This is a customer who already have deployed WEP and are a few months away from deploying WPA.
My question is how does WDS work in WEP environment given that WEP does not have any Authentication mechanism. The whole idea of WDS is that the wireless user's credentials are cached in the WDS (AP or WLSE). With WEP, there is no such thing as user credentials.
We have tried to configure one AP as the WDS and the other 5 APs as WDS clients, but the user stays connected to the original AP even when he roams to another AP.
Hence the question: has anyone actually got WDS to work with WEP? If so, any tips will be much appreciated.
Wireless Domain Services. A device providing WDS on the wireless LAN maintains a cache of credentials for clients that are capable of using CCKM (Cisco Centralized Key Management). When a CCKM-capable client roams from one access point to another, WDS forwards the client's credentials to the new access point with the multicast key
We must understand that First AP is the one whos signals are going to be repeated or extended using the other APs.
The clints will always be connected to main AP only, since u are just increasing the AP to increase the coverage only.
This is correct , we cannot use WPA with WDS.
You can use LEAP for more mobility and scalibility ..
You should absolutely be able to use WDS with WEP. I wouldn't say you get nothing out of this. The WDS still maintains a table of mobile nodes in its "domain". This information gets pushed up to the WLSE for real-time client tracking. You can also get dynamic radio management. What you won't get is CCKM, which is a mechanism for fast, secure roaming in an 802.1x authentication environment.
"Wireless Domain Services. A device providing WDS on the wireless LAN maintains a cache of credentials for clients that are capable of using CCKM (Cisco Centralized Key Management). When a CCKM-capable client roams from one access point to another, WDS forwards the client's credentials to the new access point with the multicast key."
--> Not exactly. No credentials are cached. The WDS maintains a set of encryption keys and client context. The CCKM-capable client has the same keys and context locally. When the CCKM-capable client roams, it uses these keys and client context to dynamically generate a new encryption key. The WDS does the same thing and hands it off to the new AP. This way, a new session key is dynamically generated without having to re-auth the client with the RADIUS server.
"We cannot use WPA with WDS."
--> This is wrong! You can absolutely use WPA with WDS. WDS is EAP-type agnostic. The challenge is which supplicants/clients support CCKM. CCXv1, 2 only requires support for CCKM with LEAP. CCXv3 adds EAP-FAST. CCXv4 adds EAP-TLS, PEAP, etc.
"You can use LEAP for more mobility and scalability"
--> Don't use LEAP if you can avoid it. LEAP was great technology 5 years ago. But the ASLEAP tool is out there and that can be used to steal credentials. LEAP requires enforcing strong passwords. Good luck with that.
Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client's credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.
I read this from cisco website only , you can check it ,
And for WPA i only know that ,encryption can be used with 802.11 Wireless Distribution System (WDS) links between bridges or repeaters, but only with static keys configured into the APs at both ends of the WDS link. In practical terms, this means that WDS can only be used with Wired Equivalent Privacy (WEP), because WEP allows direct configuration of static keys. Wi-Fi Protected Access (WPA) did away with static encryption keys, using a 4-way key handshake to derive dynamic encryption keys based either on a Preshared Secret Key (WPA-PSK) or a master key delivered via 802.1X.
But i suppose that is old concept now, with 802.11i draft WPA is supported by WDS in both infrastructure and ad-hoc modes ....
After the infrastructure is working, add your WEP SSID/VLANs to the APs. And you should be done.
WDS doesn't cache credentials. In 802.11i/WPA/WPAv2 and CCKM environments, it stores client master key caches. You're right in that with WEP, WDS gives you marginal benefits for roaming. But WDS is also acting as a centralized control entity for its "domain" of APs. It's also tracking clients and collecting radio data for the WLSE.
"We have tried to configure one AP as the WDS and the other 5 APs as WDS clients, but the user stays connected to the original AP even when he roams to another AP."
--> Maybe I'm missing something, but this doesn't make sense. If the user roams, how is he still "connected" to the original AP? By definition, when a client roams, it disconnects from its current AP and connects to a new AP. Roaming decisions are ALWAYS made by the client device. Why clients roam typically depends on the vendor implementation, so your mileage may vary. It's usually based on signal strength, signal quality, too many retries, etc. As long as the client is happy with the current quality of connection, it won't roam even if there's a potentially better connection. I've seen many environments, particularly test beds, where APs are deployed fairly densely and the client can walk all over a building and never "roam" to a new AP, even when there are physically closer APs. One can argue this is actually a good thing.
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...