AAA Clients in a WDS infrastructure

ciscoprolin · ‎06-25-2007

Dear All, we have a Cisco WDS infrastructure with an ACS Radius Server. Do we have to add all infrastructure APs as AAA-Clients in ACS or should we only define the WDS Master AP and the WDS Backup AP as AAA-Clients ?

We thought it's better to add all APs as AAA-Clients for the Case the WDS devices should fail. Then the APs can authenticate against ACS directly. Is that reasoning correct ? Thanks.

dancampb · ‎06-25-2007

You will only have to add the WDS devices themselves and not the infrastructure AP's. Basically the infrastructure AP's are authenticating to the WDS as clients, same as a wireless client would authenticate to the AP. The active WDS will be the only AP that will talk directly to the Radius server. All client authentications will be forwarded from the infrastructure AP to the WDS and then sent on to the Radius server.

ciscoprolin · ‎06-25-2007

Dear dancampb,

thanks for your reply. Just one more question on this:

Suppose the WDS AP fails (and no backup WDS device exists)- then the complete WLAN would be dead because all the other APs can't forward AAA-requests to the Radius Server. Is that correct ?

Wouldn't it make sense to additionally define the APs as AAA-Clients on the Radius Server and enable AP Authentication to make sure that the APs will be authenticated as well either way (either through WDS or directly by the Radius Server in case WDS fails) ? Thanks to all for your appreciated feedback in this conceptional matter.