What are the recommended steps to configure WDS on an AP?
In order to configure the Wireless Domain Services (WDS) Access Point (AP), the recommended settings are:
Radius-server timeout must be disabled. This value is the number of seconds the AP waits for a reply to a RADIUS request before it resends the request. The default setting is five seconds.
Radius-server deadtime must be disabled. When deadtime is set, a RADIUS server that stops responding is marked dead and skipped by additional requests for that number of minutes, unless all servers are marked dead.
TKIP MIC Failure Holdoff Time is enabled by default and set to 60 seconds. If you enable a hold-off time, you can enter the interval in seconds. If the AP detects two Message Integrity Check (MIC) failures within 60 seconds, it blocks all Temporal Key Integrity Protocol (TKIP) clients on that interface for the hold-off period specified here. There is no specific recommendation to set it to 100 unless a failure is reported for which the only solution is to increase this time. One (1) is the lowest setting.
Client Holdoff Time must be left disabled, which is the default. If you enable holdoff, enter the number of seconds that the AP must wait after an authentication failure before it processes a subsequent authentication request.
EAP or MAC Reauthentication Interval is disabled by default. If reauthentication is enabled, you can specify the interval or accept the interval supplied by the authentication server. If you choose to specify the interval, enter the number of seconds that the AP waits before it forces an authenticated client to reauthenticate.
EAP Client Timeout (optional) is set to 120 seconds by default. Enter the amount of time the AP waits for wireless clients to respond to EAP authentication requests.
These commands do not help the authentication process, and they are not needed on the WDS or the AP:
The setting radius-server attribute 32 include-in-access-req format is present by default and is required.
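The settings above are easiest to verify against the AP's running-config rather than by clicking through the GUI. The following audit script is an added example, not code from the original page or from Cisco; it scans a constructed config excerpt for the recommendations listed above. The radius-server commands it looks for are standard IOS; the command forms it assumes for the two hold-off timers (countermeasure tkip hold-time under the radio interface and dot11 holdoff-time globally) are assumptions, so adjust them to the syntax your AP image actually produces.

```python
import re

# Constructed running-config excerpt of a WDS AP (sample data, not a device capture).
# It deliberately violates several of the recommendations above.
SAMPLE_CONFIG = """\
hostname wds-ap-1
!
radius-server timeout 10
radius-server deadtime 5
radius-server attribute 32 include-in-access-req format %h
!
interface Dot11Radio0
 countermeasure tkip hold-time 100
!
dot11 holdoff-time 30
"""

# Assumed Aironet IOS command forms for the two hold-off timers:
#   "countermeasure tkip hold-time <s>" (TKIP MIC failure hold-off, radio interface)
#   "dot11 holdoff-time <s>"            (client hold-off, global)
# The radius-server commands are standard IOS.
TKIP_HOLDOFF_DEFAULT = 60


def _has(lines, prefix):
    """True if any config line starts with the given command prefix."""
    return any(line.startswith(prefix) for line in lines)


def audit_wds_config(config_text):
    """Return a list of findings for a running-config; an empty list means compliant."""
    # Strip indentation so interface sub-commands are matched like global ones.
    lines = [line.strip() for line in config_text.splitlines()]
    findings = []

    # A timeout or deadtime line only appears when someone changed it from the default.
    if _has(lines, "radius-server timeout"):
        findings.append("radius-server timeout is set; leave it disabled (default 5 s)")
    if _has(lines, "radius-server deadtime"):
        findings.append("radius-server deadtime is set; leave it disabled")
    if not _has(lines, "radius-server attribute 32 include-in-access-req format"):
        findings.append("radius-server attribute 32 include-in-access-req format is missing; it is required")
    if _has(lines, "dot11 holdoff-time"):
        findings.append("dot11 holdoff-time is set; client hold-off should stay disabled")

    # TKIP MIC hold-off: flag any value that departs from the 60 s default.
    for line in lines:
        match = re.fullmatch(r"countermeasure tkip hold-time (\d+)", line)
        if match and int(match.group(1)) != TKIP_HOLDOFF_DEFAULT:
            findings.append(
                f"TKIP MIC failure hold-off is {match.group(1)} s, not the "
                f"{TKIP_HOLDOFF_DEFAULT} s default; raise it only for a reported failure"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_wds_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of show running-config saved to a file; the sample above produces four findings (timeout, deadtime, client hold-off and a 100 s TKIP hold-off), while a config that keeps the defaults and carries the attribute 32 line produces none.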
WDS is a new feature for APs in Cisco IOS Software and the basis of the Catalyst 6500 Series WLSM. WDS is a core function that enables other features like these:
Fast Secure Roaming
You must establish relationships between the APs that participate in WDS and the WLSM before any other WDS-based features work. One of the purposes of WDS is to eliminate the need for the authentication server to validate user credentials and to reduce the time required for client authentications.
In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.
Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.
One or more client server groups on the WDS define client authentication.
When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again. Examples of re-authentication include:
When the user starts up the client device
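The credential cache described above is the part of WDS that saves the round trip to the authentication server. The simulation below is an added example, not code from the original page or from Cisco: a constructed stand-in for the authentication server, a WDS class that forwards credentials on first sight and answers repeats from its cache, and a scenario in which a user roams between two infrastructure APs. The cache is keyed on the username together with a digest of the secret, so a repeat of the same username with a different secret is still sent to the server; the user database, salt and names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the authentication server's user database (not a real
# RADIUS back end): username -> digest of the user's secret.
_SALT = b"constructed-salt-for-the-example"


def _digest(secret):
    return hashlib.sha256(_SALT + secret.encode()).hexdigest()


AUTH_SERVER_DB = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}


class AuthServer:
    """External or local RADIUS server; counts how often the WDS has to consult it."""

    def __init__(self, db):
        self.db = db
        self.queries = 0

    def validate(self, user, secret):
        self.queries += 1
        expected = self.db.get(user)
        return expected is not None and hmac.compare_digest(expected, _digest(secret))


class WDS:
    """Validates credentials forwarded by infrastructure APs and caches successes.

    The cache key includes the credential digest, not just the username, so a
    repeat of the username with a different secret is still sent to the server.
    """

    def __init__(self, server):
        self.server = server
        self.cache = set()
        self.log = []  # (ap, user, decided_by) for each forwarded request

    def authenticate(self, ap, user, secret):
        key = (user, _digest(secret))
        if key in self.cache:
            self.log.append((ap, user, "cache"))
            return True, "cache"
        ok = self.server.validate(user, secret)
        if ok:
            self.cache.add(key)  # only validated credentials are cached
        self.log.append((ap, user, "server"))
        return ok, "server"


def run_scenario():
    """Alice roams between two APs and re-authenticates; returns the WDS and its server."""
    server = AuthServer(AUTH_SERVER_DB)
    wds = WDS(server)
    wds.authenticate("ap-1", "alice", "correct horse")  # first sight: server round trip
    wds.authenticate("ap-2", "alice", "correct horse")  # roam: answered from the cache
    wds.authenticate("ap-2", "alice", "wrong secret")   # different secret: back to the server
    return wds, server


if __name__ == "__main__":
    wds, server = run_scenario()
    for ap, user, source in wds.log:
        print(f"{ap}: {user} decided by {source}")
    print("server round trips:", server.queries)
```

The scenario costs the server two round trips instead of three: the roam is answered locally, but the attempt with a different secret is not, because a username alone never satisfies the cache.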
Any RADIUS-based EAP authentication protocol can be tunneled through WDS, such as these:
Lightweight EAP (LEAP)
Protected EAP (PEAP)
EAP-Transport Layer Security (EAP-TLS)
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
MAC address authentication can also be tunneled to an external authentication server or checked against a list local to the WDS AP. The WLSM does not support MAC address authentication.
The WDS and the infrastructure APs communicate over a multicast protocol called WLAN Context Control Protocol (WLCCP). These multicast messages cannot be routed, so a WDS and its associated infrastructure APs must be in the same IP subnet and on the same LAN segment. Between the WDS and the Wireless LAN Solution Engine (WLSE), WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, the packets cannot pass through Network Address Translation (NAT).
An AP configured as the WDS device supports up to 60 participating APs. An Integrated Services Router (ISR) configured as the WDS device supports up to 100 participating APs. A WLSM-equipped switch supports up to 600 participating APs and up to 240 mobility groups. A single AP supports up to 16 mobility groups.
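The subnet constraint and the capacity limits above are the two things most likely to bite when a WDS deployment is planned on paper. The checker below is an added example, not code from the original page or from Cisco; it takes the WDS device type, the WDS interface address and the planned infrastructure AP addresses (all sample values constructed for the example) and reports any AP outside the WDS subnet, any AP count above the limit for that device type, and any mobility-group count above the limit. The page gives no mobility-group figure for an ISR, so that check is skipped for it.

```python
import ipaddress

# Capacity limits as stated above, keyed by WDS device type.
# The page gives no mobility-group figure for an ISR, so it is left as None.
WDS_LIMITS = {
    "ap":   {"aps": 60,  "mobility_groups": 16},
    "isr":  {"aps": 100, "mobility_groups": None},
    "wlsm": {"aps": 600, "mobility_groups": 240},
}


def check_wds_deployment(wds_type, wds_address, infra_aps, mobility_groups=1):
    """Return a list of problems with a planned WDS deployment; empty means it fits.

    wds_address is the WDS interface in 'ip/prefix' form; infra_aps is a list of
    infrastructure AP IPv4 addresses that must register with this WDS.
    """
    problems = []
    limits = WDS_LIMITS[wds_type]
    wds_net = ipaddress.ip_interface(wds_address).network

    # WLCCP between the WDS and infrastructure APs is multicast and is not routed,
    # so every infrastructure AP must share the WDS subnet. (Sharing the subnet is
    # necessary but does not by itself prove they sit on the same LAN segment.)
    for ap in infra_aps:
        if ipaddress.ip_address(ap) not in wds_net:
            problems.append(
                f"AP {ap} is outside the WDS subnet {wds_net}; WLCCP multicast will not reach it"
            )

    if len(infra_aps) > limits["aps"]:
        problems.append(
            f"{len(infra_aps)} infrastructure APs exceeds the {limits['aps']} supported by a {wds_type} WDS"
        )

    max_groups = limits["mobility_groups"]
    if max_groups is not None and mobility_groups > max_groups:
        problems.append(
            f"{mobility_groups} mobility groups exceeds the {max_groups} supported by a {wds_type} WDS"
        )
    return problems


if __name__ == "__main__":
    # Constructed plan: an AP acting as WDS with one AP placed on the wrong subnet.
    plan = check_wds_deployment("ap", "10.1.1.10/24", ["10.1.1.11", "10.1.2.5"])
    for problem in plan:
        print("PROBLEM:", problem)
```

Feed it the addresses from your IP plan before the APs are racked; an AP that fails the subnet check will never register with the WDS no matter how its credentials are configured.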
Note: Cisco recommends that the infrastructure APs run the same version of IOS as the WDS device. If you use an older version of IOS, the APs might fail to authenticate to the WDS device. In addition, Cisco recommends that you use the latest version of IOS. You can find the latest version of IOS on the Wireless downloads page.