Monday, February 13, 2012


Cisco WDS setup using AP as WDS and local radius.
This outlines the procedure needed to set up WDS using a single AP as the WDS, with the local RADIUS server on that AP authenticating both the infrastructure APs and the wireless clients. I can’t find any real-world use of this setup other than a small office or area with no other authentication server that happens to have wireless voice. I’m simply doing this as a lab to gain more understanding of the Autonomous CLI. I'm testing many different situations/solutions but posting a working configuration here. The end goal: WDS with 802.11n utilizing CCKM.

Aligns with CCIE Lab V2.0 document:

Hardware:
I am using two 1142 APs running 12.4-25d.JA. They are named:
Autonomous51 – 192.168.68.51
Autonomous52 – 192.168.68.52
Autonomous51 will be the WDS and Autonomous52 will be the infrastructure AP participating in it. I will refer to Autonomous51 as the primary.

Radius Server Setup:
aaa new-model
If you have to ask you shouldn’t be here.

radius-server local
Enters configuration for the local RADIUS server on the AP. At this point you will be in the RADIUS server configuration mode, (config-radsrv)#.

no authentication mac
This is optional. By default all authentication methods are allowed; this disables the MAC authentication method.

nas 192.168.68.51 key Cisco
Add network access server entries for the APs that will be participating in the WDS, using the shared key Cisco. These NAS entries list the devices allowed to contact the RADIUS server to authenticate “users”; for our setup that is effectively the WDS AP itself.

user Autonomous51 password Cisco
user Autonomous52 password Cisco
user test1 password Cisco
user test2 password Cisco

Add users to the RADIUS server. The first two are the users that the APs participating in the WDS will use to authenticate themselves to the WDS. The next two are the users we will use for wireless clients to authenticate.

YEA!! We’ve done ….absolutely nothing!! At this point the configuration of the RADIUS server is done. Now we need to make it useful somehow. Exit out of the RADIUS server config and save if you're smart!

radius-server host 192.168.68.51 auth-port 1812 acct-port 1813 key Cisco
Defines the RADIUS server (the AP itself in this case) with its authentication and accounting ports and shared key.

aaa group server radius InfraAP
This creates the RADIUS server group named “InfraAP”, which we will call later with a method list.

server 192.168.68.51 auth-port 1812 acct-port 1813
Tells the group which server to use (the server we added above).

aaa authentication login APList group InfraAP
Creates a login method list named APList and assigns it the previously created group InfraAP.

wlccp authentication-server infrastructure APList
This sets up the AP for WDS and tells it to use the method list APList, which calls the group InfraAP, which in turn calls the RADIUS server.

wlccp wds priority 255 interface BVI1
This sets the WDS priority, between 1 and 255, where higher numbers are more likely to become the WDS.
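To make the chain those commands build explicit, here is an added Python check (not part of the post and not a Cisco tool) that parses a configuration like the one above and follows wlccp authentication-server to its login method list, the server group, the radius-server host entry and, when that host is the AP itself, the local NAS entries. The embedded configuration is a constructed copy of the commands above; MIN_KEY_LEN is an assumed policy threshold, and participating_aps is the caller's list of APs that will contact the local RADIUS server directly (only the WDS AP at this point in the post, both APs once the second one is made a WDS candidate). Run against both APs it reports two findings: the shared key Cisco is short, and there is no NAS entry yet for the second AP.

```python
import re
from collections import defaultdict

# Constructed sample: the WDS AP's configuration assembled from the commands in
# this post (written with "radius-server local", the form IOS accepts).
WDS_AP_CONFIG = """\
aaa new-model
radius-server local
 no authentication mac
 nas 192.168.68.51 key Cisco
 user Autonomous51 password Cisco
 user Autonomous52 password Cisco
 user test1 password Cisco
 user test2 password Cisco
radius-server host 192.168.68.51 auth-port 1812 acct-port 1813 key Cisco
aaa group server radius InfraAP
 server 192.168.68.51 auth-port 1812 acct-port 1813
aaa authentication login APList group InfraAP
wlccp authentication-server infrastructure APList
wlccp wds priority 255 interface BVI1
"""

# Assumption (a policy threshold, not an IOS rule): a shared key shorter than
# this is treated as a lab placeholder and flagged.
MIN_KEY_LEN = 16


def parse_wds_config(text):
    """Pull the RADIUS/WLCCP pieces out of an IOS config. Indented lines belong
    to the sub-mode opened by the last unindented line, which is how 'server'
    lines are tied to their 'aaa group server radius' block."""
    cfg = {"nas": {}, "users": set(), "hosts": {}, "groups": defaultdict(list),
           "login_lists": {}, "wlccp_lists": {}}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            group = None                      # back at global config level
        if m := re.match(r"nas (\S+) key (\S+)$", line):
            cfg["nas"][m[1]] = m[2]
        elif m := re.match(r"user (\S+) password ", line):
            cfg["users"].add(m[1])
        elif m := re.match(r"radius-server host (\S+) .*\bkey (\S+)$", line):
            cfg["hosts"][m[1]] = m[2]
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            group = m[1]
            cfg["groups"][group]              # register even if no server follows
        elif group and (m := re.match(r"server (\S+)", line)):
            cfg["groups"][group].append(m[1])
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)$", line):
            cfg["login_lists"][m[1]] = m[2]
        elif m := re.match(r"wlccp authentication-server (infrastructure|client \S+) (\S+)$", line):
            cfg["wlccp_lists"][m[1]] = m[2]
    return cfg


def lint_wds_chain(text, self_ip, participating_aps):
    """Follow wlccp authentication-server -> login method list -> server group ->
    radius-server host -> (if the host is this AP) local NAS entries. Returns
    findings as strings; an empty list means the chain is consistent."""
    cfg = parse_wds_config(text)
    findings = []
    if "infrastructure" not in cfg["wlccp_lists"]:
        findings.append("no 'wlccp authentication-server infrastructure' line; WDS has no AAA path")
    for role, mlist in cfg["wlccp_lists"].items():
        group = cfg["login_lists"].get(mlist)
        if group is None:
            findings.append(f"{role}: method list {mlist} is not defined")
            continue
        servers = cfg["groups"].get(group)
        if not servers:
            findings.append(f"{role}: group {group} is missing or has no servers")
            continue
        for ip in servers:
            key = cfg["hosts"].get(ip)
            if key is None:
                findings.append(f"{role}: no 'radius-server host {ip}' entry for group {group}")
                continue
            if len(key) < MIN_KEY_LEN:
                findings.append(f"{role}: shared key for {ip} is shorter than {MIN_KEY_LEN} characters")
            if ip != self_ip:
                continue                      # remote RADIUS: its NAS list lives elsewhere
            # Local RADIUS: every AP that will ask it for authentication needs a NAS
            # entry, and this AP's own NAS key must equal the key it uses as a client.
            for ap in participating_aps:
                nas_key = cfg["nas"].get(ap)
                if nas_key is None:
                    findings.append(f"local RADIUS has no 'nas {ap}' entry for a participating AP")
                elif ap == self_ip and nas_key != key:
                    findings.append(f"'nas {ap}' key differs from the radius-server host key")
    return findings


if __name__ == "__main__":
    aps = ["192.168.68.51", "192.168.68.52"]
    for finding in lint_wds_chain(WDS_AP_CONFIG, "192.168.68.51", aps) or ["chain OK"]:
        print(finding)
```

The check deliberately walks the references in the same direction IOS resolves them, so a typo in any one name (method list, group, or server address) surfaces as a single finding naming the broken link rather than as a silent authentication failure on the console.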
At this point our AP should be able to tell us something about the WDS.  

Autonomous51#show wlccp wds
      MAC: c84c.7547.2447, IP-ADDR: 192.168.68.51  , Priority: 255
      Interface BVI1, State: Administratively StandAlone - ACTIVE
      AP Count: 1   , MN Count: 0
Now head over to the second AP (Autonomous52) and see if we can make it join the WDS.

wlccp ap username Autonomous52 password Cisco
This command tells our second AP that it should use this username/password to become part of the WDS. At this point you may see something like %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated on the console if you are watching it. WDS uses multicast to find the WDS AP. Optionally you can tell the AP where to find the WDS AP by issuing wlccp ap wds ip address 192.168.68.51.

Let’s take a moment to do some verification:
Autonomous52#show wlccp ap      
 WDS = c84c.7547.2447, 192.168.68.51    
 state = wlccp_ap_st_registered
 IN Authenticator = 192.168.68.51   
 MN Authenticator = 192.168.68.51
 
We can see the second AP has found and registered to the WDS AP.

Autonomous51#show wlccp wds ap
  HOSTNAME                           MAC-ADDR      IP-ADDR          STATE  
 Autonomous52                     c84c.7500.ee12  192.168.68.52   REGISTERED
On our WDS we can see the AP is REGISTERED. Now let’s go add our WDS AP to itself.

wlccp ap username Autonomous51 password Cisco
Just like before, this tells the AP that it should use this username/password to become part of the WDS (itself). At this point you may see something like %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated on the console if you are watching it. Optionally you can tell the AP where to find the WDS AP by issuing wlccp ap wds ip address 192.168.68.51. Yup, it talks to itself...

I enabled a bunch of wlccp debugging prior to this command. Here is the output:
*Mar  1 08:09:59.019: wlccp_ap_wds_disc: sending wds discovery req
*Mar  1 08:10:02.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:02.285: wlccp_ap_wds_disc: instance age: 252, active, Advertisement Period: 5
*Mar  1 08:10:02.285: wlccp_ap_wds_disc: new wds discovered
*Mar  1 08:10:02.285: wlccp_ap_fsm: swan_ap_auth_scm_update-- new scm
*Mar  1 08:10:02.285: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_start, state: wlccp_ap_st_init
*Mar  1 08:10:02.285: wlccp_ap_fsm: start AP leap authentication
*Mar  1 08:10:02.285: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_init -> state: wlccp_ap_st_leap_auth
*Mar  1 08:10:02.286: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 1 auth 4 key 0
*Mar  1 08:10:02.286: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.286: WDS: WLCCP_TYPE_AAA (START) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 1 auth 4 key 0
*Mar  1 08:10:02.287: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 2 auth 0 key 0
*Mar  1 08:10:02.287: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 2 auth 0 key 0
*Mar  1 08:10:02.289: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.294: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 3 auth 0 key 0
*Mar  1 08:10:02.294: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 3 auth 0 key 0
*Mar  1 08:10:02.299: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.300: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 4 auth 0 key 0
*Mar  1 08:10:02.301: WDS: WLCCP_TYPE_AAA (EAP Request) rcvd, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, id 4 auth 0 key 0
*Mar  1 08:10:02.306: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.306: WDS: WLCCP_TYPE_AAA (EAPOL) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.306: WDS: WLCCP_TYPE_AAA (FINISH) sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, auth 4, key 0
*Mar  1 08:10:02.311: wlccp_ap_fsm: leap_auth_resp status sucess
*Mar  1 08:10:02.311: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_leap_reply, state: wlccp_ap_st_leap_auth
*Mar  1 08:10:02.311: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_leap_auth -> state: wlccp_ap_st_path_init
*Mar  1 08:10:02.311: wlccp_ap_fsm: swan_ap_auth_fsm, rc 1
*Mar  1 08:10:02.312: WDS: WLCCP_TYPE_PATH_INIT rcvd Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, msg_id 5
*Mar  1 08:10:02.312: WDS: Path Init Rcvd: got KSC 1 *
*Mar  1 08:10:02.312: WDS: Path Init Reply: sent ksc 1 *
*Mar  1 08:10:02.312: WDS: Path Init Reply: sent msc 1 *
*Mar  1 08:10:02.312: WDS: WLCCP_TYPE_PATH_INIT Reply sent with Source IP = 192.168.68.51, Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, msg_id 5
*Mar  1 08:10:02.313: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_path_init_reply, state: wlccp_ap_st_path_init
*Mar  1 08:10:02.313: wlccp_ap_fsm: AP path-init reply
*Mar  1 08:10:02.313: wlccp_ap_fsm: swan_ap_auth_bld_and_send_in_reg_msg : cdp neighbor info available:CDP neighbor TLV size is 46
*Mar  1 08:10:02.313: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_path_init -> state: wlccp_ap_st_registering
*Mar  1 08:10:02.314: WDS: WLCCP REG Req rcvd, Org=c84c.7547.2447, Rsp=c84c.7547.2447, Req c84c.7547.2447 len 284, id 6
*Mar  1 08:10:02.314: WDS: WTLV_IPV4_ADDRESS - ip_addr 192.168.68.51
*Mar  1 08:10:02.314: WDS: WTLV_IPV4_ADDRESS - CDP Neighbor_ip_addr192.168.68.253
*Mar  1 08:10:02.314: WDS: WTLV_PORT_ID_STRING

*Mar  1 08:10:02.314: WDS: WTLV_NODE_NAME Switch

*Mar  1 08:10:02.314: WDS: AP Neighbor info : ip_address = 192.168.68.253, hostname = Switch,interface_name = GigabitEthernet0/3
*Mar  1 08:10:02.314: WDS: WTLV_NODE_NAME Autonomous51

*Mar  1 08:10:02.314: WDS: WTLV_AUTHENTICATOR for src - dst : c84c.7547.2447 - c84c.7547.2447
*Mar  1 08:10:02.314: WDS: Auth Req TLV Rcvd: got KSC 1 *
*Mar  1 08:10:02.314: WDS: Auth Req TLV: Good MSC got 2 *
*Mar  1 08:10:02.314: WDS: Auth Reply TLV Sent: ksc 1 *
*Mar  1 08:10:02.314: WDS: Auth Reply TLV Sent: msc 3 *
*Mar  1 08:10:02.314: WDS: AP Version: 0001 0000 C1140 12.4(25d)JA
*Mar  1 08:10:02.314: WDS: WLCCP_TYPE_REG Reply sent with Org = c84c.7547.2447, Rsp = c84c.7547.2447, Req c84c.7547.2447, status 0
*Mar  1 08:10:02.315: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_reg_reply, state: wlccp_ap_st_registering
*Mar  1 08:10:02.315: wlccp_ap_fsm: wlccp_ap_auth_reg_reply
*Mar  1 08:10:02.315: wlccp_ap_fsm: AP authenticated ...
*Mar  1 08:10:02.315: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated
*Mar  1 08:10:02.315: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_registering -> state: wlccp_ap_st_registered

*Mar  1 08:10:07.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:07.285: wlccp_ap_wds_disc: instance age: 253, active, Advertisement Period: 5

*Mar  1 08:10:12.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:12.285: wlccp_ap_wds_disc: instance age: 254, active, Advertisement Period: 5

*Mar  1 08:10:17.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:17.285: wlccp_ap_wds_disc: instance age: 255, active, Advertisement Period: 5

*Mar  1 08:10:22.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:22.285: wlccp_ap_wds_disc: instance age: 256, active, Advertisement Period: 5

*Mar  1 08:10:27.285: wlccp_ap_wds_disc: receive wds discovery msg from c84c.7547.2447
*Mar  1 08:10:27.285: wlccp_ap_wds_disc: instance age: 257, active, Advertisement Period: 5
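The state transitions buried in that debug output, as an added example that is not from the post: a small Python parser that pulls the wlccp_ap_fsm state changes and the %WLCCP_AP-6-INFRA syslog out of a trace and reports whether the AP actually reached wlccp_ap_st_registered. The embedded trace is the subset of the author's debug lines the parser keys on, and the expected state path is taken from those same lines. It also records that the infrastructure authentication ran as LEAP, which is worth noticing when reading these traces: LEAP is a legacy method, and the key Cisco used throughout this lab belongs only in a lab.

```python
import re

# Sample trace: the wlccp_ap_fsm and syslog lines from the post's debug output,
# trimmed to the lines this parser keys on.
JOIN_TRACE = """\
*Mar  1 08:10:02.285: wlccp_ap_wds_disc: new wds discovered
*Mar  1 08:10:02.285: wlccp_ap_fsm: START-FSM: event:wlccp_ap_ev_start, state: wlccp_ap_st_init
*Mar  1 08:10:02.285: wlccp_ap_fsm: start AP leap authentication
*Mar  1 08:10:02.285: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_init -> state: wlccp_ap_st_leap_auth
*Mar  1 08:10:02.311: wlccp_ap_fsm: leap_auth_resp status sucess
*Mar  1 08:10:02.311: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_leap_auth -> state: wlccp_ap_st_path_init
*Mar  1 08:10:02.313: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_path_init -> state: wlccp_ap_st_registering
*Mar  1 08:10:02.315: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated
*Mar  1 08:10:02.315: wlccp_ap_fsm: END-FSM:state:wlccp_ap_st_registering -> state: wlccp_ap_st_registered
"""

# The path a successful join walks, as seen in the post's own trace.
EXPECTED_PATH = ["wlccp_ap_st_init", "wlccp_ap_st_leap_auth", "wlccp_ap_st_path_init",
                 "wlccp_ap_st_registering", "wlccp_ap_st_registered"]

TRANSITION = re.compile(r"END-FSM:state:(\S+) -> state: (\S+)")


def trace_ap_join(text):
    """Summarise one AP's WLCCP join attempt from wlccp debug output.

    Returns the ordered list of FSM states, the infrastructure authentication
    method seen, whether the success syslog appeared, and whether the join
    ended in wlccp_ap_st_registered with that syslog confirming it."""
    transitions, auth_method, syslog_ok = [], None, False
    for line in text.splitlines():
        if m := TRANSITION.search(line):
            transitions.append((m[1], m[2]))
        elif "start AP leap authentication" in line:
            auth_method = "LEAP"
        elif "%WLCCP_AP-6-INFRA" in line:
            syslog_ok = True
    # First 'from' state plus every 'to' state gives the full path walked.
    states = [transitions[0][0]] + [t[1] for t in transitions] if transitions else []
    registered = bool(states) and states[-1] == "wlccp_ap_st_registered" and syslog_ok
    return {"states": states, "auth_method": auth_method, "syslog_ok": syslog_ok,
            "registered": registered, "followed_expected_path": states == EXPECTED_PATH}


if __name__ == "__main__":
    summary = trace_ap_join(JOIN_TRACE)
    print(" -> ".join(summary["states"]))
    print("auth:", summary["auth_method"], "registered:", summary["registered"])
```

A trace that stops after the LEAP exchange (a wrong wlccp ap username/password, for instance) never produces the registering or registered transitions, so the summary reports registered as False and shows exactly which state the join stalled in.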

Things are looking good. Let’s do some checks:
Autonomous51#show wlccp ap
 WDS = c84c.7547.2447, 192.168.68.51    
 state = wlccp_ap_st_registered
 IN Authenticator = 192.168.68.51   
 MN Authenticator = 192.168.68.51  

Autonomous51#show wlccp wds ap
  HOSTNAME                           MAC-ADDR      IP-ADDR          STATE  
 Autonomous51                     c84c.7547.2447  192.168.68.51   REGISTERED  
 Autonomous52                     c84c.7500.ee12  192.168.68.52   REGISTERED  

Autonomous51#show wlccp wds   
      MAC: c84c.7547.2447, IP-ADDR: 192.168.68.51  , Priority: 255
      Interface BVI1, State: Administratively StandAlone - ACTIVE
      AP Count: 2   , MN Count: 0  

As we can see, we now have both APs registered to the WDS and it states it is StandAlone - ACTIVE. Let's add some redundancy by making the other AP participate. This is just for the WDS; we’re going to continue to use the RADIUS server on the primary AP. First we have to add the second AP as a NAS on the primary AP’s RADIUS server so it can request authentication.
radius-server local
   nas 192.168.68.52 key Cisco

Next over to the second AP
aaa new-model
radius-server host 192.168.68.51 auth-port 1812 acct-port 1813 key Cisco
aaa group server radius InfraAP
 server 192.168.68.51 auth-port 1812 acct-port 1813
aaa authentication login APList group InfraAP
wlccp authentication-server infrastructure APList
wlccp wds priority 250 interface BVI1

OK, so as we did before, this sets up the connection to the RADIUS server on the primary AP and configures this AP as a WDS candidate, but with a lower priority of 250. Now let’s take a look at the results.
Autonomous52#show wlccp wds
      MAC: c84c.7500.ee12, IP-ADDR: 192.168.68.52  , Priority: 250
      Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: c84c.7547.2447, Priority: 255, IP-ADDR: 192.168.68.51
As we can see, this second AP is now participating but is the backup, and the active WDS is clearly listed. OK, we have a working WDS. But nothing is using it: we don’t have anything running on either of the radios, not to mention nothing is set up to authenticate clients.
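The checks done by eye above (one ACTIVE, the backup pointing at it, both APs REGISTERED) can be automated; the following Python is an added example, not from the post, that parses show wlccp wds output from each candidate and the show wlccp wds ap table and cross-checks them. The embedded outputs are constructed copies of the post's own, and check_wds_domain's findings are my own wording. It goes a little beyond the post by also catching the case where two APs both believe they are ACTIVE, which is what a second WDS candidate on the same subnet that cannot see the first one's advertisements looks like.

```python
import re

# Constructed samples in the shape of the post's own output: the ACTIVE WDS, the
# BACKUP candidate, and the registration table from the WDS AP.
ACTIVE_WDS = """\
Autonomous51#show wlccp wds
      MAC: c84c.7547.2447, IP-ADDR: 192.168.68.51  , Priority: 255
      Interface BVI1, State: Administratively StandAlone - ACTIVE
      AP Count: 2   , MN Count: 0
"""
BACKUP_WDS = """\
Autonomous52#show wlccp wds
      MAC: c84c.7500.ee12, IP-ADDR: 192.168.68.52  , Priority: 250
      Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: c84c.7547.2447, Priority: 255, IP-ADDR: 192.168.68.51
"""
WDS_AP_TABLE = """\
Autonomous51#show wlccp wds ap
  HOSTNAME                           MAC-ADDR      IP-ADDR          STATE
 Autonomous51                     c84c.7547.2447  192.168.68.51   REGISTERED
 Autonomous52                     c84c.7500.ee12  192.168.68.52   REGISTERED
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"


def parse_show_wlccp_wds(text):
    """Parse one 'show wlccp wds' output; handles both the ACTIVE and BACKUP forms."""
    info = {"mac": None, "ip": None, "priority": None, "state": None,
            "ap_count": None, "mn_count": None, "active": None}
    for line in text.splitlines():
        if m := re.search(rf"Currently ACTIVE WDS - MAC: ({MAC}), Priority: (\d+), IP-ADDR: (\S+)", line):
            info["active"] = {"mac": m[1], "priority": int(m[2]), "ip": m[3]}
        elif m := re.search(rf"MAC: ({MAC}), IP-ADDR: (\S+)\s*, Priority: (\d+)", line):
            info.update(mac=m[1], ip=m[2], priority=int(m[3]))
        elif m := re.search(r"State: (.+?)\s*$", line):
            # "Administratively StandAlone - ACTIVE" is still an active WDS
            info["state"] = "ACTIVE" if m[1].endswith("ACTIVE") else m[1]
        elif m := re.search(r"AP Count: (\d+)\s*, MN Count: (\d+)", line):
            info.update(ap_count=int(m[1]), mn_count=int(m[2]))
    return info


def parse_show_wlccp_wds_ap(text):
    """Parse the 'show wlccp wds ap' registration table into one dict per AP."""
    rows = []
    for line in text.splitlines():
        if m := re.match(rf"\s*(\S+)\s+({MAC})\s+(\S+)\s+(\S+)", line):
            rows.append({"hostname": m[1], "mac": m[2], "ip": m[3], "state": m[4]})
    return rows


def check_wds_domain(wds_outputs, ap_table, expected_aps):
    """Cross-check every WDS candidate's view against the registration table.
    Returns a list of findings; an empty list means the domain looks healthy."""
    findings = []
    members = [parse_show_wlccp_wds(t) for t in wds_outputs]
    actives = [m for m in members if m["state"] == "ACTIVE"]
    if len(actives) != 1:
        findings.append(f"expected exactly one ACTIVE WDS, found {len(actives)}")
    top = max(members, key=lambda m: m["priority"])
    if actives and actives[0]["priority"] < top["priority"]:
        findings.append(f"ACTIVE WDS {actives[0]['ip']} is not the highest-priority candidate")
    for m in members:
        if m["state"] == "BACKUP" and (not m["active"] or not actives
                                       or m["active"]["ip"] != actives[0]["ip"]):
            findings.append(f"backup {m['ip']} does not point at the ACTIVE WDS")
    registered = {r["ip"] for r in parse_show_wlccp_wds_ap(ap_table) if r["state"] == "REGISTERED"}
    for ip in expected_aps:
        if ip not in registered:
            findings.append(f"AP {ip} is not REGISTERED with the WDS")
    if actives and actives[0]["ap_count"] != len(registered):
        findings.append(f"ACTIVE WDS reports AP Count {actives[0]['ap_count']} but table has {len(registered)}")
    return findings


if __name__ == "__main__":
    aps = ["192.168.68.51", "192.168.68.52"]
    print(check_wds_domain([ACTIVE_WDS, BACKUP_WDS], WDS_AP_TABLE, aps) or ["WDS domain OK"])
```

Feeding it the outputs from every AP that carries a wlccp wds priority line is the point: the split-domain case only shows up when the views of all candidates are compared, never from a single AP's output.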

In this setup you could use the exact same method list and group for the wireless clients as we used for the APs. However, I’m going to use separate ones and apply the following to both APs.
aaa group server radius Clients
 server 192.168.68.51 auth-port 1812 acct-port 1813
aaa authentication login WirelessClients group Clients
This creates a new group Clients, then a new method list WirelessClients mapped to the group Clients.

wlccp authentication-server client any WirelessClients
 ssid Test

This maps the clients to the WirelessClients method list and tells the AP to use it with the SSID Test. Yea yea yea… I know the SSID Test doesn’t exist yet. Let's fix that!

dot11 ssid Test
  authentication open eap WirelessClients
  authentication key-management wpa version 2 cckm
  guest-mode
interface dot11Radio 1
 encryption mode ciphers aes-ccm
 ssid Test
 channel width 40-above
 no shut
There… happy now! I chose to use the 5 GHz side (dot11Radio 1) and for fun enabled 40 MHz channels. Make sure your client supports this before enabling it! Now you should be able to set up a client and connect with authentication:
Network Auth: WPA2 – Enterprise
Data Encryption: AES – CCMP
Authentication type: LEAP

Proof is in the association:
 Autonomous51#show dot11 associations 0026.c6a1.5f4c
Address           : 0026.c6a1.5f4c     Name             : IS04
IP Address        : 192.168.68.30      Interface        : Dot11Radio 1
Device            : ccx-client         Software Version : NONE 
CCX Version       : 4                  Client MFP       : Off

State             : EAP-Assoc          Parent           : self               
SSID              : Test                            
VLAN              : 0
Hops to Infra     : 1                  Association Id   : 1
Clients Associated: 0                  Repeaters associated: 0
Tunnel Address    : 0.0.0.0
Key Mgmt type     : CCKM               Encryption       : AES-CCMP
Current Rate      : m15.               Capability       : WMM 11h
Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
Voice Rates       : disabled           Bandwidth        : 40 MHz 
Signal Strength   : -60  dBm           Connected for    : 43 seconds
Signal to Noise   : 25  dB            Activity Timeout : 18 seconds
Power-save        : On                 Last Activity    : 2 seconds ago
Apsd DE AC(s)     : NONE

Packets Input     : 3156               Packets Output   : 1778      
Bytes Input       : 215448             Bytes Output     : 2133159   
Duplicates Rcvd   : 2                  Data Retries     : 1996      
Decrypt Failed    : 0                  RTS Retries      : 0         
MIC Failed        : 0                  MIC Missing      : 0         
Packets Redirected: 0                  Redirect Filtered: 0         
Session timeout   : 0 seconds
Reauthenticate in : never

4 comments:

  1. hello, I would like to ask for some help here... I tried all the steps to configure 2 APs
    (Cisco ap1130AG and a Cisco 861W embedded AP), using the procedure described in the lab.
    I want the two APs to connect and provide roaming to users.., the AP 1130 is the WDS AP.
    the embedded AP (embedded in the router 861W) is the Infrastructure AP. They are configured
    and you can see that the WDS is established between them and I use my PC to connect to the WDS
    AP and it works... but when I moved close to the other AP (embedded AP) the PC does not roam!!!
    It all looks fine but there is no roaming... I would like to ask for some help. I will show the
    config of both devices, and the show commands, if it's necessary.. thanks...

  2. WDS AP:
    CISCO1130AG#sho wlccp wds ap
    HOSTNAME MAC-ADDR IP-ADDR STATE
    CISCO861AP 0025.8469.2bbc 10.0.0.254 REGISTERED
    CISCO1130AG 001e.7abe.4632 10.0.0.252 REGISTERED
    CISCO1130AG#sho wlccp wds
    MAC: 001e.7abe.4632, IP-ADDR: 10.0.0.252 , Priority: 255
    Interface BVI1, State: Administratively StandAlone - ACTIVE
    AP Count: 2 , MN Count: 0
    CISCO1130AG#sho wlccp ap
    WDS = 001e.7abe.4632, 10.0.0.252
    state = wlccp_ap_st_registered
    IN Authenticator = 10.0.0.252
    MN Authenticator = 10.0.0.252

  3. I forgot to mention, but the 2 APs are up and the radio interfaces are up and running... when I use inSSIDer I can see that both APs are up and using the same SSID but on different channels... please help...

  4. Thank you for this, it was very helpful. The only problem I found was with the second command, it should be radius-server local
