topic Aironet debuging clients and WDS issues in Wireless

Aironet debuging clients and WDS issues

jonathan — Sun, 04 Jul 2021 04:44:34 GMT

Hello fellow experts,

I want to understand what I am configuring!!!

There isnt enough detailed documents regarding deep debuging wireless clients or WDS connectivity.

Can anyone provide any video or document (not a regular cisco PDF) that can explain Commands such as:

aaa group server radius rad_eap

aaa group server radius rad_mac

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_SWAN group SWAN

wlccp authentication-server client eap method_client

wlccp authentication-server client leap method_client

aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_SWAN group SWAN

wlccp authentication-server client eap method_client
wlccp authentication-server client leap method_client

How about Debug commands?!

any debug client on aironet APs?

Thanks alot!!!

Jonathan

Aironet debuging clients and WDS issues

Stephen Rodriguez — Wed, 07 Mar 2012 14:52:15 GMT

ok, so to start at the begining.

WDS is used by the Cisco AP when you are doing 802.1x authentications. 802.1x defines three pieces the AAA server(ACS/IAS/NPS etc), the Authenticator ( AP, WLC) and the client.

If you are doing 802.1x and do not use WDS, every time the client roams to a new AP, it will do a full 802.1x authentication, generate new keys and then be on it's merry way. The problem with this is, the full 802.1x could break any current connections the client has, if there is an error, or a delayed response.

With WDS, you configure one AP as the 'Master' for that WDS Domain. Now when a client connects to any AP, the AP transmits the user credentials to the 'Master' via WLCCP, and the 'Master' does the authentication with the AAA server. Now when the client roams, the AP checks with the Master, and if the keys are still valid, a 4-way handshake happens and the client goes it's merry way.

Hopefully that makes sense so far.

On to the groups.

aaa group server radius rad_eap

by using aaa groups, you are able to select which AAA server or servers you want to send that type of authentication to.

For the group above, rad_eap, this is the list of servers that we are going to send Radius Authentications to. For rad_mac, this would be the group that we are going to send Radius MAC authentications to.

You can name these groups what ever you want. But make sure they are something that you can see and easily recognize what the group is for. I personally like to leave it at the default the AP generates. For the WLCCP authentication-server client, it is the same. When the AP receives a request via WLCCP to authenticate a client, what group does it use. The flow is the same.

The next piece:

aaa authentication login eap_methods group rad_eap

This piece tells the AP, that when the SSID is configured for eap_methods, to go and use the server list rad_eap. So as a brief example/explanation.

dot11 ssid Test1234

authentication open eap eap_methods

authentication key-management wpa

In the Test1234 we are doing an EAP type, which one doesn't matter at this point as the EAP is negotiated between the client and the server, and for this SSID we are to look at the login group eap_methods, which would referrence the server list rad_eap.

So why do we have the ability to specifiy different server lists? Well, what if you want to support different EAP types, or different domains of PKI infrastructures? But to keep it simple for now, lets go with different EAP Types. IAS/NPS only support PEAP and EAP-TLS. But let's say you have some clients that are running an old Cisco card and can only do EAP-Fast. Well your IAS can't do it, but the ACS you have can. So what you would do, is conifgure the ACS for EAP-Fast and configure an SSID to use a different group. Let's say we are going to use group eap_fast.

So we would have

aaa group server radius rad_eap

192.168.1.5 auth 1812 acct 1813

aaa group server radius eap_fast

192.168.1.6 auth 1645 acct 1646

aaa authentication login eap_methods group rad_eap

aaa authentication login eap_fast group eap_fast

Then the SSID:

dot11 ssid Test1234

authentication open eap eap_methods

authentication key-management wpa

dot11 ssid TestFast

authentication open eap eap_fast

authentication key-management wpa

Now, any client that is connecing to Test1234, will use group rad_eap and the server at 192.168.1.5.

Any client that is connecting to TestFast, will use group eap_fast and the server at 192.168.1.6.

Again, I hope this is making sense.

Moving to the Debugs.

Your best friend here, are the Aironet Command References.

debug wlccp ap {mn | rm [statistics | context | packet] | state | wds-discovery}

as well as your show WLCCP commands

show wlccp

theser were pulled from

http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/command/reference/cr43main.html

The above link also lists out the various other debugs that you can run on the AP.

If you want more on WDS and SWAN, there is a book out there for the SWAN Infrastructure

Steve

Aironet debuging clients and WDS issues

ESIGO1_2 — Wed, 07 Mar 2012 15:46:28 GMT

That is a GREAT breakdown Steve, thanks!

Aironet debuging clients and WDS issues

jonathan — Wed, 07 Mar 2012 16:19:18 GMT

Stephen, really much appreciated!! 

Configuring a WLC seems to be so easy while setting up a SWAN can be really challenging 

Are there any other recommendations while configuring a SWAN? Sniffer filtering or debug command that can help while configuring a SWAN (missing a command or misconfiguring the AP)?

Is there a simple debug client command "MAC" in SWAN like on the WLC?

Is there some kind of hidden detailed guide or video for configuring PEAP\EAP on IAS?

The cisco guides usually shows it all on ACS  while most of my clients have Microsoft? Sorry for all the questions… Thank you very very much for your help…

Aironet debuging clients and WDS issues

Stephen Rodriguez — Wed, 07 Mar 2012 16:32:50 GMT

well, WDS isn't that bad once you've done it a few times. It works pretty darn well, for what it is.

unfortunately the debugs for WLCCP aren't quite as simple. Debug client calls a couple of different debugs with the one command, where in IOS you have to call them seperatly.

debug wlccp wds mn

As for PEAP on IAS, http://goo.gl/Nfli3

Steve

Aironet debuging clients and WDS issues

jonathan — Wed, 07 Mar 2012 16:39:52 GMT

I have no words for your kind and quick assistance.

Stephen - Bring us world peace