Search This Blog

Wednesday 9 February 2011


A breakdown of the configuration required for WDS and a CCKM ssid. Scenario requires EAP-FAST for the WDS auth and LEAP for the client auth.

aaa authentication login eap_methods group rad_eap
(set up the auth method, can be the same as the client auth)

aaa group server radius rad_eap
server auth-port 1812 acct-port 1813
(configure a radius group for local or ACS)
radius-server host auth-port 1812 acct-port 1813 key 7 020F145E13160A3358
(define the radius server and key)

radius-server local
 eapfast server-key primary auto
 nas key xxx
(nas only required on WDS AP, other AP's in the domain use WLCCP for client auth)
 user wds pass xxx
(user for infrastructure auth)
 user leap pass xxx
(user for client auth)
eap profile FAST
 method fast

wlccp ap username wds password xxx
(to join the AP to the WDS, also needs to be done on domain AP's)
wlccp ap eap profile FAST
(this is required to specify EAP-FAST as the infrastructure auth type, if not LEAP is used!)wlccp authentication-server infrastructure eap_methods
(specifies the infrastructure auth method)wlccp authentication-server client leap eap_methods
(specifies client auth method)  ssid Test5
wlccp wds recovery rate 10
(allows only 10 authentications per second during failover to prevent DoS)wlccp wds priority 255 interface BVI1
(enables WDS on this AP and configures priority, 255 is the highest and will be WDS)

dot11 ssid Test5
   vlan 15
   authentication network-eap eap_methods
  (open eap not required as LEAP only)   authentication key-management cckm
 (enable CCKM fast roaming for the SSID)

interface Dot11Radio0
 encryption vlan 15 mode ciphers ckip-cmic
(enable ckip Cisco proprietary encryption with cmic to check integrity)
dot11 extension aironet
(this must be enabled with ckip and cmic, it should be by default)

1 comment:

  1. I have read all the above and totally agree with your post. Nice and helpful information. .. that really is the solution to the problem. Thanks ccie training