
Wireless, LAN (WLAN)

Basic Wireless LAN Connection Configuration Example


Document ID: 68005

Contents
Introduction
Prerequisites
Requirements
Components Used
Network Diagram
Conventions
Configuration
Configure the Access Point
Step-by-Step Instructions
Configure the Wireless Client Adapter
Step-by-Step Instructions
Verify
Troubleshoot
Cisco Support Community - Featured Conversations
Related Information

Introduction
This document provides a sample configuration that shows how to set up a basic wireless LAN (WLAN) connection with the use of a Cisco Aironet Access Point (AP) and computers with Cisco-compatible client adapters. The example uses the GUI.

Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- Familiarity with basic wireless radio frequency (RF) technology
- Basic understanding of how to access a Cisco AP

This document assumes that the drivers of the wireless client cards for the PCs or laptops are already installed.

Components Used
The information in this document is based on these software and hardware versions:
- One Aironet 1200 Series AP that runs Cisco IOS Software Release 12.3(7)JA
- Three Aironet 802.11a/b/g Client Adapters that run firmware 2.5
- Aironet Desktop Utility (ADU) version 2.5

Note: This document uses an AP that has an integrated antenna. If you use an AP which requires an external antenna, ensure that the antennas are connected to the AP. Otherwise, the AP is unable to connect to the wireless network. Certain AP models come with integrated antennas, whereas others need an external antenna for general operation. For information on the AP models that come with internal or external antennas, refer to the ordering guide/product guide of the appropriate device.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command or setup in the GUI.

Network Diagram
This document uses this network setup:

The network diagram is three Aironet 802.11a/b/g Client Adapters that are connected to a 1200 AP. This document depicts the configuration of the client adapters to communicate with each other via wireless interface through the AP.

The AP uses these settings:


- Service Set Identifier (SSID): CISCO123
- Basic authentication: Open authentication with Wired Equivalent Privacy (WEP) encryption

This document explains the configuration on the AP and the client adapters.

Note: You can also use other authentication and encryption methods. For information on the different authentication mechanisms that are supported, refer to Configuring Authentication Types. For information on the different encryption mechanisms that are supported, refer to Configuring Cipher Suites and WEP.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configuration
Configure the Access Point
You can configure the AP with the use of any of these:
- GUI
- Command-line interface (CLI), after you establish a Telnet session
- The console port

  Note: In order to connect to the AP through the console port, connect a nine-pin, straight-through DB-9 serial cable to the RS-232 serial port on the AP and to the COM port on a computer. Set up a terminal emulator in order to communicate with the AP. Use these settings for the terminal emulator connection:

  - 9600 baud
  - 8 data bits
  - No parity
  - 1 stop bit
  - No flow control

Note: These settings are the default settings. If you cannot access the device after you set the terminal program to the settings, the problem can be that the device is not set to the defaults. Try different settings, and start with the baud rate.

For more information on the console cable specifications, refer to the Connecting to the 1200 and 1230AG Series Access Points Locally section of Configuring the Access Point for the First Time.

This document explains how to configure the AP with the use of the GUI. There are two ways to access the AP with the use of the GUI:

- Assign an IP address to the device before you connect through the GUI.
- Obtain an IP address with the use of DHCP.

The different models of Aironet APs exhibit different default IP address behaviors. When you connect an Aironet 350, 1130AG, 1200, or 1240AG series AP with a default configuration to your LAN network, the AP requests an IP address from your DHCP server. If the AP does not receive an address, it continues to send requests indefinitely.

When you connect an Aironet 1100 series AP with a default configuration to your LAN, the AP makes several attempts to get an IP address from the DHCP server. If the AP does not receive an address, it assigns itself the IP address 10.0.0.1 for 5 minutes. During this 5-minute period, you can browse to the default IP address and configure a static address. If after the 5 minutes the AP is not reconfigured, the AP discards the 10.0.0.1 address and requests an address from the DHCP server. If the AP does not receive an address, it sends requests indefinitely. If you miss the 5-minute window to browse to the AP at 10.0.0.1, you can power cycle the AP in order to repeat the process.

The network in this document uses a 1200 series AP. A login through the console configures the AP with a static IP address of 10.0.0.1. For information on how to assign IP addresses to the AP, refer to the Obtaining and Assigning an IP Address section of Configuring the Access Point for the First Time.

Step-by-Step Instructions
After configuration of the IP address, you can access the AP through the browser in order to configure the AP to accept client association requests from the client adapter. Complete these steps:

1. In order to access the AP with the GUI and get the Summary Status window, complete these steps:
   a. Open a web browser and enter 10.0.0.1 in the address line.
   b. Press Tab in order to bypass the Username field and advance to the Password field. The Enter Network Password window displays.
   c. Enter the case-sensitive password Cisco, and press Enter. The Summary Status window displays, as this example shows:

2. Click Express Setup in the menu on the left. The Express Setup window displays. You can use this window to configure some of the basic parameters that are necessary to establish a wireless connection. Use the Express Setup window on the AP 1200 in order to configure the acceptance of wireless client associations. Here is an example of the window:

3. Enter the configuration parameters in the appropriate fields in the Express Setup window. The configuration parameters include these parameters:
   - The host name of the AP
   - IP address configuration of the AP, if the address is a static IP
   - Default gateway
   - Simple Network Management Protocol (SNMP) community string
   - Role in the radio network
   - SSID

   This example configures these parameters:
   - IP address: 10.0.0.1
   - Host name: AP1200
   - SSID: CISCO123

   Note: SSIDs are unique identifiers that identify a WLAN network. Wireless devices use SSIDs to establish and maintain wireless connectivity. SSIDs are case-sensitive and can contain up to 32 alphanumeric characters. Do not use any spaces or special characters in an SSID.

   Note: The other parameters are left with the default values.

4. Click Apply in order to save your settings.

5. Complete these steps in order to set up the radio settings:
   a. Click Network Interfaces in the menu on the left in order to browse to the Network Interfaces Summary page.
   b. Select the radio interface that you want to use. This example uses interface Radio0-802.11B. The action allows you to browse to the Network Interfaces: Radio Status page.
   c. Click the Settings tab in order to browse to the Settings page for the radio interface.
   d. Click Enable in order to enable the radio.
   e. Leave all the other settings on the page with the default values.
   f. Scroll down and click Apply at the bottom of the page in order to save the settings.

6. In order to configure the SSID and open authentication with WEP encryption, complete these steps:
   a. Choose Security > SSID Manager in the menu on the left. The SSID Manager page displays.
   b. Select the SSID that you created in Step 3 from the Current SSID List menu. This example uses CISCO123 as the SSID.
   c. Under Authentication Settings, choose Open Authentication.
   d. Leave all other parameters with their default values.
   e. Click Apply at the bottom of the page.

7. In order to configure the WEP keys, complete these steps:
   a. Choose Security > Encryption Manager.
   b. Click WEP Encryption under Encryption Modes, and choose Mandatory from the drop-down menu.
   c. Enter the encryption key for WEP in the Encryption Keys area. The WEP encryption keys can be 40 bits or 128 bits in length. This example uses the 128-bit WEP encryption key 1234567890abcdef1234567890.
   d. Click Apply in order to save the settings.

Configure the Wireless Client Adapter


Before configuration of the client adapter, you must install the client adapter and client adapter software components on the PC or laptop. For instructions on how to install the drivers and utilities for the client adapter, refer to Installing the Client Adapter.

Step-by-Step Instructions
After installation of the client adapter on the machine, you can configure it. This section explains how to configure the client adapter. Complete these steps:

1. Create a profile on the ADU for the client adapter. The profile defines the configuration settings that the client adapter uses in order to connect to the wireless network. You can configure a maximum of 16 different profiles on the ADU. You can switch between the different configured profiles on the basis of your requirement. Profiles enable you to use your client adapter in different locations, each of which requires different configuration settings. For example, you may want to set up profiles to use your client adapter at the office, at home, and in public areas, such as airports or hot spots.

   In order to create a new profile, complete these steps:
   a. Click the Profile Management tab on the ADU.
   b. Click New. Here is an example:

2. When the Profile Management (General) window displays, complete these steps in order to set the Profile Name, Client Name, and SSID:
   a. Enter the name of the profile in the Profile Name field. This example uses OFFICE as the Profile Name.
   b. Enter the name of the client in the Client Name field. The client name is used to identify the wireless client in the WLAN network. This configuration uses the name Client 1 for the first client.
   c. Under Network Names, enter the SSID that is to be used for this Profile. The SSID is the same as the SSID that you configured in the AP. The SSID in this example is CISCO123.

3. Complete these steps in order to set up the Security Options:
   a. Click the Security tab at the top of the window.
   b. Click Pre-Shared Key (Static WEP) under Set Security Options. Here is an example:
   c. Click Configure. The Define Pre-Shared Keys window appears.
   d. Click one of the buttons in the Key Entry area in order to choose a key entry type. This example uses Hexadecimal (0-9, A-F).
   e. Under Encryption Keys, enter the WEP key that is to be used for encryption of the data packets. This example uses the WEP key 1234567890abcdef1234567890. See the example in Step d.

   Note: Use the same WEP key as the one you configured in the AP.

4. Click OK in order to save the WEP key.

5. Complete these steps in order to set the authentication method to Open:
   a. Click the Advanced tab at the top of the Profile Management window.
   b. Be sure that Open is selected under 802.11 Authentication Mode.
      Note: Open authentication is usually enabled by default.
   c. Leave all the other settings with the default values.
   d. Click OK.

6. Click Activate in order to enable this profile.

Note: You can use these same Step-by-Step Instructions in order to create a completely new profile. In an alternate method to create a profile, the client adapter scans the RF environment in order to check for available networks and then creates a profile on the basis of the scan results. For more information on this method, refer to the Creating a New Profile section of Using the Profile Manager.

You can use the same procedure in order to configure the other two client adapters. You can use the same SSID on the other adapters. The only difference is the client name and the IP address that is statically given to the adapter.

Note: This example assumes that the client adapter IP address is configured manually and is in the same subnetwork as the AP.
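The rules stated in the two configuration procedures (SSID format, 10 or 26 hexadecimal digits for a 40-bit or 128-bit WEP key, identical SSID and key on AP and client, client address in the AP's subnetwork) can be checked before the profile is activated. The following is an added example, not Cisco code and not part of the original document; the Station fields, the function names, the 255.0.0.0 mask and every sample value except the document's sample key are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample key printed in this document; a deployed WLAN should never reuse it.
DOCUMENT_SAMPLE_KEY = "1234567890abcdef1234567890"

# Hex digits typed in the key field -> (size name used in the GUI, secret bits).
# The "128-bit" size is 104 secret bits plus the 24-bit IV WEP adds per frame.
WEP_HEX_SIZES = {10: ("40-bit", 40), 26: ("128-bit", 104)}


@dataclass
class Station:
    """Settings of one device; the field names are assumptions of this example."""
    name: str
    ssid: str
    wep_key_hex: str
    ip: str


def check_ssid(ssid):
    """Apply the SSID rules from the Express Setup note."""
    problems = []
    if not 1 <= len(ssid) <= 32:
        problems.append("SSID must be 1 to 32 characters long")
    if not re.fullmatch(r"[A-Za-z0-9]*", ssid):
        problems.append("SSID contains a space or special character")
    return problems


def wep_key_size(key_hex):
    """Return (size name, secret bits) for a hexadecimal WEP key."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", key_hex):
        raise ValueError("WEP key must be hexadecimal digits (0-9, A-F) only")
    if len(key_hex) not in WEP_HEX_SIZES:
        raise ValueError(f"WEP key has {len(key_hex)} hex digits, expected 10 or 26")
    return WEP_HEX_SIZES[len(key_hex)]


def check_client(ap, client, netmask):
    """List every reason this client would fail to talk through this AP."""
    findings = [f"{ap.name}: {p}" for p in check_ssid(ap.ssid)]
    try:
        wep_key_size(ap.wep_key_hex)
    except ValueError as exc:
        findings.append(f"{ap.name}: {exc}")
    if ap.wep_key_hex.lower() == DOCUMENT_SAMPLE_KEY:
        findings.append(f"{ap.name}: WEP key is the sample key from the document")
    # SSIDs are case-sensitive, so CISCO123 and cisco123 are different networks.
    if client.ssid != ap.ssid:
        hint = " (case differs)" if client.ssid.lower() == ap.ssid.lower() else ""
        findings.append(f"{client.name}: SSID does not match the AP{hint}")
    # Hex digits are case-insensitive, so compare the key value, not the text.
    if client.wep_key_hex.lower() != ap.wep_key_hex.lower():
        findings.append(f"{client.name}: WEP key does not match the AP")
    subnet = ipaddress.ip_network(f"{ap.ip}/{netmask}", strict=False)
    client_ip = ipaddress.ip_address(client.ip)
    if client_ip == ipaddress.ip_address(ap.ip):
        findings.append(f"{client.name}: IP address duplicates the AP address")
    elif client_ip not in subnet:
        findings.append(f"{client.name}: {client.ip} is outside {subnet}")
    return findings


# Constructed sample data: the AP of this document with a different key,
# one correct client and two clients with typical entry mistakes.
AP = Station("AP1200", "CISCO123", "0f1e2d3c4b5a69788796a5b4c3", "10.0.0.1")
CLIENTS = [
    Station("Client 1", "CISCO123", "0F1E2D3C4B5A69788796A5B4C3", "10.0.0.2"),
    Station("Client 2", "cisco123", "0f1e2d3c4b5a69788796a5b4c3", "10.0.0.3"),
    Station("Client 3", "CISCO123", "0f1e2d3c4b5a69788796a5b4c", "192.168.1.5"),
]


def audit(ap, clients, netmask="255.0.0.0"):
    """Map each client name to its list of findings (empty list means OK)."""
    return {c.name: check_client(ap, c, netmask) for c in clients}


if __name__ == "__main__":
    for name, findings in audit(AP, CLIENTS).items():
        print(name, "OK" if not findings else findings)
```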

Verify
This section explains how to confirm that your configuration works properly. When you have completed the configurations and activated the profile, the client adapter connects to the AP. In order to check the status of the client connection, click the Current Status tab at the top of the ADU window. This example illustrates a successful connection to the AP. You can see that the client uses Channel 1 for communication and uses WEP for encryption. Also, since only open authentication is used, the Server Based Authentication field shows None:

As another method to verify the client connection on the AP, click Association in the menu on the left side of the AP home page. Here is an example:

Troubleshoot

If 802.1x authentication is used, and a Cisco Catalyst 2950 or 3750 Switch is present in the network, an 802.1X client might fail to authenticate. This error message is displayed:
Jul 21 14:14:52.782 EDT: %RADIUS-3-ALLDEADSERVER: Group rad_eap: No active radius servers found. Id 254

This symptom is observed on 2950 and 3750 Switches when the RADIUS State (24) Field values change in between the Access Challenge and the Access Request. This is because of Cisco bug ID CSCef50742. This is resolved in Cisco IOS Software Release 12.3(4)JA. With release 12.3(4)JA, clients no longer fail 802.1X authentication through Cisco Catalyst 2950 and 3750 Switches due to State (24) Field values that change.
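One way to triage this symptom from an AP's log and release string, as an added example that is not Cisco code: it finds the %RADIUS-3-ALLDEADSERVER message and reports whether the AP release is older than 12.3(4)JA. The function names, the sample log lines other than the one quoted above, and the rule that releases are compared only within the same train are assumptions of this example.

```python
import re

# Values taken from the Troubleshoot section of this document.
TARGET = ("RADIUS", 3, "ALLDEADSERVER")
FIXED_IN = "12.3(4)JA"  # release the document says resolves CSCef50742

# %FACILITY-SEVERITY-MNEMONIC: text. The "\s*" tolerates a stray space after
# the facility name, which copied or re-typed log lines sometimes contain.
SYSLOG_RE = re.compile(
    r"%(?P<fac>[A-Z0-9_]+)\s*-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)"
)
GROUP_RE = re.compile(r"Group (\S+):")
# major.minor(maintenance)TRAIN[rebuild], for example 12.3(2)JA2
RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]+)(\d*)")


def parse_release(text):
    """Split an IOS release string into a comparable tuple and its train."""
    m = RELEASE_RE.fullmatch(text.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised IOS release: {text!r}")
    major, minor, maint, sub, train, rebuild = m.groups()
    return {"num": (int(major), int(minor), int(maint), sub, int(rebuild or 0)),
            "train": train}


def has_fix(running, fixed=FIXED_IN):
    """True or False inside the fixed release's train, None for another train.

    Assumption of this example: releases are only ordered within one train.
    """
    r, f = parse_release(running), parse_release(fixed)
    if r["train"] != f["train"]:
        return None
    return r["num"] >= f["num"]


def triage(log_lines, ap_release):
    """Return (RADIUS server groups reported dead, verdict) for one AP."""
    groups = []
    for line in log_lines:
        m = SYSLOG_RE.search(line)
        if not m or (m["fac"], int(m["sev"]), m["mnem"]) != TARGET:
            continue
        g = GROUP_RE.search(m["text"])
        name = g.group(1) if g else "(unknown)"
        if name not in groups:
            groups.append(name)
    if not groups:
        return groups, "no-match"
    verdict = {True: "fix-present", False: "predates-fix", None: "other-train"}
    return groups, verdict[has_fix(ap_release)]


# Constructed sample log; only the second line is the message from this document.
SAMPLE_LOG = [
    "Jul 21 14:14:50.101 EDT: %SYS-5-CONFIG_I: Configured from console by console",
    "Jul 21 14:14:52.782 EDT: %RADIUS-3-ALLDEADSERVER: Group rad_eap: "
    "No active radius servers found. Id 254",
    "Jul 21 14:15:07.310 EDT: %RADIUS -3-ALLDEADSERVER: Group rad_eap: "
    "No active radius servers found. Id 255",
    "Jul 21 14:15:09.000 EDT: %LINK-3-UPDOWN: Interface FastEthernet0, "
    "changed state to up",
]

if __name__ == "__main__":
    for release in ("12.3(2)JA2", "12.3(7)JA"):
        print(release, triage(SAMPLE_LOG, release))
```

A "fix-present" verdict means the release is not the cause described here, so the dead-server message has to be explained another way.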

Cisco Support Community - Featured Conversations


Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers. Below are just some of the most recent and relevant conversations happening right now.

Configure Access point 1140
mrsystemengineer | 1 Reply | 2010/05/06 16:41
Dear All, I am not an expert in wireless and Cisco. I need to configure an access point 1140 in my network. I have 10 VLANs in my network (Switch 2960). How can I configure the access point to use two SSIDs, one for LAN and one for guest, with these two SSIDs in separate VLANs? I tried it like this... I created VLANs on the 3750 switch. I connected my access point to the 2960 switch (the 2960 switch is the end-user switch). I trunked the port on the 2960 switch that is connected to the access point. I assigned a static IP address to the BVI interface in the access point. I am unable to ping from the access point to other VLANs, or from other VLANs to the access point. Can anyone help to configure the access point? Regards,

Re: Configure Access point 1140
leolaohoo | 2010/05/06 16:41
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

Help Using ap1131ag
Labone001 | 1 Reply | 2010/01/17 14:46
Hi, I'm trying to set up a 1131 to give wireless access to office workers if they need it. I just need it to be an extension of the wired LAN. As it is connected to the LAN, I need this AP to be as secure as possible. We don't have a TACACS server or anything like that, so I was just going to use the AP's security, WPA or similar. Could someone let me know the best way to do this please (I'm not a networking expert but understand the basics)? Also, if the AP is hooked up to the LAN, will wireless clients pick up a DHCP address from the DHCP server on the LAN or do I need to configure DHCP on the AP somehow? Any help would be much appreciated. Mick.

Re: Help Using ap1131ag
leolaohoo | 2010/01/17 14:46
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

Multiple SSID on Cisco 1100 Series AP
get2dapsy | 1 Reply | 2010/03/01 16:22
Hello, I am trying to set up multiple SSIDs on an 1100 series AP mapped to different VLANs, but every time I create a VLAN mapped to an SSID the AP does not broadcast the SSID. Also, I am trying to configure trunking on the AP Ethernet port in order to carry multiple VLANs. Can anyone help me with suggestions on how to configure this on a Cisco 1100 AP? Thanks.

Re: Multiple SSID on Cisco 1100 Series...
leolaohoo | 2010/03/01 16:22
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

Setting Up air-ap1141n-a-k9?
charadehaha | 12 Replies | 2011/01/28 12:00
I recently acquired an air-ap1141n-a-k9 but I do not know how to set it up. I know this is probably really simple but I looked through the manual and couldn't figure it out. It says "Assign a static IP address by connecting to its console port and accessing the access point CLI". I connected an ethernet cable to the console port and my computer. How do I access the access point CLI though?

Re: Setting Up air-ap1141n-a-k9?
leolaohoo | 2011/01/24 20:19
Basic Wireless LAN Connection Configuration Example
Don't forget to rate useful posts. Thanks.

Re: Setting Up air-ap1141n-a-k9?
charadehaha | 2011/01/24 23:13
I don't have the equipment to do the The console port Note: In order to connect to the AP through the console port, connect a nine-pin, straight-through DB-9 serial cable to the RS-232 serial port on the AP and to the COM port on a computer. Set up a terminal emulator in order to communicate with the AP. Use these settings for the terminal emulator connection: 9600 baud 8 data bits No parity...

Re: Setting Up air-ap1141n-a-k9?
lal.antony | 2011/01/25 4:16
@Josh, Basically you need to get yourself a console cable (Cisco Blue Cable) and connect that using a serial port on your computer or a USB to serial dongle. After doing so, power up the AP, then you should get console access to the AP. If you don't know the IP address assigned to the management interface on the AP, this is the only way to get it working. After you get console access, issue the following commands to set up your management...

Re: Setting Up air-ap1141n-a-k9?
charadehaha | 2011/01/25 20:36
It doesn't seem right that you can only do this if you buy a cable. It seems like the box it came in would have that cable if that were the case. Is there a way to do it through the CLI telnet method?

Re: Setting Up air-ap1141n-a-k9?
lal.antony | 2011/01/26 17:14
@Josh, The console cable (blue cable) is in the original packaging, and without knowing the IP address of the interface it is not possible to do Telnet or GUI access to the AP.
Lal Antony
www.lalantony.com

Re: Setting Up air-ap1141n-a-k9?
AlanDaniel | 2011/01/26 11:18
I just configured one. On the CLI, on interface BVI1, put the IP address that you want, the subnet and the no shutdown commands; then via web browser put http:xxx.xxx.xxx.xxx and that is all. Best regards

Re: Setting Up air-ap1141n-a-k9?
charadehaha | 2011/01/26 16:02
How do I get to CLI and interface BVI1? Is there something I need to open or download?

Re: Setting Up air-ap1141n-a-k9?
leolaohoo | 2011/01/26 16:14
    ap>enable
    ap#conf t
    ap(config)#int bv1
    ap(config-if)#ip add 10.0.0.1 255.0.0.0
    ap(config-if)#end
Configure your client ip address to be 10.0.0.2, subnet mask is 255.0.0.0. Open a web browser to 10.0.0.1.

Re: Setting Up air-ap1141n-a-k9?
charadehaha | 2011/01/27 12:27
Where do I enter this information? Do I open the command prompt?
"ap>enable ap#conf t ap(config)#int bv1 ap(config-if)#ip add 10.0.0.1 255.0.0.0 ap(config-if)#end Configure your client ip address to be 10.0.0.2, subnet mask is 255.0.0.0. Open a web browser to 10.0.0.1."

Re: Setting Up air-ap1141n-a-k9?
leolaohoo | 2011/01/27 14:27
Console into the AP and make sure you have the "ap>". Cut-n-paste what I've posted below.
    enable
    conf t
    int bv1
    ip address 10.0.0.1 255.0.0.0
    end
    wr
If everything goes well without any error message, then ... Configure your client ip address to be 10.0.0.2, subnet mask is 255.0.0.0. Open a web browser to 10.0.0.1.

Trying to set up a Wireless AP 1130ag
mwaybright | 8 Replies | 2010/02/12 18:22
Hello, I have a wireless AP 1130ag. It doesn't show up on my network to get the IP address so I can configure it. I have the MAC address off of the back of the wireless AP, but it doesn't show up when I go to the cmd function and type in getmac. The way I have my network set up is as follows...maybe I don't have something set up correctly: Cable modem hooks into the router, router into a hub...from the hub I am running 2 other computers off it and then the wireless AP comes off the hub as well. I can't seem to get the IP address of the wireless AP to configure it so I can see it with my laptop to hook into the internet. Please help. Thanks, Cisco.com username: mwaybright email: mwaybright@consultant.com

Re: Trying to set up a Wireless AP...
leolaohoo | 2010/02/10 19:05
1. Is the AP powered up?
2. Can you console into your AP?
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

Re: Trying to set up a Wireless AP...
mwaybright | 2010/02/10 19:48
Yes, the AP is powered up and it sequences through the different color lights and the radio lights are lit up. I don't know how to console into it. Please advise.

Re: Trying to set up a Wireless AP...
leolaohoo | 2010/02/10 19:53
Hi Mark, Did you read the link I provided? It tells you the steps on setting up a console terminal to the AP.

Re: Trying to set up a Wireless AP...
mwaybright | 2010/02/10 19:59
Yes, I read it, but when I put in the IP address of 10.0.0.1 in the web browser it just comes up with a Google search page and doesn't open up the username/password section. I powered the unit down, waited 30 sec, turned it back on, waited for it to go through the different colored lights on the wireless AP, then tried the 10.0.0.1 IP address, but it didn't get me to the username/password section.

Re: Trying to set up a Wireless AP...
leolaohoo | 2010/02/10 20:13
Hi Mark, After you have configured the ip address of the AP using the console cable, can you configure your PC/Laptop to the next available IP address? Using a straight-through network cable, connect your PC/Laptop to the AP FastEthernet0 interface. Open a web browser and enter 10.0.0.1 in the address line.

Re: Trying to set up a Wireless AP...
leolaohoo | 2010/02/10 21:10
Hi Mark, I presume you got this working?

Re: Trying to set up a Wireless AP...
mwaybright | 2010/02/12 17:19
Not yet, I just got the console wire, trying to hook it up right now so I can communicate to the wireless AP through the console through the link you provided...I will let you know after I try to access it through the console wire. Mark

Re: Trying to set up a Wireless AP...
mwaybright | 2010/02/12 18:22
I have the console wire, I went through the link and put in the settings through Hyperterminal, then I just get a blank screen that I can type on with the Hyperterminal...what do I do next? I don't know what to type or what is next on the steps to assign an IP address to my AP. Please advise.

Unable to Connect to Cisco Aironet 1250
tiger3687 | 4 Replies | 2009/10/28 21:29
My office just bought the Cisco Aironet 1250 and I am tasked to set it up. Right now, I am unable to connect to the AP even when it is configured as Open Authentication without encryption. Tried using both laptops and our products to no avail. The same laptops and products are able to connect to other wireless routers. So far, only my Linksys Wireless-G USB network adapter is able to detect it. We are very puzzled by this because we were able to set up and connect to it initially. But when we try to reconfigure it to another setting, everything starts to fail. We have tried doing factory default. The AP is connected only to a Windows 2003 Server running DHCP and IAS. Appreciate it if someone can help me on this. Thanks

Re: Unable to Connect to Cisco Aironet...
jeromehenry | 2009/10/28 5:39
Can you post your AP configuration? Without it, it is difficult to know why it is failing. BTW, do you broadcast the SSID (if you do show run, do you see "guest-mode" under the dot11 ssid section)? Thanks, Jerome

Re: Unable to Connect to Cisco Aironet...
leolaohoo | 2009/10/28 17:26
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml
Hope this helps.

Re: Unable to Connect to Cisco Aironet...
tiger3687 | 2009/10/28 21:20
Hi All, Here are screen captures of my configuration:
http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/ExpressSetup.jpg
http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Security-EncryptionManager.jpg
http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Security-EncryptionManager.jpg
http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Security-SSIDManager02.jpg...

Re: Unable to Connect to Cisco Aironet...
tiger3687 | 2009/10/28 21:29
Yes, SSID is set to broadcast.

Aironet 1200 dropping AP in client mode
ruinazario | 1 Reply | 2005/12/23 8:38
This is an update of a previous post. I have an Aironet 1230 B and it is dropping clients, and I've found that it is only dropping APs in client mode and only the D-Link 900+. There are other D-Link APs in client mode that don't have this problem. I've disabled the Aironet extensions and increased the packet retries, but it's not stable, it drops the 900+. These clients have -72 dBm, 88% signal quality. If someone has any Aironet with D-Link 900+ as clients and had a similar problem, please leave a reply. Thanks. PS: using the latest firmware

Re: Aironet 1200 dropping AP in client...
mchin345 | 2005/12/23 8:38
To the best of my knowledge, the behaviour of AP will differ from one vendor to another vendor. This document provides a sample configuration that shows how to set up a basic wireless LAN (WLAN) connection with the use of a Cisco Aironet Access Point (AP) and computers with Cisco-compatible client adapters. The example uses the GUI.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml

Setting up AP1142N
john_gustafson_at_flnp.uscourts.gov | 4 Replies | 2010/10/22 4:30
I have an AP1142N that was sold to me as a stand-alone product. But there is no documentation or direction on how to set up or manage the device. Can you help me get started? Thanks

Re: Setting up AP1142N
leolaohoo | 2010/07/14 16:38
Unfortunately, I don't really know what you are trying to achieve. So have a look at the link below and let us know if you need more.
Basic Wireless LAN Connection Configuration Example
http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configuration_example09186a008055c39a.shtml
Please don't forget to rate useful posts. Thanks.

Re: Setting up AP1142N
john_gustafson@flnp.uscourts.gov | 2010/07/15 6:38
I tried the link you provided and got Forbidden File or Application. All I'm looking for is some documentation to set up the device. I purchased it new and it didn't come with anything. My purpose for the device is to allow wireless access for our laptop users in an office training room. I appreciate any help.

Re: Setting up AP1142N
leolaohoo | 2010/07/15 16:10
The link is valid. I just tried it.

Re: Setting up AP1142N
diogo.matos | 2010/10/22 4:30
I think I have the same problem that the OP has... Maybe it's because I'm a new member?

Basic configuration AP-Switch problems
rguzman.plannet | 2 Replies | 2009/01/21 21:01
Hello, I am having a problem when I try to configure my AP1131 to a port in a WSC3560-24PS-S. I've always known that the switchport must be configured as a trunk. I will try to give a clear explanation of what I've done:
In the AP:
1.- ip address
2.- default gateway
3.- vlans configuration
4.- map SSIDs to vlans
In the switch: Only configure the port as a trunk
    interface FastEthernet0/9
     switchport trunk encapsulation dot1q
     switchport mode trunk
This way I can do everything. Get access to the network, ping, telnet other devices, but not administer nor ping the AP. But if I configure the switchport as an access port:
    interface FastEthernet0/9
     switchport access vlan 10
     switchport mode access
This way I can ping other devices from the AP, ping and telnet the AP from the wired network (my laptop). I can connect to the SSID but not ping nor telnet the AP or other devices. I hope that someone can give a clue of what I'm doing wrong or forgetting to configure. Thanks a lot

Re: Basic configuration AP-Switch...
leolaohoo | 2009/01/21 20:57
Have you tried going through the Wireless LAN Controller and Lightweight Access Point Basic Configuration Example (Document ID: 69719)?
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml
Does this document help?

Re: Basic configuration AP-Switch...
wesleyterry | 2009/01/21 21:01
If vlan 10 is your native vlan for the IP address, do you need the following:
    switchport trunk native vlan 10
I'm not familiar with your situation, but if switchport access vlan 10 makes it work, then you'll probably need to specify which vlan is the native vlan for the trunk (vlan 10) I suppose.

connection between lightweight access...
nitass | 1 Reply | 2006/08/24 7:48
Hello everybody, I am a bit confused about the Cisco 1000 series access point connection. On the wireless LAN controller and lightweight access point basic configuration example, document ID 69719 (http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml), I understood the access point has two VLANs associated with it (VLAN 3 and 4). Am I correct? Why is the connection between the access point and the Catalyst port just an access port rather than an 802.1q trunk? How can VLAN traffic traverse from the access point to the controller? Please advise. Many thanks, Nitass

Re: connection between lightweight...
steprodr | 2006/08/24 7:48
Nitass, The AP itself does not need to be a trunked port, but the uplink to the controller does. When using a Lightweight environment, all the traffic passes thru an encrypted LWAPP tunnel from the AP to the controller, and then gets sent out the correct VLAN interface on the controller.

AP1131-AG Configuration
treggleston | 1 Reply | 2006/10/10 6:12
I have the AP1131-AG. What is the best way to config out of the box? I am consoled in.

Re: AP1131-AG Configuration
rob.huffman | 2006/10/10 6:12
Hi Troy, Here are some docs to help get you started here. Please note that using the web GUI may be a little more user friendly;
Configuring the Access Point for the First Time
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341ccf.html
Using the Command-Line Interface...

Related Information
- Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA
- Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide, OL-4211-04
- Configuring the Access Point for the First Time
- Wireless Support Page
- Technical Support & Documentation - Cisco Systems

Document ID: 44720


Wireless Domain Services Configuration


Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Wireless Domain Services
Role of the WDS Device
Role of Access Points Using the WDS Device
Configuration
Designate an AP as WDS
Designate a WLSM as WDS
Designate an AP as Infrastructure Device
Define Client Authentication Method
Verify
Troubleshoot
Troubleshooting Commands
Cisco Support Community - Featured Conversations
Related Information

Introduction
This document introduces the concept of Wireless Domain Services (WDS). The document also describes how to configure one access point (AP) or the Wireless LAN Services Module (WLSM) as the WDS and at least one other as an infrastructure AP. The procedure in this document guides you to a WDS that is functional and allows clients to associate to either the WDS AP or to an infrastructure AP. This document intends to establish a basis from which you can configure Fast Secure Roaming or introduce a Wireless LAN Solutions Engine (WLSE) into the network, so you can use the features.

Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
• Have thorough knowledge of wireless LAN networks and wireless security issues.
• Have knowledge of current Extensible Authentication Protocol (EAP) security methods.

Components Used
The information in this document is based on these software and hardware versions:
• APs with Cisco IOS Software
• Cisco IOS Software Release 12.3(2)JA2 or later
• Catalyst 6500 Series Wireless LAN Services Module

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration and an IP address on interface BVI1, so the unit is accessible from the Cisco IOS Software GUI or the command line interface (CLI). If you work in a live network, ensure that you understand the potential impact of any command.

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Wireless Domain Services


WDS is a new feature for APs in Cisco IOS Software and the basis of the Catalyst 6500 Series WLSM. WDS is a core function that enables other features like these:
• Fast Secure Roaming
• WLSE interaction
• Radio Management

You must establish relationships between the APs that participate in WDS and the WLSM, before any other WDS-based features work. One of the purposes of WDS is to eliminate the need for the authentication server to validate user credentials and reduce the time required for client authentications. In order to use WDS, you must designate one AP or the WLSM as the WDS. A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. The WLSM must have a relationship with the authentication server, even though WLSM does not need to authenticate to the server.

Other APs, called infrastructure APs, communicate with the WDS. Before registration occurs, the infrastructure APs must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication. One or more client server groups on the WDS define client authentication. When a client attempts to associate to an infrastructure AP, the infrastructure AP passes the credentials of the user to the WDS for validation. If the WDS sees the credentials for the first time, WDS turns to the authentication server to validate the credentials. The WDS then caches the credentials, in order to eliminate the need to return to the authentication server when the same user attempts authentication again. Examples of re-authentication include:
• Re-keying
• Roaming
• When the user starts up the client device

Any RADIUS-based EAP authentication protocol can be tunneled through WDS such as these:
• Lightweight EAP (LEAP)
• Protected EAP (PEAP)
• EAP-Transport Layer Security (EAP-TLS)
• EAP-Flexible Authentication through Secure Tunneling (EAP-FAST)

MAC address authentication can also tunnel to either an external authentication server or against a list local to a WDS AP. The WLSM does not support MAC address authentication.

The WDS and the infrastructure APs communicate over a multicast protocol called WLAN Context Control Protocol (WLCCP). These multicast messages cannot be routed, so a WDS and the associated infrastructure APs must be in the same IP subnet and on the same LAN segment. Between the WDS and the WLSE, WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, a protocol like Network Address Translation (NAT) cannot translate the packets.

An AP configured as the WDS device supports up to 60 participating APs. An Integrated Services Router (ISR) configured as the WDS device supports up to 100 participating APs. A WLSM-equipped switch supports up to 600 participating APs and up to 240 mobility groups. A single AP supports up to 16 mobility groups.

Note: Cisco recommends that the infrastructure APs run the same version of IOS as the WDS device. If you use an older version of IOS, the APs might fail to authenticate to the WDS device. In addition, Cisco recommends that you use the latest version of the IOS. You can find the latest version of IOS in the Wireless downloads page.

Role of the WDS Device


The WDS device performs several tasks on your wireless LAN:

• Advertises its WDS capability and participates in electing the best WDS device for your wireless LAN. When you configure your wireless LAN for WDS, you set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes off line, one of the backup WDS devices takes its place.
• Authenticates all APs in the subnet and establishes a secure communication channel with each of them.
• Collects radio data from APs in the subnet, aggregates the data, and forwards it to the WLSE device on your network.
• Acts as a pass-through for all 802.1x-authenticated client devices associated to participating APs.
• Registers all client devices in the subnet that use dynamic keying, establishes session keys for them, and caches their security credentials. When a client roams to another AP, the WDS device forwards the client's security credentials to the new AP.

Role of Access Points Using the WDS Device


The APs on your wireless LAN interact with the WDS device in these activities:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• Authenticate with the WDS device and establish a secure communication channel to the WDS device.
• Register associated client devices with the WDS device.
• Report radio data to the WDS device.

Configuration
This document presents the configuration in an ordered, modular fashion. Each concept builds on the concept that precedes it. The document omits other configuration items, such as passwords, remote access, and radio settings, for clarity and to focus on the core subject matter. This section presents the information necessary to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Designate an AP as WDS
The first step is to designate an AP as the WDS. The WDS AP is the only one that communicates with the authentication server. Complete these steps in order to designate an AP as WDS:

1. In order to configure the Authentication server on the WDS AP, choose Security > Server Manager to go to the Server Manager tab:
   a. Under Corporate Servers, type the IP address of the authentication server in the Server field.
   b. Specify the Shared Secret and the ports.
   c. Under Default Server Priorities, set the Priority 1 field to that server IP address under the appropriate authentication type.

Alternatively, issue these commands from the CLI:

WDS_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WDS_AP(config)# aaa group server radius rad_eap
WDS_AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
WDS_AP(config-sg-radius)#exit
WDS_AP(config)# aaa new-model
WDS_AP(config)# aaa authentication login eap_methods group rad_eap
WDS_AP(config)# radius-server host 10.0.0.3 auth-port 1645 acct-port 1646 key labap1200ip102
!--- This command appears over two lines here due to space limitations.
WDS_AP(config)# end
WDS_AP#write memory

2. The next step is to configure the WDS AP in the authentication server as an authentication, authorization, and accounting (AAA) client. For this, you need to add the WDS AP as an AAA client. Complete these steps:

   Note: This document uses the Cisco Secure ACS server as the authentication server.

   a. In Cisco Secure Access Control Server (ACS), this occurs on the Network Configuration page where you define these attributes for the WDS AP:
      o Name
      o IP address
      o Shared secret
      o Authentication method
         - RADIUS Cisco Aironet
         - RADIUS Internet Engineering Task Force [IETF]
      Click on Submit. For other non-ACS authentication servers, refer to the documentation from the manufacturer.
   b. Also, in Cisco Secure ACS, ensure that you configure ACS to perform LEAP authentication on the System Configuration - Global Authentication Setup page. First, click System Configuration, then click Global Authentication Setup.
   c. Scroll down the page to the LEAP setting. When you check the box, ACS authenticates LEAP.

3. In order to configure the WDS settings on the WDS AP, choose Wireless Services > WDS on the WDS AP, and click on the General Set-Up tab. Perform these steps:
   a. Under WDS-Wireless Domain Services - Global Properties, check Use this AP as Wireless Domain Services.
   b. Set the value for the Wireless Domain Services Priority field to a value of approximately 254, because this is the first one. You can configure one or more APs or switches as candidates to provide WDS. The device with the highest priority provides WDS.

Alternatively, issue these commands from the CLI:

WDS_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WDS_AP(config)# wlccp wds priority 254 interface BVI1
WDS_AP(config)# end
WDS_AP#write memory

4. Choose Wireless Services > WDS, and go to the Server Groups tab:
   a. Define a Server Group Name that authenticates the other APs, an Infrastructure group.
   b. Set Priority 1 to the previously configured authentication server.
   c. Click the Use Group For: Infrastructure Authentication radio button.
   d. Apply the settings to the relevant Service Set Identifiers (SSIDs).

Alternatively, issue these commands from the CLI:

WDS_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WDS_AP(config)# wlccp authentication-server infrastructure method_Infrastructure
WDS_AP(config)# aaa group server radius Infrastructure
WDS_AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
WDS_AP(config-sg-radius)#exit
WDS_AP(config)# aaa authentication login method_Infrastructure group Infrastructure
WDS_AP(config)# end
WDS_AP#write memory
!--- Some of the commands in this table appear over two lines here due to
!--- space limitations. Ensure that you enter these commands in a single line.

5. Configure the WDS user name and password as a user in your authentication server. In Cisco Secure ACS, this occurs on the User Setup page, where you define the WDS user name and password. For other non-ACS authentication servers, refer to the documentation from the manufacturer.

   Note: Do not put the WDS user in a group that is assigned many rights and privileges. WDS only requires limited authentication.

6. Choose Wireless Services > AP, and click Enable for the Participate in SWAN infrastructure option. Then type the WDS Username and Password. You must define a WDS user name and password on the authentication server for all devices that you designate members of the WDS.

Alternatively, issue these commands from the CLI:


WDS_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WDS_AP(config)# wlccp ap username wdsap password wdsap
WDS_AP(config)# end
WDS_AP#write memory

7. Choose Wireless Services > WDS. On the WDS AP WDS Status tab, check whether the WDS AP appears in the WDS Information area, in the ACTIVE State. The AP must also appear in the AP Information area, with State as REGISTERED.
   a. If the AP does not appear REGISTERED or ACTIVE, check the authentication server for any errors or failed authentication attempts.
   b. When the AP registers appropriately, add an infrastructure AP to use the services of the WDS.

Alternatively, issue these commands from the CLI:

WDS_AP#show wlccp wds ap
MAC-ADDR          IP-ADDR       STATE         LIFETIME
0005.9a38.429f    10.0.0.102    REGISTERED    261

WDS_AP#show wlccp ap
WDS = 0005.9a38.429f, 10.0.0.102
state = wlccp_ap_st_registered
IN Authenticator = 10.0.0.102
MN Authenticator = 10.0.0.102
WDS_AP#

Note: You cannot test client associations because client authentication does not have provisions yet.

Designate a WLSM as WDS


This section explains how to configure a WLSM as a WDS. The WDS is the only device that communicates with the authentication server.

Note: Issue these commands at the enable command prompt of the WLSM, not of the Supervisor Engine 720. In order to get to the command prompt of the WLSM, issue these commands at an enable command prompt in the Supervisor Engine 720:

c6506#session slot x proc 1
!--- In this command, x is the slot number where the WLSM resides.
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.51 ... Open
User Access Verification
Username: <username>
Password: <password>
wlan>enable
Password: <enable password>
wlan#

Note: In order to troubleshoot and maintain your WLSM more easily, configure Telnet remote access to the WLSM. Refer to Configuring Telnet Remote Access.

In order to designate a WLSM as WDS:

1. From the CLI of the WLSM, issue these commands, and establish a relationship with the authentication server:

wlan#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wlan(config)# aaa new-model
wlan(config)# aaa authentication login leap-devices group radius
wlan(config)# aaa authentication login default enable
wlan(config)# radius-server host ip_address_of_authentication_server auth-port 1645 acct-port 1646
!--- This command needs to be on one line.
wlan(config)# radius-server key shared_secret_with_server
wlan(config)# end
wlan#write memory

Note: There is no priority control in the WLSM. If the network contains multiple WLSM modules, WLSM uses redundancy configuration in order to determine the primary module.

2. Configure the WLSM in the authentication server as an AAA client. In Cisco Secure ACS, this occurs on the Network Configuration page where you define these attributes for the WLSM:
   o Name
   o IP address
   o Shared secret
   o Authentication method
      - RADIUS Cisco Aironet
      - RADIUS IETF

   For other non-ACS authentication servers, refer to the documentation from the manufacturer.

   a. Also, in Cisco Secure ACS, configure ACS to perform LEAP authentication on the System Configuration - Global Authentication Setup page. First, click System Configuration, then click Global Authentication Setup.
   b. Scroll down the page to the LEAP setting. When you check the box, ACS authenticates LEAP.

3. On the WLSM, define a method that authenticates the other APs (an infrastructure server group).

wlan#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wlan(config)# wlccp authentication-server infrastructure leap-devices
wlan(config)# end
wlan#write memory

4. On the WLSM, define a method that authenticates the client devices (a client server group) and what EAP types those clients use.

wlan#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wlan(config)# wlccp authentication-server client any leap-devices
wlan(config)# end
wlan#write memory

Note: This step eliminates the need for the Define Client Authentication Method process.

5. Define a unique VLAN between the Supervisor Engine 720 and the WLSM in order to allow the WLSM to communicate with outside entities like APs and authentication servers. This VLAN is unused anywhere else or for any other purpose on the network. Create the VLAN on the Supervisor Engine 720 first, then issue these commands:

o On the Supervisor Engine 720:

c6506#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
c6506(config)# wlan module slot_number allowed-vlan vlan_number
c6506(config)# vlan vlan_number
c6506(config)# interface vlan vlan_number
c6506(config-if)#ip address ip_address subnet_mask
c6506(config-if)#no shut
c6506(config)# end
c6506#write memory

o On the WLSM:

wlan#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
wlan(config)# wlan vlan vlan_number
wlan(config)# ipaddr ip_address subnet_mask
wlan(config)# gateway ip_address_of_vlan_interface_on_Sup720_created_above
wlan(config)# ip route 0.0.0.0 0.0.0.0
!--- This is typically the same address as the gateway statement.
wlan(config)# admin
wlan(config)# end
wlan#write memory

6. Verify the function of the WLSM with these commands:

o On the WLSM:

wlan#show wlccp wds mobility
LCP link status: up
HSRP state: Not Applicable
Total # of registered AP: 0
Total # of registered MN: 0

Tunnel Bindings:
Network ID    Tunnel IP          MTU          FLAGS
==========    ===============    =========    =====
<vlan>        <ip address>       1476         T

Flags: T=Trusted, B=IP Broadcast enabled, N=Nonexistent
wlan#

o On the Supervisor Engine 720:

c6506#show mobility status
WLAN Module is located in Slot: 5 (HSRP State: Active)
LCP Communication status      : up
Number of Wireless Tunnels    : 0
Number of Access Points       : 0
Number of Access Points       : 0

Designate an AP as Infrastructure Device


Next, you must designate at least one infrastructure AP and relate the AP to the WDS. The clients associate to infrastructure APs. The infrastructure APs request the WDS AP or WLSM to perform authentication for them.

Complete these steps in order to add an infrastructure AP that uses the services of the WDS:

Note: This configuration applies only to the infrastructure APs and not the WDS AP.

1. Choose Wireless Services > AP. On the infrastructure AP, select Enable for the Wireless Services option. Then type the WDS Username and Password. You must define a WDS user name and password on the authentication server for all devices that are to be members of the WDS.

Alternatively, issue these commands from the CLI:

Infrastructure_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Infrastructure_AP(config)# wlccp ap username infrastructureap password infrastructureap
Infrastructure_AP(config)# end
Infrastructure_AP# write memory

2. Choose Wireless Services > WDS. On the WDS AP WDS Status tab, the new infrastructure AP appears in the WDS Information area, with State as ACTIVE, and in the AP Information area, with State as REGISTERED.
   a. If the AP does not appear ACTIVE and/or REGISTERED, check the authentication server for any errors or failed authentication attempts.
   b. After the AP appears ACTIVE and/or REGISTERED, add a client authentication method to the WDS.

Alternatively, issue this command from the CLI:


WDS_AP#show wlccp wds ap
MAC-ADDR          IP-ADDR       STATE         LIFETIME
000c.8547.b6c7    10.0.0.108    REGISTERED    194
0005.9a38.429f    10.0.0.102    REGISTERED    76

Alternatively, issue this command from the WLSM:


wlan#show wlccp wds ap
MAC-ADDR          IP-ADDR       STATE         LIFETIME
000c.8547.b6c7    10.0.0.108    REGISTERED    194
0005.9a38.429f    10.0.0.102    REGISTERED    76
wlan#

Then, issue this command on the infrastructure AP:


Infrastructure_AP# show wlccp ap
WDS = 0005.9a38.429f, 10.0.0.102
state = wlccp_ap_st_registered
IN Authenticator = 10.0.0.102
MN Authenticator = 10.0.0.102
Infrastructure_AP#

Note: You cannot test client associations because client authentication does not have provisions yet.
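The registration check in the steps above can be scripted so that it also catches APs that registered without being expected. The Python below is an added example, not part of the original Cisco document; it parses show wlccp wds ap output by field shape and reconciles it with an AP inventory. The third output row, the third inventory entry and the function names are constructed for illustration.

```python
import re

MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAX_APS_PER_WDS_AP = 60  # participating-AP limit this document gives for a WDS AP

# Sample output: first two rows use the values shown in this document,
# the third row is constructed to represent an AP nobody expected.
SAMPLE_OUTPUT = """\
WDS_AP#show wlccp wds ap
MAC-ADDR          IP-ADDR       STATE         LIFETIME
000c.8547.b6c7    10.0.0.108    REGISTERED    194
0005.9a38.429f    10.0.0.102    REGISTERED    76
0011.2233.4455    10.0.0.150    REGISTERED    300
"""

# Expected inventory (assumption): MAC address -> device name.
INVENTORY = {
    "0005.9a38.429f": "WDS_AP",
    "000c.8547.b6c7": "Infrastructure_AP",
    "0011.2233.4466": "Infrastructure_AP_2",  # constructed, never registers
}


def parse_wds_ap_table(output):
    """Parse 'show wlccp wds ap' text into {mac: {"ip", "state", "lifetime"}}.

    Fields are recognised by shape rather than by column position, so the
    parser does not depend on the column order of a particular release.
    """
    table = {}
    for line in output.splitlines():
        fields = line.split()
        macs = [f for f in fields if MAC.match(f)]
        if len(macs) != 1:
            continue  # prompt, header or unrelated line
        table[macs[0].lower()] = {
            "ip": next((f for f in fields if IPV4.match(f)), None),
            "state": next((f for f in fields if f.isalpha()), "UNKNOWN"),
            "lifetime": next((int(f) for f in fields if f.isdigit()), None),
        }
    return table


def reconcile(output, inventory):
    """Compare the APs registered with the WDS against the expected inventory."""
    seen = parse_wds_ap_table(output)
    known = {mac.lower(): name for mac, name in inventory.items()}
    return {
        # registered with valid WDS credentials but not in the inventory
        "unexpected": sorted(m for m in seen if m not in known),
        # in the inventory but absent from the WDS table
        "missing": sorted(n for m, n in known.items() if m not in seen),
        # present but in any state other than REGISTERED
        "not_registered": sorted(
            known[m] for m, row in seen.items()
            if m in known and row["state"] != "REGISTERED"
        ),
        "over_limit": len(seen) > MAX_APS_PER_WDS_AP,
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_OUTPUT, INVENTORY).items():
        print(f"{key}: {value}")
```

An entry under unexpected means a device authenticated with a valid WDS user name and password, so the follow-up is on the authentication server, as step 2a above advises.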

Define Client Authentication Method


Finally, define a method of client authentication. Complete these steps in order to add a client authentication method:

1. Choose Wireless Services > WDS. Perform these steps on the WDS AP Server Groups tab:
   a. Define a server group that authenticates clients (a Client group).
   b. Set Priority 1 to the previously configured authentication server.
   c. Set the applicable type of authentication (LEAP, EAP, MAC, and so forth).
   d. Apply the settings to the relevant SSIDs.

Alternatively, issue these commands from the CLI:

WDS_AP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
WDS_AP(config)# wlccp authentication-server client eap method_Client
WDS_AP(config)# wlccp authentication-server client leap method_Client
WDS_AP(config)# aaa group server radius Client
WDS_AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
WDS_AP(config-sg-radius)#exit
WDS_AP(config)# aaa authentication login method_Client group Client
WDS_AP(config)# end
WDS_AP#write memory

Note: The example WDS AP is dedicated and does not accept client associations.

Note: Do not configure server groups on the infrastructure APs, because infrastructure APs forward any requests to the WDS to be processed.

2. On the infrastructure AP or APs:
   a. Under the Security > Encryption Manager menu item, click WEP Encryption or Cipher, as required by the authentication protocol you use.
   b. Under the Security > SSID Manager menu item, select authentication methods as required by the authentication protocol you use.

3. You can now successfully test whether clients authenticate to infrastructure APs. The AP of the WDS in the WDS Status tab (under the Wireless Services > WDS menu item) indicates that the client appears in the Mobile Node Information area and has a REGISTERED State. If the client does not appear, check the authentication server for any errors or failed authentication attempts by the clients.

Alternatively, issue these commands from the CLI:


WDS_AP#show wlccp wds
MAC: 0005.9a38.429f, IP-ADDR: 10.0.0.102, Priority: 254
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 2, MN Count: 1

WDS_AP#show wlccp wds mn
MAC-ADDR          IP-ADDR      Cur-AP            STATE
0030.6527.f74a    10.0.0.25    000c.8547.b6c7    REGISTERED
WDS_AP#

Note: If you need to debug authentication, ensure that you debug on the WDS AP, because the WDS AP is the device that communicates with the authentication server.
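Every wlccp authentication-server line names a login method list, and every method list names a server group, so one mistyped name leaves WDS pointing at something that does not exist. The Python below is an added example, not part of the original Cisco document; it checks that chain in a pasted configuration and flags two choices a reviewer would question. PAGE_CONFIG is assembled from the commands in this document, MISMATCH_CONFIG is constructed, and the function name and severities are assumptions.

```python
import re

PROMPT = re.compile(r"^[\w.-]+(?:\([\w-]+\))?#\s*")  # "WDS_AP(config)# ", "wlan#"

# Assembled from the WDS AP commands shown in this document.
PAGE_CONFIG = """\
WDS_AP(config)# aaa new-model
WDS_AP(config)# aaa group server radius Infrastructure
WDS_AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
WDS_AP(config-sg-radius)#exit
WDS_AP(config)# aaa group server radius Client
WDS_AP(config-sg-radius)#server 10.0.0.3 auth-port 1645 acct-port 1646
WDS_AP(config-sg-radius)#exit
WDS_AP(config)# aaa authentication login method_Infrastructure group Infrastructure
WDS_AP(config)# aaa authentication login method_Client group Client
WDS_AP(config)# wlccp authentication-server infrastructure method_Infrastructure
WDS_AP(config)# wlccp authentication-server client eap method_Client
WDS_AP(config)# wlccp authentication-server client leap method_Client
WDS_AP(config)# wlccp ap username wdsap password wdsap
WDS_AP(config)# wlccp wds priority 254 interface BVI1
"""

# Constructed: the method list is defined under one spelling, used under another.
MISMATCH_CONFIG = """\
wlan(config)# aaa new-model
wlan(config)# aaa authentication login leapdevices group radius
wlan(config)# wlccp authentication-server infrastructure leap-devices
wlan(config)# wlccp authentication-server client any leap-devices
"""


def audit_wds_config(text):
    """Return a list of (severity, message) findings for a WDS device config."""
    groups = {"radius"}  # built-in group: every configured radius-server host
    methods = {}         # login method list -> server group it uses
    refs = []            # (role, method list) named by wlccp authentication-server
    findings = []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())  # accept pasted CLI transcripts
        if (m := re.match(r"aaa group server radius (\S+)$", line)):
            groups.add(m.group(1))
        elif (m := re.match(r"aaa authentication login (\S+) group (\S+)", line)):
            methods[m.group(1)] = m.group(2)
        elif (m := re.match(r"wlccp authentication-server infrastructure (\S+)$", line)):
            refs.append(("infrastructure", m.group(1)))
        elif (m := re.match(r"wlccp authentication-server client (\S+) (\S+)$", line)):
            refs.append(("client " + m.group(1), m.group(2)))
            if m.group(1) == "leap":
                findings.append(("MEDIUM", "LEAP accepted for clients; LEAP is "
                                 "susceptible to offline dictionary attacks, "
                                 "prefer PEAP, EAP-TLS or EAP-FAST"))
        elif (m := re.match(r"wlccp ap username (\S+) password (\S+)$", line)):
            if m.group(1) == m.group(2):
                findings.append(("HIGH", f"WDS user '{m.group(1)}' uses its "
                                 "user name as its password"))
    # Resolve wlccp -> method list -> server group after all lines are read,
    # because the document enters these commands in either order.
    for role, name in refs:
        if name not in methods:
            findings.append(("HIGH", f"{role}: method list '{name}' has no "
                             "'aaa authentication login' definition"))
        elif methods[name] not in groups:
            findings.append(("HIGH", f"{role}: method list '{name}' uses "
                             f"undefined server group '{methods[name]}'"))
    if not any(role == "infrastructure" for role, _ in refs):
        findings.append(("HIGH", "no infrastructure authentication-server line: "
                         "infrastructure APs cannot authenticate to the WDS"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page", PAGE_CONFIG), ("mismatch", MISMATCH_CONFIG)):
        for severity, message in audit_wds_config(cfg):
            print(f"[{label}] {severity}: {message}")
```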

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot
This section provides information that you can use to troubleshoot your configuration. This list shows some of the common questions related to the WDS command in order to further clarify the usefulness of these commands:
• Question: On the WDS AP, what are the recommended settings for these items?
   o radius-server timeout
   o radius-server deadtime
   o Temporal Key Integrity Protocol (TKIP) message integrity check (MIC) Failure Holdoff Time
   o Client Holdoff Time
   o EAP or MAC Reauthentication Interval
   o EAP Client Timeout (optional)

  Answer: It is suggested that you keep the configuration with default settings regarding these special settings, and only use them when there is a problem regarding timing. These are the recommended settings for the WDS AP:
   o Disable radius-server timeout. This is the number of seconds an AP waits for a reply to a RADIUS request before it resends the request. The default is 5 seconds.
   o Disable radius-server deadtime. The RADIUS is skipped by additional requests for the duration of minutes unless all servers are marked dead.
   o TKIP MIC Failure Holdoff Time is enabled by default to 60 seconds. If you enable holdoff time, you can enter the interval in seconds. If the AP detects two MIC failures within 60 seconds, it blocks all TKIP clients on that interface for the holdoff time period specified here.
   o Client Holdoff Time should be disabled by default. If you enable holdoff, enter the number of seconds that the AP should wait after an authentication failure before a subsequent authentication request is processed.
   o EAP or MAC Reauthentication Interval is disabled by default. If you enable reauthentication, you can specify the interval or accept the interval given by the authentication server. If you choose to specify the interval, enter the interval in seconds that the AP waits before it forces an authenticated client to reauthenticate.
   o EAP Client Timeout (optional) is 120 seconds by default. Enter the amount of time the AP should wait for wireless clients to respond to EAP authentication requests.

• Question: In regards to TKIP holdoff time, I read that this should be set to 100 ms and not 60 seconds. I assume it is set to one second from the browser because that is the lowest number you can select?

  Answer: There is no specific recommendation to set it to 100 ms unless there is a failure reported where the only solution is to increase this time. One second is the lowest setting.
• Question: Do these two commands help client authentication in any way and are they needed on the WDS or infrastructure AP?
   o radius-server attribute 6 on-for-login-auth
   o radius-server attribute 6 support-multiple

  Answer: These commands do not help the authentication process and they are not needed on the WDS or the AP.

• Question: On the infrastructure AP, I assume that none of the Server Manager and Global Properties settings are needed because the AP receives information from the WDS. Are any of these specific commands needed for the infrastructure AP?
   o radius-server attribute 6 on-for-login-auth
   o radius-server attribute 6 support-multiple
   o radius-server timeout
   o radius-server deadtime

  Answer: There is no need to have Server Manager and Global Properties for the infrastructure APs. The WDS takes care of that task and there is no need to have these settings:
   o radius-server attribute 6 on-for-login-auth
   o radius-server attribute 6 support-multiple
   o radius-server timeout
   o radius-server deadtime

The radius-server attribute 32 include-in-access-req format %h setting remains by default and is required.

An AP is a Layer 2 device. Therefore, the AP does not support Layer 3 mobility when the AP is configured to act as a WDS device. You can achieve Layer 3 mobility only when you configure the WLSM as the WDS device. Refer to the Layer 3 Mobility Architecture section of Cisco Catalyst 6500 Series Wireless LAN Services Module: White Paper for more information.

Therefore, when you configure an AP as a WDS device, do not use the mobility network-id command. This command applies to Layer 3 mobility and you need to have a WLSM as your WDS device in order to properly configure Layer 3 mobility. If you use the mobility network-id command incorrectly, you can see some of these symptoms:

• Wireless clients cannot associate with the AP.
• Wireless clients can associate to the AP, but do not receive an IP address from the DHCP server.
• A wireless phone is not authenticated when you have a voice over WLAN deployment.
• EAP authentication does not occur. With the mobility network-id configured, the AP tries to build a Generic Routing Encapsulation (GRE) tunnel to forward EAP packets. If no tunnel is established, the packets do not go anywhere.
• An AP configured as a WDS device does not function as expected, and the WDS configuration does not work.

Note: You cannot configure the Cisco Aironet 1300 AP/Bridge as a WDS master. The 1300 AP/Bridge does not support this functionality. The 1300 AP/Bridge can participate in a WDS network as an infrastructure device in which some other AP or WLSM is configured as a WDS master.

Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output. Note: Refer to Important Information on Debug Commands before you use debug commands.
• debug dot11 aaa authenticator all: Shows the various negotiations that a client goes through as the client associates and authenticates through the 802.1x or EAP process. This debug was introduced in Cisco IOS Software Release 12.2(15)JA. This command obsoletes debug dot11 aaa dot1x all in that and later releases.
• debug aaa authentication: Shows the authentication process from a generic AAA perspective.
• debug wlccp ap: Shows the WLCCP negotiations involved as an AP joins a WDS.
• debug wlccp packet: Shows the detailed information about WLCCP negotiations.
• debug wlccp leap-client: Shows the details as an infrastructure device joins a WDS.

Cisco Support Community - Featured Conversations


Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers. Below are just some of the most recent and relevant conversations happening right now.
UC520W and Wireless Domain Services...
dexter.s.cole | 2 Replies | 1 year, 5 months ago

Does the UC520W support participation wireless domain services (WDS)? If so, how does one go about configuring it?

Re: UC520W and Wireless Domain Services...
marchern | 1 year, 6 months ago

WDS is not supported in the built-in AP of UC500. Thanks, Marcos

Re: UC520W and Wireless Domain Services...
dexter.s.cole | 1 year, 5 months ago

I thought as much. Thanks.

Wireless AP as controller
oneirishpollack | 2 Replies | 2 years, 2 months ago

Is there a way to give one AP in a network the role of a "controller", so that basically all other APs will get their configuration or client authentication through the single device? We have 12 autonomous APs and we are using MAC authentication as part of our security strategy.

Re: Wireless AP as controller
leolaohoo | 2 years, 2 months ago

As long as the AP's are in Autonomous mode. Wireless Domain Services AP as an AAA Server Configuration Example http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_example09186a008059a559.shtml Hope this helps.

Re: Wireless AP as controller
jeff.kish | 2 years, 2 months ago

To clarify, WDS isn't a lightweight solution, and thus the APs won't receive their configurations from your "host" AP. WDS allows for Cisco features such as fast-secure roaming (see Leo's link for more information). There's no way to use an AP as a lightweight controller.

Wireless Domain Services on Switch
johnnys_at_za.ibm.com | 1 Reply | 5 years, 10 months ago

Hi, Besides the Cisco Access Points and Routers, can Wireless Domain Services be configured on the Catalyst 3550 or is it only for the Cat 6500 switch? regds Johnny

Re: Wireless Domain Services on Switch
mgleason | 5 years, 10 months ago

Hi please follow this link for answer to your questions. http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
Cisco WDS
carl_townshend | 0 Replies | 4 years, 2 weeks ago

Hi all, I have seen Wireless domain services setup on my ap, what is it for and what does it do? thanks Carl

PEAPney253 Replies3 years, 9 months ago hi , anyone can help ? EAP-TLS or PEAP authentication failed during SSL handshake regards kitten Subscribe
o

Reply

Re: PEAPfynskisb163 years, 9 months ago I think this is the same issue you are having. This post might help. http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%2 0%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB %3Fcmd%3Ddisplay_location%26location%3D.1ddfa0ac Reply


Re: PEAP
ney25 | 3 years, 9 months ago
Hi Fynskisb16, thanks for your information, that's really helpful for me. I have another question about the WDS and WPA2, because I noticed that when I implemented WDS, those who are using PEAP/WPA2 were affected. They can't even connect to the network. Thanks


Re: PEAP
fynskisb16 | 3 years, 9 months ago
What type of APs are you using? If lwapped from IOS they don't support WDS. Hope this helps.

"Access points converted to lightweight mode do not support Wireless Domain Services (WDS). Converted access points communicate only with Cisco wireless LAN controllers and cannot communicate with WDS devices."
http://www.cisco.com/en/US/docs/wireless/controller/3.2/configuration/guide/c32lwap.html

Client reauthenticating flip-flopping APs
swoodyard | 8 Replies | 3 years, 2 months ago
Here is my situation. I have two AP1232s, AP-a and AP-b. There is a conference room where AP-a is closer, but AP-b is still within range. Clients associate with WPA and authenticate with Radius secure ID. Everything is great. Signal strength is about -70db. Then after a while (time is never the same), with the user still sitting in the same seat, AP-b prompts the client for authentication via secure ID. Of course this drops the connection. The signal strength is 90db to -95db so it doesn't stay connected long. When it drops the user has to auth back to AP-a. This cycle just repeats itself. Any ideas out there?

Re: Client reauthenticating...
dancampb | 3 years, 5 months ago
Per the specs the client decides when and where to roam. There are a couple of things you can try to do to help. First thing is, depending on the supplicant you are using, you may be able to adjust how sensitive its roaming is. The other is to adjust the power levels on the APs so that the other AP isn't as good of a roam candidate.


Re: Client reauthenticating...
john.preves | 3 years, 4 months ago
By all means always regulate your power settings as stated before, but if you are using any radius authentication you need something to act as the go-between between the radius and the client. Otherwise, no matter how well you get your infrastructure tweaked, any roam at all will present the same way. If you are using autonomous APs you need WDS....


Re: Client reauthenticating...
matthogue | 3 years, 2 months ago
Hi John, I have one site that has a mix of AP1200s with B radios and 1242s with G radios. One particular area of the site has users experiencing authentication breaks and causes loss of connectivity. The two APs in their area are 1242s, but directly above them on the 2nd floor is a 1200. I have seen a log this morning on one of the 1242s showing the 1200 above them as a rogue (this is the first time I have seen it): Mar 27 09:07:13:...

Re: Client reauthenticating...
john.preves | 3 years, 2 months ago
Hmmm...the very first thing I see that you either are or will have issues with is the mix of B only and BG APs. The client wants to go as fast as it can, which means a G client will look for the ability to transmit and receive at the faster data rates...even though the B only AP is closer. This will cause much pain and I have spent the night upgrading APs before so please take this into consideration. You need WDS (autonomous) or something...


Re: Client reauthenticating...
matthogue | 3 years, 2 months ago
Thanks John. Yes, eventually we are going to be changing over to LWAPP, but that may take a little time. Can you provide a good link for the WDS configuration process? I don't think we are going to be swapping out the B radios any time soon either, so it looks like until we get the LWAPP/WLAN Controller setup in place, the WDS solution sounds like our best move.
Thanks again,
Matt


Re: Client reauthenticating...
rob.huffman | 3 years, 2 months ago
Hey Matt, hope all is well with you :) Just to add a note to the great info from John and Dan. Here are the WDS docs you may need.
Configuring WDS, Fast Secure Roaming, and Radio Management
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341d2d.html#wp1035881
Wireless Domain Services Configuration...


Re: Client reauthenticating...
matthogue | 3 years, 2 months ago
Hey Rob! Yes, life is going well....bought my first house this week, and the Louisville Cardinals are in the Elite 8 of the NCAA. :) I hope life is grand with you as well. Slowly but surely on the LWAPPs. We have a few in testing in the office, but the deployment is at a standstill until the controllers are fully tested. Thanks for the info as always, and I'll keep you posted.


Re: Client reauthenticating...
rob.huffman | 3 years, 2 months ago
Hi Matt, congrats on the new home purchase!! Knowing that you must love the Cards, I will now cheer for them as well in their quest for the Championship :) Go Cardinals Go!
Rob

Cannot Enable WDS with a local Radius...
dsmith_at_gibsondunn.com | 1 Reply | 6 years, 3 months ago
I must be missing something. When I select "use this AP as WDS", the Wireless Domain Services Priority field will not take input, and of course, I cannot then apply WDS. Using system software version 12.3(2)JA2. I believe I have followed the instructions in Chapter 11 of the configuration guide and am successfully using LEAP with CCKM key management against the local Radius server.

Re: Cannot Enable WDS with a local...
thisisshanky | 6 years, 3 months ago
When I was about to deploy something similar, I should have tried doing this. I am not sure if Cisco supports both WDS and Local radius server on the same box. Anyway I decided to use 2 separate APs, for WDS and Local radius server. Even the local radius server has a limitation of up to 50 users.

Wireless domain services
alexlpfeil | 3 Replies | 3 years, 5 months ago
I already have over 50 1242 access points deployed. I was looking at configuring Wireless Domain Services on my network. I do not have a WLSM module for our 6500. I saw that you can configure an AP as the WDS. Do you still need the 6500 module if you configure it that way? I have an ACS and WLSE. I would appreciate any help.
Thanks,
Alex

Re: Wireless domain services
mrlee@cisco | 3 years, 5 months ago
Alex, we are running WDS and have no WLSM on our 6500. We also run WLSE. You need to set one AP up as the Master in the SWAN infrastructure and another as the Backup. I have found this document that may be useful for you.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
If you need specific configs let me know and I will try and help you out.
Regards,
Pete


Re: Wireless domain services
alexlpfeil | 3 years, 5 months ago
Pete, thanks a lot! I just wanted to verify that would work. I appreciate your reply.
Thanks,
Alex

Re: Wireless domain services
rob.huffman | 3 years, 5 months ago
Hi Alex, you can use an AP for WDS with no WLSM (Module) :) Have a look:
Configuring WDS, Fast Secure Roaming, and Radio Management
Understanding WDS
"When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management. If you use a...

AP Authentication in 1242AG/1310G...
ciscoprolin | 1 Reply | 3 years, 11 months ago
Hi guys, how does the AP Authentication feature in autonomous Cisco APs work? In the SSID Manager you can select a defined AP Authentication credential. And I created exactly the same username/password on the Radius Server. But where can I define that it's mandatory for all APs to authenticate to the network via Radius? Even if I enter a wrong password in the AP Authentication section the AP still is accepted by the Radius Server and can serve WiFi-Clients in the same SSID. Any help is greatly appreciated. Thanks.

Re: AP Authentication in 1242AG/1310G...
aghaznavi | 3 years, 11 months ago
Go to Wireless Domain Services - Settings and configure the Radius server there.

Related Information

- Configuring WDS, Fast Secure Roaming, and Radio Management
- Catalyst 6500 Series Wireless LAN Services Module Configuration Note
- Configuring Cipher Suites and WEP
- Configuring Authentication Types
- Wireless LAN Support Pages
- Technical Support & Documentation - Cisco Systems
