WDS & PEAP

andrew_ho
Level 1

Hi,

I am using Cisco ACS and Cisco AP AIR-AP1231G-A-K9. They are configured so that clients can be authenticated using PEAP. However, as soon as I join the AP to WDS, it stops working and no clients can now be authenticated by PEAP.

000066: *Mar 1 00:52:26.875 UTC: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated

000067: *Mar 1 00:52:34.468 UTC: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.ce55.7876 Reason: Previous authentication no longer valid

000068: *Mar 1 00:52:35.077 UTC: %DOT11-7-AUTH_FAILED: Station 0013.ce55.7876 Authentication failed

Any suggestions? Thanks.

Andrew

3 Replies

Rob Huffman
Hall of Fame

Hi Andrew,

This certainly looks like a problem between the WDS and the ACS Server. Have a look at the following:

Wireless Domain Services Configuration

In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.

Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.

One or more client server groups on the WDS define client authentication.

When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again.

From this doc:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

Hope this helps!

Rob

Hi,

Actually, in my production environment, I have had WDS with ACS for LEAP authentication working for a long time. When I recently wanted to migrate LEAP users to use PEAP, I couldn't get it to work.

ACS is configured with PEAP support. As soon as I change the client to PEAP, the authentication fails, but I can't see any "Failed Attempt" in ACS. But if I remove the WDS config from the AP, PEAP works and I can see the "Passed Attempt" in ACS. The AP IOS is also the latest. I wonder if PEAP can actually work with WDS? Thanks.

Andrew

Problem fixed. All SSIDs configured in the Infrastructure APs must be specified under the "wlccp authentication-server client" config in the WDS. Otherwise, the WDS will not contact ACS; instead it will pick the "Permanent Local" list and hence the authentication will fail.

Andrew
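
A check for the condition described in the last post, as an added example that is not part of the thread or any Cisco tooling: it compares the SSIDs listed under the WDS `wlccp authentication-server client` blocks with the SSIDs defined on each infrastructure AP. The function names, the sample configurations and the SSID names are constructed, and the parser assumes `ssid` lines are indented under the `wlccp authentication-server client` line and that SSID names contain no spaces.

```python
import re

def wds_client_ssids(wds_config: str) -> dict:
    """Map each 'wlccp authentication-server client <type> <list>' block to its SSIDs."""
    blocks, current = {}, None
    for line in wds_config.splitlines():
        m = re.match(r"wlccp authentication-server client (\S+) (\S+)", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            blocks[current] = set()
        elif current and (s := re.match(r"\s+ssid (\S+)", line)):
            blocks[current].add(s.group(1))
        elif not line.startswith(" "):
            current = None  # any other top-level line closes the block
    return blocks

def ap_ssids(ap_config: str) -> set:
    """SSIDs defined globally ('dot11 ssid X') or under a Dot11Radio interface."""
    found, in_radio = set(), False
    for line in ap_config.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", line):
            found.add(m.group(1))
        if not line.startswith(" "):
            in_radio = line.startswith("interface Dot11Radio")
        elif in_radio and (m := re.match(r"\s+ssid (\S+)", line)):
            found.add(m.group(1))
    return found

def uncovered_ssids(wds_config: str, ap_configs: dict) -> dict:
    """Per AP, the SSIDs that no WDS client authentication block lists."""
    covered = set().union(*wds_client_ssids(wds_config).values())
    gaps = {ap: sorted(ap_ssids(cfg) - covered) for ap, cfg in ap_configs.items()}
    return {ap: missing for ap, missing in gaps.items() if missing}

# Constructed sample configs: the PEAP SSID was added on ap1 but not on the WDS.
WDS = """wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client any method_Client
 ssid corp-leap
wlccp wds priority 200 interface BVI1
"""
APS = {
    "ap1": "dot11 ssid corp-leap\n!\ndot11 ssid corp-peap\n!\n"
           "interface Dot11Radio0\n ssid corp-leap\n ssid corp-peap\n",
    "ap2": "interface Dot11Radio0\n encryption mode wep mandatory\n ssid corp-leap\n",
}

if __name__ == "__main__":
    for ap, missing in uncovered_ssids(WDS, APS).items():
        print(f"{ap}: SSIDs not listed on the WDS: {', '.join(missing)}")
```
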
