Local RADIUS Server and WDS authentication...

tmoffett
Cisco Employee

I understand that the local radius server supports up to 50 users.

Question: Is 50 users synonymous with 50 NASs? I only need one username/pw, but have 54 access points that need to authenticate.

In this scenario, is the AP still a NAS, or just a RADIUS client?

I have WLSE 2.11, 54 1200 series access points that need to run WDS, but no ACS server to authenticate.

Can I get by with 54 access points authenticating to the local RADIUS server, or is it a hard limit on the number of NASs that can be defined?

Also, do I really need to define an AP as the WDS, shutting down its radios?

I read somewhere that there was a limit to the number of access points in a WDS domain that a WDS AP could support with its radios on...

Thanks in advance!

2 Replies

scottmac
Level 10

I don't know if the 50 unit limit applies to NAS, but I suspect it does.

Regardless, it would not be a good idea or good design to use the AP for this level of activity. The Local RADIUS process in the AP is to provide higher-level authentication/authorization to smaller setups.

Regarding having to shut down the radios for the WDS controller AP: With the radios off, the AP can support 60 member APs; with the radio on, it can support 30.

I would also consider both of those numbers much higher than the practical limit (think "Marketing"). Those numbers are likely to be for networks with minimal auth/auth & roaming (clients that authenticate, associate, and stay put for most of their connected life).

You would be much better off using a "real" RADIUS server (or MS IAS) and, depending on your networking traffic patterns and usage, using a WLSM (which also requires a 6500 series switch with a Sup720). Cisco offers a "bundle" switch specifically for WLSM and, in terms of network quality and troubleshooting frustration, is well worth the price.

If, for whatever reason, you can't use the Microsoft RADIUS, there's FreeRADIUS, which can run under Unix or Linux (I don't think it's been ported to DOS or Windows yet). It's not too hard to set up, supports certificates ... it's a full-blown RADIUS, and it's free. You can put Linux on an older PC and be much better off than trying to add an additional 16 tons of load to the (already pretty busy) AP microcontroller.

Good Luck

Scott

tmoffett
Cisco Employee

Thanks, I appreciate the reply. I was also under the understanding that MS IAS didn't support LEAP authentication, which is required for WDS auth?

If you search for "WDS IAS" in the discussion forums, you will find a message stating that IAS doesn't support LEAP.

That doesn't mean it's a valid statement, but it led me to believe it was.

The customer does have an IAS server running, authenticating WLAN clients via PEAP/MS-CHAP V2...

Thanks!

Tim
