This document describes how to configure a Cisco IOS AP to operate as a "WDS Master AP" which authenticates infrastructure APs using LEAP authentication, via a local RADIUS server configuration. This document does not cover using a WLAN Service Module or using the WDS for radio management; it covers only AP and client authentication.
We will start by preparing the AP for the local RADIUS server role and adding the applicable RADIUS “clients”, such as the WDS master and the other participating infrastructure APs. We will also tell our APs, including the master, which RADIUS server hosts they need to communicate with and the necessary attributes. If you are authenticating clients to an external server, we can designate that in the configuration, since the IOS AP local RADIUS server is limited to MAC, LEAP, or EAP-FAST authentication. We will also specify a username for LEAP authentication that will be added to all APs, master and infrastructure, for performing local EAP authentication at the WDS Master.
AP with Cisco IOS Software Release 12.3(2)JA2 or later.
For external client authentication: Cisco ACS, Microsoft 2003 running IAS or 2008 R2 running NPS.
Current Configuration on AP
We are presuming for the AP(s) the following current config...
External NPS Server
WDS Master Configuration
[Turn on AAA feature set]
(config)# aaa new-model
[Create AAA server groups for Infrastructure and Client authentication. These will be referenced by our AAA login lists]
(config)# aaa group server radius Infrastructure
(config-sg-radius)# server 10.10.10.xx auth-port 1812 acct-port 1813
(config)# aaa group server radius Client
(config-sg-radius)# server 10.10.20.yy auth-port 1812 acct-port 1813
[Set AAA login lists, infrastructure and client, to use groups created above. These lists will be referred to by the SSID for the open and network-eap authentication]
(config)# aaa authentication login method_Infrastructure group Infrastructure
(config)# aaa authentication login method_Client group Client
[Configure AP for local RADIUS server to authenticate other WDS infrastructure APs via LEAP]
(config)# radius-server local
[Remove other authentication methods, as we will use LEAP for our infrastructure authentication and NPS will handle our clients' authentication]
(config-radius)# no authentication eapfast
(config-radius)# no authentication mac
[Define RADIUS client devices and shared secret: External RADIUS server, WDS Infrastructure APs and the local WDS Master AP. We are using the shared secret of “Cisco” for the WDS side]
(config-radius)# nas 10.10.10.xx key 0 Cisco
(config-radius)# nas 10.10.20.yy key 0 Cisco
[Create username/password for LEAP authentication of WDS APs. Username: Cisco / Password: TEST]
(config-radius)# user Cisco password TEST
[Define RADIUS server hosts, ports, and shared secret that the WDS master will use]
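A pre-deployment check for the commands entered in the steps above, as an added example that is not part of the original document or any Cisco tool. The `audit` helper and its finding strings are hypothetical; it verifies that each login list points at a defined server group, that the local RADIUS server is LEAP-only as intended, and that the sample secrets shown here ("Cisco", "TEST") or cleartext type-0 keys have not been carried into a real config.

```python
import re

# Constructed input: the commands typed in the steps above, with the page's
# masked addresses (10.10.10.xx / 10.10.20.yy) kept exactly as written.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius Infrastructure
 server 10.10.10.xx auth-port 1812 acct-port 1813
aaa group server radius Client
 server 10.10.20.yy auth-port 1812 acct-port 1813
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login method_Client group Client
radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.10.10.xx key 0 Cisco
 nas 10.10.20.yy key 0 Cisco
 user Cisco password TEST
"""

def audit(config, samples=("Cisco", "TEST")):
    """Hypothetical helper: return sorted findings for a WDS master config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    found = set()
    if "aaa new-model" not in lines:
        found.add("aaa new-model missing")
    # The page wants LEAP only on the local RADIUS server.
    for method in ("eapfast", "mac"):
        if "radius-server local" in lines and f"no authentication {method}" not in lines:
            found.add(f"local RADIUS still allows {method}")
    groups = {ln.split()[-1] for ln in lines
              if ln.startswith("aaa group server radius ")}
    for ln in lines:
        if m := re.fullmatch(r"aaa authentication login (\S+) group (\S+)", ln):
            if m[2] not in groups:
                found.add(f"list {m[1]} references undefined group {m[2]}")
        elif m := re.fullmatch(r"nas (\S+) key (?:(\d) )?(\S+)", ln):
            if m[2] in (None, "0"):   # type 0 or no type digit: cleartext follows
                found.add(f"nas {m[1]}: shared secret in cleartext")
            if m[3] in samples:
                found.add(f"nas {m[1]}: shared secret is a published sample")
        elif m := re.fullmatch(r"user (\S+) password (\S+)", ln):
            if m[2] in samples or m[2].lower() == m[1].lower():
                found.add(f"user {m[1]}: LEAP password is a sample or the username")
    return sorted(found)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the commands exactly as shown in this document, it reports five findings: two per `nas` line and one for the LEAP user.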