WLSE and AAA questions

dopenfield
Level 1

Implementing SWAN from scratch and have a few questions; training class is not until next month...

I'm using one ACS server to provide all of the AAA functions at this point. Do I need to enter (on WLSE) the same info for each of the 5 different AAA Server types (IP address, Username, Password, Shared Secret) and a different port for each entry?

Related question: if using TACACS to Authenticate/Authorize Administrative users and RADIUS to Authenticate Client, do I need separate entries on the ACS server (one for TACACS and one for RADIUS) for each AP?

For the APs authenticating to WDS can I just use one ID on the ACS or will I need a separate ID for each AP?

Thanks

2 Replies

thomas.chen
Level 6

For the first 2 questions the answer is yes; you have to enter the details separately for both TACACS+ and RADIUS servers.

gwcrook
Level 1

In SWAN the APs are of 2 types: the WDS and the Infrastructure APs. The WDS AP's username and password are entered into ACS; the WDS uses RADIUS authentication.

The Infrastructure APs' usernames and passwords are entered into ACS; they use TACACS (Cisco IOS) authentication. Any WiFi Clients that associate with the Infrastructure AP have their authentication requests forwarded to the WDS, which proxies the requests through the ACS. In short, the APs are entered only one time into ACS as TACACS authentication; the WDS is entered one time as RADIUS authentication.

"For the APs authenticating to WDS can I just use one ID on the ACS or will I need a separate ID for each AP?"

You can use one username and password, in which case you would enter multiple IPs or a wildcard in the network group AAA client setup. The IP of each AP would have to be entered, or a wildcard. You would enter the username and password one time. Because WDS uses RADIUS and Infrastructure APs use TACACS, you must have a separate entry for the WDS.

I hope this helps

Gerry
