DHCP and WDS

eallan
Level 1

Currently I am trying to get WDS set up on a test subnet. My current problem is that I am not able to authenticate through my WDS master on any secure VLANs. I am able to get through on an unsecure visitor VLAN and also gain a DHCP IP address on it.

This is not the case on the secure VLANs. The client devices state that they are trying to get an IP address. They are running with EAP WPA+TKIP and MAC authentication. I am using WinXP for my client device OS. Any help is appreciated.

6 Replies

smahbub
Level 6

If WDS/WLCCP is configured, all RADIUS servers for EAP and MAC authentication in infrastructure APs are ignored.

Assume that all infrastructure APs are configured for EAP and/or MAC authentication. If a mobile node (i.e. wireless client) tries to associate to an infrastructure AP, the infrastructure AP just ignores the RADIUS settings on EAP and MAC authentication. It sends the authentication request to the WDS AP using the WLCCP protocol. The WDS AP relays the authentication request to the RADIUS server, which is defined by the wlccp authentication-server client commands. Thus, you only need to define the WDS AP as an AAA NAS client in the RADIUS server.

I removed the ACS servers from the infrastructure AP and the client does authenticate its MAC to the ACS server and the server states that it is AUTH ok. The client never finishes authentication at this point. I do not get any errors on the ACS or WDS master. I do see a client failed message on the infrastructure AP. Any other ideas would be great.

Hi,

Please check the communication between your WDS AP and the ACS server, then between the AP and the ACS server, by using the test aaa command.

Regards,

Shailendra

I tested on my test setup and it will not work. My ACS server shows that that user is AUTH OK but it does not get to the WDS. I think the problem is coming from the fact that we have VLAN 1 shut off for security purposes and BVI1 only likes to talk on that VLAN. My WDS master does authenticate with its BVI1 address to the ACS server. I have tried several configurations of sub-interface IP addressing and cannot get it to work. WDS will not work without BVI1 enabled. Currently we are not using BVI1 on the production APs and they work fine. Is there a way to get WLCCP to use a sub-interface and not BVI1?

BVI 1 is not tied to a particular VLAN. You should always use BVI 1 to set the IP address of the AP. You can bridge BVI 1 to any sub-interface (which would have the encapsulation set for a particular VLAN). You should not use VLAN 1 for any production traffic.

I tested the communication with the AAA server and it would only talk to it, not back. I also was working with TAC on this issue and they helped by finding that I needed to set the native VLAN on my access layer SW that the AP is hooked to. This made the WDS communicate like it should. Thanks for all your help.
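
The fix reported in the last post (setting the native VLAN on the access switch port) can be checked offline by comparing the AP's native sub-interface with the switch trunk. This is an added example, not code from any poster or from Cisco; the configs, VLAN IDs, interface names and IP address are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample configs, not taken from the thread. VLAN IDs, interface
# names and the IP address are placeholders.
AP_CONFIG = """\
interface FastEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface BVI1
 ip address 192.0.2.10 255.255.255.0
"""
SWITCH_PORT = """\
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,30
"""

def ap_native_vlan(cfg):
    """VLAN of the sub-interface that is both 'native' and in bridge-group 1 (BVI1's group)."""
    for block in re.split(r"(?m)^!\s*$", cfg):
        m = re.search(r"encapsulation dot1Q (\d+) native", block)
        if m and re.search(r"(?m)^\s*bridge-group 1\s*$", block):
            return int(m.group(1))
    return None

def switch_native_vlan(cfg):
    """Native VLAN of the trunk port; IOS uses VLAN 1 when none is configured."""
    m = re.search(r"switchport trunk native vlan (\d+)", cfg)
    return int(m.group(1)) if m else 1

def check(ap_cfg, sw_cfg):
    """Return a list of findings; an empty list means the two sides agree."""
    ap, sw = ap_native_vlan(ap_cfg), switch_native_vlan(sw_cfg)
    if ap is None:
        return ["AP: no native sub-interface found in bridge-group 1"]
    findings = []
    if ap != sw:
        findings.append(f"native VLAN mismatch: AP={ap} switch={sw}")
    # Only plain comma lists are parsed; ranges such as 20-30 are skipped.
    allowed = re.search(r"(?m)switchport trunk allowed vlan ([\d,]+)\s*$", sw_cfg)
    if allowed and str(ap) not in allowed.group(1).split(","):
        findings.append(f"VLAN {ap} is not in the trunk's allowed list")
    return findings

if __name__ == "__main__":
    print(check(AP_CONFIG, SWITCH_PORT) or "native VLAN consistent")
```
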
