ACS required for WDS?

tarun.pahuja
Level 1

Folks,

We recently bought WLSE 2.5. I would like to implement WDS for RF scanning (rogue access-point detection). One of the prerequisites of WDS is LEAP (please correct me if I am wrong). Do we have to BUY a Cisco ACS server? I was under the impression that I could use the RADIUS services built into the Windows 2000 server. Will that work? Any other way to get around buying an ACS server? My budget is limited, so I am looking for alternatives.

ALSO, I have heard that LEAP does not work with non-Cisco client adapter cards? Many companies like Dell and IBM have come out with drivers that let their inbuilt wireless cards support LEAP. Any suggestions?

Thanks

7 Replies

rmushtaq
Level 8

WDS uses LEAP authentication, so you can use a RADIUS server, provided it can do LEAP authentication. Here are a few relevant links that you can look at for this:

LEAP Authentication with RADIUS Server -> http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml and

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml

vblavet
Level 1

Hi,

You are right, LEAP is needed to enable WDS. Here is the reason:

WDS needs to talk to all the APs in the Wireless Domain. In order to do so, we establish a secured connection between APs and WDS. For that we are using the LEAP supplicant available in the AP.

This does not impact the client kind of authentication. A client end-device can still use any EAP authentication (with the corresponding RADIUS).

So in order to establish the WDS architecture (called SWAN) we need LEAP but only for the infra. Not the client.

To enable LEAP authentication you need a LEAP-compliant RADIUS. However, the Aironet AP-1100 or 1200 supports an embedded LEAP RADIUS mini-server. This mini-server can be used for the infra authentication.

So with Cisco Aironet AP + WLSE you have all the features for enabling the SWAN architecture.

Using an external ACS can be a good idea for large WLAN networks, for performance reasons.

Hope this helps.

WDS Infrastructure authentication uses LEAP. So you are correct on it. However, there are two things to be corrected/noted based on your description.

1) LEAP requires a RADIUS server. Cisco ACS is certainly a good candidate. However, the IOS AP1200/1100 themselves can be configured as a RADIUS server, i.e. a RADIUS server on the IOS AP. Here is the config example. Refer to the "LEAP Authentication with Local RADIUS Server" link.

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_examples_list.html

2) You are also correct that non-Cisco client adapters do not support LEAP. However, in the case of WDS, only the APs are doing LEAP authentication; no clients are involved. Do not confuse the client authentication with infrastructure authentication. These are two different authentications going on independently.

Folks,

Thanks a ton for all the useful info. I have a question pertaining to the posts. If I want to use LEAP for client authentication and AP authentication as well, can you just use the MINI RADIUS server built into the 1100 and 1200 series Cisco Aironet access points, or would I necessarily have to buy an ACS server?

One of my other clients presently has only 10 access points and would like to use the RF scanning feature of WLSE for rogue access point detection, and would not like to spend money on purchasing ACS as he only has 10 access points and 30 users. Would it be possible?

Thanks

You can use Local Radius Server on the AP for WDS authentication. See: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

Can also look at: http://www.freeradius.org/ for a freeware app.

Thanks for the info!

I wish they had a FreeRADIUS server for the Windows platform; I am ignorant when it comes to Unix.

Can Local RADIUS server be used for client authentication as well?

Any other RADIUS servers that would support LEAP and would cost much less than the Cisco ACS server?

Yes, local RADIUS server can be used for client authentication. But only for LEAP.

Not sure about any commercial RADIUS server. However, if you do have a Linux/FreeBSD box, FreeRADIUS will be a boon to you.

http://www.freeradius.org/
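
The setup the replies above converge on (WDS infrastructure authentication handled by the access point's local RADIUS server, with no ACS) looks roughly like this in Aironet IOS configuration. This is an added example, not taken from any poster or from the linked Cisco documents; the address 192.0.2.10, the user and list names, and the `<...>` secrets are constructed placeholders, and exact syntax can vary by IOS release.

```cisco
! Added example. Constructed values: 192.0.2.10 stands for the WDS AP's
! own BVI1 address; names and <...> secrets are placeholders.
!
! --- On the AP acting as WDS and as local RADIUS server ---
aaa new-model
!
! Local RADIUS (LEAP) server on the AP. The AP lists itself as a NAS
! because the WDS process on this AP is the RADIUS client.
radius-server local
 nas 192.0.2.10 key <shared-secret>
 user wds-ap password <wds-ap-password>
 user ap-floor1 password <ap-floor1-password>
!
! Point AAA at the local server and build a method list for it
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
aaa group server radius infra_rad
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login infra_list group infra_rad
!
! Enable WDS and bind infrastructure (AP-to-WDS) authentication to the list
wlccp wds priority 200 interface BVI1
wlccp authentication-server infrastructure infra_list
!
! If the WDS AP also serves clients, it registers with WDS like any other AP
wlccp ap username wds-ap password <wds-ap-password>
!
! --- On every other AP in the wireless domain ---
! Credentials this AP's LEAP supplicant presents to the WDS
wlccp ap username ap-floor1 password <ap-floor1-password>
```

Only the infrastructure method list is defined here, so client authentication stays independent of it, as the replies point out.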
