WDS uses LEAP between AP's, but I want WPA for my clients

Gustavo Novais
Level 1

Hello, I have a WLSE which I want to use for enhanced radio management of my network. I don't care about fast roaming. For that I need a WDS-enabled AP, which authenticates all others, and itself, through LEAP.

I wish my wireless clients to use WPA with LEAP for authentication. In the tests I'm doing, I can only associate clients properly to the AP if using LEAP or Open, not WPA, if WDS is enabled on the AP.

If I disable WDS I can authenticate WPA w/ LEAP successfully, and all other EAP types. Why is that?

I think the problem is related to the mechanism used for fast reassociation (CCKM) that tunnels all authentication through the WDS AP, which only understands CCKM. How can I bypass that and still have WPA (on a separate VLAN) and WDS?

18 Replies

dewman03
Level 1

Hm, if you have your encryption set to do TKIP only,

and you set WPA to mandatory, can clients authenticate?

encryption [vlan vlan-id] mode ciphers tkip

authentication key-management wpa

That would force them to use WPA, or no connection at all.

Also, what are the client cards? Cisco, or another manufacturer? What 3rd-party software are you using for LEAP?

What IOS version is your AP running?

12.3(2)JA is coming out soon.

The release notes were posted today (Nov 9).

Good reading.
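An added configuration example, not from this thread or from Cisco, showing one way the two AP-side commands in the reply above fit together with the WDS settings when clients on one VLAN are required to use WPA with LEAP. The interface-level ssid syntax (pre-12.3(2)JA), the RADIUS address 192.0.2.10, the list name eap_methods and all secrets are assumptions.

```cisco
! Added example (not the thread's own config). Aironet IOS AP that forces
! WPA/TKIP with LEAP on client VLAN 10 and also takes part in WDS.
! Assumed: interface-level ssid syntax, RADIUS (ACS) at 192.0.2.10,
! REPLACE_ME placeholders for every secret.
!
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE_ME
!
interface Dot11Radio0
 ! TKIP only on the client VLAN, so WPA is the only key management the AP
 ! can negotiate on this SSID (the same two commands as in the reply above).
 encryption vlan 10 mode ciphers tkip
 ssid corp-wpa
  vlan 10
  ! network-eap is the LEAP method on Aironet IOS; open eap is added so
  ! WPA-capable clients that start with an open association are also served.
  authentication open eap eap_methods
  authentication network-eap eap_methods
  ! WPA mandatory: a client that cannot do WPA is refused, not downgraded.
  authentication key-management wpa
!
! WDS side. Every AP, the WDS AP included, authenticates itself to WDS
! through LEAP with its own infrastructure credentials.
wlccp ap username wds-ap-account password REPLACE_ME
!
! On the AP acting as WDS only: elect it, then declare which authentication
! types it will proxy and to which server list. The client types registered
! here are the ones WDS can relay; when diagnosing "works without WDS, fails
! with WDS", compare this list against the EAP type the clients actually use.
wlccp wds priority 255 interface BVI1
wlccp authentication-server infrastructure eap_methods
wlccp authentication-server client leap eap_methods
wlccp authentication-server client eap eap_methods
```

Verification on the AP is the command the thread itself uses, show dot11 associations all-client, which lists the key management type negotiated per client.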

hello,

I am forcing clients to use wpa just like the commands you've shown on your reply.

The wireless card I'm using is the proxim 8470-Wd, which is Cisco Compatible. I don't know if it supports CCKM, but it does support LEAP. With WDS, it LEAP authenticates perfectly, but when I configure WPA, using LEAP as auth scheme, with WDS enabled, the AP does not authenticate the client.

Are you suggesting to use authentication key-management WPA cckm, in order to allow both?

Like that I will only LEAP authenticate (if the client supports CCKM) without WPA?

I didn't try it with PEAP, but I think I shouldn't have any problems

Thanks for the 12.3(2)JA tip!

Gustavo

If you do not configure WDS, can the wireless clients associate with WPA and LEAP?

I would like to know if this problem is related to WDS or not. I am not sure if Proxim 8470-wd is CCX compliant or not. From the following link, I do not find it:

http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

You need CCXv2 compliance for LEAP + WPA.

Yes, they can, I tested the situation being associated myself.

I associate with WPA/LEAP and then turn on WDS - The AP deauthenticates me instantly.

Are you saying that with a CB21 card I shouldn't have any problems?

Unfortunately I don't have any...

Either way, thanks for your help.

The key here is that IAS does not support LEAP.

If you configure LEAP or LEAP+WPA on the CB21AG and the WDS AP points to the IAS server for client authentications, it does not work. When an infrastructure AP receives an authentication request from the CB21AG, the infrastructure AP relays the request to the WDS AP, which in turn forwards the request to the IAS. IAS will send the 802.1x types it supports. As IAS does not support LEAP, the CB21AG and IAS cannot agree on a common 802.1x type. Thus, the authentication will fail.

In my last response, I meant that you configure an 802.1x type supported by IAS (e.g. PEAP-MS-CHAP v2). You can do it.

Sorry, my mistake, didn't say which kind of server I was using. I'm using Cisco ACS 3.2.3.

No IAS involved.

Either way, I said that I could authenticate LEAP, with or without WPA.

The problem is that when I authenticate pure LEAP with WDS everything is fine, but not WPA/LEAP with WDS.

Unfortunately I don't have the CB21AG, to test if the problem is related to CCXv2 extensions.

Thanks for your help

How do you configure the ADU? You need to choose WPA->LEAP, not 802.1x->LEAP.

Also, you need to configure ciphers->tkip in the AP and make WPA as mandatory in SSID Manager.

If the wireless adapter is CCXv2 compliant, the wireless adapter should be able to associate with LEAP+WPA.

Even with WDS enabled on the AP?

I am choosing wpa->leap

and I'm configuring the AP ok.

When I do sh dot11 assoc all-cli on the AP I see that I'm associated using WPA, with WDS not enabled.

If it should be able to associate using WPA+LEAP, being CCXv2, then probably the card I'm using is NOT CCXv2 compliant.

Unfortunately I'm stuck, because I don't have any card that is CCXv2 compliant for sure.

But that alerts me to the problem that, besides the clients having to support WPA, there's the restriction (if you are right and the problem is related to CCXv2) of the clients also having to have CCXv2-compatible cards.

I cannot enforce that restriction, so I'll try other authentication schemes (authentication key management) that supposedly work with WDS and WLSE.

Thank you for your help

Gustavo

I think that wireless clients do not know about WDS at all. They know WPA and 802.1x types. I doubt that enabling or disabling WDS on the AP makes any difference.

My problem is the other way around. I do not have any non-CCXv2-compliant clients which allow me to configure WPA and LEAP. Thus, I cannot test it. I do have a Linksys WPC55 which is CCXv1 compliant. However, it does not allow me to configure WPA + LEAP.

Hi dixho,

Can a CCXv2-compliant client work with EAP-FAST + WPA? Thanks

Regards

Mc

No. EAP-FAST is a requirement of CCXv3. Please go to the following URL on CCX requirements:

http://www.cisco.com/en/US/partners/pr46/pr147/program_additional_information_new_release_features.shtml

I don't see any CCX v3 on your URL. I presume it is internal info. Can you provide me the date when it will be available?

Regards

Mc

I think that CCXv3 information will be available soon. I was told that the CCX information is being updated. Please go back to the link later.

Hi,

Regarding PEAP-MS-CHAPv2, is it supported in v2 or v3?

I only saw PEAP-GTC in the doc.

BR

Mc
