Using WDS with Windows IAS

cnj_bucks
Level 1

We have an autonomous wireless network that is using WPA/TKIP, and authenticating back to a Windows 2003 IAS Server.

We are going to be adding wireless to other offices, and are looking at implementing WDS. I have found documentation on Cisco's site regarding WDS, but none of the documents refer to using WDS with IAS. Has anyone been able to implement this?

8 Replies

Lucien Avramov
Level 10

Per the doc:

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37auth.html

Some Microsoft IAS servers do not support the authenticate-only service-type attribute. Changing the service-type attribute to login-only ensures that Microsoft IAS servers recognize reauthentication requests from the access point. Use the dot11 aaa authentication attributes service-type login-only global configuration command to set the service-type attribute in reauthentication requests to login-only.

What I don't understand is in the configuration process of WDS. When adding an access point to WDS, it mentions entering in a username and password. Do I set this username and password as a local account on the IAS server?

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37roamg.html#wp1052310

I think I failed to mention this, but on the client side, the EAP type we are using is PEAP. I also noticed that in order to enable 802.11n, I had to change the encryption type to WPA2/AES in order to enable the N speeds.

That's the username and password to authenticate the APs to the WDS access point/device.

I don't know where to create that account on the WDS AP. I enabled WDS on one AP, and added the server group for RADIUS authentication. I then went to another AP, enabled it to be a part of the SWAN. On that portion of the GUI, I have to put in a username and password. I don't know where to create that account on my WDS AP.

You need to create a local RADIUS server on the WDS and add the user/pwd in there. Make sure your AAA server group and aaa auth statements for WDS infrastructure point to the local RADIUS server.

Thank you for the clarification about using a local server on the AP.

Is it possible to use WDS and have it authenticate back to a Windows IAS server? Our current configuration is that we have several APs that authenticate back to an IAS server. We are starting to roll out wireless to our branch offices so we thought WDS would be good for that. But now it looks as if we can't use WDS to authenticate back to our IAS servers, would that be correct?

We were hoping for a design where at each site we would have an access point set up as a WDS server which would then authenticate back to our IAS server at the corporate office.

You can point the client authentications to the IAS server but not the infrastructure devices. The infrastructure devices authenticate to the WDS using LEAP which IAS doesn't support.
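Added example, not part of the original thread or of Cisco's documentation: a configuration sketch of the split described in the replies above, where infrastructure APs authenticate to a local RADIUS server on the WDS AP and wireless client authentication is forwarded to IAS. All addresses, list and group names, the username, ports chosen for IAS and the bracketed secrets are constructed placeholders, and the exact syntax is assumed to match the autonomous AP IOS release in use.

```ios
! --- On the WDS access point (constructed address 192.0.2.10) ---
aaa new-model
!
! Infrastructure APs authenticate against this AP's own local RADIUS server
aaa group server radius wds_infra
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Wireless clients (PEAP) are forwarded to the IAS server (constructed 192.0.2.50)
aaa group server radius ias_clients
 server 192.0.2.50 auth-port 1645 acct-port 1646
!
aaa authentication login infra_list group wds_infra
aaa authentication login client_list group ias_clients
!
! Local RADIUS server holding the account the infrastructure APs log in with
radius-server local
 nas 192.0.2.10 key <LOCAL_SHARED_SECRET>
 user wds-ap password <WDS_AP_PASSWORD>
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <LOCAL_SHARED_SECRET>
radius-server host 192.0.2.50 auth-port 1645 acct-port 1646 key <IAS_SHARED_SECRET>
!
! Infrastructure authentication -> local server, client EAP -> IAS
wlccp authentication-server infrastructure infra_list
wlccp authentication-server client eap client_list
wlccp wds priority 200 interface BVI1
!
! --- On each infrastructure AP that joins the WDS ---
! Same username/password as the "user" entry under radius-server local
wlccp ap username wds-ap password <WDS_AP_PASSWORD>
```

On the IAS side, the WDS AP (not each individual AP) is the RADIUS client that needs an entry with the matching shared secret, since client requests are relayed through it.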

Thanks for your help. I guess leveraging our existing configuration isn't going to work then.

I'll have to re-read some of the documentation since Figure 12-4 in the attached link made it look like our current configuration would work.

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37roamg.html#wp1073033
