Do I understand WDS correctly?

tgregory9
Level 1

Hi all..

OK, I've been trying to get WDS working with my WLSE.

I'm not sure if I understand correctly.. our laptop clients currently authenticate via another system but I have a WLSE which I want to use to manage the radio network, signal strength/stats/etc.

Am I right in thinking that the main WDS AP needs to authenticate with RADIUS via the WLSE before all the APs will start sending data to the WDS and then to the WLSE? :((

I've got my RADIUS server configured on the WDS access point and the other APs are seeing it, as when I issue the "show wlccp wds ap" command I get the following:

WIG-ap01#sh wlccp wds ap
MAC-ADDR        IP-ADDR         STATE             LIFETIME
0013.6086.2ced  192.168.94.3    AUTH IN PROGRESS  -
0012.80fd.0790  192.168.94.14   AUTH IN PROGRESS  -
0013.6086.2cb2  192.168.94.2    AUTH IN PROGRESS  -
0012.d922.a237  192.168.94.11   AUTH IN PROGRESS  -

I cannot get it any further than "AUTH IN PROGRESS"

Here is some of the RADIUS config on the WDS AP:

aaa group server radius iauth01
 server <IP ADD REMOVED> auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap
!
aaa group server radius rad_acct
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login method_iauth01 group iauth01
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 network-map
negated
radius-server host <IP removed> auth-port 1645 acct-port 1646 key xxxx
radius-server timeout 30
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
wlccp authentication-server infrastructure method_iauth01
wlccp wds priority 128 interface BVI1
wlccp wnm ip address <ip removed>

Please help, I know I'm a n00b.. but the lack of documentation with this is really screwing me.

Thanks

Tim

4 Replies

colin.mccrory
Level 1

Tim,

Each AP needs to authenticate to the WDS to operate.

You need to add the following on the APs to get them to connect to the WDS via the RADIUS server:

Create a user on your RADIUS server, say WDS_AP.

Next add the following to all APs including the WDS:

wlccp ap username WDS_AP password *****

If you need to authenticate EAP clients you will need additional commands.
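
The chain discussed in this thread can be checked offline against a saved config. The following is an added example, not code from any poster or from Cisco: it traces `wlccp authentication-server infrastructure` to its method list and RADIUS server group, and reports a missing `wlccp ap username` line. The function name `check_wds_auth` and the sample address `192.0.2.10` are assumptions.

```python
import re

# Constructed sample, trimmed from the WDS AP config quoted in the question;
# 192.0.2.10 is a placeholder for the removed server address.
SAMPLE_CONFIG = """\
aaa group server radius iauth01
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap
!
aaa authentication login eap_methods group rad_eap
aaa authentication login method_iauth01 group iauth01
wlccp authentication-server infrastructure method_iauth01
wlccp wds priority 128 interface BVI1
"""

def check_wds_auth(config):
    """Return findings for the WLCCP infrastructure-authentication chain."""
    groups, current = {}, None      # RADIUS group name -> its server lines
    methods = {}                    # login method list -> RADIUS group name
    infra_list, has_ap_cred = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                # tolerate blank-line-separated pastes
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = []
            continue
        if current and line.startswith("server "):
            groups[current].append(line)
            continue
        current = None              # any other line leaves the group sub-mode
        if m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m.group(1)] = m.group(2)
        elif m := re.match(r"wlccp authentication-server infrastructure (\S+)", line):
            infra_list = m.group(1)
        elif line.startswith("wlccp ap username "):
            has_ap_cred = True
    findings = []
    if infra_list is None:
        findings.append("no infrastructure authentication method list")
    elif infra_list not in methods:
        findings.append(f"method list {infra_list} is not defined")
    elif not groups.get(methods[infra_list]):
        findings.append(f"server group {methods[infra_list]} has no server")
    if not has_ap_cred:
        findings.append("no 'wlccp ap username' credentials")
    return findings
```
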

rmushtaq
Level 8

Yes, the main WDS AP needs to be authenticated via the RADIUS server to WLSE, before RM related things can be used in WLSE. Are you using the local RADIUS server on the AP or an external CiscoSecure ACS? What IOS version is running on the WDS AP?

Thanks for the replies guys..

I've managed to get it to send stuff to the RADIUS server, which also authenticates with the AD; however, the RADIUS server is rejecting me because I'm using an "unknown authentication type". It's a Windows RADIUS server.

My friend has double checked my config on my APs and RADIUS, and WDS is set up fine.. we are wondering if you use a standard RADIUS server? Or does it have to be a Cisco ACS or an AP with the local RADIUS server running...

Many thanks

Tim

Sorted!

Didn't realise you couldn't use any RADIUS server... got an AP configured with the local RADIUS server and all the APs authenticated to the WDS no problem!
