Cisco Support Community

Infrastructure AP - ACS question

Does an infrastructure AP registered w/ WDS need to be an AAA client on the ACS server? Since all authorization will be handled by the WLSM, do I need to configure RADIUS server settings on the infrastructure AP?


Robert Evans


Re: Infrastructure AP - ACS question

Yes, I believe it does (needs a RADIUS config) and, I believe you do (have to configure the RADIUS setting in the AP).

The initial authorization is done through the specified RADIUS server, proxied through the WDS.

The WDS/WLSM comes into play when roaming; it (essentially) caches the credentials and passes them to the "next" AP from the values obtained from "association / authentication / authorization" of the "previous" AP.

The WDS/WLSM speeds up the auth process for "seamless" roaming to prevent the client from timing-out in the event of a full authorization taking too long.

It is not, in itself, an authorization source.

Good Luck



Re: Infrastructure AP - ACS question

I actually have to disagree with Scott here. The following link goes into more detail.

Basically, when the Infrastructure AP logs into the WDS master, it then proxies its EAP authentications through the WDS master, which queries the RADIUS server defined locally and caches the response. Any local AAA settings for EAP on the infrastructure AP will be ignored. You do need to define a username for each AP on the AAA server so that the APs can log into the WDS master.

Also, it is still useful to have TACACS/RADIUS configured for Telnet/SSH and enable access to the individual APs. If you wish to do this, you do need to define it as a network device on the AAA server.