Hello, I have a WLSE which I want to use for enhanced radio management of my network. I don't care about fast roaming. For that I need a WDS enabled AP, which authenticates all others, and itself, through LEAP.
I wish my wireless clients use WPA with LEAP for authentication. On the tests I'm doing, I can only associate clients properly to the AP if using LEAP or Open not with WPA, if WDS is enabled on the AP.
If I disable WDS I can authenticate with success WPA w/ LEAP, and all other EAP types. Why is that?
I think the problem is related with the mecanism used for fast reassociation (CCKM) that tunnels all authentication through the WDS AP, which only understands CCKM. How can I bypass that and still have WPA (on a separate vlan) and WDS?
HM, you have your encryption set to do tkip only,
and you set wpa to mandatory, can clients authenticate>?
encryption [vlan vlan-id] mode ciphers tkip
authentication key-management wpa
That would force them to use wpa, or no connection at all
Also, what are the client cards? CIsco, or other manufacture? What 3rd party software are you using for LEAP?
What IOS ver your AP running?
12.3(2)JA, is comming out soon.
The release notes were posted today (NOV 9)
I am forcing clients to use wpa just like the commands you've shown on your reply.
The wireless card I'm using is the proxim 8470-Wd, which is Cisco Compatible. I don't know if it supports CCKM, but it does support LEAP. With WDS, it LEAP authenticates perfectly, but when I configure WPA, using LEAP as auth scheme, with WDS enabled, the AP does not authenticate the client.
Are you suggesting to use authentication key-management WPA cckm, in order to allow both?
Like that I will only LEAP authenticate (if the client supports CCKM )without WPA?
I didn't try it with PEAP, but I think I shouldn't have any problems
Thanks for the 12.3(2)JA tip!
If you do not configure WDS, can the wireless clients associate with WPA and LEAP?
I would like to know if this problem is related to WDS or not. I am not sure if Proxim 8470-wd is CCX compliant or not. From the following link, I do not find it:
You need CCXv2 complaince for LEAP + WPA.
Yes, they can, I tested the situation being associated myself.
I associate with WPA/LEAP and then turn on WDS - The AP deauthenticates me instantly.
Are you saying that with a CB21 card I shouldn't have any problems?
Unfortunatey I don't have any...
Either way, thanks for your help.
The key here is that IAS does not support LEAP.
If you configure LEAP or LEAP+WPA on the CB21AG and the WDS AP points to the IAS server for client authentications, it does not work. When an infrastructure AP receives an authentication request from the CB21AG, the infrastrucre AP relays the request to the WDS AP, which in turn follow the request to the IAS. IAS will send the 802.1x types it support. As IAS does not support LEAP, the CB21AG and IAS cannot agree on a common 802.1x types. Thus, the authentication will fail.
In my last response, I meant that you configure a 802.1x type supported by IAS (e.g. PEAP-MS CHAP v2). You can do it.
Sorry, my mistake, didn't say which kind of server I was using. I'm using Cisco ACS 3.2.3.
No IAS involved.
Either Way, I said that I could authenticate LEAP, with or with out WPA.
The problem is that when I authenticate pure LEAP with WDS everything is fine, but not WPA/LEAP with WDS.
Unfortunately I don't have the CB21AG, to test if the problem is related to CCXv2 extensions.
Thanks for your help
How do you configure the ADU? You need to choose WPA->LEAP, not 802.1x->LEAP.
Also, you need to configure ciphers->tkip in the AP and make WPA as mandatory in SSID Manager.
If the wireless adapter is CCXv2 compliant, the wireless adapter should able to associate with LEAP+WPA.
Even with WDS enabled on the AP?
I am choosing wpa->leap
and I'm configuring the AP ok.
When I do sh dot11 assoc all-cli on the AP I see that I'm associated using WPA, not having WDS enabled
If it should be able to associate, using WPA+LEAP, being CCXv2, then probably the card I'm using is NOT ccxv2 compliant.
Unfortunately I'm stuck, cause I don't have any card CCXv2 compliant for sure.
But that alerts me for the problem that besides the clients having to support WPA, there's the restriction, (if you are right and the problem is related to CCXv2) of the clients having also CCXv2 compatible cards.
I cannot enforce that restriction, so, I'll try other authentication schemes, (authentication key management) that supposedly work with WDS and WLSE.
Thank you for your help
I think that wireless clients do not know WDS at all. They know WPA and 802.1x types. I doubt that enable or disable WDS on the AP makes any difference.
My problem is the other around. I do not have any non-ccx v2 compliant clients which allows me to configure WPA and LEAP. Thus, I cannot test it. I do have a Linksys WPC55 which is CCXv1 compliant. However, it does not allow me to configure WPA + LEAP.
No. EAP-FAST is a requirements of CCXv3. Please go to the following URL on CCX requirements:
I dont see any CCX V3,on your URL. I persume is internal info. can you provide me the date when will be available
I think that CCXv3 information is available soon. I was told that the CCX information is being updated. Please go back to the link later.