In this post we will learn how to use AP as WDS device and what are the benefits of using WDS in autonomous environment.
In the next post we will learn how to configure the AP with WDS as local AAA server.
WDS is a part of the Cisco Structured Wireless Aware Network (SWAN). WDS is cisco IOS Software features that enhance WLAN client mobility, and simplify WLAN deployment and management. This is very useful when we don’t have Controller in our campus and still want to use RRM and roaming then it’s the best choice. WDS offer these features:
- Fast secure roaming(CCKM)
CCKM (Cisco Centralized Key Management) enables clients and access points to cache and re-use keying material derived from a full 802.1x/EAP authentication. This enables clients to roam between access points faster without the need to perform a full re-authentication.
The WDS device maintains a cache of credentials for CCKM-capable client devices on our wireless LAN. When a CCKM-capable client roams from one AP to another, the client sends a re-association request to the new AP, and the new AP relays the request to the WDS device. The WDS device forwards the client’s credentials to the new AP, and the new access point sends the re-association response to the client. Only two packets pass between the client and the new AP, greatly reducing the re-association time. The client also uses the re-association response to generate the unicast key.
- Radio management
APs forward radio management information such as rogue Aps, client associations and Signal Strength to the WDS device. The WDS device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection capability by providing a central point for key distribution and management across autonomous access points.
Requirements for WDS and Fast Secure Roaming
We must have these items:
- At least one AP configure as the WDS device
- An authentication server or an AP configured as a local authenticator.
- Rest of other AP must configure as iNfrastructure device to use WDS.
- If we are using AP as WDS then either disable the radio interfaces or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
- A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points.
- Repeater AP does not support WDS. Do not configure a repeater access point as a WDS candidate, and do not configure a WDS access point to return (fall back) to repeater mode in case of Ethernet failure.
Communication and Tasks:
The WDS and the infrastructure APs communicate over a multicast protocol WLCCP. These multicast messages cannot be routed. Therefore, a WDS and the associated infrastructure APs must be in the same IP subnetwork and on the same LAN segment.
The WDS AP performs these tasks:
- Advertises WDS capability and participates in an election of the best WDS device for our WLAN.
- When we configure our WLAN for WDS, we set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes offline, one of the backup WDS devices takes the place of the main device.
- Authenticates all APs in the subnetwork and establishes a secure communication channel with each of the APs.
- Registers all client devices in the subnetwork, establishes session keys for the client devices, and caches the client security credentials.
- When a client roams to another AP, the WDS device forwards the client security credentials to the new AP.
- Main task of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.
Note: A single WDS AP can support a maximum of 60 infrastructure APs when the radio interface is disabled. The number drops to 30 if the AP that acts as the WDS AP also accepts client associations.
Note: A Wireless LAN Services Module (WLSM)-equipped switch supports up to 300 APs.
Note: WDS can perform authentication but not accounting.
Note: We cannot configure a 350 series AP as a WDS device but, we can configure 350 series AP to use the WDS device.
Note: Make sure that the AP and the WDS are located at the same subnet otherwise it’s not possible to have it working. (In case of Local AP as WDS).
Note: If we are using WLSM then we can install our AP at any location in plant for layer 3 mobility.(I don’t have WLSM in my test lab so can’t say more about this)
- Backup WDS devices must exist in case of primary fails.
- WDS clients authenticate to the WDS Primary using LEAP. Therefore, LEAP must be enabled in the AAA server performing authentication for WDS devices.
- All wireless client authentications are performed by the WDS Primary when active.
- WDS clients will revert to standalone mode if the WDS master fails and CCKM fast roaming will not be available.
- If a secondary WDS exists, then WDS clients will re-join the new WDS device and begin forwarding wireless client authentications again.
- Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming; even if wireless clients are authenticated using another EAP type.
More info regarding WDS: