1140 AP need fast roam and authentication with Microsoft IAS


I have 6 access points and I am trying to get them to do fast roam.  I also would like authentication for internal users against the Active Directory IAS server.  I finally determined that I needed to configure an AP with RADIUS to get the APs to connect for WDS.  I now have all the APs registered to the master AP for WDS.

What do I need to do next to get the rest working.  I also have 2 vlans.  One for public access and the other for internal.

Do I need to create a second connection to the IAS server with a shared key, and does it have to be done on each AP?

Do I need to set up the same SSIDs on all the APs, or just on one and it will propagate out?

Do the SSIDs have to point to a second RADIUS server for IAS, if that is even needed?

Any help would be great.

George Stefanick Tue, 12/29/2009 - 12:43

Are you using a WLC? I notice you mentioned WDS and 1140? I don't think the 1140 can do autonomous yet ...

I am not that strong in the wireless area.  Not sure what WLC is.  I do have WDS and it is up and running and all 5 other APs are registered to it.  If there is a better way I am all ears.  I am trying to get 2 wireless LANs working, one private and one public.  I have all the routing and ACLs working.  I then need fast roaming between APs.

George Stefanick Tue, 12/29/2009 - 13:11

When you log into your WDS how do you do it GUI and CLI ? In either method do a show ver in the CLI or in the GUI when you log on does it say wireless lan controller ?

Aaron Leonard Thu, 12/31/2009 - 08:04

So, if you have aIOS APs set up with a WDS, then to successfully achieve Fast Secure Roaming (FSR), here are the bits you need:

  • a RADIUS server that supports your wireless EAP type (IAS will do)
  • clients that support an FSR flavor that is compatible with the FSR flavors that aIOS WDS supports

aIOS WDS supports the following FSR flavors:

  • CCKM with dWEP, WPA or WPA2
  • WPA2 "Sticky" PMKID caching (but not "Opportunistic")

Now, the next trick is to find out what FSR method(s) if any your clients support, and make them do that.  This depends on your clients.  For example:

  • The 7921/7925 support:
    • CCKM with WPA but not with dWEP or WPA2 (though CCKM+WPA2 is coming soon)
    • WPA2 "Sticky"
  • XP + current Intel PROSet support:
    • CCKM with dWEP and WPA but not with WPA2
    • WPA2 "Sticky"

Some day, I suppose everyone will support the IEEE 802.11r "FT" standard, and all this mishegoss will be a thing of the past.

Thank you for the reply, I got it working yesterday.

Here was the solution.

I had to create a RADIUS server on one of the APs and point it at itself.  Then I created user accounts for each AP and added them on the AP RADIUS server using LEAP.  I created the user accounts on the other APs and enabled SWAN.  That at a high level allowed me to get all the APs registered on the WDS server.  Seems IAS doesn't support LEAP.  I also had to create a server group for infrastructure.  One key in the Cisco doc that I missed is the RADIUS server needs 1812 and 1823 ports, not the usual.

Once that was working, I had to create a new server group for the clients and then tied it to my SSIDs.  Then create a RADIUS user on the IAS server so that the WDS server could connect.  I then had a RADIUS policy and set the clients to use EAP and CHAP v2 and they were able to log in and authenticate against the Active Directory, and roaming worked.

I know this is a high level, but let me know if you need any details.  I guess the Wireless LAN server would have been easier.
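The two-server-group layout described in the solution above (local RADIUS on the WDS AP for AP-to-WDS LEAP, an external IAS server for client EAP, CCKM on the internal SSID), written out as an added autonomous-IOS configuration example; this is not config from the thread. Addresses, names, VLAN number and secrets are assumed placeholders, and the standard RADIUS ports 1812/1813 are used.

```cisco
! ---- WDS master AP (assumed address 10.1.1.10) ----
aaa new-model
! Group 1: the AP's own local RADIUS server, used only for infrastructure
! (AP-to-WDS) authentication, because IAS does not offer LEAP.
aaa group server radius rad_infra
 server 10.1.1.10 auth-port 1812 acct-port 1813
aaa authentication login method_infra group rad_infra
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key INFRA_SECRET
radius-server local
 nas 10.1.1.10 key INFRA_SECRET
 nas 10.1.1.11 key INFRA_SECRET
 user ap1 password AP1_SECRET
 user ap2 password AP2_SECRET
!
! Group 2: the external IAS server (assumed 10.1.2.20) for client EAP.
! The same shared secret must be entered for this AP as a RADIUS client
! on the IAS side; only the WDS AP talks to IAS, not every AP.
aaa group server radius rad_eap
 server 10.1.2.20 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.1.2.20 auth-port 1812 acct-port 1813 key IAS_SECRET
!
! WDS role: infrastructure auth uses the local group, client EAP uses IAS.
wlccp ap username ap1 password AP1_SECRET
wlccp authentication-server infrastructure method_infra
wlccp authentication-server client eap eap_methods
wlccp wds priority 255 interface BVI1
!
! Internal SSID (assumed VLAN 20): EAP to IAS plus CCKM so a roaming
! client re-keys through the WDS instead of doing a full 802.1X exchange.
dot11 ssid internal
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa cckm
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm tkip
 ssid internal
!
! ---- Each non-WDS AP (assumed 10.1.1.11, ...) ----
! Only the infrastructure credential is needed; the WDS is discovered
! automatically, and the SSID/VLAN config is still entered per AP.
wlccp ap username ap2 password AP2_SECRET
```

Verify the relationship with `show wlccp wds ap` on the WDS AP and `show wlccp ap` on a member AP; a member that stays unregistered usually points at a mismatched `nas` key or a `user` entry missing from the local RADIUS server.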
