
AP Timed out authenticating to the WDS

brogers
Level 1

Hi,

I have WDS setup with WLSE 2.13 and ACS 4.0. I have 8 1231 access points that behave correctly. I also have 1 1130 and 1 1242. Both of these get the error "AP Timed out authenticating to the WDS." My WDS device is currently a 1231, but I have also tried making it the 1242 and 1130. In all cases they time out. Has anybody else seen this behaviour?


frankzehrer
Level 4

Hi Brad,

Be sure to have the WDS set up with the ACS like this:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

If you have forgotten to enable LEAP for the WDS device or the secrets are not equal, you get the message that the AP could not authenticate with the WDS.

If you used the ACS as RADIUS Server then have a look into the failed authentication log. There should be wrong NAS User entries.

If you want to test the WDS Setup with an AP local RADIUS Server have a look here:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

The setup is the same as in the first document instead of using the Local RADIUS as LEAP authentication Server. Remember WDS needs LEAP for internal authentication issues.

Best regards,

Frank

LEAP is enabled. WDS works fine on all my 1231s. It's just the 1242s and 1130s that seem to have this problem. I've had a TAC case open on it for a while now and they seem puzzled by it as well.

Hi Brad,

How many APs do you have within the WDS?

Are the APs all in the same subnet / VLAN?

Do you have a sample config of the WDS AP, a working 1231 and a 1242?

How is the setup in the ACS? Do you have "Network Device Groups" in the "Network Configuration" section?

Issue the command "debug aaa authentication" on a working and a non-working AP and please post the result.

Also issue the command "debug wlccp wds ap mac-address H.H.H" where H.H.H should be the MAC address of a non-working AP.

Best regards,

Frank

There are about 10 access points on this WDS. They are all in the same subnet / VLAN. Attached are the configs you asked for. Also, we do have "Network Device Groups" set up.

Hi Brad,

I was a bit busy the last few days.

At a first look I can't obviously find any failure or problem.

What kind of device is the mentioned:

wlccp wnm ip address 10.240.2.41

Is it a WLSE? Are the non-working devices managed within the wnm?

On the WDS Device issue the command:

sh radius local-server statistics

    Successes              : 9      Unknown usernames      : 0
    Client blocks          : 0      Invalid passwords      : 0
    Unknown NAS            : 0      Invalid packet from NAS: 0

    NAS : 10.20.30.120
    Successes              : 9      Unknown usernames      : 0
    Client blocks          : 0      Invalid passwords      : 0
    Corrupted packet       : 0      Unknown RADIUS message : 0
    No username attribute  : 0      Missing auth attribute : 0
    Shared key mismatch    : 0      Invalid state attribute: 0
    Unknown EAP message    : 0      Unknown EAP auth type  : 0
    Auto provision success : 0      Auto provision failure : 0
    PAC refresh            : 0      Invalid PAC received   : 0

    Username                  Successes  Failures  Blocks
    wds                               9         0       0

Do you have any other messages than "Successes"?

If yes clear the statistics with:

clear radius local-server statistics

Reload the not working AP and have a look into the statistics!

This was the first step I used to find misconfigurations.

Best regards,

Frank
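
The check described in the reply above (clear the counters, reload the failing AP, then look for anything other than "Successes"), as an added Python example that is not part of the original thread: it parses output in the layout quoted above and returns every non-zero failure counter, grouped globally, per NAS and per username. The sample text, its non-zero values and the `ap1242` username are constructed for illustration.

```python
import re

# Constructed sample in the layout of the output quoted in the thread; the
# non-zero "Shared key mismatch" and the "ap1242" row are made up.
SAMPLE = """\
Successes              : 9      Unknown usernames      : 0
Client blocks          : 0      Invalid passwords      : 0
Unknown NAS            : 0      Invalid packet from NAS: 0

NAS : 10.20.30.120
Successes              : 9      Unknown usernames      : 0
Client blocks          : 0      Invalid passwords      : 0
Corrupted packet       : 0      Unknown RADIUS message : 0
Shared key mismatch    : 3      Invalid state attribute: 0

Username                  Successes  Failures  Blocks
wds                               9         0       0
ap1242                            0         3       0
"""

COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")
NAS_LINE = re.compile(r"^\s*NAS\s*:\s*(\d+\.\d+\.\d+\.\d+)\s*$")

def failure_counters(text):
    """Return {section: {counter: value}} for each non-zero counter other
    than "Successes". Sections: "global", a NAS address, or "user <name>"."""
    section, in_users, found = "global", False, {}
    for line in text.splitlines():
        cols = line.split()
        nas = NAS_LINE.match(line)
        if nas:                                   # start of a per-NAS block
            section, in_users = nas.group(1), False
        elif cols[:2] == ["Username", "Successes"]:
            in_users = True                       # header of the user table
        elif in_users and len(cols) == 4 and all(c.isdigit() for c in cols[1:]):
            for label, value in zip(("Failures", "Blocks"), cols[2:]):
                if int(value):
                    found.setdefault("user " + cols[0], {})[label] = int(value)
        else:                                     # "name : value" pairs, two per line
            for name, value in COUNTER.findall(line):
                if name != "Successes" and int(value):
                    found.setdefault(section, {})[name] = int(value)
    return found

if __name__ == "__main__":
    for section, counters in failure_counters(SAMPLE).items():
        print(section, counters)
```

An empty result after reloading the failing AP means the local RADIUS server logged no failures for it, so the next place to look is the debug output requested earlier in the thread.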
