Vinay Sharma
Introduction

Rajan Parmar is a wireless expert working in Cisco's Technical Assistance Center (TAC), providing reactive technical support to the majority of Cisco's premium customers and partners. In this document Rajan explains how to implement WDS (Wireless Domain Services) in a step-by-step approach.

Configuration

For the WDS-AP

  1. Mark an AP as the WDS-AP.
  2. Give this WDS-AP a shared secret, which it uses to authenticate itself to the Local RADIUS Server running within the WDS-AP.
  3. Define the IP address of the RADIUS server for the WDS-AP (in the Server Manager page of the WDS-AP). This RADIUS server is the Local RADIUS Server within the WDS-AP.
  4. Set the priority of that RADIUS server.
  5. Go to the Local RADIUS of the WDS-AP and enter the IP address of this WDS-AP as the IP address of a AAA client. If you want, also mark the WDS-AP as an INFRA-AP (from within the WDS-AP).
  6. Create a username for this WDS/infra AP (the one within the WDS-AP). Create a profile for the infra APs in the WDS and set the IP of the Local RADIUS Server (in our case), so that the username of the WDS/infra AP is forwarded to the Local RADIUS Server for authentication.
  7. Put that username in the Local RADIUS Server.

For the INFRA-AP

  1. Mark another AP as the INFRA-AP.
  2. Give this INFRA-AP a shared secret, which it uses to authenticate itself to the Local RADIUS Server within the WDS-AP.
  3. Define the IP address of the RADIUS server for the INFRA-AP (in the Server Manager page of the INFRA-AP). This RADIUS server is the Local RADIUS Server within the WDS-AP.
  4. Set the priority of that RADIUS server.
  5. Go to the Local RADIUS of the WDS-AP and enter the IP address of this INFRA-AP as the IP address of another AAA client.
  6. Create a username for this INFRA-AP (the one outside the WDS-AP).
  7. Put that username in the Local RADIUS Server of the WDS-AP.

For the Wireless Clients

  1. A pointer (server group) must be created in the WDS to forward the client authentication requests to the RADIUS server.
  2. Go to the individual infra APs and fill in the Security -> SSID Manager and Security -> Encryption Manager pages of each INFRA-AP.

In the WDS setup, wireless users may be authenticated either via an external RADIUS server or via the internal Local RADIUS Server (within the WDS-AP), but the WDS and infra APs must be authenticated by the Local RADIUS Server within the WDS-AP.

What is WDS?

In order to create a SWAN architecture, the first devices to configure are the Wireless Domain Services (WDS) access points. If there is more than one WDS access point, make sure all the devices are configured. WDS access points are devices that have been chosen to run the WDS software services and are logically inline between the infrastructure access points and the higher-level management devices, such as CiscoWorks Wireless LAN Solution Engine (WLSE) and Cisco Secure Access Control Server (ACS). The WDS AP forwards aggregated information to the CiscoWorks WLSE.

There must be one WDS access point per segment in a SWAN topology. One WDS AP can support 30 infrastructure access points, and up to 60 access points if it is not serving 802.11 traffic. While the WDS AP may optionally support wireless clients, this is not recommended, because the WDS for a wireless network collects information from the client devices and infrastructure access points. This information is processed by the WDS access point, the time stamps are collated, and it is pushed upstream one more layer to the CiscoWorks WLSE.

The whole Cisco SWAN infrastructure is secured through the use of a RADIUS server. Therefore, in order for the network to be secured the RADIUS server must be configured.

First, click Server Manager in the left menu bar. Under Corporate Servers, choose RADIUS from the drop-down menu. Next, under Current Server List enter the IP address of the authentication server in the Server field. Specify the Shared Secret and the ports.

Click Apply to create the definition and populate the drop-down lists. Under Default Server Priorities, set the EAP Authentication type Priority 1 field to the server IP address. Note that multiple servers may be configured to provide fault tolerance. To activate the changes, click Apply at the bottom of the page.

WDS resides on one or more access points within a Layer 2 network. An access point running WDS can register approximately 30 access points. At the same time, it can operate as a typical access point. For example, clients can associate to it separately from any WDS services.

Enabling WDS globally on an access point

To enable WDS globally on an access point, complete these steps.

First, select the Settings tab on the Wireless Services menu of WDS. Select the Use this AP as Wireless Domain Services check box. Next, enter a priority value in the Wireless Domain Services Priority field. Multiple access points use this setting to determine which device provides WDS for its VLAN (or IP subnet). The access point with the highest value (from 1 to 255, with 255 being the highest priority) becomes the primary WDS. All others are backups to the primary in the event that the primary becomes disabled or unavailable. Once WDS is enabled globally, specific WDS features are configurable.

Cisco LEAP is also used to authenticate infrastructure APs and the CiscoWorks WLSE. To configure LEAP from the Server Group List pane, choose the RADIUS server used to provide authentication services to the WDS and infrastructure access points or, by highlighting New, create a new Server Group. This can be the same RADIUS server that provides authentication services to wireless LAN clients. Under Use Group For, click the Infrastructure Authentication radio button. Infrastructure here refers to all access points that will be providing WDS or registering with a WDS. Under SSID Settings, click the appropriate radio button to specify which service set identifiers (SSIDs) this configuration should be applied to. Under Group Server Priorities, choose the server for this Server Group. You must add a server in Security > Servers in order for the server to show up in the Group Server Priority list.

Because Cisco Centralized Key Management (CCKM) operates inline between authenticated access points and the authenticator (the RADIUS server), all client authentications from registered access points go through the WDS access point. Although CCKM supports clients that authenticate using Cisco LEAP, many other types of authentication can be passed to the RADIUS server by the infrastructure access points.

To accommodate all client authentication types, select the Client Authentication radio button in the Use Group For area, and check the check box for every authentication type that will be passed through this WDS to a RADIUS server. 

To be sure the appropriate SSID and VLAN assignment is applied, select the Any Authentication check box, and under SSID Settings, click the Apply to all SSIDs radio button. The configuration will then cover all potential cases.

Cisco SWAN Fast Secure Roaming

Cisco SWAN Fast Secure Roaming supports clients that authenticate using Cisco LEAP or EAP-FAST. To enable this, a change in both the Encryption Manager and SSID Manager must be made. First, make the changes under SECURITY > Encryption Manager.

Choose Security > Encryption Manager. The Encryption Manager screen is displayed. Then, select the VLAN number from the drop-down menu.

Click the Cipher radio button. From the drop-down menu, choose one of the cipher modes in the Cisco Aironet access point setup screen for the specific VLAN on which this service is offered. Click Apply to save.

The next step is to configure Fast Secure Roaming for the SSID Manager by selecting SECURITY > SSID Manager. From the current SSID list, select the SSID you would like to modify. Click the SSID Manager button on the menu. Under Authentication Settings, check the Open Authentication check box and choose With EAP from the drop-down menu. Check the Network EAP check box.

Under Authenticated Key Management, choose Mandatory or Optional from the drop-down menu and check the CCKM check box. Both of these settings are VLAN specific and must be configured for each VLAN on which CCKM is desired.

Infrastructure Client's CLI commands

aaa new-model
!
radius-server host <IP_ADDR_WDS> auth-port 1812 acct-port 1813 key 7 120A0014000E18
aaa group server radius rad_mac
 server <IP_ADDR_WDS> auth-port 1812 acct-port 1813
!
! Assumed (not in the original listing): the mac_methods list the SSID
! references, tied to the rad_mac group so MAC authentication reaches the WDS.
aaa authentication login mac_methods group rad_mac
!
! Credentials this AP presents to the WDS over WLCCP; must exist as a user
! in the WDS-AP's radius-server local.
wlccp ap username ap1 password 7 0207140A
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
!
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address <IP_ADDR_INFRA_AP> 255.255.255.0
 no ip route-cache
!

Infrastructure AP's CLI commands

aaa new-model
!
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key <>
!
aaa group server radius rad_mac
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
! Assumed (not in the original listing): the mac_methods list the SSID
! references, tied to the rad_mac group.
aaa authentication login mac_methods group rad_mac
!
wlccp ap username ap1 password <>
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
!
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address 192.168.28.10 255.255.255.0
!


WDS Server's CLI commands

aaa new-model
!
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key <>
aaa group server radius rad_mac
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
aaa authentication login method_InfrastructureAuthentication group InfrastructureAuthentication
aaa authentication login method_ClientAuthentication group ClientAuthentication
! Assumed (not in the original listing): the mac_methods list the SSID references.
aaa authentication login mac_methods group rad_mac
!
! Infra APs (and this WDS-AP itself) authenticate through this method list.
wlccp authentication-server infrastructure method_InfrastructureAuthentication
aaa group server radius InfrastructureAuthentication
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
! Client MAC authentication proxied by the WDS uses this method list.
wlccp authentication-server client mac method_ClientAuthentication
aaa group server radius ClientAuthentication
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
! Highest priority (255) makes this AP the primary WDS for the subnet.
wlccp wds priority 255 interface BVI1
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
!
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address 192.168.28.20 255.255.255.0
!
! Local RADIUS server: every AP that talks to it (the WDS-AP itself and each
! infra AP, per step 5 of the INFRA-AP procedure) needs a nas entry, and each
! AP's wlccp username needs a user entry.
radius-server local
  nas 192.168.28.20 key <>
  nas 192.168.28.10 key <>
  user user password <>
  user ap1 password <>
!
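As an added check (not part of the original document), the following Python cross-checks an infrastructure AP's configuration against the WDS AP's, implementing the pairing rules from the step-by-step procedure and the CLI listings above: the infra AP must point at the WDS AP's Local RADIUS Server, both APs must be NAS entries with matching shared secrets, and the infra AP's wlccp username must exist as a local RADIUS user. The sample configs, addresses beyond the page's 192.168.28.0/24, and secrets are constructed.

```python
import re

# Constructed sample configs mirroring the page's WDS and infra AP CLI
# (secrets are hypothetical; 192.168.28.0/24 addressing as in the document).
WDS_CFG = """
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key wds-secret
wlccp wds priority 255 interface BVI1
interface BVI1
 ip address 192.168.28.20 255.255.255.0
radius-server local
  nas 192.168.28.20 key wds-secret
  nas 192.168.28.10 key infra-secret
  user ap1 password ap1-pass
"""
INFRA_CFG = """
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key infra-secret
wlccp ap username ap1 password ap1-pass
interface BVI1
 ip address 192.168.28.10 255.255.255.0
"""

def first(pattern, cfg):
    """First capture group of pattern in cfg, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check_wds_pairing(wds_cfg, infra_cfg):
    """Cross-check an infra AP against the WDS AP; empty list means consistent."""
    findings = []
    bvi = r"^interface BVI1\n[ \t]+ip address (\S+)"
    wds_ip, infra_ip = first(bvi, wds_cfg), first(bvi, infra_cfg)
    # 1. The infra AP must send WLCCP auth to the WDS AP's local RADIUS server.
    srv = first(r"^radius-server host (\S+)", infra_cfg)
    if srv != wds_ip:
        findings.append(f"infra AP radius-server {srv} is not the WDS AP {wds_ip}")
    # 2. Both APs must be NAS entries in radius-server local with matching keys.
    nas = dict(re.findall(r"^[ \t]+nas (\S+) key (\S+)", wds_cfg, re.M))
    for name, ip, cfg in (("WDS AP", wds_ip, wds_cfg), ("infra AP", infra_ip, infra_cfg)):
        key = first(r"^radius-server host \S+ .*key (\S+)", cfg)
        if ip not in nas:
            findings.append(f"{name} {ip} has no nas entry in radius-server local")
        elif nas[ip] != key:
            findings.append(f"{name} {ip} shared secret does not match its nas key")
    # 3. The infra AP's wlccp username/password must exist as a local RADIUS user.
    users = dict(re.findall(r"^[ \t]+user (\S+) password (\S+)", wds_cfg, re.M))
    m = re.search(r"^wlccp ap username (\S+) password (\S+)", infra_cfg, re.M)
    if not m or users.get(m.group(1)) != m.group(2):
        findings.append("infra AP wlccp credentials are not defined in radius-server local")
    return findings
```

Run `check_wds_pairing(WDS_CFG, INFRA_CFG)` on the running configs of a WDS/infra pair; a non-empty list names the mismatch that will make the infra AP fail WLCCP registration.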

 
