Showing results for 
Search instead for 
Did you mean: 

Wireless Domain Services - Authenticating Infrastructure Devices and Client Devices




WDS is a part of the Cisco Structured Wireless Aware Network (SWAN). WDS is a collection of Cisco IOS Software features that enhance WLAN client mobility, and simplify WLAN deployment and management.

What is WDS?

A. WDS is a part of the Cisco Structured Wireless Aware Network (SWAN). WDS is a collection of Cisco IOS® Software features that enhance WLAN client mobility, and simplify WLAN deployment and management. WDS is a new feature for access points (APs) in Cisco IOS Software, and the basis of the Cisco Catalyst 6500 Series Wireless LAN Services Module (WLSM). WDS is a core function that enables other features, such as:

  • Fast secure roaming (FSR)
  • Wireless LAN Solution Engine (WLSE) interaction
  • Radio management (RM)

Before the operation of any other WDS-based features, you must establish relationships between the APs that participate in WDS and the device that is configured as the WDS. One of the main purposes of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.

More Information

When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management. If you use a switch as the WDS device, the switch must be equipped with a Wireless LAN Services Module (WLSM). An access point configured as the WDS device supports up to 60 participating access points, an Integrated Services Router (ISR) configured as the WDS devices supports up to 100 participating access points, and a WLSM-equipped switch supports up to 600 participating access points and up to 240 mobility groups.

Note A single access point supports up to 16 mobility groups.

Fast, secure roaming provides rapid reauthentication when a client device roams from one access point to another, preventing delays in voice and other time-sensitive applications.

Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS device. The WDS device aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network.

Role of the WDS Device

The WDS device performs several tasks on your wireless LAN:

  • Advertises its WDS capability and participates in electing the best WDS device for your wireless LAN. When you configure your wireless LAN for WDS, you set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes off line, one of the backup WDS devices takes its place.
  • Authenticates all access points in the subnet and establishes a secure communication channel with each of them.
  • Collects radio data from access points in the subnet, aggregates the data, and forwards it to the WLSE device on your network.
  • Acts as a pass-through for all 802.1x-authenticated client devices associated to participating access points.
  • Registers all client devices in the subnet that use dynamic keying, establishes session keys for them, and caches their security credentials. When a client roams to another access point, the WDS device forwards the client's security credentials to the new access point. 


Table 12-1 Participating Access Points Supported by WDS Devices 

Unit Configured as WDS Device

Participating Access Points Supported

Access point that also serves client devices


Access point with radio interfaces disabled


Integrated Services Router (ISR)

100 (depending on ISR platform)

WLSM-equipped switch



In order to use WDS, you must designate one AP or the WLSM as the WDS.

A WDS AP must use a WDS user name and password to establish a relationship with an authentication server.

Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.

The infrastructure devices (WDS AP and the other APs which participate in WDS) authenticate using LEAP authentication. To authenticate the WDS AP and the infrastructure APs we need to use either the Cisco Secure ACS server or create a local Radius server on the WDS AP. Microsoft IAS server does not support LEAP and hence cannot be used to authenticate the WDS APs. 

The document Wireless Domain Services Configuration provides a configuration example to configure WDS using Cisco Secure ACS for Infrastructure AP authentication and for Client Authentication.

The document Wireless Domain Services AP as an AAA Server Configuration Example provides a configuration example for configuring an Access Point (AP) to provide Wireless Domain Services (WDS) and also perform the role of an Authentication, Authorization, and Accounting (AAA) server.

You can use this kind of setup when you do not have an external RADIUS server to authenticate infrastructure APs and client devices that participate in WDS.

Client authentications can be done using the either the Cisco Secure ACS server, Microsoft IAS server or any other third party AAA server.


Content for Community-Ad