Introduction
What are the recommended steps to configure WDS on an AP.
Resolution
In order to configure the Wireless Domain Services (WDS) Access Point (AP), the recommended settings are:
- Radius-server timeout must be disabled. This is the number of seconds an AP waits for a reply to a RADIUS request before it resends the request. The default setting is five seconds.
- Radius-server deadtime must be disabled. The RADIUS is skipped by additional requests for the duration of minutes, unless all servers are marked dead.
- TKIP MIC Failure Holdoff Time is enabled by default to 60 seconds. If you enable a hold-off time, you can enter the interval in seconds. If the AP detects two Mobile Interface Card (MIC) failures within 60 seconds, it blocks all Temporal Key Integrity Protocol (TKIP) clients on that interface for the hold-off time period specified here. There is not an specific recommendation to set it to 100 unless there is a failure reported where the only solution is to increase this time. One (1) is the lowest setting.
- Client Holdoff Time must be disabled by default. If you enable holdoff, enter the number of seconds that the AP must wait after an authentication failure before a subsequent authentication request is processed.
- EAP or MAC Reauthentication Interval is disabled by default. If reauthentication is enabled, you can specify the interval or accept the interval given by the authentication server. If you choose to specify the interval, enter the interval in seconds that the AP waits before an authenticated client is forced to reauthenticate.
- EAP Client Timeout (optional) is set to 120 seconds by default. Enter the amount of time the AP must wait for wireless clients to respond to EAP authentication requests.
These commands do not help the authentication process, and they are not needed on the WDS or the AP:
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
For the infrastructure APs, there is no need to have Server Manager and Global Properties. The WDS takes care of that task. There is no need to have these settings:
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server timeout
radius-server deadtime
The setting radius-server attribute 32 include-in-access-req format stays there by default and it is required.
More Information
WDS is a new feature for APs in Cisco IOS Software and the basis of the Catalyst 6500 Series WLSM. WDS is a core function that enables other features like these:
- Fast Secure Roaming
- WLSE interaction
- Radio Management
You must establish relationships between the APs that participate in WDS and the WLSM, before any other WDS-based features work. One of the purposes of WDS is to eliminate the need for the authentication server to validate user credentials and reduce the time required for client authentications.
In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.
Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.
One or more client server groups on the WDS define client authentication.
When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again. Examples of re-authentication include:
When the user starts up the client device
Any RADIUS-based EAP authentication protocol can be tunneled through WDS such as these:
- Lightweight EAP (LEAP)
- Protected EAP (PEAP)
- EAP-Transport Layer Security (EAP-TLS)
- EAP-Flexible Authentication through Secure Tunneling (EAP-FAST)
MAC address authentication can also tunnel to either an external authentication server or against a list local to a WDS AP. The WLSM does not support MAC address authentication.
The WDS and the infrastructure APs communicate over a multicast protocol called WLAN Context Control Protocol (WLCCP). These multicast messages cannot be routed, so a WDS and the associated infrastructure APs must be in the same IP subnet and on the same LAN segment. Between the WDS and the WLSE, WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, a protocol like Network Address Translation (NAT) cannot translate the packets.
An AP configured as the WDS device supports up to 60 participating APs. An Integrated Services Router (ISR) configured as the WDS devices supports up to 100 participating APs. And a WLSM-equipped switch supports up to 600 participating APs and up to 240 mobility groups. A single AP supports up to 16 mobility groups.
Note: Cisco recommends that the infrastructure APs run the same version of IOS as the WDS device. If you use an older version of IOS, the APs might fail to authenticate to the WDS device. In addition, Cisco recommends that you use the latest version of the IOS. You can find the latest version of IOS in the Wireless downloads page.
Problem Type
- Technical product specification / features
- Configure / Configuration issues
- Definitions
- Release notes / product overview / data sheet / FAQ
Products
Access point
Product OS
IOS
SW Features
Wireless Domain Services (WDS)
Reference
