Cisco WDS setup using an AP as the WDS with local RADIUS
This post outlines the procedure for setting up WDS (Wireless Domain Services) with a single autonomous AP acting as the WDS, using the local RADIUS server on that same AP to authenticate both the infrastructure APs and the wireless clients. I can't think of a real-world use for this beyond a small office or area with no other authentication server that happens to run wireless voice; I'm doing it as a lab to get a better understanding of the autonomous IOS CLI. I'm testing many different variations but am posting one working configuration here. The end goal: WDS with 802.11n clients using CCKM for fast roaming.
Aligns with CCIE Lab V2.0 document:
Hardware:
I am using two 1142 APs running 12.4(25d)JA. They are named:
Autonomous51 – 192.168.68.51
Autonomous52 – 192.168.68.52
Autonomous51 will be the WDS and Autonomous52 will be the Infrastructure AP participating. I will refer to Autonomous51 as Primary.
Radius Server Setup:
aaa new-model
Enables the AAA subsystem; none of the RADIUS configuration below works without it. If you have to ask, you shouldn't be here.
radius-server local
Enters configuration mode for the local RADIUS server on the AP. The prompt changes to (config-radsrv)#.
no authentication mac
This is optional. By default the local server allows all of its authentication methods (LEAP, EAP-FAST and MAC address authentication); this disables MAC address authentication, which we don't need and which is trivially spoofable anyway.
nas 192.168.68.51 key Cisco
Adds a network access server (NAS) entry for each AP that will be participating in the WDS, using the shared secret Cisco. The NAS list is the set of devices allowed to talk to the local RADIUS server to authenticate "users"; requests from any other source are ignored. For our setup it is effectively the WDS AP itself. The key here must match the key on the corresponding radius-server host line below. Cisco is a lab value only; in anything real use a long random shared secret, because RADIUS's integrity and password protection rest entirely on it.
user Autonomous51 password Cisco
user Autonomous52 password Cisco
user test1 password Cisco
user test2 password Cisco
Adds users to the local RADIUS server. The first two are the accounts the APs participating in the WDS will use to authenticate themselves to the WDS (infrastructure authentication). The next two are the accounts our wireless clients will use. Again, Cisco is a lab password.
YEA!! We've done... absolutely nothing!! At this point the configuration of the RADIUS server is done, but nothing is pointed at it yet. Now we need to make it useful somehow. Exit out of the radius server config and save if you're smart!
radius-server host 192.168.68.51 auth-port 1812 acct-port 1813 key Cisco
Defines the RADIUS server (the AP itself in this case) with its authentication and accounting ports and the shared secret, which must match the nas key configured on the local server above.
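The two key values above (nas ... key on the local server and radius-server host ... key on the NAS) are the only thing that authenticates the RADIUS traffic between the WDS AP and its server. The block below is an added example, not part of the original post, and is written in Python rather than IOS because the point is the protocol rather than the CLI: it builds a constructed Access-Request/Access-Challenge pair like the first leg of the infrastructure authentication, with the Message-Authenticator (RFC 3579) that every EAP-carrying RADIUS packet must have and the Response Authenticator (RFC 2865) on the reply, then verifies them with the right secret, with a wrong secret, and after tampering. The packet identifiers, NAS IP, usernames and EAP payloads are assumptions; the placeholder LEAP request is not a real LEAP message.

```python
"""RADIUS integrity between a NAS (the WDS AP) and its RADIUS server (RFC 2865 / RFC 3579).
Added example, not from the original post; identifiers, IDs and EAP payloads are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HDR = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def encode_attrs(attrs):
    """[(type, value)] -> RADIUS Type/Length/Value wire format."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(data):
    """Wire attributes -> [(type, value, offset)], rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length], i))
        i += length
    return attrs


def build_packet(code, ident, request_auth, attrs, secret):
    """Build a packet ending in a Message-Authenticator (RFC 3579 3.2). request_auth is random
    for an Access-Request and, for a response, copied from the request being answered."""
    body = encode_attrs(attrs) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = HDR.pack(code, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac  # fill in the zeroed Message-Authenticator
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    # Responses carry the RFC 2865 Response Authenticator, also keyed by the secret
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_packet(packet, secret, request_auth=None):
    """Validate a received packet; returns (ok, reason). Both checks are keyed with the shared
    secret, so a peer without it can neither forge a request nor spoof a Challenge/Accept."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = HDR.unpack_from(packet)
    if length != len(packet):
        return False, "length mismatch"
    if code == ACCESS_REQUEST:
        request_auth = packet[4:20]  # requests carry their own Request Authenticator
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError as e:
        return False, str(e)
    macs = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][0]) != 16:
        return False, "missing or malformed Message-Authenticator"  # RFC 3579: discard
    mac, off = macs[0]
    zeroed = bytearray(packet[20:])
    zeroed[off + 2:off + 18] = bytes(16)
    expected = hmac.new(secret, packet[:4] + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad Message-Authenticator (wrong shared secret or tampered)"
    if code != ACCESS_REQUEST:
        resp = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
        if not hmac.compare_digest(resp, packet[4:20]):
            return False, "bad Response Authenticator"
    return True, "ok"


def demo(secret=b"Cisco", wrong_secret=b"Cisc0"):
    """Constructed exchange: NAS 192.168.68.51 relays Autonomous52's EAP-Response/Identity and
    the server answers with an Access-Challenge; then the same packets checked the wrong way."""
    req_auth = os.urandom(16)
    eap_identity = bytes([2, 1, 0, 17, 1]) + b"Autonomous52"  # EAP Response, id 1, type Identity
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(USER_NAME, b"Autonomous52"),
        (NAS_IP_ADDRESS, bytes([192, 168, 68, 51])), (EAP_MESSAGE, eap_identity)], secret)
    eap_req = bytes([1, 2, 0, 5, 17])  # placeholder EAP Request, id 2, type 17 (LEAP), no data
    challenge = build_packet(ACCESS_CHALLENGE, 7, req_auth, [(EAP_MESSAGE, eap_req)], secret)
    tampered = request[:20] + request[20:].replace(b"Autonomous52", b"Autonomous99")
    return {
        "request_ok": verify_packet(request, secret),
        "challenge_ok": verify_packet(challenge, secret, req_auth),
        "request_wrong_secret": verify_packet(request, wrong_secret),
        "challenge_wrong_secret": verify_packet(challenge, wrong_secret, req_auth),
        "tampered_request": verify_packet(tampered, secret),
    }


if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in demo().items()), sep="\n")
```

Run it and the genuine pair passes while both wrong-secret cases and the tampered request fail. This is also why a lab secret like Cisco is a bad idea anywhere else: the Response Authenticator is a plain MD5 over the packet plus the secret, so a short dictionary-word secret can be recovered offline from a single captured request/response pair, after which an attacker can forge Access-Accepts to the NAS.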
aaa group server radius InfraAP
This creates the RADIUS server group named "InfraAP", which we will reference later from a method list.
server 192.168.68.51 auth-port 1812 acct-port 1813
Tells the group which server to use (the server we defined above).
aaa authentication login APList group InfraAP
Creates a login method list named APList that uses the previously created group InfraAP.
wlccp authentication-server infrastructure APList
Tells the WDS to authenticate infrastructure APs using the method list APList, which calls the group InfraAP, which calls the RADIUS server.
wlccp wds priority 255 interface BVI1
Enables the WDS role on this AP and sets its priority (1 to 255). When several APs are WDS candidates, the one with the highest priority becomes the active WDS and the others stand by as backups.
At this point our AP should be able to tell us something about the WDS.
Autonomous51#show wlccp wds
MAC: c84c.7547.2447, IP-ADDR: 192.168.68.51 , Priority: 255
Interface BVI1, State: Administratively StandAlone – ACTIVE
AP Count: 1 , MN Count: 0
Now head over to the second AP (Autonomous52) and see if we can make it join the WDS.
wlccp ap username Autonomous52 password Cisco
This tells our second AP to use this username/password (its LEAP credential, one of the user accounts we created on the local RADIUS server) to authenticate itself to the WDS. If you are watching the console you may see %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated. The AP discovers the WDS through multicast on the local subnet; optionally you can point it straight at the WDS with wlccp ap wds ip address 192.168.68.51.
Let’s take a moment to do some verification:
Autonomous52#show wlccp ap
WDS = c84c.7547.2447, 192.168.68.51
state = wlccp_ap_st_registered
IN Authenticator = 192.168.68.51
MN Authenticator = 192.168.68.51
We can see the second AP has found and registered to the WDS AP.
Autonomous51#show wlccp wds ap
HOSTNAME MAC-ADDR IP-ADDR STATE
Autonomous52 c84c.7500.ee12 192.168.68.52 REGISTERED
On our WDS we can see the AP is REGISTERED. Now let's register the WDS AP with itself, since the WDS AP also has to participate as an infrastructure AP if it is going to serve clients.
wlccp ap username Autonomous51 password Cisco
Just like before, this tells the AP to use this username/password to join the WDS, which in this case is itself. Again you may see %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated on the console, and optionally you can point it at the WDS explicitly with wlccp ap wds ip address 192.168.68.51. Yup, it talks to itself...
I enabled a bunch of wlccp debugging prior to this command. Here is the output of that:
*Mar 1 08:09:59.019: wlccp_ap_wds_disc: sending wds discovery req
*Mar 1 08:09:59.019: wlccp_ap_wds_disc: sending wds discovery req
*Mar 1 08:10:02.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:02.285: wlccp_ap_wds_disc: instance age: 252, active, Advertisement Period: 5
*Mar 1 08:10:02.285: wlccp_ap_wds_disc: new wds discovered
*Mar 1 08:10:02.285: wlccp_ap_fsm: swan_ap_auth_scm_update-- new scm
*Mar 1 08:10:02.285: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_start, state: wlccp_ap_st_init
*Mar 1 08:10:02.285: wlccp_ap_fsm: start AP leap authentication
*Mar 1 08:10:02.285: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_init -> state: wlccp_ap_st_leap_auth
*Mar 1 08:10:02.286: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 1 auth 4 key 0
*Mar 1 08:10:02.286: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.286: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 1 auth 4 key 0
*Mar 1 08:10:02.287: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 2 auth 0 key 0
*Mar 1 08:10:02.287: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 2 auth 0 key 0
*Mar 1 08:10:02.289: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.294: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 3 auth 0 key 0
*Mar 1 08:10:02.294: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 3 auth 0 key 0
*Mar 1 08:10:02.299: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.300: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 4 auth 0 key 0
*Mar 1 08:10:02.301: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 4 auth 0 key 0
*Mar 1 08:10:02.306: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.306: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.306: WDS: WLCCP_TYPE_AAA (FINISH) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar 1 08:10:02.311: wlccp_ap_fsm: leap_auth_resp status sucess
*Mar 1 08:10:02.311: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_leap_reply, state: wlccp_ap_st_leap_auth
*Mar 1 08:10:02.311: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_leap_auth -> state: wlccp_ap_st_path_init
*Mar 1 08:10:02.311: wlccp_ap_fsm: swan_ap_auth_fsm, rc 1
*Mar 1 08:10:02.312: WDS: WLCCP_TYPE_PATH_INIT rcvd Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, msg_id 5
*Mar 1 08:10:02.312: WDS: Path Init Rcvd: got KSC 1 *
*Mar 1 08:10:02.312: WDS: Path Init Reply: sent ksc 1 *
*Mar 1 08:10:02.312: WDS: Path Init Reply: sent msc 1 *
*Mar 1 08:10:02.312: WDS: WLCCP_TYPE_PATH_INIT Reply sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, msg_id 5
*Mar 1 08:10:02.313: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_path_init_reply, state: wlccp_ap_st_path_init
*Mar 1 08:10:02.313: wlccp_ap_fsm: AP path-init reply
*Mar 1 08:10:02.313: wlccp_ap_fsm: swan_ap_auth_bld_and_send_in_reg_msg : cdp neighbor info available:CDP neighbor TLV size is 46
*Mar 1 08:10:02.313: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_path_init -> state: wlccp_ap_st_registering
*Mar 1 08:10:02.314: WDS: WLCCP REG Req rcvd, Org=c84c.7547.2447, Rsp=c84c.7547.2447, Req c84c.7547.2447 len 284, id 6
*Mar 1 08:10:02.314: WDS: WTLV_IPV4_ADDRESS - ip_addr 192.168.68.51
*Mar 1 08:10:02.314: WDS: WTLV_IPV4_ADDRESS - CDP Neighbor_ip_addr192.168.68.253
*Mar 1 08:10:02.314: WDS: WTLV_PORT_ID_STRING
*Mar 1 08:10:02.314: WDS: WTLV_NODE_NAME Switch
*Mar 1 08:10:02.314: WDS: AP Neighbor info : ip_address = 192.168.68.253, hostname = Switch,interface_name = GigabitEthernet0/3
*Mar 1 08:10:02.314: WDS: WTLV_NODE_NAME Autonomous51
*Mar 1 08:10:02.314: WDS: WTLV_AUTHENTICATOR for src - dst : c84c.7547.2447 - c84c.7547.2447
*Mar 1 08:10:02.314: WDS: Auth Req TLV Rcvd: got KSC 1 *
*Mar 1 08:10:02.314: WDS: Auth Req TLV: Good MSC got 2 *
*Mar 1 08:10:02.314: WDS: Auth Reply TLV Sent: ksc 1 *
*Mar 1 08:10:02.314: WDS: Auth Reply TLV Sent: msc 3 *
*Mar 1 08:10:02.314: WDS: AP Version: 0001 0000 C1140 12.4(25d)JA
*Mar 1 08:10:02.314: WDS: WLCCP_TYPE_REG Reply sent with Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, status 0
*Mar 1 08:10:02.315: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_reg_reply, state: wlccp_ap_st_registering
*Mar 1 08:10:02.315: wlccp_ap_fsm: wlccp_ap_auth_reg_reply
*Mar 1 08:10:02.315: wlccp_ap_fsm: AP authenticated ...
*Mar 1 08:10:02.315: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated
*Mar 1 08:10:02.315: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_registering -> state: wlccp_ap_st_registered
*Mar 1 08:10:07.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:07.285: wlccp_ap_wds_disc: instance age: 253, active, Advertisement Period: 5
*Mar 1 08:10:12.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:12.285: wlccp_ap_wds_disc: instance age: 254, active, Advertisement Period: 5
*Mar 1 08:10:17.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:17.285: wlccp_ap_wds_disc: instance age: 255, active, Advertisement Period: 5
*Mar 1 08:10:22.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:22.285: wlccp_ap_wds_disc: instance age: 256, active, Advertisement Period: 5
*Mar 1 08:10:27.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar 1 08:10:27.285: wlccp_ap_wds_disc: instance age: 257, active, Advertisement Period: 5
Things are looking good. Let's do some checks:
Autonomous51#show wlccp ap
WDS = c84c.7547.2447, 192.168.68.51
state = wlccp_ap_st_registered
IN Authenticator = 192.168.68.51
MN Authenticator = 192.168.68.51
Autonomous51#show wlccp wds ap
HOSTNAME MAC-ADDR IP-ADDR STATE
Autonomous51 c84c.7547.2447 192.168.68.51 REGISTERED
Autonomous52 c84c.7500.ee12 192.168.68.52 REGISTERED
Autonomous51#show wlccp wds
MAC: c84c.7547.2447, IP-ADDR: 192.168.68.51 , Priority: 255
Interface BVI1, State: Administratively StandAlone – ACTIVE
AP Count: 2 , MN Count: 0
As we can see we now have both APs registered to the WDS, and it reports itself as StandAlone - ACTIVE. Let's add some redundancy by making the other AP a WDS candidate as well. This is just for the WDS role; we're going to continue to use the RADIUS server on the primary AP. First we have to add the second AP as a NAS on the primary AP's RADIUS server so it is allowed to send authentication requests if it ever becomes the active WDS.
radius-server local
nas 192.168.68.52 key Cisco
Next, over to the second AP:
aaa new-model
radius-server host 192.168.68.51 auth-port 1812 acct-port 1813 key Cisco
aaa group server radius InfraAP
server 192.168.68.51 auth-port 1812 acct-port 1813
aaa authentication login APList group InfraAP
wlccp authentication-server infrastructure APList
wlccp wds priority 250 interface BVI1
As before, this sets up the connection to the RADIUS server on the primary AP and enables WDS on this AP, but with a lower priority of 250 so the primary stays active. Now let's take a look at the results.
Autonomous52#show wlccp wds
MAC: c84c.7500.ee12, IP-ADDR: 192.168.68.52 , Priority: 250
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: c84c.7547.2447, Priority: 255, IP-ADDR: 192.168.68.51
As we can see, this second AP is now participating but is the backup, and the active WDS is clearly listed.
OK, we have a working WDS. But nothing is using it, as we don't have anything running on either of the radios, not to mention nothing is set up to authenticate clients.
In this setup you could use the exact same method list and group for the wireless clients as we used for the APs. However, I'm going to use a separate one and apply the following to both APs.
aaa group server radius Clients
server 192.168.68.51 auth-port 1812 acct-port 1813
aaa authentication login WirelessClients group Clients
This creates a new group Clients and a new method list WirelessClients mapped to that group.
wlccp authentication-server client any WirelessClients
ssid Test
This tells the WDS to authenticate clients (any authentication type) using the WirelessClients method list, and the ssid subcommand restricts it to clients on the SSID Test. Yea yea yea... I know the SSID Test doesn't exist yet. Let's fix that!
dot11 ssid Test
authentication open eap WirelessClients
authentication key-management wpa version 2 cckm
guest-mode
Open authentication with 802.1X/EAP using the WirelessClients method list, WPA2 key management with CCKM added so clients can fast-roam between the WDS-registered APs, and guest-mode so the SSID is broadcast in beacons.
interface dot11Radio 1
encryption mode ciphers aes-ccm
ssid Test
channel width 40-above
no shut
There... happy now! I chose to use the 5 GHz side (dot11Radio 1) and for fun enabled 40 MHz channels. Make sure your client supports this before enabling it! Now you should be able to set up a client and connect with authentication:
Network Auth: WPA2 - Enterprise
Data Encryption: AES - CCMP
Authentication type: LEAP
One caveat worth stating plainly: LEAP has been known since 2003 to be susceptible to an offline dictionary attack against the user's password from a single captured challenge/response exchange (Joshua Wright's asleap), and that is what both the infrastructure APs and the test1/test2 client accounts above are using. The local RADIUS server also supports EAP-FAST; if your clients support it, use that instead and keep LEAP for the lab only.
Proof is in the association. Note the Key Mgmt type of CCKM, which is the whole point of the exercise:
Address : 0026.c6a1.5f4c Name : IS04
IP Address : 192.168.68.30 Interface : Dot11Radio 1
Device : ccx-client Software Version : NONE
CCX Version : 4 Client MFP : Off
State : EAP-Assoc Parent : self
SSID : Test
VLAN : 0
Hops to Infra : 1 Association Id : 1
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : CCKM Encryption : AES-CCMP
Current Rate : m15. Capability : WMM 11h
Supported Rates : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates : disabled Bandwidth : 40 MHz
Signal Strength : -60 dBm Connected for : 43 seconds
Signal to Noise : 25 dB Activity Timeout : 18 seconds
Power-save : On Last Activity : 2 seconds ago
Apsd DE AC(s) : NONE
Packets Input : 3156 Packets Output : 1778
Bytes Input : 215448 Bytes Output : 2133159
Duplicates Rcvd : 2 Data Retries : 1996
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never