Cisco 1240AG AP as WDS Radius Server

Unanswered Question
Aug 13th, 2009

Greetings, we have a need to deploy an autonomous wireless network which will support 7921G handsets and various client data devices. There will be 5 APs in total: 4 x 1130AGs and 1 x 1240AG.

As we don't have the budget for Cisco ACS, I would like to use the 1240AG as the RADIUS server so that we can configure WDS and fast secure roaming. However, looking at both the design guide for UC over Wireless and the 1240AG configuration guide, I am having trouble defining what is best practise in terms of authentication and encryption required to support 7921G handsets and fast secure roaming in this scenario.

Would I be correct in assuming that I need to use WEP+LEAP in addition to configuring local accounts on the 1240AG AP for authenticating infrastructure APs and client devices?

Any assistance would be much appreciated.


dancampb Thu, 08/13/2009 - 05:20

You could do LEAP or EAP-FAST for the authentication. I would highly recommend using CCKM. CCKM is what gives you the fast secure roaming.

exonetinf1nity Thu, 08/13/2009 - 06:12

Thank you for your reply. I've got a 1240AG in the lab and configured WDS without issue. Unfortunately I am unable to select CCKM under the SSID manager. I have followed through the "Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services" guide but am unsure where I'm going wrong.

1. Clear AP Config

2. Set Cipher for A/G Radios to CKIP-CMIC

3. Navigate to SSID Manager

4. Create new SSID specifying Network EAP for authentication

5. Define Key Management as Mandatory and use CCKM

6. Click Apply

7. Error message "Error Key Management WPA is required for "WPA Pre-Shared Key"

Any help would be much appreciated


mborga Thu, 08/27/2009 - 03:41

Hello exonetinf1nity, I also had similar issues. CKIP-CMIC is, as far as I know, not recommended with WPA. Try with WPA & CCKM and cipher TKIP (if your client supports TKIP/WPA). Try to configure the option in the CLI instead of the GUI. Finally, check on the CLI with "show dot11 associations all-client" whether the client which should have CCKM has CCKM for key management.


exonetinf1nity Thu, 08/27/2009 - 05:56

Thank you for your replies, finally got it working: configured the ciphers as TKIP and configured wpa cckm for key management under the SSID.

The problem was that I missed the basic rate settings for both the A and G radios. I've now changed the basic rates to the following and it has fixed the issue, much thanks to Cisco TAC. I then found the 7921G deployment guide, which states that these settings should exist in order for the handsets to operate properly. My mistake!

It should be noted though that the final configuration couldn't be applied via the web interface and only worked through the CLI, interesting :)

    int dot11r0
     speed basic-11.0 18.0 24.0 36.0 48.0 54.0

    int dot11r1
     speed basic-12.0 18.0 24.0 36.0 48.0 54.0

