Configuring WDS with cisco 1242 APs

Hi Guys,


I'm using two Cisco 1242 AG access points to configure the WDS feature. I've named the access points AP1 (acts as WDS) and AP2. Since I've only two access points, I've configured AP1 to act both as a WDS and as a regular access point.


Further, I'm using the local RADIUS server within AP1 to authenticate both clients and infrastructure access points. Both APs are connected to a router (which acts as a DHCP server) via an unmanaged switch, and both access points are getting registered with the WDS.


But the issue is that when I try to connect to the configured SSID, it prompts me with an "authentication window", but after entering the configured username and password, I'm not getting authenticated by the AP.


I've attached the configurations of both APs for your reference, and I've used the following Cisco document as a guideline to create the WDS.

http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_example09186a008059a559.shtml

Can someone assist me in this regard?

Regards,

Suthakar

////////////// AP1 ///////////



ap1#sh run

Building configuration...


Current configuration : 3403 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap1

!

enable secret 5 $1$AuxA$wvJa8q/5LgU9Var9/FqGz1

!

aaa new-model

!

!

aaa group server radius rad_eap

server 196.175.100.204 auth-port 1812 acct-port 1813

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius clients

server 196.175.100.204 auth-port 1812 acct-port 1813

server 196.175.100.204 auth-port 1645 acct-port 1646

!

aaa authentication login wds-server group rad_eap

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login method_clients group clients

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

!

!

!

dot11 ssid cisco123

authentication open eap method_clients

authentication network-eap method_clients

authentication key-management wpa

guest-mode

!

power inline negotiation prestandard source

!

!

username Cisco password 7 05280F1C2243

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

ssid cisco123

!

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

ssid cisco123

!

no dfs band block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 196.175.100.204 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com...config/help/eag


ip radius source-interface BVI1

radius-server local

no authentication eapfast

no authentication mac

nas 196.175.100.204 key 7 01100F175804

user AP1242 nthash 7 025327035B5629701F6F5A3A204F442E28567F7F740C17610744544552240F780A

user user1 nthash 7 075D796D6B5C4C5D444A5F2F20087373716B13764325355424770B0975702B224D

user ap1 nthash 7 14454A2A29517F737770671606315F415A59700D08717759263944087E73767300

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 196.175.100.204 auth-port 1812 acct-port 1813 key 7 070C285F4D06

radius-server host 196.175.100.204 auth-port 1645 acct-port 1646 key 7 00071A150754

radius-server vsa send accounting

bridge 1 route ip

!

!

wlccp ap username ap1 password 7 105A01180E0513075D

wlccp authentication-server infrastructure wds-server

wlccp authentication-server client mac method_clients

wlccp authentication-server client eap method_clients

wlccp authentication-server client leap method_clients

wlccp authentication-server client any method_clients

wlccp wds priority 254 interface BVI1

!

line con 0

line vty 0 4

!

end


ap1#

//////////////// AP2 ////////////////



ap2#sh run

Building configuration...


Current configuration : 2558 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap2

!

enable secret 5 $1$UuwI$Do4iUfHGJDBHSDl9pjAGu/

!

aaa new-model

!

!

aaa group server radius rad_eap

server 196.175.100.204 auth-port 1812 acct-port 1813

server 196.175.100.204 auth-port 1645 acct-port 1646

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius rad_eap1

server 196.175.100.204 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login eap_methods1 group rad_eap1

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

!

!

!

dot11 ssid cisco123

authentication open eap eap_methods1

authentication network-eap eap_methods1

authentication key-management wpa

!

power inline negotiation prestandard source

!

!

username Cisco password 7 05280F1C2243

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

ssid cisco123

!

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption mode ciphers tkip

!

ssid cisco123

!

no dfs band block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 196.175.100.205 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com...config/help/eag


ip radius source-interface BVI1

radius-server attribute 32 include-in-access-req format %h

radius-server host 196.175.100.204 auth-port 1645 acct-port 1646 key 7 030752180500

radius-server vsa send accounting

bridge 1 route ip

!

!

wlccp ap username AP1242 password 7 045802150C2E

!

line con 0

line vty 0 4

!

end


ap2#




3 REPLIES
Cisco Employee

Configuring WDS with cisco 1242 APs

Step 1 is verifying that WDS infrastructure is correct. From there we can worry about the clients.

Can you type "show wlccp ap" and "show wlccp wds ap" ?

It should show if the 2nd AP is registered to the 1st one.

If that is all fine, we'd go with radius and aaa debugs on the WDS AP.

Configuring WDS with cisco 1242 APs

Dear Nicolas,

I've issued both the "show wlccp wds ap" and "show wlccp ap" commands and it simply shows that the 2nd AP is getting registered with the 1st one. Further, since I'm using the 1st AP to serve as both client and WDS, under the 1st AP's WDS configuration tab/page I can see that both APs are getting registered as clients.

Anyhow, let me run the "radius and aaa" debug commands and see...

Regards,

suthakar

Bronze

Re: Configuring WDS with cisco 1242 APs

When you perform the "#show wlccp wds ap" command you should see both the WDS master (ap1) and AP2 registered.

In AP1's radius-server local config, I show the shared key for AP2 and applicable username

nas 196.175.100.204 key 7 01100F175804

user AP1242 nthash 7 025327035B5629701F6F5A3A204F442E28567F7F740C17610744544552240F780A

You should also add the radius server to this list

# radius-server local

# nas 196.175.100.205 key 0

It looks like you already have the username created and set under your wlccp config

user ap1 nthash 7 14454A2A29517F737770671606315F415A59700D08717759263944087E73767300

and

wlccp ap username ap1 password 7 105A01180E0513075D

Once you see AP1 and AP2 registered with show wlccp wds ap see what you get.

Also, on AP2, you will call the same key-management, auth, etc. "eap" methods group under your SSID as used on AP1. All of this information will hit the AP1 WDS master and use AP1's designated groups and host lists. This is the reason you have the following commands on your master. Requests received at the WDS slave will be forwarded to the master and handled accordingly.

wlccp authentication-server infrastructure ...

wlccp authentication-server client ...

You should not even need to declare your radius server groups, or define hosts on AP2, only the master.  Just using your wlccp command that is in place will work.

wlccp ap username AP1242 password 7 045802150C2E
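
The cross-references the reply above walks through (a nas entry on the WDS for each AP, the wlccp username present as a local RADIUS user, and every referenced method list being defined) can be checked mechanically. This is an added example, not part of the thread or Cisco's tooling; the function names are hypothetical, the sample text is a constructed excerpt of the two posted configs with keys replaced by `<redacted>`, and it only understands the command forms that appear in those configs.

```python
import re

def grab(pattern, cfg):
    return set(re.findall(pattern, cfg, re.M))  # first-group matches, line by line

def parse(cfg):
    """Collect the WDS-related facts from an IOS AP running-config."""
    one = lambda p: next(iter(grab(p, cfg)), None)
    return {
        "host": one(r"^hostname (\S+)"),
        "bvi": one(r"^\s*ip address (\S+)"),            # BVI1 is the only addressed interface
        "wlccp_user": one(r"^wlccp ap username (\S+)"),
        "nas": grab(r"^\s*nas (\S+)", cfg),             # radius-server local clients
        "users": grab(r"^\s*user (\S+) nthash", cfg),   # radius-server local accounts
        "lists": grab(r"^aaa authentication login (\S+)", cfg),
        # method lists named by wlccp authentication-server and SSID authentication lines
        "refs": grab(r"^\s*(?:wlccp authentication-server|authentication (?:open|network-eap)) (?:.* )?(\S+)$", cfg),
    }

def check(wds_cfg, ap_cfgs):
    """Findings for the WDS AP config plus the other infrastructure AP configs."""
    wds, findings = parse(wds_cfg), []
    for ap in [wds] + [parse(c) for c in ap_cfgs]:
        if ap["bvi"] not in wds["nas"]:
            findings.append(f"{ap['host']}: no nas entry for {ap['bvi']} on {wds['host']}")
        if ap["wlccp_user"] not in wds["users"]:
            findings.append(f"{ap['host']}: wlccp user {ap['wlccp_user']} not on {wds['host']}")
        for ref in sorted(ap["refs"] - ap["lists"]):
            findings.append(f"{ap['host']}: method list {ref} is not defined")
    return findings

# Constructed excerpts of the configs posted above (secrets replaced by <redacted>).
AP1 = """hostname ap1
aaa authentication login wds-server group rad_eap
aaa authentication login method_clients group clients
 authentication open eap method_clients
 ip address 196.175.100.204 255.255.255.0
 nas 196.175.100.204 key 7 <redacted>
 user AP1242 nthash 7 <redacted>
 user ap1 nthash 7 <redacted>
wlccp ap username ap1 password 7 <redacted>
wlccp authentication-server infrastructure wds-server
wlccp authentication-server client any method_clients"""
AP2 = """hostname ap2
aaa authentication login eap_methods1 group rad_eap1
 authentication network-eap eap_methods1
 ip address 196.175.100.205 255.255.255.0
wlccp ap username AP1242 password 7 <redacted>"""

if __name__ == "__main__":
    print("\n".join(check(AP1, [AP2])))
```

On these excerpts the only finding is the missing nas entry for 196.175.100.205, the same gap the reply points out.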
