WDS with AP as AAA Server


In this example we’re going to configure an AP to be a WDS with a local RADIUS server.
Make sure that the AP and the WDS are on the same subnet; otherwise it will not work.

First we’re going to configure the AP to point to a RADIUS server. In this case it will point to itself.
Because we’re using the local RADIUS server, the authentication and accounting ports should be 1812 and 1813.

aaa new-model
aaa group server radius rad_eap
server 192.168.5.61 auth-port 1812 acct-port 1813
aaa authentication login wds-server group rad_eap
ip radius source-interface BVI1
radius-server host 192.168.5.61 auth-port 1812 acct-port 1813 key cisco

Now we’re configuring the Server Priority :

On the “Local Radius Server” we disable EAP-FAST and MAC authentication, so clients can use only LEAP.
radius-server local
no authentication eapfast
no authentication mac

Configure the local radius server with an AAA Client (The AP)
radius-server local
nas 192.168.5.61 key cisco

Create a user on the local RADIUS server:
radius-server local
user AP1242 password cisco

Let’s enable the WDS on the AP with a priority of 254 (the higher the priority, the greater the chance that the AP becomes the WDS)
wlccp wds priority 254 interface BVI1

Enable Infrastructure authentication :
wlccp authentication-server infrastructure wds-server

The WDS AP now acts as an AAA server.

Configure the other AP to point to the WDS.
wlccp ap username AP1242 password cisco

And enable AAA and point it to the WDS AP
aaa new-model
aaa group server radius rad_eap
server 192.168.5.61 auth-port 1812 acct-port 1813

To verify the configuration you can use the following commands at the WDS AP :

1252Auto#sh wlccp wds ap
HOSTNAME MAC-ADDR IP-ADDR STATE

1252Auto#sh wlccp wds ap
HOSTNAME MAC-ADDR IP-ADDR STATE
0022.901b.a914 192.168.5.62 AUTH IN PROGR

1252Auto#sh wlccp wds ap
HOSTNAME MAC-ADDR IP-ADDR STATE
Auto1242 0022.901b.a914 192.168.5.62 REGISTERED

On the AP you can use the commands :
Auto1242#sh wlccp ap
WDS = 0023.33f6.c308, 192.168.5.61
state = wlccp_ap_st_registered
IN Authenticator = 192.168.5.61
MN Authenticator = 192.168.5.61
Auto1242#
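
When an AP stays in AUTH IN PROGR instead of reaching REGISTERED, the usual cause is a value that does not match between the steps above. The following check is an added example, not part of the original post: it compares the key on "radius-server host" with the "nas" key, the method list named by "wlccp authentication-server infrastructure", and the AP's WLCCP username and password. The function names and sample configs are constructed, and it assumes the commands as typed on this page (plaintext keys), not a running-config.

```python
import re

# Constructed sample input: the commands from this page as they are typed
# (plaintext keys), not as they would appear in a running-config.
WDS_CFG = """\
aaa authentication login wds-server group rad_eap
radius-server host 192.168.5.61 auth-port 1812 acct-port 1813 key cisco
radius-server local
 nas 192.168.5.61 key cisco
 user AP1242 password cisco
wlccp wds priority 254 interface BVI1
wlccp authentication-server infrastructure wds-server
"""
AP_CFG = "wlccp ap username AP1242 password cisco\n"

def grab(pattern, text):
    """All matches of a per-line pattern (strings or tuples of groups)."""
    return re.findall(pattern, text, flags=re.MULTILINE)

def check_wds_pair(wds_cfg, ap_cfg):
    """Cross-check WDS and infrastructure AP configs; return a list of problems."""
    problems = []
    hosts = dict(grab(r"^\s*radius-server host (\S+) .*\bkey (\S+)", wds_cfg))
    nas = dict(grab(r"^\s*nas (\S+) key (\S+)", wds_cfg))
    users = dict(grab(r"^\s*user (\S+) password (\S+)", wds_cfg))
    login_lists = grab(r"^\s*aaa authentication login (\S+) group", wds_cfg)
    infra = grab(r"^\s*wlccp authentication-server infrastructure (\S+)", wds_cfg)
    ap_creds = grab(r"^\s*wlccp ap username (\S+) password (\S+)", ap_cfg)

    # The key on 'radius-server host' must equal the key on the matching 'nas'.
    for ip, key in hosts.items():
        if nas.get(ip) != key:
            problems.append(f"nas entry for {ip} missing or key differs")
    # Infrastructure authentication must name an existing login method list.
    for name in infra:
        if name not in login_lists:
            problems.append(f"method list {name} is not defined")
    if not infra:
        problems.append("infrastructure authentication is not enabled")
    # The AP's WLCCP credentials must exist on the local RADIUS server.
    for user, pw in ap_creds:
        if users.get(user) != pw:
            problems.append(f"user {user} missing or password differs")
    if not ap_creds:
        problems.append("AP has no 'wlccp ap username' line")
    return problems

if __name__ == "__main__":
    print(check_wds_pair(WDS_CFG, AP_CFG) or "consistent")
```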

About Joost van der Made
