Deploying Cisco Wireless Domain Services (WDS)

Wireless Domain Services (WDS) is a service that can be configured on Cisco autonomous Access Points (APs), where a single AP is nominated to handle authentication requests for all attached APs. The benefits include caching of user credentials, which speeds up authentication and improves client roaming between APs. The AP running the WDS server runs a RADIUS service that is used to authenticate the connected infrastructure APs. This service can also be configured to handle client authentication; in this example, however, an external RADIUS server is used for clients.

The control messages sent between the WDS AP and the infrastructure APs use the multicast Wireless LAN Context Control Protocol (WLCCP). These multicast messages cannot be routed, so all participating APs must be on the same subnet.

Setup details

Local RADIUS server password (used by NAS objects AP1, AP2): an0ther_passw0rd
RADIUS server password: Rad1us
WLCCP AP username ‘wds’ password: wdspassw0rd
AP1 (local radius-server): 10.83.5.105
AP2: 10.83.5.110
AP3: 10.83.5.111
RADIUS server: 10.83.5.128

WDS AP Configuration

Two AAA RADIUS server groups are configured:

  • ‘local_radius’ handles NAS authentication for the connecting infrastructure APs
  • ‘ext_radius’ is used for user authentication

These groups are referenced by separate ‘aaa authentication’ method lists, which in turn are referenced by separate ‘wlccp authentication-server’ statements, one for infrastructure and one for clients.

!
aaa new-model
!
aaa group server radius local_radius
server 10.83.5.105 auth-port 1812 acct-port 1813
!
aaa group server radius ext_radius
server 10.83.5.128 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group ext_radius
aaa authentication login infra_methods group local_radius
aaa authorization network default group sown-radius
!
dot11 ssid TESTNET
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa cckm
guest-mode
!
interface Dot11Radio0
!
ssid TESTNET
!
radius-server local
nas 10.83.5.105 key an0ther_passw0rd
nas 10.83.5.110 key an0ther_passw0rd
nas 10.83.5.111 key an0ther_passw0rd
user wds nthash wdspassw0rd
!
radius-server host 10.83.5.105 auth-port 1812 acct-port 1813 key an0ther_passw0rd
radius-server host 10.83.5.128 auth-port 1812 acct-port 1813 key Rad1us
!
wlccp ap username wds password wdspassw0rd
wlccp authentication-server infrastructure infra_methods
wlccp authentication-server client any eap_methods
ssid TESTNET
wlccp wds priority 200 interface BVI1
!

Infrastructure AP configuration

A single RADIUS server group ‘local_radius’ is configured and used by the ‘aaa authentication’ method list ‘infra_methods’ to handle both client authentication and WLCCP infrastructure authentication. The ‘wlccp ap wds ip address’ statement points each infrastructure AP at the WDS AP.

!
aaa new-model
!
aaa group server radius local_radius
server 10.83.5.105 auth-port 1812 acct-port 1813
!
aaa authentication login infra_methods group local_radius
!
dot11 ssid TESTNET
authentication open eap infra_methods
authentication network-eap infra_methods
authentication key-management wpa cckm
guest-mode
!
interface Dot11Radio0
!
ssid TESTNET
!
radius-server host 10.83.5.105 auth-port 1812 acct-port 1813 key an0ther_passw0rd
!
wlccp ap username wds password wdspassw0rd
wlccp ap wds ip address 10.83.5.105
wlccp authentication-server infrastructure infra_methods
!
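A WDS deployment only works when every reference in the two configurations above resolves: each ‘aaa authentication’ method list must name a defined server group, each ‘wlccp authentication-server’ statement must name a defined method list, and every infrastructure AP must have a ‘nas’ entry in the WDS AP's local RADIUS server. The lint below is an added example (not part of the original post or any Cisco tooling) that checks those references on a constructed, trimmed copy of the WDS AP config; it plants two faults, AP3 missing from the nas list and the ‘sown-radius’ group from the authorization line, which is not defined anywhere in the configuration shown above.

```python
import re

# Constructed sample in the shape of the WDS AP config above, with two faults
# planted for the lint to catch: an undefined authorization server group and
# AP3 (10.83.5.111) missing from the local RADIUS nas list.
WDS_AP_CONFIG = """
aaa group server radius local_radius
aaa group server radius ext_radius
aaa authentication login eap_methods group ext_radius
aaa authentication login infra_methods group local_radius
aaa authorization network default group sown-radius
radius-server local
nas 10.83.5.105 key an0ther_passw0rd
nas 10.83.5.110 key an0ther_passw0rd
wlccp authentication-server infrastructure infra_methods
wlccp authentication-server client any eap_methods
"""
INFRA_APS = ["10.83.5.105", "10.83.5.110", "10.83.5.111"]


def lint_wds_config(config, infra_aps):
    """Return findings for dangling references in a WDS AP config: method lists
    to server groups, wlccp statements to method lists, and each infrastructure
    AP to a nas entry in the local RADIUS server."""
    groups, methods, authz, nas, wlccp = set(), {}, [], set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa group server radius (\S+)", line):
            groups.add(m[1])
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            methods[m[1]] = m[2]  # method list name -> server group
        elif m := re.match(r"aaa authorization network \S+ group (\S+)", line):
            authz.append(m[1])
        elif m := re.match(r"nas (\S+) key", line):
            nas.add(m[1])  # infrastructure APs allowed to use the local RADIUS
        elif m := re.match(r"wlccp authentication-server (infrastructure|client \S+) (\S+)", line):
            wlccp.append((m[1], m[2]))
    findings = [f"method list {n} uses undefined server group {g}"
                for n, g in methods.items() if g not in groups]
    findings += [f"authorization uses undefined server group {g}"
                 for g in authz if g not in groups]
    findings += [f"wlccp {s} uses undefined method list {m}"
                 for s, m in wlccp if m not in methods]
    findings += [f"infrastructure AP {ap} has no nas entry on the WDS AP"
                 for ap in infra_aps if ap not in nas]
    return findings
```

Run it against a ‘show running-config’ capture from the WDS AP, passing the list of infrastructure AP addresses; an empty result means every reference resolves.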
