Rajan Parmar is a wireless expert working for Cisco's Technical Assistance Center (TAC) team, providing reactive technical support to the majority of Cisco's premium customers and partners. In this document Rajan explains how to implement WDS in a step-by-step approach.
In the WDS setup, users may be authenticated either via an external RADIUS server or via the internal local RADIUS server (within the WDS AP), but the WDS and infrastructure APs must be authenticated by the local RADIUS server running on the WDS AP.
In order to create a SWAN architecture, the first devices to configure are the Wireless Domain Services (WDS) access points. If there is more than one WDS access point, make sure all of them are configured. WDS access points are devices that have been chosen to run the WDS software services and are logically inline between the infrastructure access points and the higher-level management devices, such as CiscoWorks Wireless LAN Solution Engine (WLSE) and Cisco Secure Access Control Server (ACS). The WDS AP forwards aggregated information to the CiscoWorks WLSE.
There must be one WDS access point per segment in a SWAN topology. One WDS AP can support 30 infrastructure access points and may support up to 60 access points if not serving 802.11 traffic. While the WDS AP may optionally support wireless clients, it is not recommended because the WDS for a wireless network collects information from the client devices and infrastructure access points. This information is manipulated by the WDS access point; the time stamps are collated; and it is pushed upstream one more layer to the CiscoWorks WLSE.
The whole Cisco SWAN infrastructure is secured through the use of a RADIUS server. Therefore, in order for the network to be secured the RADIUS server must be configured.
First, click Server Manager in the left menu bar. Under Corporate Servers, choose RADIUS from the drop-down menu. Next, under Current Server List enter the IP address of the authentication server in the Server field. Specify the Shared Secret and the ports.
Click Apply to create the definition and populate the drop-down lists. Under Default Server Priorities, set the EAP Authentication type Priority 1 field to the server IP address. Note that multiple servers may be configured to provide fault tolerance. To activate the changes, click Apply at the bottom of the page.
WDS resides on one or more access points within a Layer 2 network. An access point running WDS can register approximately 30 access points. At the same time, it can operate as a typical access point. For example, clients can associate to it separately from any WDS services.
To enable WDS globally on an access point, complete these steps.
First, select the Settings tab on the Wireless Services menu of WDS. Select the Use this AP as Wireless Domain Services check box. Next, enter a priority value in the Wireless Domain Services Priority field. Multiple access points use this setting to determine which device provides WDS for its VLAN (or IP subnet). The access point with the highest value (from 1 to 255 with 255 being the highest priority) becomes the primary WDS. All others are backups to the primary in the event that the primary becomes disabled or unavailable. Once you have enabled them globally, specific WDS features are configurable.
Cisco LEAP is also used to authenticate infrastructure APs and the CiscoWorks WLSE. To configure LEAP from the Server Group List pane, choose the RADIUS server used to provide authentication services to the WDS and infrastructure access points or, by highlighting New, create a new Server Group. This can be the same RADIUS server that provides authentication services to wireless LAN clients. Under Use Group For, click the Infrastructure Authentication radio button. Infrastructure here refers to all access points that will be providing WDS or registering with a WDS. Under SSID settings, click the appropriate radio button to specify which service set identifiers (SSIDs) this configuration should be applied to. Under Group Server Priorities, choose the server for this Server Group. You must add a server in Security > Servers in order for the server to show up in the Group Server Priority list.
Because Cisco Centralized Key Management (CCKM) operates inline between authenticated access points and the authenticator (the RADIUS server), all client authentications from registered access points go through the WDS access point. Although CCKM supports clients that authenticate using Cisco LEAP, many other authentication types can be passed to the RADIUS server by the infrastructure access points.
To accommodate all client authentication types, select the Client Authentication radio button in the Use Group For area, and check the check box for every authentication type that will be passed through this WDS to a RADIUS server.
To be sure to apply the appropriate SSID and VLAN assignment, select the Any Authentication check box, and under SSID Settings, click the Apply to all SSIDs radio button. The configuration will then cover all potential cases.
Cisco SWAN Fast Secure Roaming supports clients that authenticate using Cisco LEAP or EAP-FAST. To enable this, a change in both the Encryption Manager and SSID Manager must be made. First, make the changes under SECURITY > Encryption Manager.
Choose Security > Encryption Manager. The Encryption Manager screen is displayed. Then, select the VLAN number from the drop-down menu.
Click the Cipher radio button. From the drop-down menu, choose one of the cipher modes in the Cisco Aironet access point setup screen for the specific VLAN on which this service is offered. Click Apply to save.
The next step is to configure Fast Secure Roaming for the SSID Manager by selecting SECURITY > SSID Manager. From the current SSID list, select the SSID you would like to modify. Click the SSID Manager button on the menu. Under Authentication Settings, check the Open Authentication check box and choose With EAP from the drop-down menu. Check the Network EAP check box.
Under Authenticated Key Management, choose Mandatory or Optional from the drop-down menu and check the CCKM check box. Both of these settings are VLAN specific and must be configured for each VLAN on which CCKM is desired.
Infrastructure AP configuration template (MAC-authenticated SSID; substitute the WDS and infrastructure AP addresses):

aaa new-model
radius-server host <IP_ADDR_WDS> auth-port 1812 acct-port 1813 key 7 120A0014000E18
aaa group server radius rad_mac
 server <IP_ADDR_WDS> auth-port 1812 acct-port 1813
!
wlccp ap username ap1 password 7 0207140A
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address <IP_ADDR_INFRA_AP> 255.255.255.0
 no ip route-cache
!
Infrastructure AP configuration with example addresses (the WDS AP is 192.168.28.20):

aaa new-model
!
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key <>
!
aaa group server radius rad_mac
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
wlccp ap username ap1 password <>
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address 192.168.28.10 255.255.255.0
!
WDS AP configuration, including the local RADIUS server that authenticates the infrastructure AP (user ap1):

aaa new-model
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key <>
aaa group server radius rad_mac
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
aaa authentication login method_InfrastructureAuthentica group InfrastructureAuthentication
aaa authentication login method_ClientAuthentication group ClientAuthentication
!
wlccp authentication-server infrastructure method_InfrastructureAuthentication
aaa group server radius InfrastructureAuthentication
 server 192.168.28.20 auth-port 1812 acct-port 1813
wlccp authentication-server client mac method_ClientAuthentication
aaa group server radius ClientAuthentication
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
wlccp wds priority 255 interface BVI1
!
dot11 ssid MacSSID
   authentication open mac-address mac_methods
interface Dot11Radio0
 ssid MacSSID
 station-role root access-point
!
interface BVI1
 ip address 192.168.28.20 255.255.255.0
!
radius-server local
 nas 192.168.28.20 key <>
 user user password <>
 user ap1 password <>
!
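The infrastructure AP and WDS AP listings above only work as a pair when a few values line up: the infrastructure AP must point its RADIUS server at the WDS AP's BVI address, the WDS AP's local RADIUS server must carry a NAS entry for itself and a user entry matching the infrastructure AP's wlccp username, and the WDS priority must sit in the 1 to 255 range described earlier. The following Python script is an added example, not Cisco code or anything from the original article; it parses two constructed configurations modelled on the listings (same addresses, username ap1, and the type-7 secrets from the template) and reports any mismatch, also flagging secrets stored with IOS type-7 encoding, which is reversible obfuscation rather than protection.

```python
"""Cross-check an infrastructure AP configuration against its WDS AP's.

Added example; the configs below are constructed from the page's listings.
"""
import re

# Constructed sample: infrastructure AP (registers with the WDS at 192.168.28.20).
INFRA_AP_CONFIG = """\
aaa new-model
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key 7 120A0014000E18
aaa group server radius rad_mac
 server 192.168.28.20 auth-port 1812 acct-port 1813
!
wlccp ap username ap1 password 7 0207140A
!
interface BVI1
 ip address 192.168.28.10 255.255.255.0
!
"""

# Constructed sample: WDS AP running the local RADIUS server (type-0 secrets).
WDS_AP_CONFIG = """\
aaa new-model
radius-server host 192.168.28.20 auth-port 1812 acct-port 1813 key 0 SECRET
!
wlccp authentication-server infrastructure method_InfrastructureAuthentication
wlccp authentication-server client mac method_ClientAuthentication
wlccp wds priority 255 interface BVI1
!
interface BVI1
 ip address 192.168.28.20 255.255.255.0
!
radius-server local
 nas 192.168.28.20 key 0 SECRET
 user ap1 password 0 SECRET
!
"""


def parse_config(text):
    """Pull out the fields the consistency checks need from an IOS-style config."""
    cfg = {
        "radius_hosts": [],    # addresses of remote RADIUS servers
        "type7_keys": [],      # lines carrying a type-7 (reversible) secret
        "bvi_ip": None,        # the AP's management address on BVI1
        "wlccp_user": None,    # username the AP uses to authenticate to the WDS
        "wds_priority": None,  # present only on a WDS candidate
        "local_nas": [],       # NAS entries of the local RADIUS server
        "local_users": [],     # user entries of the local RADIUS server
    }
    section = None  # top-level command whose indented sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            section = None
            continue
        if not raw.startswith(" "):
            section = None
            if m := re.match(r"radius-server host (\S+)", line):
                cfg["radius_hosts"].append(m.group(1))
            elif m := re.match(r"wlccp ap username (\S+)", line):
                cfg["wlccp_user"] = m.group(1)
            elif m := re.match(r"wlccp wds priority (\d+)", line):
                cfg["wds_priority"] = int(m.group(1))
            elif line.startswith("interface "):
                section = line.split()[1]
            elif line == "radius-server local":
                section = "radius-local"
        elif section == "BVI1" and (m := re.match(r"ip address (\S+)", line)):
            cfg["bvi_ip"] = m.group(1)
        elif section == "radius-local":
            if m := re.match(r"nas (\S+)", line):
                cfg["local_nas"].append(m.group(1))
            elif m := re.match(r"user (\S+)", line):
                cfg["local_users"].append(m.group(1))
        # IOS writes type-7 secrets as 'key 7 <hex>' or 'password 7 <hex>'.
        if re.search(r"\b(key|password) 7 [0-9A-Fa-f]+", line):
            cfg["type7_keys"].append(line)
    return cfg


def check_wds_pair(infra_config, wds_config):
    """Return a list of findings; an empty list means the pair is consistent."""
    infra, wds = parse_config(infra_config), parse_config(wds_config)
    findings = []
    # The infrastructure AP must authenticate against the WDS AP's local RADIUS server.
    if wds["bvi_ip"] not in infra["radius_hosts"]:
        findings.append(f"infra AP does not use the WDS address {wds['bvi_ip']} as its RADIUS server")
    # The local server must accept the WDS AP itself as a NAS and know the infra AP's user.
    if wds["bvi_ip"] not in wds["local_nas"]:
        findings.append("WDS local RADIUS server has no NAS entry for the WDS address")
    if infra["wlccp_user"] is None:
        findings.append("infra AP has no 'wlccp ap username' configured")
    elif infra["wlccp_user"] not in wds["local_users"]:
        findings.append(f"WDS local RADIUS server has no user '{infra['wlccp_user']}'")
    # Priority must be 1-255; the highest value wins the WDS election.
    prio = wds["wds_priority"]
    if prio is None or not 1 <= prio <= 255:
        findings.append(f"WDS priority {prio!r} is not in the range 1-255")
    # Type-7 secrets can be decoded by anyone who can read the config.
    for line in infra["type7_keys"] + wds["type7_keys"]:
        findings.append(f"reversible type-7 secret in: {line}")
    return findings


if __name__ == "__main__":
    for finding in check_wds_pair(INFRA_AP_CONFIG, WDS_AP_CONFIG):
        print("FINDING:", finding)
```

Run against the two constructed samples, the pairing checks pass and the only findings are the two type-7 secrets on the infrastructure AP; changing the infrastructure AP's username to one the WDS AP's local RADIUS server does not know adds a finding for the missing user, which is exactly the mismatch that leaves an infrastructure AP unable to register with the WDS.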