Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Wireless Security with ACS


We have an Wireless implementation with Aironet 1240 and 1200 AP's. The security is done with WEPkey 128bits, and Mac-Authentication against an Central ACS Server, but I've a problem with the timing of authentication. Every time we roaming from on AP to another, the authentication is going again to the Central ACS. Is there a possibility of keeping the authentication even when roaming? do you have any example of configs? I guess the possibility is Fast Secure Roaming, but could you help me out?

Best Regards,

Jorge Sousa

Hall of Fame Super Red

Re: Wireless Security with ACS

Hi Jorge,

You are right in thinking that using a WDS in conjunction with Fast Secure Roaming is probably the best way to go. Here are some startup docs;

Configuring WDS, Fast Secure Roaming, and Radio Management

Understanding WDS

When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management. If you use a switch as the WDS device, the switch must be equipped with a Wireless LAN Services Module (WLSM). An access point configured as the WDS device supports up to 60 participating access points. A WLSM-equipped switch supports up to 300 participating access points.

Fast, secure roaming provides rapid reauthentication when a client device roams from one access point to another, preventing delays in voice and other time-sensitive applications.

Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS device. The WDS device aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network.

Role of the WDS Device

The WDS device performs several tasks on your wireless LAN:

Advertises its WDS capability and participates in electing the best WDS device for your wireless LAN. When you configure your wireless LAN for WDS, you set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes off line, one of the backup WDS devices takes its place.

Authenticates all access points in the subnet and establishes a secure communication channel with each of them.

Collects radio data from access points in the subnet, aggregates the data, and forwards it to the WLSE device on your network.

Registers all client devices in the subnet, establishes session keys for them, and caches their security credentials. When a client roams to another access point, the WDS device forwards the client's security credentials to the new access point.

Participating Access Points Supported by WDS Devices

Access point that also serves client devices


Access point with radio interfaces disabled


WLSM-equipped switch


Role of Access Points Using the WDS Device

The access points on your wireless LAN interact with the WDS device in these activities:

Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.

Authenticate with the WDS device and establish a secure communication channel to the WDS device.

Register associated client devices with the WDS device.

Report radio data to the WDS device.

From this good doc;

Wireless Domain Services Configuration

Wireless Domain Services FAQ

What is WDS and Why Do I Need It?

Hope this helps!


Community Member

Re: Wireless Security with ACS

Do we really need to have WLSE?

Hall of Fame Super Red

Re: Wireless Security with ACS

Hi Jorge,

The WLSE is not a must, it is optional :)

Q. What is the role of Wireless LAN Solution Engine (WLSE) in a WDS-enabled wireless LAN (WLAN) network?

A. APs and, optionally, Cisco client devices or Cisco-compatible client devices take radio frequency (RF) measurements within a single subnetwork. Cisco SWAN WDS aggregates the measurements and forwards the measurements to CiscoWorks WLSE for analysis. With these measurements as a basis, CiscoWorks WLSE can:

Detect rogue APs and interference from other devices

Provide assisted site surveys

Support WLAN self-healing for optimal channel and power-level setting

Hope this helps!


CreatePlease to create content