WDS & PEAP

Unanswered Question
Jan 28th, 2007

Hi,


I am using Cisco ACS and Cisco AP AIR-AP1231G-A-K9. They are configured so that clients can be authenticated using PEAP. However, as soon as I join the AP to WDS, it stops working and no clients can be authenticated by PEAP.


000066: *Mar 1 00:52:26.875 UTC: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated

000067: *Mar 1 00:52:34.468 UTC: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.ce55.7876 Reason: Previous authentication no longer valid

000068: *Mar 1 00:52:35.077 UTC: %DOT11-7-AUTH_FAILED: Station 0013.ce55.7876 Authentication failed


Any suggestions? Thanks.


Andrew

Rob Huffman Mon, 01/29/2007 - 05:46

Hi Andrew,


This certainly looks like a problem between the WDS and the ACS Server. Have a look at the following:


Wireless Domain Services Configuration


In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.


Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.


One or more client server groups on the WDS define client authentication.


When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again.


From this doc:


http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml


Hope this helps!

Rob

andrew_ho Mon, 01/29/2007 - 16:03

Hi,


Actually, in my production environment, I have had WDS with ACS for LEAP authentication working for a long time. When I recently wanted to migrate LEAP users to PEAP, I couldn't get it to work.


ACS is configured with PEAP support. As soon as I change the client to PEAP, the authentication fails, but I can't see any "Failed Attempt" in ACS. But if I remove the WDS config from the AP, PEAP works and I can see the "Passed Attempt" in ACS. The AP IOS is also the latest. I wonder if PEAP can actually work with WDS? Thanks.


Andrew

andrew_ho Mon, 01/29/2007 - 19:31

Problem fixed. All SSIDs configured in the Infrastructure APs must be specified under the "wlccp authentication-server client" config in the WDS. Otherwise, the WDS will not contact ACS; instead it will pick the "Permanent Local" list and hence the authentication will fail.


Andrew
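
A check for the mismatch described in the fix above, as an added example that is not part of the original thread: it compares the SSIDs an infrastructure AP serves against the SSIDs listed under the WDS's `wlccp authentication-server client` blocks. The configs, SSID names and list names are constructed; it assumes the AP declares SSIDs with global `dot11 ssid` lines and that a client block with no `ssid` lines is not restricted to particular SSIDs.

```python
# Constructed sample configs (not from the thread); SSID and list names are made up.
WDS_CONFIG = """\
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client leap method_Client
 ssid corp-leap
wlccp wds priority 200 interface BVI1
"""
AP_CONFIG = """\
dot11 ssid corp-leap
 authentication network-eap eap_methods
dot11 ssid corp-peap
 authentication open eap eap_methods
"""

def sections(config):
    """Yield (top-level line, [indented child lines]) for an IOS-style config."""
    head, children = None, []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace():
            children.append(line.strip())
            continue
        if head is not None:
            yield head, children
        head, children = line.strip(), []
    if head is not None:
        yield head, children

def wds_client_ssids(wds_config):
    """Return SSIDs named under WDS client blocks, or None if a block names none."""
    ssids, unrestricted = set(), False
    for head, children in sections(wds_config):
        if head.startswith("wlccp authentication-server client "):
            listed = {c[5:].strip() for c in children if c.startswith("ssid ")}
            # Assumption: a client block with no ssid lines applies to every SSID.
            unrestricted = unrestricted or not listed
            ssids |= listed
    return None if unrestricted else ssids

def ap_ssids(ap_config):
    """Return the SSIDs declared globally on an infrastructure AP."""
    return {h[11:].strip() for h, _ in sections(ap_config) if h.startswith("dot11 ssid ")}

def missing_on_wds(wds_config, ap_config):
    """SSIDs the AP serves that no WDS client block names."""
    allowed = wds_client_ssids(wds_config)
    return set() if allowed is None else ap_ssids(ap_config) - allowed

print("SSIDs missing from WDS client lists:", sorted(missing_on_wds(WDS_CONFIG, AP_CONFIG)))
```

With the sample input, the newly added PEAP SSID is reported because only the LEAP SSID is listed on the WDS.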
