Introduction
Following is the step by step procedure to register an Infrastructure AP with the WDS AP.
Example
In this Example the same AP is the Infrastructure AP and the WDS AP. After completion of these steps, you should have an Infra AP registered with the WDS AP.
These steps do not do anything for the clients.
Define a Radius Server
-----------------------
radius-server host 192.168.28.22 auth-port 1812 acct-port 1813 key 7 111A1C0605171F
Set the Priority for the Radius Server
--------------------------------------
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_eap
server 192.168.28.22 auth-port 1812 acct-port 1813
Create a username and password for the Infrastructure AP
---------------------------------------------------------
wlccp ap username infra password 7 030D550D140E
Make the AP as the WDS Server with priority as 254
---------------------------------------------------
wlccp wds priority 254 interface BVI1
Create the Authentication Profile for Infrastructure APs
---------------------------------------------------------
wlccp authentication-server infrastructure method_AuthenticationProfileForInfraAPs
aaa authentication login method_AuthenticationProfileFor group AuthenticationProfileForInfraAPs
aaa group server radius AuthenticationProfileForInfraAPs server 192.168.28.22 auth-port 1812 acct-port 1813
Inform the Local Radius Server
that he may get authentication request from a NAS
(that we know will be the InfraAP. The InfraAP is within this AP. IP of this AP is 192.168.28.22)
-------------------------------------------------------------------------------------------------
radius-server local
nas 192.168.28.22 key 7 111A1C0605171F
Enter the username sent by the Infra AP
in the Local Radius Server, that the Infra AP will send , in its authentication request
--------------------------------------------------------------------------------------------------------------------------------
radius-server local
user infra text 7 password
Create an SSID
titled, 'SSID'. Set it for Open Authentication, and map it to VLAN 1
------------------------------------------------------------------------------------
dot11 ssid SSID
vlan 1
authentication open
authenticated via a flavor of EAP
You want the clients using SSID to get authenticated via a flavor of EAP
-------------------------------------------------------------------------
dot11 ssid SSID
vlan 1
authentication open eap eap_methods
authenticated via a MAC Authentication
You want the clients using SSID to get authenticated via a MAC Authentication:
------------------------------------------------------------------------------
dot11 ssid SSID
vlan 1
authentication open mac-address mac_methods
authenticated via a EAP and MAC Authentication
You want the clients using SSID to get authenticated via a EAP and MAC Authentication:
--------------------------------------------------------------------------------------
dot11 ssid SSID
vlan 1
authentication open mac-address mac_methods eap eap_methods
authenticated via a EAP or MAC Authentication
You want the clients using SSID to get authenticated via a EAP or MAC Authentication:
--------------------------------------------------------------------------------------
dot11 ssid SSID
vlan 1
authentication open mac-address mac_methods alternate eap eap_methods
SSID to be marked as an Infrastructure SSID
You want the SSID to be marked as an Infrastructure SSID, and to force the infrastructure clients to associate only to this SSID:
---------------------------------------------------------------------------------------------------------------------------------
dot11 ssid SSID
infrastructure-ssid
Configure username for the Infrastructure Device
-------------------------------------------------
dot11 ssid SSID
authentication client username EAPClient password 7 105E080A16001D1908
authenticated via network eap
You want the clients using SSID to get authenticated via network eap:
---------------------------------------------------------------------
dot11 ssid SSID
authentication network-eap eap_methods
data to be encrypted via WPA authenticated Key Management
You want the client's data to be encrypted via WPA authenticated Key Management:
--------------------------------------------------------------------------------
dot11 ssid SSID
authentication key-management wpa
client's to be authenticated via WPA-PSK
You want the client's to be authenticated via WPA-PSK:
------------------------------------------------------
dot11 ssid SSID
wpa-psk ascii 7 06575D72181B5F4E5D
Setting Encryption as TKIP on VLAN 1
-------------------------------------
interface Dot11Radio0
encryption vlan 1 mode ciphers tkip
Reference
Configuring WDS, Fast Secure Roaming, and Radio Management