Accepted Solutions
ok, so to start at the begining.
WDS is used by the Cisco AP when you are doing 802.1x authentications. 802.1x defines three pieces the AAA server(ACS/IAS/NPS etc), the Authenticator ( AP, WLC) and the client.
If you are doing 802.1x and do not use WDS, every time the client roams to a new AP, it will do a full 802.1x authentication, generate new keys and then be on it's merry way. The problem with this is, the full 802.1x could break any current connections the client has, if there is an error, or a delayed response.
With WDS, you configure one AP as the 'Master' for that WDS Domain. Now when a client connects to any AP, the AP transmits the user credentials to the 'Master' via WLCCP, and the 'Master' does the authentication with the AAA server. Now when the client roams, the AP checks with the Master, and if the keys are still valid, a 4-way handshake happens and the client goes it's merry way.
Hopefully that makes sense so far.
On to the groups.
aaa group server radius rad_eap
by using aaa groups, you are able to select which AAA server or servers you want to send that type of authentication to.
For the group above, rad_eap, this is the list of servers that we are going to send Radius Authentications to. For rad_mac, this would be the group that we are going to send Radius MAC authentications to.
You can name these groups what ever you want. But make sure they are something that you can see and easily recognize what the group is for. I personally like to leave it at the default the AP generates. For the WLCCP authentication-server client, it is the same. When the AP receives a request via WLCCP to authenticate a client, what group does it use. The flow is the same.
The next piece:
aaa authentication login eap_methods group rad_eap
This piece tells the AP, that when the SSID is configured for eap_methods, to go and use the server list rad_eap. So as a brief example/explanation.
dot11 ssid Test1234
authentication open eap eap_methods
authentication key-management wpa
In the Test1234 we are doing an EAP type, which one doesn't matter at this point as the EAP is negotiated between the client and the server, and for this SSID we are to look at the login group eap_methods, which would referrence the server list rad_eap.
So why do we have the ability to specifiy different server lists? Well, what if you want to support different EAP types, or different domains of PKI infrastructures? But to keep it simple for now, lets go with different EAP Types. IAS/NPS only support PEAP and EAP-TLS. But let's say you have some clients that are running an old Cisco card and can only do EAP-Fast. Well your IAS can't do it, but the ACS you have can. So what you would do, is conifgure the ACS for EAP-Fast and configure an SSID to use a different group. Let's say we are going to use group eap_fast.
So we would have
aaa group server radius rad_eap
192.168.1.5 auth 1812 acct 1813
!
aaa group server radius eap_fast
192.168.1.6 auth 1645 acct 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login eap_fast group eap_fast
Then the SSID:
dot11 ssid Test1234
authentication open eap eap_methods
authentication key-management wpa
!
dot11 ssid TestFast
authentication open eap eap_fast
authentication key-management wpa
!
Now, any client that is connecing to Test1234, will use group rad_eap and the server at 192.168.1.5.
Any client that is connecting to TestFast, will use group eap_fast and the server at 192.168.1.6.
Again, I hope this is making sense.
Moving to the Debugs.
Your best friend here, are the Aironet Command References.
debug wlccp ap {mn | rm [statistics | context | packet] | state | wds-discovery}
as well as your show WLCCP commands
show wlccp
theser were pulled from
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_3g_JA/command/reference/cr43main.html
The above link also lists out the various other debugs that you can run on the AP.
If you want more on WDS and SWAN, there is a book out there for the SWAN Infrastructure
Steve
