lets hope that Cisco make the client-authentication a module that can be detached from the wds-concept if there is a need - like in our cases. Can´t be too hard.