Redundant WDS devices

For how to configure an AP as a WDS device, see this link: Configure WDS via CLI

Making the infrastructure AP a backup WDS device is the same procedure we used in the last post.

Steps:

  1. First we add the WDS-Client AP as a NAS on the primary AP’s local RADIUS server so it can request authentication.
  2. Configure the RADIUS and infrastructure server parameters on the WDS-Client AP (same as in the previous post).

Let’s start:

Only one line is needed on the WDS-AP:

WDS-AP(config-radsrv)#nas 10.35.80.111 key cisco123

Then we configure the RADIUS and wlccp parameters on the WDS-Client AP.

aaa new-model
!
aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa authentication login method_Infra group Infrastructure
!
radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 1511021F07257A767B
!
wlccp ap username wds password 7 104D000A0618
wlccp authentication-server infrastructure method_Infra
wlccp wds priority 250 interface BVI1

This WDS candidate is configured with the lower priority of 250 because the other AP (WDS-AP) already has 254, and the higher priority wins the election. Now let’s take a look at the results.

Now check the WDS status on both APs:

WDS-AP:

WDS-AP#sh wlccp ap
WDS = 588d.0903.e31c, 10.35.80.110
state = wlccp_ap_st_registered
IN Authenticator = 10.35.80.110
MN Authenticator = 10.35.80.110
WDS-AP#
WDS-AP#sh wlccp wds
MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
HOSTNAME                         MAC-ADDR        IP-ADDR         STATE
WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#

WDS-Client AP:

WDS-Client#sh wlccp ap
WDS = 588d.0903.e31c, 10.35.80.110
state = wlccp_ap_st_registered
IN Authenticator = 10.35.80.110
MN Authenticator = 10.35.80.110
WDS-Client#
WDS-Client#sh wlccp wds
MAC: 2894.0fa8.a594, IP-ADDR: 10.35.80.111   , Priority: 250
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 588d.0903.e31c, Priority: 254, IP-ADDR: 10.35.80.110
WDS-Client#
WDS-Client#sh wlccp wds ap
HOSTNAME                         MAC-ADDR        IP-ADDR         STATE
WDS-Client#
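To verify the election from outputs like the two above without reading them by hand, here is an added Python check (not from the original post) that parses the "sh wlccp wds" output of every WDS candidate and confirms that exactly one is ACTIVE, that it holds the highest priority, and that each BACKUP is tracking it. The sample input is the output quoted above, embedded as constructed strings.

```python
import re

# Constructed sample input: the "sh wlccp wds" output of both APs as quoted in the post.
WDS_AP_OUTPUT = """\
MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 2   , MN Count: 0
"""
WDS_CLIENT_OUTPUT = """\
MAC: 2894.0fa8.a594, IP-ADDR: 10.35.80.111   , Priority: 250
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 588d.0903.e31c, Priority: 254, IP-ADDR: 10.35.80.110
"""

HEADER_RE = re.compile(r"MAC:\s*([0-9a-f.]+),\s*IP-ADDR:\s*([\d.]+)\s*,\s*Priority:\s*(\d+)")
STATE_RE = re.compile(r"State:\s*(.+)$", re.M)
ACTIVE_RE = re.compile(r"Currently ACTIVE WDS - MAC:\s*([0-9a-f.]+),\s*Priority:\s*(\d+)")

def parse_wds(output):
    """Describe one AP's WDS role from its 'sh wlccp wds' output."""
    m = HEADER_RE.search(output)
    s = STATE_RE.search(output)
    if not m or not s:
        raise ValueError("not a 'sh wlccp wds' output")
    info = {"mac": m.group(1), "ip": m.group(2), "priority": int(m.group(3)),
            "active": s.group(1).strip().endswith("ACTIVE"), "active_wds": None}
    a = ACTIVE_RE.search(output)          # only present on a BACKUP candidate
    if a:
        info["active_wds"] = (a.group(1), int(a.group(2)))
    return info

def check_redundancy(outputs):
    """Return the problems found across all WDS candidates (empty list = healthy)."""
    aps = [parse_wds(o) for o in outputs]
    active = [a for a in aps if a["active"]]
    if len(active) != 1:
        return [f"expected exactly one ACTIVE WDS, found {len(active)}"]
    problems = []
    if active[0] is not max(aps, key=lambda a: a["priority"]):
        problems.append("ACTIVE WDS does not hold the highest priority")
    prios = [a["priority"] for a in aps]
    if len(set(prios)) != len(prios):
        problems.append("duplicate WDS priorities; the election will tie-break")
    for a in aps:
        if not a["active"] and a["active_wds"] != (active[0]["mac"], active[0]["priority"]):
            problems.append(f"backup {a['ip']} is not tracking the ACTIVE WDS")
    return problems
```

Feed it the output of every candidate after a failover as well: the former BACKUP should then parse as ACTIVE and the returned list should still be empty once the old primary has re-registered.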

Now we configure both APs to serve clients.

WDS-AP Configuration:

hostname WDS-AP
!
aaa new-model
!
aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa group server radius Client
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa authentication login method_infra group Infra
aaa authentication login method_client group Client
!
dot11 ssid RSCCIEW
 authentication open eap method_client
 authentication key-management wpa version 2
 guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.35.80.110 key 7 13061E010803557878
 nas 10.35.80.111 key 7 1511021F07257A767B
 user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
 user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
!
radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
!
wlccp ap username wds password 7 05080F1C2243
wlccp authentication-server infrastructure method_infra
wlccp authentication-server client any method_client
 ssid RSCCIEW
wlccp wds priority 254 interface BVI1

WDS-Client Configuration:

hostname WDS-Client
!
aaa new-model
!
aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa group server radius Client1
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa authentication login method_Infra group Infrastructure
aaa authentication login method_client1 group Client1
!
dot11 ssid RSCCIEW
 authentication open eap method_client1
 authentication key-management wpa version 2
 guest-mode
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid RSCCIEW
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 121A0C0411045D5679
!
wlccp ap username wds password 7 104D000A0618
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client any method_client1
 ssid RSCCIEW
wlccp wds priority 250 interface BVI1
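Two things in these configurations are easy to get wrong and show no symptom until a failover: the list named after "wlccp authentication-server ..." must be an "aaa authentication login" method list (not the RADIUS server group it points at), and the WDS priorities of the candidates must be distinct. This added Python audit (not the post’s own code; function names are mine) checks both, run here on a constructed fragment modelled on the WDS-Client configuration above; the same check applies to the single-WDS setup in the "Configuring WDS via CLI" post.

```python
import re

# Constructed config fragment modelled on the WDS-Client configuration in the post.
GOOD_CONFIG = """\
aaa group server radius Infrastructure
 server 10.35.80.110 auth-port 1812 acct-port 1813
aaa group server radius Client1
 server 10.35.80.110 auth-port 1812 acct-port 1813
aaa authentication login method_Infra group Infrastructure
aaa authentication login method_client1 group Client1
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client any method_client1
wlccp wds priority 250 interface BVI1
"""
# Same fragment with the client list pointing at the server group instead of the
# login method list, the slip the audit is meant to catch.
BAD_CONFIG = GOOD_CONFIG.replace("client any method_client1", "client any Client1")

GROUP_RE = re.compile(r"^aaa group server radius (\S+)", re.M)
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) group (\S+)", re.M)
WLCCP_AUTH_RE = re.compile(r"^wlccp authentication-server (infrastructure|client \S+) (\S+)", re.M)
PRIO_RE = re.compile(r"^wlccp wds priority (\d+)", re.M)

def audit_wlccp(config):
    """Return findings for one AP: dangling list/group references and a bad priority."""
    findings = []
    groups = set(GROUP_RE.findall(config))
    lists = {}
    for name, group in LOGIN_RE.findall(config):
        lists[name] = group
        if group not in groups:
            findings.append(f"login list {name} uses undefined server group {group}")
    for scope, ref in WLCCP_AUTH_RE.findall(config):
        if ref not in lists:
            hint = " (that is a server group, not a method list)" if ref in groups else ""
            findings.append(f"wlccp {scope} references unknown method list {ref}{hint}")
    for prio in PRIO_RE.findall(config):
        if not 1 <= int(prio) <= 255:
            findings.append(f"WDS priority {prio} is outside 1-255")
    return findings

def check_priorities(configs):
    """Flag WDS candidates (name -> config) that share a priority; the election needs distinct values."""
    seen, clashes = {}, []
    for name, cfg in configs.items():
        for prio in PRIO_RE.findall(cfg):
            if prio in seen:
                clashes.append(f"{name} and {seen[prio]} both use WDS priority {prio}")
            seen[prio] = name
    return clashes
```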

This is all we have to configure; now we can set up a client connection and test it.

Check the client status: the client authenticates through the primary WDS device.

WDS-AP#sh dot11 associations
 802.11 Client Stations on Dot11Radio0:
 SSID [RSCCIEW] :
 MAC Address    IP address      Device        Name            Parent         State
 ac7b.a1d1.c289 10.35.80.106    ccx-client    WDS-AP          self           EAP-Assoc
WDS-AP#
WDS-AP#sh dot11 associations  ac7b.a1d1.c289
 Address           : ac7b.a1d1.c289     Name             : WDS-AP
 IP Address        : 10.35.80.106       Interface        : Dot11Radio 0
 Device            : ccx-client         Software Version : NONE
 CCX Version       : 4                  Client MFP       : Off
 State             : EAP-Assoc          Parent           : self
 SSID              : RSCCIEW
 VLAN              : 0
 Hops to Infra     : 1                  Association Id   : 1
 Clients Associated: 0                  Repeaters associated: 0
 Tunnel Address    : 0.0.0.0
 Key Mgmt type     : WPAv2              Encryption       : AES-CCMP
 Current Rate      : 54.0               Capability       : WMM ShortHdr ShortSlot
 Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 Voice Rates       : disabled           Bandwidth        : 20 MHz
 Signal Strength   : -45  dBm           Connected for    : 14 seconds
 Signal to Noise   : 44  dB            Activity Timeout : 50 seconds
 Power-save        : Off                Last Activity    : 0 seconds ago
 Apsd DE AC(s)     : BK BE VI VO
 Packets Input     : 164                Packets Output   : 45
 Bytes Input       : 32680              Bytes Output     : 9901
 Duplicates Rcvd   : 0                  Data Retries     : 0
 Decrypt Failed    : 0                  RTS Retries      : 0
 MIC Failed        : 0                  MIC Missing      : 0
 Packets Redirected: 0                  Redirect Filtered: 0
 PMKIDs:
 ED7B7F68446E643F622718DD96A73643
 Session timeout   : 0 seconds
 Reauthenticate in : never
WDS-AP#

Configuring WDS via CLI

In this post we will learn how to set up an AP as a WDS device with a local AAA server.

My topology:

I have two Cisco 1142 model APs.

AAP1: as WDS device: 10.35.80.110
AAP2: as infrastructure AP: 10.35.80.111

*** I will only use 2.4 GHz (Dot11Radio 0 interface) for this post. You can use both or any one.

Steps to proceed:

  1. Set up the main AP (WDS-AP) as the WDS device.
  2. The WDS device will also participate as an infrastructure AP.
  3. Configure the other infrastructure AP (WDS-Client) to connect to the WDS device.

Setup main AP (WDS-AP) as WDS device

Configure the AP to point at the RADIUS server:

aaa new-model
aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
aaa authentication login method_infra group Infra

radius-server local
<Configure the AP as a local RADIUS server>
<Here we can use three types of authentication: EAP-FAST, LEAP and MAC authentication; by default it is LEAP>

nas 10.35.80.110 key cisco123
<Define the AP itself as an AAA client (NAS)>

no authentication mac
<Disable MAC authentication>

no authentication eapfast
<Disable EAP-FAST authentication>

user wds password cisco -> this account is used by the other AP to join WDS

user test password rscciew123 -> this account is for clients to authenticate

radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key test12345
<Define the AP itself as the RADIUS server>

Enable WDS on the AP:

wlccp wds priority 254 interface BVI1
<This sets the WDS priority, between 1 and 255; higher numbers are more likely to become the WDS>

wlccp authentication-server infrastructure method_infra
<Enable infrastructure authentication>

WDS device will also participate as infrastructure AP

When we join this AP to itself as an infrastructure AP, we see this message:

WDS-AP(config)#wlccp ap username wds password cisco
WDS-AP(config)#
 *Oct  2 12:50:32.274: %WLCCP_AP-6-INFRA: WLCCP Infrastructure Authenticated

Check the WDS status:

WDS-AP#sh wlccp wds
MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 1   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
HOSTNAME                         MAC-ADDR        IP-ADDR         STATE
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#
WDS-AP#sh wlccp ap
WDS = 588d.0903.e31c, 10.35.80.110
state = wlccp_ap_st_registered
IN Authenticator = 10.35.80.110
MN Authenticator = 10.35.80.110
WDS-AP#

Our first AP is ready to act as the WDS device, and it also participates as an infrastructure AP.

Other infrastructure AP (WDS-Client) to connect to the WDS device

On this AP we only need to configure the username and password to participate in WDS:

WDS-Client(config)#wlccp ap username wds password cisco

*** Configuring WDS this way means the other AP (WDS-Client) in the same subnet is authenticated through the first AP. In this case the authentication occurs over the cable (not through any inter-AP wireless link).

Now check the status on the WDS AP again:

WDS-AP#sh wlccp wds
MAC: 588d.0903.e31c, IP-ADDR: 10.35.80.110   , Priority: 254
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 2   , MN Count: 0
WDS-AP#
WDS-AP#sh wlccp wds ap
HOSTNAME                         MAC-ADDR        IP-ADDR         STATE
WDS-Client                       2894.0fa8.a594  10.35.80.111    REGISTERED
WDS-AP                           588d.0903.e31c  10.35.80.110    REGISTERED
WDS-AP#
WDS-AP#sh wlccp ap
WDS = 588d.0903.e31c, 10.35.80.110
state = wlccp_ap_st_registered
IN Authenticator = 10.35.80.110
MN Authenticator = 10.35.80.110
WDS-AP#

Here is the complete configuration:

WDS Device Configuration:

hostname WDS-AP
!
aaa new-model
!
aaa group server radius Infra
 server 10.35.80.110 auth-port 1812 acct-port 1813
!
aaa authentication login method_infra group Infra
!
radius-server local
 no authentication eapfast
 no authentication mac
 nas 10.35.80.110 key 7 13061E010803557878
 user wds nthash 7 09196D5149553143582D57090E7C7E1611704653462725027C0F00075F2641370B
 user test nthash 7 0251537E5D502D021B1C2D4C5042445C5D56780E017D676374325E4E2552050D0A
!
radius-server host 10.35.80.110 auth-port 1812 acct-port 1813 key 7 070C285F4D06485744
!
wlccp ap username wds password 7 05080F1C2243
wlccp authentication-server infrastructure method_infra
wlccp wds priority 254 interface BVI1

Infrastructure AP Configuration (WDS-Client):

hostname WDS-Client
!
wlccp ap username wds password 7 05080F1C2243

In the next post we will configure the 2nd AP (WDS-Client) to also act as a redundant WDS device in case the primary fails.

WDS(Wireless Domain Service) Overview

In this post we will learn how to use an AP as a WDS device and what the benefits of WDS are in an autonomous environment.

In the next post we will learn how to configure the AP with WDS as local AAA server.

WDS is part of the Cisco Structured Wireless-Aware Network (SWAN). WDS is a Cisco IOS software feature that enhances WLAN client mobility and simplifies WLAN deployment and management. It is very useful when we don’t have a controller in our campus but still want RRM and roaming; in that case it’s the best choice. WDS offers these features:

  • Fast secure roaming (CCKM)

CCKM (Cisco Centralized Key Management) enables clients and access points to cache and reuse keying material derived from a full 802.1X/EAP authentication. This lets clients roam between access points faster, without performing a full re-authentication.

The WDS device maintains a cache of credentials for CCKM-capable client devices on our wireless LAN. When a CCKM-capable client roams from one AP to another, the client sends a re-association request to the new AP, and the new AP relays the request to the WDS device. The WDS device forwards the client’s credentials to the new AP, and the new access point sends the re-association response to the client. Only two packets pass between the client and the new AP, greatly reducing the re-association time. The client also uses the re-association response to generate the unicast key.

  • Radio management

APs forward radio management information such as rogue APs, client associations and signal strength to the WDS device. The WDS device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection by providing a central point for key distribution and management across autonomous access points.

Requirements for WDS and Fast Secure Roaming

We must have these items:

  • At least one AP configured as the WDS device.
  • An authentication server, or an AP configured as a local authenticator.
  • All other APs configured as infrastructure devices to use WDS.

Points to remember:

  • If we are using an AP as the WDS, then either disable the radio interfaces or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
  • A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points.
  • Repeater APs do not support WDS. Do not configure a repeater access point as a WDS candidate, and do not configure a WDS access point to return (fall back) to repeater mode in case of Ethernet failure.

Communication and Tasks:

The WDS and the infrastructure APs communicate over a multicast protocol, WLCCP. These multicast messages cannot be routed; therefore, a WDS and its associated infrastructure APs must be in the same IP subnet and on the same LAN segment.

The WDS AP performs these tasks:

  • Advertises WDS capability and participates in an election of the best WDS device for our WLAN.
  • When we configure our WLAN for WDS, we set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes offline, one of the backup WDS devices takes the place of the main device.
  • Authenticates all APs in the subnetwork and establishes a secure communication channel with each of the APs.
  • Registers all client devices in the subnetwork, establishes session keys for the client devices, and caches the client security credentials.
  • When a client roams to another AP, the WDS device forwards the client security credentials to the new AP.
  • The main task of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.

Note: A single WDS AP can support a maximum of 60 infrastructure APs when the radio interface is disabled. The number drops to 30 if the AP that acts as the WDS AP also accepts client associations.

Note: A Wireless LAN Services Module (WLSM)-equipped switch supports up to 300 APs.

Note: WDS can perform authentication but not accounting.

Note: We cannot configure a 350 series AP as a WDS device, but we can configure a 350 series AP to use the WDS device.

Note: Make sure that the AP and the WDS are in the same subnet; otherwise it is not possible to get it working (in the case of a local AP as WDS).

Note: If we are using a WLSM then we can install our APs at any location in the plant for Layer 3 mobility. (I don’t have a WLSM in my test lab so I can’t say more about this.)

Make sure:

  • A backup WDS device must exist in case the primary fails.
  • WDS clients authenticate to the WDS primary using LEAP. Therefore, LEAP must be enabled on the AAA server performing authentication for WDS devices.
  • All wireless client authentications are performed by the WDS primary when it is active.
  • WDS clients revert to standalone mode if the WDS master fails, and CCKM fast roaming will not be available.
  • If a secondary WDS exists, then WDS clients re-join the new WDS device and begin forwarding wireless client authentications again.
  • Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming, even if wireless clients are authenticated using another EAP type.

More info regarding WDS:

Configuring WDS

WDS on Cisco Autonomous AP