IOS Wireless Domain Services (WDS) Master and Infrastructure

Fri, 06/22/2012 - 23:04


Introduction

This document describes how to configure a Cisco IOS AP to operate as a "WDS Master AP" that authenticates infrastructure APs using LEAP, via a local RADIUS server configuration.  This document does not cover the WLAN Service Module or using WDS for radio management; only AP and client authentication.

We will start by preparing the AP for the local RADIUS server role, adding the applicable RADIUS “clients” (NAS entries), such as the WDS master and other participating infrastructure APs.  We will also tell our APs, including the master, which RADIUS server hosts they need to communicate with, and the necessary attributes.  If you are authenticating clients to an external server, we can designate that in the configuration, since the IOS AP local RADIUS server is limited to MAC, LEAP, or EAP-FAST authentication.  We will also specify a username for LEAP authentication that will be added to all APs, master and infrastructure, for performing local EAP authentication at the WDS master.

Minimum Requirements

AP with Cisco IOS Software Release 12.3(2)JA2 or later.

For external client authentication:  Cisco ACS, Microsoft 2003 running IAS or 2008 R2 running NPS.

Current Configuration on AP

We assume the AP(s) currently have the following configuration:

Master

Hostname: WDSMaster

IP: 10.10.10.xx

Mask: 255.255.255.0

Gateway: 10.10.10.x

External NPS Server

IP: 10.10.20.yy

Infrastructure

Hostname: WDSInfrastructure

IP: 10.10.10.x1

Mask: 255.255.255.0

Gateway: 10.10.10.x

WDS Master Configuration

[Turn on AAA feature set]

(config)# aaa new-model

[Create AAA server groups for Infrastructure and Client authentication.  These will be referenced by our AAA login lists]

(config)# aaa group server radius Infrastructure

(config-sg-radius)# server 10.10.10.xx auth-port 1812 acct-port 1813

(config-sg-radius)# exit

(config)# aaa group server radius Client

(config-sg-radius)# server 10.10.20.yy auth-port 1812 acct-port 1813

(config-sg-radius)# exit

[Set AAA login lists, infrastructure and client, to use groups created above.  These lists will be referred to by the SSID for the open and network-eap authentication]

(config)# aaa authentication login method_Infrastructure group Infrastructure

(config)# aaa authentication login method_Client group Client

[Configure AP for local RADIUS server to authenticate other WDS infrastructure AP's via LEAP]

(config)# radius-server local

[Remove other authentication methods as we will use LEAP for our infrastructure authentication and NPS will be handling our client's authentication]

(config-radius)# no authentication eapfast

(config-radius)# no authentication mac

[Define RADIUS client devices and shared secret: External RADIUS server, WDS Infrastructure APs and the local WDS Master AP.  We are using the shared secret of “Cisco” for the WDS side]

(config-radius)# nas 10.10.10.xx key 0 Cisco

(config-radius)# nas 10.10.20.yy key 0 Cisco

[Create username/password for LEAP authentication of WDS APs.  Username: Cisco / Password: TEST]

(config-radius)# user Cisco password TEST

(config-radius)# exit

[Define RADIUS server hosts, ports, and shared secret that the WDS master will use]

(config)# radius-server host 10.10.10.xx auth-port 1812 acct-port 1813 key 0 Cisco

(config)# radius-server host 10.10.20.yy auth-port 1812 acct-port 1813 key 0 <shared key external>

[Radius Server Attributes]

(config)# radius-server attribute 32 include-in-access-req format %h

[Create SSID and specify EAP authentication, referencing our AAA login lists created earlier]

(config)# dot11 ssid WDSTEST

(config-ssid)# authentication open eap method_Client

(config-ssid)# authentication network-eap method_Client

(config-ssid)# authentication key-management wpa version 2

(config-ssid)# guest-mode

(config-ssid)# exit

[Turn on WDS and set the highest priority, so this AP is guaranteed to be the master, using the BVI interface]

(config)# wlccp wds priority 254 interface BVI1

[Define username for AP authentication and specify WDS groups to use AAA lists]

(config)# wlccp ap username Cisco password TEST

(config)# wlccp authentication-server infrastructure method_Infrastructure

(config)# wlccp authentication-server client eap method_Client

(config-wlccp-auth)# ssid WDSTEST

(config-wlccp-auth)# end

[Check WDS Status]

# show wlccp wds ap

  HOSTNAME                           MAC-ADDR                    IP-ADDR               STATE

WDSMaster                        c471.fe33.xxxx                   10.10.10.xx         REGISTERED

# show wlccp ap

WDS = c471.fe33.xxxx, 172.16.xxx.yy

state = wlccp_ap_st_registered

IN Authenticator = 172.16.xxx.yy

MN Authenticator = 172.16.xxx.yy

WDS Infrastructure Config

[Turn on AAA feature set]

(config)# aaa new-model

[Create an SSID config identical to the one at the master]

(config)# dot11 ssid WDSTEST

(config-ssid)# authentication open eap method_Client

(config-ssid)# authentication network-eap method_Client

(config-ssid)# authentication key-management wpa version 2

(config-ssid)# guest-mode

(config-ssid)# exit

[Add RADIUS host of the AP WDS Master for infrastructure and client authentication]

(config)# radius-server host 10.10.10.xx auth-port 1812 acct-port 1813 key 0 Cisco

(config)# radius-server attribute 32 include-in-access-req format %h

[Add WDS functionality and point to master WDS AP using LEAP credentials created at master]

(config)# wlccp ap wds ip address 10.10.10.xx

(config)# wlccp ap username Cisco password TEST

The master AP should now show both itself and the infrastructure AP as "REGISTERED":

# show wlccp wds ap

HOSTNAME                           MAC-ADDR                      IP-ADDR               STATE

WDSMaster                        c471.fe33.xxxx                   10.10.10.xx         REGISTERED

WDSInfrastructure            c471.fe28.xxxx                   10.10.10.x1         REGISTERED
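Because the master and infrastructure configurations above only work when several values agree across the two APs (the login lists named by the SSID and by wlccp authentication-server, the master's own nas and radius-server host keys, the LEAP username/password on every AP against the master's local user, the infrastructure AP's WDS pointer and mirrored SSID), a small consistency check saves a lot of staring at "show wlccp wds ap". The Python below is an added example, not part of this document or any Cisco tool: it parses both configurations as "show running-config" text and reports ERROR/WARN findings. The sample configs are constructed from the commands in this document with placeholder addresses (10.10.10.11, 10.10.20.22) and a placeholder NPS secret; the 16-character shared-secret threshold is this example's own choice.

```python
import re
from typing import Dict, List

# Constructed sample: the document's WDS Master and Infrastructure configs as
# "show running-config" text; addresses and the NPS secret are placeholders.
MASTER_IP, NPS_IP = "10.10.10.11", "10.10.20.22"
MASTER_CONFIG = f"""\
aaa new-model
aaa group server radius Infrastructure
 server {MASTER_IP} auth-port 1812 acct-port 1813
aaa group server radius Client
 server {NPS_IP} auth-port 1812 acct-port 1813
aaa authentication login method_Infrastructure group Infrastructure
aaa authentication login method_Client group Client
radius-server local
 no authentication eapfast
 no authentication mac
 nas {MASTER_IP} key 0 Cisco
 user Cisco password TEST
radius-server host {MASTER_IP} auth-port 1812 acct-port 1813 key 0 Cisco
radius-server host {NPS_IP} auth-port 1812 acct-port 1813 key 0 NpsSecretPlaceholder0123
dot11 ssid WDSTEST
 authentication open eap method_Client
wlccp ap username Cisco password TEST
wlccp authentication-server infrastructure method_Infrastructure
wlccp authentication-server client eap method_Client
 ssid WDSTEST
"""
INFRA_CONFIG = f"""\
dot11 ssid WDSTEST
 authentication open eap method_Client
radius-server host {MASTER_IP} auth-port 1812 acct-port 1813 key 0 Cisco
wlccp ap wds ip address {MASTER_IP}
wlccp ap username Cisco password TEST
"""

def parse_blocks(cfg: str) -> list:
    # Split running-config text into (top-level command, [indented sub-lines]) pairs
    blocks = []
    for raw in cfg.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks

def matches(blocks: list, pattern: str) -> list:
    return [m for t, _ in blocks if (m := re.match(pattern, t))]

def ssids(blocks: list) -> Dict[str, List[str]]:
    return {t.split()[2]: s for t, s in blocks if t.startswith("dot11 ssid ")}

def host_keys(blocks: list) -> Dict[str, str]:
    return {m[1]: m[2] for m in matches(blocks, r"radius-server host (\S+) .*key \d (\S+)")}

def check_wds_pair(master_cfg: str, infra_cfg: str, master_ip: str) -> List[str]:
    """Cross-check a WDS master and one infrastructure AP; returns ERROR/WARN findings."""
    out: List[str] = []
    mb, ib = parse_blocks(master_cfg), parse_blocks(infra_cfg)
    if not matches(mb, r"aaa new-model$"):
        out.append("ERROR master: 'aaa new-model' missing; AAA lists are ignored without it")
    groups = [t.split()[4] for t, _ in mb if t.startswith("aaa group server radius ")]
    hosts, login = host_keys(mb), {}
    for m in matches(mb, r"aaa authentication login (\S+) group (\S+)"):
        login[m[1]] = m[2]
        if m[2] not in groups:
            out.append(f"ERROR master: login list {m[1]} references undefined group {m[2]}")
    # Every login list named by the SSID or by 'wlccp authentication-server' must exist
    refs = [m[1] for m in matches(mb, r"wlccp authentication-server (?:infrastructure|client eap) (\S+)")]
    for subs in ssids(mb).values():
        refs += [m[1] for s in subs if (m := re.match(r"authentication (?:open eap|network-eap) (\S+)", s))]
    out += [f"ERROR master: undefined login list {r} is referenced" for r in refs if r not in login]
    # Local RADIUS: the master is its own NAS, so its nas key must equal its radius-server host key
    local = next((s for t, s in mb if t == "radius-server local"), None)
    if local is None:
        out.append("ERROR master: no 'radius-server local'; infrastructure LEAP cannot be served")
        local = []
    nas = {m[1]: m[2] for s in local if (m := re.match(r"nas (\S+) key \d (\S+)", s))}
    users = {m[1]: m[2] for s in local if (m := re.match(r"user (\S+) password (\S+)", s))}
    if master_ip not in nas or master_ip not in hosts:
        out.append(f"ERROR master: {master_ip} needs both a 'nas' and a 'radius-server host' entry")
    elif nas[master_ip] != hosts[master_ip]:
        out.append(f"ERROR master: nas key and radius-server host key for {master_ip} differ")
    # The LEAP credential on both APs must match a user in the master's local RADIUS
    for label, blocks in (("master", mb), ("infra", ib)):
        cred = matches(blocks, r"wlccp ap username (\S+) password (\S+)")
        if not cred or users.get(cred[0][1]) != cred[0][2]:
            out.append(f"ERROR {label}: LEAP credential missing or not a user on the master")
    # Infrastructure AP: points at the master, has its RADIUS host entry, mirrors the SSID
    wds = matches(ib, r"wlccp ap wds ip address (\S+)")
    if not wds or wds[0][1] != master_ip:
        out.append("ERROR infra: 'wlccp ap wds ip address' missing or not the WDS master")
    if master_ip not in host_keys(ib):
        out.append(f"ERROR infra: no 'radius-server host {master_ip}' entry for the WDS master")
    out += [f"ERROR infra: SSID {n} missing or differs from the master's definition"
            for n, subs in ssids(mb).items() if ssids(ib).get(n) != subs]
    # Hygiene check (threshold chosen for this example): short or vendor-name shared secrets
    for ip, key in [*nas.items(), *hosts.items(), *host_keys(ib).items()]:
        if len(key) < 16 or key.lower() == "cisco":
            out.append(f"WARN: shared secret for {ip} is short or well-known; use a long random one")
    return out

if __name__ == "__main__":
    for finding in check_wds_pair(MASTER_CONFIG, INFRA_CONFIG, MASTER_IP):
        print(finding)
```

Run against the sample pair it reports no errors, only warnings about the short "Cisco" shared secret the document uses for illustration; change the infrastructure AP's LEAP password, remove the master's own nas entry, or point wlccp authentication-server at a list that was never created, and the corresponding ERROR line names the AP and the command that needs fixing.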

Reference

Wireless Domain Services Configuration
