2 Replies Latest reply: Mar 2, 2012 6:13 PM by Vybhav Ramachandran

    WDS registration issue

    Vybhav Ramachandran

      Hello All,

      I have a simple setup configured in my lab.

      AP1 <-----> Switch 1 <--------> Switch 2 <--------> AP2. All the links are trunk links.

      I tried to configure WDS but I'm facing an issue. In my example, I've made AP1 operate as both a client and a WDS (with a local authentication server acting as the AS). AP2 is going to be just a client AP registering to AP1. After configuring everything, AP2 is able to discover AP1 as the WDS, but it's unable to register to it and form the secure tunnel to it.

      I turned on EAP logging on the WDS AP and it shows authentication failure when the client AP tries to register to it.

      Here is the config of AP3:

      aaa new-model
      !
      !
      aaa group server radius WDS
       server 10.10.110.3 auth-port 1812 acct-port 1813
      !
      aaa authentication login MEGATRON_LIST group radius
      !
      dot11 ssid MEGATRON
         vlan 110
         authentication open eap MEGATRON_LIST
         authentication network-eap MEGATRON_LIST
         authentication key-management cckm
         mbssid guest-mode
      !
      interface Dot11Radio0
       no ip address
       no ip route-cache
       !
       encryption vlan 110 mode ciphers aes-ccm
       !
       ssid MEGATRON
       !
       antenna gain 0
       mbssid
       station-role root
      !
      interface Dot11Radio0.110
       encapsulation dot1Q 110 native
       no ip route-cache
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
      !
      interface Dot11Radio1
       no ip address
       no ip route-cache
       shutdown
       antenna gain 0
       no dfs band block
       channel dfs
       station-role root
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
      !
      interface GigabitEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       no keepalive
      !
      interface GigabitEthernet0.110
       encapsulation dot1Q 110 native
       no ip route-cache
       bridge-group 1
       no bridge-group 1 source-learning
       bridge-group 1 spanning-disabled
      !
      interface BVI1
       ip address 10.10.110.3 255.255.255.0
       no ip route-cache
      !
      radius-server local
        nas 10.10.110.3 key 7 00071A150754
        nas 10.10.110.4 key 7 14141B180F0B
        user wds nthash 7 08746F1659492346412A5F270F73720D1767774757322755730E0B00052B5A3944
        user user1 nthash 7 055E2557711C68584A2444312E54520F0F767D676506375333545205087D0A755C
        user AP4 nthash 7 025327035B5629701F6F5A3A204F442E28567F7F740C17610744544552240F780A
        user AP3 nthash 7 115C3A5D47422D5D570B78070D6B63073755435751727D0C76035D504933007905
      !
      radius-server host 10.10.110.3 auth-port 1812 acct-port 1813 key 7 02050D480809
      bridge 1 route ip
      !
      !
      wlccp ap username AP3 password 7 045802150C2E
      wlccp authentication-server infrastructure WDS
      wlccp authentication-server client any WDS
        ssid MEGATRON
      wlccp wds priority 255 interface BVI1
      !
      line con 0
      line vty 0 4
      !
      end

      Here is the config of AP4:

      aaa new-model
      !
      !
      aaa authentication login MEGATRON_LIST group radius
      !
      !
      dot11 ssid MEGATRON
         vlan 110
         authentication open eap MEGATRON_LIST
         authentication network-eap MEGATRON_LIST
         authentication key-management cckm
         mbssid guest-mode
      !
      interface Dot11Radio0
       no ip address
       no ip route-cache
       !
       encryption vlan 110 mode ciphers aes-ccm
       !
       ssid MEGATRON
       !
       antenna gain 0
       mbssid
       station-role root
      !
      interface Dot11Radio0.110
       encapsulation dot1Q 110 native
       no ip route-cache
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
      !
      interface Dot11Radio1
       no ip address
       no ip route-cache
       shutdown
       antenna gain 0
       no dfs band block
       channel dfs
       station-role root
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
      !
      interface GigabitEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       no keepalive
      !
      interface GigabitEthernet0.110
       encapsulation dot1Q 110 native
       no ip route-cache
       bridge-group 1
       no bridge-group 1 source-learning
       bridge-group 1 spanning-disabled
      !
      interface BVI1
       ip address 10.10.110.4 255.255.255.0
       no ip route-cache
      !
      radius-server host 10.10.110.3 auth-port 1812 acct-port 1813 key 7 104D000A0618
      bridge 1 route ip
      !
      !
      wlccp ap username AP4 password 7 030752180500
      !

      I'm not sure what I've misconfigured, but I'd love it if someone pointed it out to me!

      Cheers,
      Vybhav

        • 1. Re: WDS registration issue
          Brian

          Try this first.

          AP4:

          wlccp authentication-server infrastructure method_Infra
          wlccp authentication-server client any method_Client

          aaa group server radius Infra
           server 10.10.110.3 auth-port 1812 acct-port 1813
          aaa group server radius Client
           server 10.10.110.3 auth-port 1812 acct-port 1813

          aaa authentication login method_Infra group Infra
          aaa authentication login method_Client group Client

          The wlccp authentication-server infrastructure command calls a method list; the method list calls the group that contains the RADIUS server(s).

          You could try to consolidate these to point both back to one aaa group as well if you wanted, with something like:

          aaa authentication login method_Infra group WDS
          aaa authentication login method_Client group WDS

          aaa group server radius WDS
           server 10.10.110.3 auth-port 1812 acct-port 1813
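          The chain Brian describes (wlccp authentication-server -> aaa authentication login method list -> aaa group server radius -> server entries) is easy to break by naming the server group where a method list is expected, which is exactly what the AP3 config above does with "WDS". The checker below is an added example written for this thread, not a Cisco tool and not code from either poster; it parses only the handful of commands involved, treats the keyword "radius" in a method list as "every global radius-server host", and runs against two constructed snippets: the relevant lines of AP3 as posted, and the equivalent lines using the method lists from the reply.

```python
"""Validate the WDS/WLCCP authentication chain in a Cisco IOS autonomous-AP
config (added example; understands only the commands used in this thread).

  wlccp authentication-server {infrastructure | client any} <method-list>
    -> aaa authentication login <method-list> group <server-group> ...
      -> aaa group server radius <server-group> with 'server' lines,
         or the keyword 'radius' = all global 'radius-server host' entries
"""
import re
from dataclasses import dataclass, field


@dataclass
class AaaModel:
    groups: dict = field(default_factory=dict)        # group name -> [server IPs]
    method_lists: dict = field(default_factory=dict)  # list name -> [group names]
    global_radius: list = field(default_factory=list) # 'radius-server host' IPs
    wlccp_refs: dict = field(default_factory=dict)    # role -> method list name


def parse_ap_config(text):
    """Pull the AAA/WLCCP pieces out of a 'show run'-style text."""
    model = AaaModel()
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        # Inside an 'aaa group server radius' block, consume its 'server' lines;
        # any other line ends the block.
        if current_group is not None:
            mm = re.match(r"server (\S+)", line)
            if mm:
                model.groups[current_group].append(mm.group(1))
                continue
            current_group = None
        if not line or line == "!":
            continue
        if mm := re.match(r"aaa group server radius (\S+)", line):
            current_group = mm.group(1)
            model.groups.setdefault(current_group, [])
        elif mm := re.match(r"aaa authentication login (\S+) (.+)", line):
            # 'group X group Y local' -> ['X', 'Y']; non-group methods ignored
            model.method_lists[mm.group(1)] = re.findall(r"group (\S+)", mm.group(2))
        elif mm := re.match(r"radius-server host (\S+)", line):
            model.global_radius.append(mm.group(1))
        elif mm := re.match(r"wlccp authentication-server infrastructure (\S+)", line):
            model.wlccp_refs["infrastructure"] = mm.group(1)
        elif mm := re.match(r"wlccp authentication-server client any (\S+)", line):
            model.wlccp_refs["client"] = mm.group(1)
    return model


def check_wds_auth_chain(model):
    """Return a list of human-readable findings; empty means the chain resolves."""
    findings = []
    for role in ("infrastructure", "client"):
        name = model.wlccp_refs.get(role)
        if name is None:
            findings.append(f"{role}: no 'wlccp authentication-server {role}' line")
            continue
        if name not in model.method_lists:
            hint = " (a server group, not a method list)" if name in model.groups else ""
            findings.append(f"{role}: method list '{name}' is not defined{hint}")
            continue
        for grp in model.method_lists[name]:
            if grp == "radius":
                if not model.global_radius:
                    findings.append(f"{role}: list '{name}' uses 'group radius' "
                                    "but no 'radius-server host' is defined")
            elif grp not in model.groups:
                findings.append(f"{role}: list '{name}' references undefined group '{grp}'")
            elif not model.groups[grp]:
                findings.append(f"{role}: group '{grp}' has no server entries")
    return findings


# Constructed snippet: the AAA/WLCCP lines of AP3 as posted in the thread.
AP3_AS_POSTED = """
aaa group server radius WDS
 server 10.10.110.3 auth-port 1812 acct-port 1813
!
aaa authentication login MEGATRON_LIST group radius
!
radius-server host 10.10.110.3 auth-port 1812 acct-port 1813
!
wlccp authentication-server infrastructure WDS
wlccp authentication-server client any WDS
  ssid MEGATRON
"""

# Constructed snippet: the same AP using the method lists from the reply.
AP_PER_REPLY = """
aaa group server radius Infra
 server 10.10.110.3 auth-port 1812 acct-port 1813
aaa group server radius Client
 server 10.10.110.3 auth-port 1812 acct-port 1813
!
aaa authentication login method_Infra group Infra
aaa authentication login method_Client group Client
!
wlccp authentication-server infrastructure method_Infra
wlccp authentication-server client any method_Client
"""

if __name__ == "__main__":
    for label, cfg in (("AP3 as posted", AP3_AS_POSTED), ("per reply", AP_PER_REPLY)):
        print(label, check_wds_auth_chain(parse_ap_config(cfg)) or ["ok"])
```

          Run on the posted AP3 lines it reports that both wlccp references point at "WDS", which exists only as a server group, so neither the infrastructure nor the client authentication request can be routed to a RADIUS server; the corrected snippet resolves cleanly.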

          • 2. Re: WDS registration issue
            Vybhav Ramachandran

            Hello Brian,

            Thank you for the explanation and the call to explain it further.

            Cheers,
            Vybhav