
Wireless Domain Services (WDS) is a service that can be configured on Cisco autonomous Access Points (APs), where a single AP is nominated to handle authentication requests for all attached APs. The benefits include caching of user credentials, which speeds up authentication and improves client roaming between APs. The AP running the WDS server also runs a local RADIUS service, which is used to authenticate the connecting infrastructure APs. This service can also be configured to handle client authentication; in this example, however, an external RADIUS server is used for that.
The control messages exchanged between the WDS AP and the infrastructure APs use the multicast Wireless LAN Context Control Protocol (WLCCP). These multicast messages cannot be routed, so all participating APs must be on the same subnet.
Setup details
Item                                                           | Value
Local RADIUS server password, used by NAS objects AP1 and AP2  | an0ther_passw0rd
External RADIUS server password                                | Rad1us
Password for WLCCP AP user ‘wds’                               | wdspassw0rd
AP1 (local RADIUS server, WDS)                                 | 10.83.5.105
AP2                                                            | 10.83.5.110
AP3                                                            | 10.83.5.111
External RADIUS server                                         | 10.83.5.128
WDS AP Configuration
Two AAA RADIUS server groups are configured:
- ‘local_radius’ will handle NAS authentication for the connecting infrastructure APs
- ‘ext_radius’ is used for user authentication
!
aaa new-model
!
aaa group server radius local_radius
 server 10.83.5.105 auth-port 1812 acct-port 1813
!
aaa group server radius ext_radius
 server 10.83.5.128 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group ext_radius
aaa authentication login infra_methods group local_radius
aaa authorization network default group sown-radius
!
dot11 ssid TESTNET
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa cckm
 guest-mode
!
interface Dot11Radio0
 ssid TESTNET
!
radius-server local
 nas 10.83.5.105 key an0ther_passw0rd
 nas 10.83.5.110 key an0ther_passw0rd
 nas 10.83.5.111 key an0ther_passw0rd
 user wds nthash wdspassw0rd
!
radius-server host 10.83.5.105 auth-port 1812 acct-port 1813 key an0ther_passw0rd
radius-server host 10.83.5.128 auth-port 1812 acct-port 1813 key Rad1us
!
wlccp ap username wds password wdspassw0rd
wlccp authentication-server infrastructure infra_methods
wlccp authentication-server client any eap_methods
 ssid TESTNET
wlccp wds priority 200 interface BVI1
!
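As an added, illustrative check that is not part of the original post (and not a Cisco tool), the following Python script parses the AAA, RADIUS and WLCCP lines of an autonomous-AP configuration and reports dangling references and shared-secret mismatches. Run against a reduced copy of the WDS AP configuration above, it reports that the ‘aaa authorization’ line references a server group (‘sown-radius’) that the configuration never defines, since only ‘local_radius’ and ‘ext_radius’ are declared; the sample text is constructed for this example.

```python
import re
# Constructed sample: reduced copy of this page's WDS AP config, 'aaa authorization' line kept as-is.
SAMPLE = """\
aaa group server radius local_radius
 server 10.83.5.105 auth-port 1812 acct-port 1813
aaa group server radius ext_radius
 server 10.83.5.128 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group ext_radius
aaa authentication login infra_methods group local_radius
aaa authorization network default group sown-radius
radius-server local
 nas 10.83.5.105 key an0ther_passw0rd
radius-server host 10.83.5.105 auth-port 1812 acct-port 1813 key an0ther_passw0rd
radius-server host 10.83.5.128 auth-port 1812 acct-port 1813 key Rad1us
wlccp authentication-server infrastructure infra_methods
wlccp authentication-server client any eap_methods
"""
def check_config(text):
    """Return findings as strings; an empty list means the config is consistent."""
    groups, hosts, nas, lists, group_refs, list_refs = {}, {}, {}, set(), [], []
    current = None  # server group whose 'server' sub-commands are being read
    for raw in text.splitlines():
        s = raw.strip()
        if m := re.match(r"aaa group server radius (\S+)$", s):
            groups[(current := m.group(1))] = []  # enter the group's sub-mode
            continue
        if current and (m := re.match(r"server (\S+)", s)):
            groups[current].append(m.group(1))
            continue
        current = None  # any other command ends the server-group sub-mode
        if m := re.match(r"aaa authentication login (\S+) group (\S+)", s):
            lists.add(m.group(1))
            group_refs.append((s, m.group(2)))
        elif m := re.match(r"aaa authorization network \S+ group (\S+)", s):
            group_refs.append((s, m.group(1)))
        elif m := re.match(r"radius-server host (\S+) .*\bkey (\S+)", s):
            hosts[m.group(1)] = m.group(2)  # secret this AP presents as a RADIUS client
        elif m := re.match(r"nas (\S+) key (\S+)", s):
            nas[m.group(1)] = m.group(2)  # secret the local RADIUS server expects
        elif m := re.match(r"wlccp authentication-server .* (\S+)$", s):
            list_refs.append((s, m.group(1)))
    findings = [f"'{c}' references undefined server group '{g}'"
                for c, g in group_refs if g not in groups]
    findings += [f"'{c}' references undefined method list '{l}'"
                 for c, l in list_refs if l not in lists]
    findings += [f"group '{g}' server {ip} has no 'radius-server host ... key' entry"
                 for g, ips in groups.items() for ip in ips if ip not in hosts]
    findings += [f"NAS key for {ip} differs from the 'radius-server host' key"
                 for ip in nas.keys() & hosts.keys() if nas[ip] != hosts[ip]]
    return findings
```

The same checks apply unchanged to the infrastructure AP configuration below, where the ‘radius-server host’ key must match the ‘nas’ entry the WDS AP holds for that AP.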
Infrastructure AP configuration
!
aaa new-model
!
aaa group server radius local_radius
 server 10.83.5.105 auth-port 1812 acct-port 1813
!
aaa authentication login infra_methods group local_radius
!
dot11 ssid TESTNET
 authentication open eap infra_methods
 authentication network-eap infra_methods
 authentication key-management wpa cckm
 guest-mode
!
interface Dot11Radio0
 ssid TESTNET
!
radius-server host 10.83.5.105 auth-port 1812 acct-port 1813 key an0ther_passw0rd
!
wlccp ap username wds password wdspassw0rd
wlccp ap wds ip address 10.83.5.105
wlccp authentication-server infrastructure infra_methods
!