Does an infrastructure AP registered w/ WDS need to be an AAA client on the ACS server? Since all authorization will be handled by the WLSM, do I need to configure Radius server settings on the infrastructure ap?
Yes, I beleve it does (needs a RADIUS config) and, I believe you you do (have to configure the RADIUS setting in the AP).
The initial authorization is done through the specified RADIUS server, proxied through the WDS.
The WDS/WLSM comes into play when roaming; it (essentially) caches the credentials and passes them to the "next" AP from the values obtained from association / authentication / authorization" of the previous" AP.
The WDS/WLSM speeds up the auth process for "seamless" roaming to prevent the client from timing-out in the event of a full authorization taking too long.
I actually have to disagree with Scott here. The following link goes into more detail.
Basically, when the Infrastructure AP logs into the WDS master, it then proxys its eap authentications through the WDS master, which querys the radius server defined locally and caches the response. Any local aaa settings for eap on the infrastructure AP will be ignored. You do need to define a username for each AP on the aaa server so that the APs can log into the WDS master.
Also, it is still useful to have tacacs/radius configured for telnet/ssh and enable access to the individual APs. If you wish to do this, you do need to define it as a network device on the AAA server.