Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WDS with WEP

Is is possible to use WDS (one of six AP1230s as the primary WDS) when WEP is configured?

6 REPLIES
Green

Re: WDS with WEP

You can use it, but you won't get any benefit from it. IIRC its LEAP or EAP-FAST to get the fast secure roaming capability.

Good Luck

Scott

New Member

Re: WDS with WEP

This is a customer who already have deployed WEP and are a few months away from deploying WPA.

My question is how does WDS work in WEP environment given that WEP does not have any Authentication mechanism. The whole idea of WDS is that the wireless user's credentials are cached in the WDS (AP or WLSE). With WEP, there is no such thing as user credentials.

We have tried to configure one AP as the WDS and the other 5 APs as WDS clients, but the user stays connected to the original AP even when he roams to another AP.

Hence the question: has anyone actually got WDS to work with WEP? If so, any tips will be much appreciated.

New Member

Re: WDS with WEP

Wireless Domain Services. A device providing WDS on the wireless LAN maintains a cache of credentials for clients that are capable of using CCKM (Cisco Centralized Key Management). When a CCKM-capable client roams from one access point to another, WDS forwards the client's credentials to the new access point with the multicast key

We must understand that First AP is the one whos signals are going to be repeated or extended using the other APs.

The clints will always be connected to main AP only, since u are just increasing the AP to increase the coverage only.

This is correct , we cannot use WPA with WDS.

You can use LEAP for more mobility and scalibility ..

Regards,

Bramnha Prakash Tiwari

Bronze

Re: WDS with WEP

You should absolutely be able to use WDS with WEP. I wouldn't say you get nothing out of this. The WDS still maintains a table of mobile nodes in its "domain". This information gets pushed up to the WLSE for real-time client tracking. You can also get dynamic radio management. What you won't get is CCKM, which is a mechanism for fast, secure roaming in an 802.1x authentication environment.

You said:

"Wireless Domain Services. A device providing WDS on the wireless LAN maintains a cache of credentials for clients that are capable of using CCKM (Cisco Centralized Key Management). When a CCKM-capable client roams from one access point to another, WDS forwards the client's credentials to the new access point with the multicast key."

--> Not exactly. No credentials are cached. The WDS maintains a set of encryption keys and client context. The CCKM-capable client has the same keys and context locally. When the CCKM-capable client roams, it uses these keys and client context to dynamically generate a new encryption key. The WDS does the same thing and hands it off to the new AP. This way, a new session key is dynamically generated without having to re-auth the client with the RADIUS server.

You said:

"We cannot use WPA with WDS."

--> This is wrong! You can absolutely use WPA with WDS. WDS is EAP-type agnostic. The challenge is which supplicants/clients support CCKM. CCXv1, 2 only requires support for CCKM with LEAP. CCXv3 adds EAP-FAST. CCXv4 adds EAP-TLS, PEAP, etc.

You said:

"You can use LEAP for more mobility and scalability"

--> Don't use LEAP if you can avoid it. LEAP was great technology 5 years ago. But the ASLEAP tool is out there and that can be used to steal credentials. LEAP requires enforcing strong passwords. Good luck with that.

New Member

Re: WDS with WEP

Hi,

I said :

Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client's credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.

I read this from cisco website only , you can check it ,

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341e2b.html

or you can see in this document..

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804ef3e3.html

And for WPA i only know that ,encryption can be used with 802.11 Wireless Distribution System (WDS) links between bridges or repeaters, but only with static keys configured into the APs at both ends of the WDS link. In practical terms, this means that WDS can only be used with Wired Equivalent Privacy (WEP), because WEP allows direct configuration of static keys. Wi-Fi Protected Access (WPA) did away with static encryption keys, using a 4-way key handshake to derive dynamic encryption keys based either on a Preshared Secret Key (WPA-PSK) or a master key delivered via 802.1X.

But i suppose that is old concept now, with 802.11i draft WPA is supported by WDS in both infrastructure and ad-hoc modes ....

Thanks for gr8 concept sharing

Regards,

Bramnha Prakash Tiwari

Bronze

Re: WDS with WEP

I've done this many times. There's no real secret to it. First, get the WDS running and get the APs registered with it using the guidelines in this doc:

http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_technical_reference_book09186a00803b598c.html

After the infrastructure is working, add your WEP SSID/VLANs to the APs. And you should be done.

WDS doesn't cache credentials. In 802.11i/WPA/WPAv2 and CCKM environments, it stores client master key caches. You're right in that with WEP, WDS gives you marginal benefits for roaming. But WDS is also acting as a centralized control entity for its "domain" of APs. It's also tracking clients and collecting radio data for the WLSE.

You said:

"We have tried to configure one AP as the WDS and the other 5 APs as WDS clients, but the user stays connected to the original AP even when he roams to another AP."

--> Maybe I'm missing something, but this doesn't make sense. If the user roams, how is he still "connected" to the original AP? By definition, when a client roams, it disconnects from its current AP and connects to a new AP. Roaming decisions are ALWAYS made by the client device. Why clients roam typically depends on the vendor implementation, so your mileage may vary. It's usually based on signal strength, signal quality, too many retries, etc. As long as the client is happy with the current quality of connection, it won't roam even if there's a potentially better connection. I've seen many environments, particularly test beds, where APs are deployed fairly densely and the client can walk all over a building and never "roam" to a new AP, even when there are physically closer APs. One can argue this is actually a good thing.

336
Views
4
Helpful
6
Replies
CreatePlease login to create content