Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

WDS & PEAP

Hi,

I am using Cisco ACS and Cisco AP AIR-AP1231G-A-K9. They are configured so that client can be authenticated using PEAP. However, as soon as join the AP to WDS. It stops working and no clients can now be authenticated by PEAP.

000066: *Mar 1 00:52:26.875 UTC: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated

000067: *Mar 1 00:52:34.468 UTC: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0013.ce55.7876 Reason: Previous authentication no longer valid

000068: *Mar 1 00:52:35.077 UTC: %DOT11-7-AUTH_FAILED: Station 0013.ce55.7876 Authentication failed

Any suggestions? Thanks.

Andrew

3 REPLIES
Hall of Fame Super Red

Re: WDS & PEAP

Hi Andrew,

This certainly looks like a problem between the WDS and the ACS Server. Have a look at the following;

Wireless Domain Services Configuration

In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.

Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.

One or more client server groups on the WDS define client authentication.

When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again.

From this doc;

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

Hope this helps!

Rob

Community Member

Re: WDS & PEAP

Hi,

Actually in my production environment, I have WDS with ACS for LEAP authentication working for a long time. When I recently want to migrate LEAP users to use PEAP, I couldn't get it to work.

ACS is configured with PEAP support. As soon as change the client to PEAP, the authentication fails but I can't see any "Failed Attempt" in ACS. But if I remove the WDS config from the AP, PEAP works and I can see the "Passed Attempt" in ACS. The AP IOS is also the latest. I wonder if PEAP can actually work with WDS? Thanks.

Andrew

Community Member

Re: WDS & PEAP

Problem fixed. All SSID configured in the Infrastructure APs must be specified under the "wlccp authentication-server client" config in the WDS. Otherwise, the WDS will not contact ACS; instead it will pick the "Permanant Local" list and hence the authentication will fail.

Andrew

649
Views
0
Helpful
3
Replies
CreatePlease to create content