Está en la página 1de 62

Wireless, LAN (WLAN

)

Basic Wireless LAN Connection Configuration Example
Document ID: 68005

Contents
Introduction Prerequisites Requirements Components Used Network Diagram Conventions Configuration Configure the Access Point Step-by-Step Instructions Configure the Wireless Client Adapter Step-by-Step Instructions Verify Troubleshoot Cisco Support Community - Featured Conversations Related Information

Introduction
This document provides a sample configuration that shows how to set up a basic wireless LAN (WLAN) connection with the use of a Cisco Aironet Access Point (AP) and computers with Cisco-compatible client adapters. The example uses the GUI.

Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
y y

Familiarity with basic wireless radio frequency (RF) technology Basic understanding of how to access a Cisco AP

This document assumes that the drivers of the wireless client cards for the PCs or laptops are already installed.

Components Used
The information in this document is based on these software and hardware versions:
y y y

One Aironet 1200 Series AP that runs Cisco IOS® Software Release 12.3(7)JA Three Aironet 802.11a/b/g Client Adapters that run firmware 2.5 Aironet Desktop Utility (ADU) version 2.5

Note: This document uses an AP that has an integrated antenna. If you use an AP which requires an external antenna, ensure that the antennas are connected to the AP. Otherwise, the AP is unable to connect to the wireless network. Certain AP models come with integrated antennas, whereas others need an external antenna for general operation. For information on the AP models that come with internal or external antennas, refer to the ordering guide/product guide of the appropriate device. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command or setup in the GUI.

Network Diagram
This document uses this network setup:

The network diagram is three Aironet 802.11a/b/g Client Adapters that are connected to a 1200 AP. This document depicts the configuration of the client adapters to communicate with each other via wireless interface through the AP.

The AP uses these settings:
y y

Service Set Identifier (SSID): CISCO123 Basic authentication: Open authentication with Wired Equivalent Privacy (WEP) encryption

This document explains the configuration on the AP and the client adapters. Note: You can also use other authentication and encryption methods. For information on the different authentication mechanisms that are supported, refer to Configuring Authentication Types. For information on the different encryption mechanisms that are supported, refer to Configuring Cipher Suites and WEP.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configuration
Configure the Access Point
You can configure the AP with the use of any of these:
y y y

GUI Command-line interface (CLI), after you establish a Telnet session The console port Note: In order to connect to the AP through the console port, connect a nine-pin, straight-through DB-9 serial cable to the RS-232 serial port on the AP and to the COM port on a computer. Set up a terminal emulator in order to communicate with the AP. Use these settings for the terminal emulator connection:
o o o o o

9600 baud 8 data bits No parity 1 stop bit No flow control

Note: These settings are the default settings. If you cannot access the device after you set the terminal program to the settings, the problem can be that the device is not set to the defaults. Try different settings, and start with the baud rate. For more information on the console cable specifications, refer to the Connecting to the 1200 and 1230AG Series Access Points Locally section of Configuring the Access Point for the First Time. This document explains how to configure the AP with the use of the GUI. There are two ways to access the AP with the use of the GUI:

The network in this document uses a 1200 series AP. the AP makes several attempts to get an IP address from the DHCP server. refer to the Obtaining and Assigning an IP Address section of Configuring the Access Point for the First Time. In order to access the AP with the GUI and get the Summary Status window. Press Tab in order to bypass the Username field and advance to the Password field. The Enter Network Password window displays.1. Complete these steps: 1.0. or 1240AG series AP with a default configuration to your LAN network. and press Enter.1 in the address line. you can power cycle the AP in order to repeat the process. it sends requests indefinitely.1 address and requests an address from the DHCP server. you can access the AP through the browser in order to configure the AP to accept client association requests from the client adapter.y y Assign an IP address to the device before you connect through the GUI. If the AP does not receive an address.0.0. The Summary Status window displays. 1130AG. complete these steps: a.1. the AP discards the 10. 1200. b. as this example shows: . When you connect an Aironet 350. c.0. it assigns itself the IP address 10. For information on how to assign IP addresses to the AP. If the AP does not receive an address.0. Obtain an IP address with the use of DHCP. During this 5-minute period. it continues to send requests indefinitely. you can browse to the default IP address and configure a static address.1 for 5 minutes. When you connect an Aironet 1100 series AP with a default configuration to your LAN. Enter the case-sensitive password Cisco. If the AP does not receive an address. If after the 5 minutes the AP is not reconfigured.0.0.0. the AP requests an IP address from your DHCP server.0. The different models of Aironet APs exhibit different default IP address behaviors. A login through the console configures the AP with a static IP address of 10. Open a web browser and enter 10.0. If you miss the 5-minute window to browse to the AP at 10. Step-by-Step Instructions After configuration of the IP address.

Here is an example of the window: . You can use this window to configure some of the basic parameters that are necessary to establish a wireless connection. The Express Setup window displays. Click Express Setup in the menu on the left. Use the Express Setup window on the AP 1200 in order to configure the acceptance of wireless client associations.2.

Note: The other parameters are left with the default values. . Do not use any spaces or special characters in an SSID. Wireless devices use SSIDs to establish and maintain wireless connectivity. SSIDs are case-sensitive and can contain up to 32 alphanumeric characters.0. if the address is a static IP Default gateway Simple Network Management Protocol (SNMP) community string Role in the radio network SSID This example configures these parameters: o o o IP address: 10.0. The configuration parameters include these parameters: o o o o o o The host name of the AP IP address configuration of the AP. Enter the configuration parameters in the appropriate fields in the Express Setup window.3.1 Host name: AP1200 SSID: CISCO123 Note: SSIDs are unique identifiers that identify a WLAN network.

Click Network Interfaces in the menu on the left in order to browse to the Network Interfaces Summary page. . Choose Security > SSID Manager in the menu on the left. Click Enable in order to enable the radio. Scroll down and click Apply at the bottom of the page in order to save the settings. d.Click Apply in order to save your settings. In order to configure the SSID and open authentication with WEP encryption. a. a. Select the SSID that you created in Step 3 from the Current SSID List menu. Complete these steps in order to set up the radio settings: . b. Click the Settings tab in order to browse to the Settings page for the radio interface. complete these steps: . The action allows you to browse to the Network Interfaces: Radio Status page. Leave all the other settings on the page with the default values. e. The SSID Manager page displays. This example uses CISCO123 as the SSID. c.11B. Select the radio interface that you want to use. This example uses interface Radio0-802.

Choose Security > Encryption Manager. Click Apply at the bottom of the page. . In order to configure the WEP keys. a. and choose Mandatory from the drop-down menu. c.b. This example uses the 128-bit WEP encryption key 1234567890abcdef1234567890 . Click WEP Encryption under Encryption Modes. complete these steps: . Enter the encryption key for WEP in the Encryption Keys area. b. d. The WEP encryption keys can be 40 bits or 128 bits in length. Leave all other parameters with their default values. Under Authentication Settings. choose Open Authentication.

Create a profile on the ADU for the client adapter. you may want to set up profiles to use your client adapter at the office. For instructions on how to install the drivers and utilities for the client adapter. refer to Installing the Client Adapter. at home. each of which requires different configuration settings. The profile defines the configuration settings that the client adapter uses in order to connect to the wireless network. Click Apply in order to save the settings.c. you must install the client adapter and client adapter software components on the PC or laptop. Configure the Wireless Client Adapter Before configuration of the client adapter. This section explains how to configure the client adapter. You can switch between the different configured profiles on the basis of your requirement. such as airports or hot spots. Step-by-Step Instructions After installation of the client adapter on the machine. For example. . Profiles enable you to use your client adapter in different locations. Complete these steps: 1. and in public areas. You can configure a maximum of 16 different profiles on the ADU. you can configure it.

enter the SSID that is to be used for this Profile. This configuration uses the name Client 1 for the first client. Enter the name of the client in the Client Name field. c. The SSID in this example is CISCO123. Client Name. Here is an example: 2. The client name is used to identify the wireless client in the WLAN network. The SSID is the same as the SSID that you configured in the AP. and SSID: a. b. complete these steps in order to set the Profile Name.In order to create a new profile. When the Profile Management (General) window displays. complete these steps: a. . Under Network Names. This example uses OFFICE as the Profile Name. Enter the name of the profile in the Profile Name field. Click the Profile Management tab on the ADU. b. Click New.

3. Click the Security tab at the top of the window. Complete these steps in order to set up the Security Options: a. Here is an example: . Click Pre-Shared Key (Static WEP) under Set Security Options. b.

d. A-F). Click Configure. Click one of buttons in the Key Entry area in order to choose a key entry type. . The Define Pre-Shared Keys window appears.c. This example uses Hexadecimal (0-9.

6. . b. d. Click Activate in order to enable this profile. 5.11 Authentication Mode. This example uses the WEP key 1234567890abcdef1234567890 . Complete these steps in order to set the authentication method to Open: a. c. 4. Click OK. Under Encryption Keys. Be sure that Open is selected under 802. enter the WEP key that is to be used for encryption of the data packets. Note: Use the same WEP key as the one you configured in the AP.e. Click OK in order to save the WEP key. Click the Advanced tab at the top of the Profile Management window. Leave all the other settings with the default values. Note: Open authentication is usually enabled by default. See the example in Step d.

since only open authentication is used. You can use the same procedure in order to configure the other two client adapters. the client adapter scans the RF environment in order to check for available networks and then creates a profile on the basis of the scan results. This example illustrates a successful connection to the AP. refer to the Creating a New Profile section of Using the Profile Manager.Note: You can use these same Step-by-Step Instructions in order to create a completely new profile. You can use the same SSID on the other adapters. click the Current Status tab at the top of the ADU window. Also. When you have completed the configurations and activated the profile. In order to check the status of the client connection. Note: This example assumes that the client adapter IP address is configured manually and is in the same subnetwork as the AP. For more information on this method. You can see that the client uses Channel 1 for communication and uses WEP for encryption. In an alternate method to create a profile. The only difference is the client name and the IP address that is statically given to the adapter. the Server Based Authentication field shows None: . Verify This section explains how to confirm that your configuration works properly. the client adapter connects to the AP.

Here is an example: Troubleshoot . click Association in the menu on the left side of the AP home page.As another method to verify the client connection on the AP.

can any one help to configure access point. With release 12.If 802. I have 10 vlans in my network (Switch 2960) how i can configure accesspoint to used two ssid.1x authentication is used.. Cisco Support Community .shtml Reply y Help Using ap1131agLabone0011 Reply2010/01/17 14:46 Hi. This error message is displayed: Jul 21 14:14:52. This is because of Cisco bug id CSCef50742. I am not expert in wireless and cisco.3(4) JA. as it is connected to the LAN I need this AP to be as secure as possible.1X client might fail to authenticate. I assign ip address to BVI Interface in accesspoint static. I trunk the port on 2960 switch is connected to access point. an 802. Want to see more? Join us by clicking here y Configure Access point 1140mrsystemengineer1 Reply2010/05/06 16:41 Dear All. This is resolved in Cisco IOS Software Release 12.Featured Conversations Cisco Support Community is a forum for you to ask and answer questions.782 EDT: %RADIUS -3-ALLDEADSERVER: Group rad_eap: No active radius servers found.3(4)JA. I need to configure accesspoint 1140 in my network.. I connected my accesspoint to switch 2960 (2960 switch is enduser switch). regards.1X authentication through Cisco Catalyst 2950 and 3750 Switches due to State (24) Field values that change. and a Cisco Catalyst 2950 or 3750 Switch is present in the network. clients no longer fail 802. Subscribe o Reply Re: Configure Access point 1140leolaohoo2010/05/06 16:41 Basic Wireless LAN Connection Configuration Example http://www. and collaborate with your peers. i am unable to ping from access point to other vlans.. Below are just some of the most recent and relevant conversations happening right now. I was try like this. I'm trying to setup a 1131 to give wireless access to office workers if they need it. I just need it to be an extension of the wired LAN. we don't have a TACACs server or anything like that so was just going to use the AP's security WPA or similar. share suggestions. from other vlans to access point. Could someone let me know the best way to do this please (I'm not a networking expert but understand the basics ) Also if the AP is hooked up to the LAN will wireless clients pick up a .cisco. Id 254 This symptom is observed on 2950 and 3750 Switches when the RADIUS State(24) Field values change in between the Access Challenge and the Access Request.com/en/US/customer/tech/tk722/tk809/technologies_configu ration_example09186a008055c39a. i create vlans on 3750 switch. one for lan and one for guest this two ssid in separate vlans.

in order to carry multiple Vlan's.leolaohoo2010/03/01 16:22 Basic Wireless LAN Connection Configuration Example http://www. How do I access the access point CLI though? Subscribe o Reply Re: Setting Up air-ap1141n-a-k9?leolaohoo2011/01/24 20:19 Basic Wireless LAN Connection Configuration Example Don't forget to rate useful posts..com/en/US/tech/tk722/tk809/technologies_configuration_ex ample09186a008055c39a.com/en/US/tech/tk722/tk809/technologies_configuration_ex ample09186a008055c39a. but every time I create a Vlan mapped to a ssid the AP does not broadcast the ssid. I know this is probably really simple but I looked through the manual and couldn't figure it out.cisco. Subscribe o Reply Re: Multiple SSID on Cisco 1100 Series.cisco. Subscribe o Reply Re: Help Using ap1131agleolaohoo2010/01/17 14:46 Basic Wireless LAN Connection Configuration Example http://www. It says "Assign a static IP addresss by conencting to its console port and accessing the access point CLI" I connected an ethernet cable to the console port and my computer. Reply  Re: Setting Up air-ap1141n-a-k9?charadehaha2011/01/24 23:13 .shtml Reply y Setting Up air-ap1141n-a-k9?charadehaha12 Replies2011/01/28 12:00 I recently acquired a air-ap1141n-a-k9 but I do not know how to set it up.shtml Reply y Multiple SSID on Cisco 1100 Series AP get2dapsy1 Reply2010/03/01 16:22 Hello. Thanks. I am trying to setup multiple ssid on 1100 series AP map to different Vlans. Also i am trying to configure trunking on the AP Ethernet port. Thanks.. Mick. Can anyone help me with suggestion on how to configure this issues on a Cisco 1100 AP.DHCP address from the DHCP server on the LAN or do I need to configure DHCP on the AP somehow? Any help would be much appreciated.

com Reply o Re: Setting Up air-ap1141n-a-k9?AlanDaniel2011/01/26 11:18 I just configured one. connect a nine-pin..xxx.antony2011/01/25 4:16 @Josh.I don't have the equipment to do the The console port Note: In order to connect to the AP through the console port.lalantony. then via web browser put http:xxx. After you get console access issue the following commands to setup your managment.. It seems like the box it came in would have that cable if that were the case. The Console cable (blue cable) is in the original packaging and without knowing the IP address of the interface it is not possible to do Telnet or GUI access to the AP. subnet and no shutdows commands. If you don't know the IP address assigned to the management interface on the AP this is the only way to get it working. Reply  Re: Setting Up air-ap1141n-a-k9?lal. Use these settings for the terminal emulator connection: 9600 baud 8 data bits No parity.. Basically you need to get yourself a console cable (Cisco Blue Cable) and connect that using a Serial port on your computer or a USB to Serial dongle. best regards . Lal Antony www. Reply  Re: Setting Up air-ap1141n-ak9?charadehaha2011/01/25 20:36 It doesn't seem right that you can only do this if you buy a cable.antony2011/01/26 17:14 @Josh.xxx it is all. straight-through DB-9 serial cable to the RS-232 serial port on the AP and to the COM port on a computer. Is there a way to do it through the CLI telnet method? Reply  Re: Setting Up air-ap1141n-ak9?lal.xxx. on cli and interface BVI1 put the ip address that you want. After doing so power up the AP then you should get console access to the AP.. Set up a terminal emulator in order to communicate with the AP.

0 end wr If everything goes well without any error message.0.0 ap(config-if)#end Configure your client ip address to be 10. but it doesn't show up when I go to the cmd function and type in getmac.0. Reply y More Replies Trying to set up a Wireless AP 1130agmwaybright8 Replies2010/02/12 18:22 o Hello. Configure your client ip address to be 10.. Reply  Re: Setting Up air-ap1141n-ak9?charadehaha2011/01/27 12:27 Where do I enter this information? Do I open the command prompt? "ap>enable ap#conf t ap(config)#int bv1 ap(config-if)#ip add 10.0. Cut-n-paste what I've posted below.0.0.0. subnet mask is 255.2. subnet mask is 255.0.0.. I have a wireless AP 1130ag.0.1. The way I have my network set up is as follows.1.0.Reply  Re: Setting Up air-ap1141n-a-k9?charadehaha2011/01/26 16:02 How do I get to CLI and interface BVI1? Is there something I need to open or download? Reply  Re: Setting Up air-ap1141n-a-k9?leolaohoo2011/01/26 16:14 ap>enable ap#conf t ap(config)#int bv1 ap(config-if)#ip add 10.0 ap(configif)#end Configure your client ip address to be 10.0..1 255.0.1 255. Open a web browser to 10.2.0.2. then .0.1 255.0.0." Reply  Re: Setting Up air-ap1141n-ak9?leolaohoo2011/01/27 14:27 Console into the AP and make sure you have the "ap>".0.0.0.0. It doesn't show up on my network to get the IP address so I can configure it.0.0.0.0. subnet mask is 255.0. enable conf t int bv1 ip address 10..0.0.0. I have the MAC address off of the back of the Wireless AP.0.0.0.1. Open a web browser to 10. Open a web browser to 10.maybe I don't have something set up .0.0.

but when I put in the ip address of 10.correctly: Cable modem hooks into the router...0. Is the AP powered up? 2..mwaybright2010/02/10 19:59 yes I read it. Cisco...leolaohoo2010/02/10 19:05 1. turned it back on. Thanks. I don't know how to console into it. I can't seem to get the ip address of the wireless ap to configure it so I can see it with my lap top to hook into the internet.0.1 ip address... Did you read the link I provided? It tells you the steps on setting up a console terminal to the AP.from the hub I am running 2 other computers off it and then the wireless ap comes off the hub as well. Can you console into your AP? Basic Wireless LAN Connection Configuration Example http://www.mwaybright2010/02/10 19:48 Yes the AP is powered up and is sequences through the diferent color lights and the radio lights are lit up...cisco. but it didn't get me to the username/password section. please advise. router into a hub.0.leolaohoo2010/02/10 20:13 ..com Subscribe o Reply Re: Trying to set up a Wireless AP. Reply  Re: Trying to set up a Wireless AP.com username: mwaybright email: mwaybright@consultant. then tried the 10. I powered the unit down waited 30 sec. waited for it to go through the different colored lights on the wireless ap.0. Please help..shtml Reply  Re: Trying to set up a Wireless AP..com/en/US/tech/tk722/tk809/technologies_configuration_ex ample09186a008055c39a.1 in the web browser it just comes up with a google search page and doesn't open up the username/password section. Reply  Re: Trying to set up a Wireless AP. Reply  Re: Trying to set up a Wireless AP.leolaohoo2010/02/10 19:53 Hi Mark.

leolaohoo2010/02/10 21:10 Hi Mark.0.1 in the address line.... I just got the console wire. then I just get a blank screen that I can type on with the Hyperterminal. Mark Reply  Re: Trying to set up a Wireless AP. can you configure your PC/Laptop to the next available IP address? Using a straight-through network cable..0. After you have configured the ip address of the AP using the console cable.I will let you know after I try to access it through the consule wire.mwaybright2010/02/12 17:19 Not yet. connect your PC/Laptop to the AP FastEthernet0 interface.mwaybright2010/02/12 18:22 I have the consule wire.. Open a web browser and enter 10..what do I do next? I don't know what to type or what is next on the steps to assign an IP address to my AP. Reply  Re: Trying to set up a Wireless AP. I presume you got this working? Reply  Re: Trying to set up a Wireless AP.Hi Mark. trying to hook it up right now so I can communicate to the Wireless AP through the consul through your link you provided.. I went through the link and put in the settings through Hyperterminal.. Please Advise... Reply y Unable to Connect to Cicso Aironet 1250tiger36874 Replies2009/10/28 21:29 .

My office just bought the Cisco Aironet 1250 and I am task to set it up. Right now, I am unable to connect to AP even when it is configured as Open Authentication without encryption. Tried using both laptops and our products to no avail. The same laptops and products are able to connect to other wireless routers So far, only my Linksys Wireless-G USB network Adapter is able to detect it. We are very puzzled by this because we are able to setup and connect to it initially. But when we try to reconfigure it to another setting, everything starts to fail. We have tried doing factory default. The AP is connect only to a Windows 2003 Server running D HCP and IAS. Appreciate if someone can help me on this. Thanks Subscribe
o

Reply

Re: Unable to Connect to Cicso Aironet...jeromehenry2009/10/28 5:39 Can you post your AP configuration? Without it, it is difficult to know why it is failing. BTW, do you broadcast the SSID (if you do show run, do you see "guest-mode" under the dot11 ssid section? Thanks Jerome Reply

o

Re: Unable to Connect to Cicso Aironet...leolaohoo2009/10/28 17:26 Basic Wireless LAN Connection Configuration Example http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_ex ample09186a008055c39a.shtml Hope this helps. Reply

o

Re: Unable to Connect to Cicso Aironet...tiger36872009/10/28 21:20 Hi All, Here are screen capture of my configuration http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Ex pressSetup.jpg http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Se curity-EncryptionManager.jpg http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Se curity-EncryptionManager.jpg http://img.photobucket.com/albums/v146/tiger3687/Cisco%20AP%201250/Se curity-SSIDManager02.jpg... Reply

o

Re: Unable to Connect to Cicso Aironet...tiger36872009/10/28 21:29 Yes, SSID is set to broadcast. Reply

y

Aironet 1200 droping AP in client moderuinazario1 Reply2005/12/23 8:38

This is an update of a previous post . I have a aironet 1230 B and he is dropping clients and i´ve found that he is only dropping AP´s in client mode and only the Dlink 900+ ,there are other D-link Ap in client mode and don´t have this problem . I've disabled the aironet extensions ,and increased the packet retries ,but it's not stable ,he dropps the 900+. This clients have -72 dbm 88% signal quality. If some one has any Aironet with D-link 900+ as clients and had a simillar please leave reply. Thanks. PS:using the latest firmware Subscribe
o

Reply

Re: Aironet 1200 droping AP in client...mchin3452005/12/23 8:38 To the best of my knowledge, the behaviour of AP will differ from one vendor to another vendor. This document provides a sample configuration that shows how to set up a basic wireless LAN (WLAN) connection with the use of a Cisco Aironet Access Point (AP) and computers with Cisco-compatible client adapters. The example uses the GUI. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_ex ample09186a008055c39a.shtml Reply

y

Setting up AP1142Njohn_gustafson_at_flnp.uscourts.gov4 Replies2010/10/22 4:30 I have an AP1142N that was sold to me as a stand alone product. But there is no documentation or direction on how to set up or manage the device. Can you help me get started? Thanks Subscribe
o

Reply

Re: Setting up AP1142Nleolaohoo2010/07/14 16:38 Unfortunately, I don't really know what you are trying to achieve. So have a look at the link below and let us know if you need more. Basic Wireless LAN Connection Configuration Example http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_configu ration_example09186a008055c39a.shtml Please don't forget to rate useful posts. Thanks. Reply 

Re: Setting up AP1142Njohn_gustafson@flnp.uscourts.gov2010/07/15 6:38 I tried the link you provided and got Forbidden File or Application. All I'm looking for is some documentation to set up the device. I purchased it new and it didn't come with anything. My purpose for the device is to allow wireless access for our laptop users in an office training room. I appreciate any help.

Reply 

Re: Setting up AP1142Nleolaohoo2010/07/15 16:10 The link is valid. I just tried it. Reply 

Re: Setting up AP1142N diogo.matos2010/10/22 4:30 i think i have the same problem that the op has... Maybe it's because i'm a new member? Reply

y

Basic configuration AP-Switch problemsrguzman.plannet2 Replies2009/01/21 21:01 Hello, I am having a problem when I try to configure my AP1131 to a port in a WSC3560-24PS-S. I've always known that the switchort must be configured as a trunk. I will try to give a clear explanation of what I've done: In the AP. 1.- ip address 2.default gateway 3.- vlans configuration 4.- map SSIDs to vlans In the switch. Only configure the port as a trunk interface FastEthernet0/9 switchport trunk encapsulation dot1q switchport mode trunk This way I can do everything. Get access to the network, ping, telnet other devices, but not administer nor ping the AP. But if I configure the switchport as an access port: interface FastEthernet0/9 switchport access vlan 10 switchport mode access This way I can ping other devices from the AP, ping and telnet the AP from the wired network (my laptop). I can connect to the SSID but not ping nor telnet AP or other devices. I hope that someone give a clue of what I'm doing wrong or forgetting to configure. Thanks a lot Subscribe
o

Reply

Re: Basic configuration AP-Switch...leolaohoo2009/01/21 20:57 Have you tried going through the Wireless LAN Controller and Lightweight Access Point Basic Configuration Example (Document ID: 69719)? http://www.cisco.com/en/US/products/ps6366/products_configuration_exampl e09186a0080665 cdf.shtml Does this document help? Reply

o

Re: Basic configuration AP-Switch...wesleyterry2009/01/21 21:01 If vlan 10 is your native vlan for the IP address, do you need the following: switchport trunk native vlan 10 I'm not familiar with your situation, but if switchport access vlan 10 make it work, then you'll probably need to specify which vlan is the native vlan for the trunk (vlan 10) I suppose. Reply

Reply y AP1131-AG Configurationtreggleston1 Reply2006/10/10 6:12 I have the AP1131-AG.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide. Reply Subscribe Start A New Discussion Related Information y y Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.html Using the Command-Line Interface. When using a Lightweight enviroment. all the traffic passes thru an encrypted LWAPP tunnel from the AP to the controller. and then gets sent out the correct VLAN interface on the controller. I understood the access point has two vlans associated with (vlan 3 and 4). Am I correct? Why is connection between access point and catalyst port just access port rather 802..cisco.com/en/US/products/hw/wireless/ps4570/products_configura tion_guide_chapter09186a0080341ccf.com/en/US/products/ps6366/products_configuration_example0918 6a0080665cdf.y connection between lightweight access.cisco. Please note that using the web gui may be a little more user friendly.. The AP itself does not need to be a trunked port.nitass1 Reply2006/08/24 7:48 Hello everybody.steprodr2006/08/24 7:48 Nitass. I am a bit confused about cisco 1000 series access point connection.huffman2006/10/10 6:12 Hi Troy. I am consoled in. but the uplink to the controller does. OL -4211-04 . Subscribe o Reply Re: AP1131-AG Configurationrob.. Here are some docs to help get you started here. Configuring the Access Point for the First Time http://www. On wireless lan controller and lightweight access point basic configuration example document id 69719 (http://www.. Nitass Subscribe o Reply Re: connection between lightweight. Many thanks.shtml).3(7)JA Cisco Aironet 802. what is the best way to config out of the box.1q trunk? How vlan traffic can traverse from the access point to controller? Please advice...

..3 T] Wireless Domain Services FAQ 1800 ISR Wireless Router with Internal DHCP and Open Authentication Configuration Example. ..Cisco Systems PDF Downloads Document ID: 44720 Wireless Domain Services Configuration Related Documents y y y y y Wireless Domain Services AP as an ) Server Configuration Example Discont Support for Wireless Domain Services on Cisco 2600XM/2691/3700/2800/3800 [Cisco IOS Software Releases 12.4 T] Discont Support for Wireless Domain Services on Cisco 2600XM/2691/3700/2800/3800 [Cisco IOS Software Releases 12. Related Products/Technology y y y y y y Wireless LAN Management Cisco Aironet 1130 AG Series Cisco Aironet 1300 Series Cisco Aironet 350 Series Cisco Catalyst 6500 Series Wireless LAN Services Module (WLSM) More. More.y y y Configuring the Access Point for the First Time Wireless Support Page Technical Support & Documentation ..

Related Discussion y y y y y UC520W and Wireless Domain Services. . The procedure in this document guides you to a WDS that is functional and allows clients to associate to either the WDS AP or to an infrastructure AP. Wireless AP as controller Wireless Domain Services on Switch Cisco WDS PEAP Contents Introduction Prerequisites Requirements Components Used Conventions Wireless Domain Services Role of the WDS Device Role of Access Points Using the WDS Device Configuration Designate an AP as WDS Designate a WLSM as WDS Designate an AP as Infrastructure Device Define Client Authentication Method Verify Troubleshoot Troubleshooting Commands Cisco Support Community .. The document also describes how to configure one access point (AP) or the Wireless LAN Services Module (WLSM) as the WDS and at least one other as an infrastructure AP.. so you can use the features. This document intends to establish a basis from which you can configure Fast Secure Roaming or introduce a Wireless LAN Solutions Engine (WLSE) into the network.Featured Conversations Related Information Introduction This document introduces the concept of Wireless Domain Services (WDS).

Conventions Refer to the Cisco Technical Tips Conventions for more information on document conventions. If you work in a live network. Have knowledge of current Extensible Authentication Protocol (EAP) security methods. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS AP. One of the purposes of WDS is to eliminate the need for the authentication server to validate user credentials and reduce the time required for client authentications. so the unit is accessible from the Cisco IOS Software GUI or the command line interface (CLI). WDS is a core function that enables other features like these: y y y Fast Secure Roaming WLSE interaction Radio Management You must establish relationships between the APs that participate in WDS and the WLSM. Wireless Domain Services WDS is a new feature for APs in Cisco IOS Software and the basis of the Catalyst 6500 Series WLSM. The WLSM must have a relationship with the authentication server.Prerequisites Requirements Ensure that you meet these requirements before you attempt this configuration: y y Have thorough knowledge of wireless LAN networks and wireless security issues. even though WLSM does not need to authenticate to the server. In order to use WDS. All of the devices used in this document started with a cleared (default) configuration and an IP address on interface BVI1.3(2)JA2 or later Catalyst 6500 Series Wireless LAN Services Module The information presented in this document was created from devices in a specific lab environment. ensure that you understand the potential impact of any command. you must designate one AP or the WLSM as the WDS. Components Used The information in this document is based on these software and hardware versions: y y y APs with Cisco IOS® Software Cisco IOS Software Release 12. . A WDS AP must use a WDS user name and password to establish a relationship with an authentication server. before any other WDS-based features work.

If you use an older version of IOS. communicate with the WDS. These multicast messages cannot be routed. the APs might fail to authenticate to the WDS device. The WDS then caches the credentials. Cisco recommends that you use the latest version of the IOS. in order to eliminate the need to return to the authentication server when the same user attempts authentication again. Role of the WDS Device The WDS device performs several tasks on your wireless LAN: . An Integrated Services Router (ISR) configured as the WDS devices supports up to 100 participating APs.Other APs. The WDS and the infrastructure APs communicate over a multicast protocol called WLAN Context Control Protocol (WLCCP). An AP configured as the WDS device supports up to 60 participating APs. The WLSM does not support MAC address authentication. When the WDS and WLSE are on different subnets. Note: Cisco recommends that the infrastructure APs run the same version of IOS as the WDS device. An infrastructure server group on the WDS defines this infrastructure authentication. Before registration occurs. so a WDS and the associated infrastructure APs must be in the same IP subnet and on the same LAN segment. called infrastructure APs. Examples of re-authentication include: y y y Re-keying Roaming When the user starts up the client device Any RADIUS-based EAP authentication protocol can be tunneled through WDS such as these: y y y y Lightweight EAP (LEAP) Protected EAP (PEAP) EAP-Transport Layer Security (EAP-TLS) EAP-Flexible Authentication through Secure Tunneling (EAP-FAST) MAC address authentication can also tunnel to either an external authentication server or against a list local to a WDS AP. A single AP supports up to 16 mobility groups. a protocol like Network Address Translation (NAT) cannot translate the packets. And a WLSM-equipped switch supports up to 600 participating APs and up to 240 mobility groups. WDS turns to the authentication server to validate the credentials. Between the WDS and the WLSE. the infrastructure APs must authenticate themselves to the WDS. If the WDS sees the credentials for the first time. You can find the latest version of IOS in the Wireless downloads page. WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. One or more client server groups on the WDS define client authentication. the infrastructure AP passes the credentials of the user to the WDS for validation. In addition. When a client attempts to associate to an infrastructure AP.

modular fashion. Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section. Registers all client devices in the subnet that use dynamic keying. If the main WDS device goes off line. When you configure your wireless LAN for WDS. Configuration WDS presents the configuration in an ordered. Report radio data to the WDS device. The WDS AP is the only one that communicates with the authentication server. This section presents the information necessary to configure the features described in this document. the WDS device forwards the client's security credentials to the new AP. Designate an AP as WDS The first step is to designate an AP as the WDS. you set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. and radio settings for clarity and focus on the core subject matter. . and forwards it to the WLSE device on your network. establishes session keys for them. Collects radio data from APs in the subnet. Each concept builds on the concept that precedes. type the IP address of the authentication server in the Server field. aggregates the data. choose Security > Server Manager to go to the Server Manager tab: a. Under Corporate Servers. Role of Access Points Using the WDS Device The APs on your wireless LAN interact with the WDS device in these activities: y y y y Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.y y y y y Advertises its WDS capability and participates in electing the best WDS device for your wireless LAN. Authenticates all APs in the subnet and establishes a secure communication channel with each of them. one of the backup WDS devices takes its place. Register associated client devices with the WDS device. Acts as a pass-through for all 802. Authenticate with the WDS device and establish a secure communication channel to the WDS device. remote access. In order to configure the Authentication server on the WDS AP. The WDS omits other configuration items such as passwords.1x-authenticated client devices associated to participating APs. When a client roams to another AP. Complete these steps in order to designate an AP as WDS: 1. and caches their security credentials.

b. c. End with CNTL/Z. . Under Default Server Priorities. issue these commands from the CLI: WDS_AP#configure terminal Enter configuration commands. one per line. set the Priority 1 field to that server IP address under the appropriate authentication type. Alternatively. Specify the Shared Secret and the ports.

WDS_AP(config)# aaa group server radius rad_eap WDS_AP(config -sg-radius)#server 10. For this. For other non-ACS authentication servers. authorization. and accounting (AAA) client.This command appears over two lines here due to space limitations. . In Cisco Secure Access Control Server (ACS).0.0. refer to the documentation from the manufacturer.0. a.3 auth-port 1645 acct-port 1646 key labap1200ip102 !--. Complete these steps: Note: This document uses the Cisco Secure ACS server as the authentication server.0. this occurs on the Network Configuration page where you define these attributes for the WDS AP:  Name  IP address  Shared secret  Authentication method  RADIUS Cisco Aironet  RADIUS Internet Engineering Task Force [IETF] Click on Submit.3 auth-port 1645 acct -port 1646 WDS_AP(config -sg-radius)#exit WDS_AP(config)# aaa new-model WDS_AP(config)# aaa authentication login eap_methods group rad_eap WDS_AP(config)# radius-server host 10. The next step is to configure the WDS AP in the authentication server as an authentication. you need to add the WDS AP as an AAA client. WDS_AP(config)# end WDS_AP#write memory 2.

b. then click Global Authentication Setup. ensure that you configure ACS to perform LEAP authentication on the System Configuration .Global Authentication Setup page. click System Configuration. Also. . First. in Cisco Secure ACS.

When you check the box.c. Scroll down the page to the LEAP setting. and click on the General Set-Up tab. Perform these steps: . In order to configure the WDS setttings on the WDS AP. ACS authenticates LEAP. choose Wireless Services > WDS on the WDS AP. 3.

a. Click the Use Group For: Infrastructure Authentication radio button. Choose Wireless Services > WDS. .Global Properties. WDS_AP(config)# wlccp wds p riority 254 interface BVI1 WDS_AP(config)# end WDS_AP#write memory 4. Alternatively. issue these commands from the CLI: WDS_AP#configure terminal Enter configuration commands. Set the value for the Wireless Domain Services Priority field to a value of approximately 254. b. b. The device with the highest priority provides WDS. End with CNTL/Z. You can configure one or more APs or switches as candidates to provide WDS. d. and go to the Server Groups tab: a. check Use this AP as Wireless Domain Services. Define a Server Group Name that authenticates the other APs. Apply the settings to the relevant Service Set Identifiers (SSIDs). because this is the first one. Set Priority 1 to the previously configured authentication server. an Infrastructure group. Under WDS-Wireless Domain Services . one per line. c.

0.3 auth-port 1645 acct-port 1646 .Alternatively. WDS_AP(config)# wlccp authentication -server infrastructure method_Infrastructure WDS_AP(config)# aaa group server radius Infrastructure WDS_AP(config -sg-radius)#server 10.0. End with CNTL/Z. issue these commands from the CLI: WDS_AP#configure terminal Enter configuration commands. one per line.

For other non-ACS authentication servers.space limitations. Configure the WDS user name and password as a user in your authentication server. Note: Do not put the WDS user in a group that is assigned many rights and privileges²WDS only requires limited authentication.Some of the commands in this table appear over two lines here due to !--. . Ensure that you enter these commands in a single line. In Cisco Secure ACS. refer to the documentation from the manufacturer. 5. where you define the WDS user name and password.WDS_AP(config -sg-radius)#exit WDS_AP(config)# aaa authentication login method_Infrastructure group Infrastructure WDS_AP(config)# end WDS_AP#write memory !--. this occurs on the User Setup page.

WDS_AP(config)# wlccp ap username wdsap password wdsap WDS_AP(config)# end WDS_AP#write memory 7. If the AP does not appear REGISTERED or ACTIVE. Choose Wireless Services > WDS.6. You must define a WDS user name and password on the authentication server for all devices that you designate members of the WDS. a. add an infrastructure AP to use the services of the WDS. . in the ACTIVE State. check the authentication server for any errors or failed authentication attempts. Then type the WDS Username and Password. issue these commands from the CLI: WDS_AP#configure terminal Enter configuratio n commands. check whether the WDS AP appears in the WDS Information area. Alternatively. with State as REGISTERED. On the WDS AP WDS Status tab. When the AP registers appropriately. b. End with CNTL/Z. The AP must also appear in the AP Information area. Choose Wireless Services > AP. and click Enable for the Participate in SWAN infrastructure option. one per line.

issue these commands from the CLI: WDS_AP#show wlccp wds ap MAC-ADDR LIFETIME 0005.429f 261 IP -ADDR 10.9a38.9a38.429f. The WDS is the only device that communicates with the authentication server.0.102 WDS_AP# Note: You cannot test client associations because client authentication does not have provisions yet.102 state = wlccp_ap_st_registered IN Authenticator = 10.0. .0.102 STATE REGISTERED WDS_AP#show wlccp ap WDS = 0005. 10.102 MN Authenticator = 10.Alternatively.0.0.0.0.0. Designate a WLSM as WDS This section explains how to configure a WLSM as a WDS.

From the CLI of the WLSM.0. x is the sl ot number where the WLSM resides.0. not of the Supervisor Engine 720. The default escape character is Ctrl -^. wlan(config)# aaa new-model wlan(config)# aaa authentication login leapdevices group radius wlan(config)# aaa authentication login default enable wlan(config)# radius-server host ip_address_of_authentication_server auth-port 1645 acct -port 1646 !--.In this command.Note: Issue these commands at the enable command prompt of the WLSM. In order to designate a WLSM as WDS: 1. End with CNTL/Z. Open User Access Verification Username: <username> Password: <password> wlan>enable Password: <enable password> wlan# Note: In order to troubleshoot and maintain your WLSM more easily.51 . wlan(config)# radius-server key shared_secret_with_server wlan(config)# end wlan#write memory .. issue these commands at an enable command prompt in the Supervisor Engine 720: c6506#session slot x proc 1 !--. Refer to Configuring Telnet Remote Access.. one per line. and establish a relationship with the authentication server: wlan#configure terminal Enter configuration commands. In order to get to the command prompt of the WLSM.This command needs to be on one line. then x. You can also type 'exit' at the remote prompt to end the session Trying 127. configure Telnet remote access to the WLSM. issue these commands.

If the network contains multiple WLSM modules. In Cisco Secure ACS. in Cisco Secure ACS. Also.Global Authentication Setup page. refer to the documentation from the manufacturer. click System Configuration.Note: There is no priority control in the WLSM. . First. WLSM uses redundancy configuration in order to determine the primary module. then click Global Authentication Setup. e. 2. Configure the WLSM in the authentication server as an AAA client. this occurs on the Network Configuration page where you define these attributes for the WLSM: o o o o Name IP address Shared secret Authentication method  RADIUS Cisco Aironet  RADIUS IETF For other non-ACS authentication servers. configure ACS to perform LEAP authentication on the System Configuration .

ACS authenticates LEAP. . Scroll down the page to the LEAP setting.f. When you check the box.

define a method that authenticates the other APs (an infrastructure server group).On the WLSM. wlan#configure terminal .

End with CNTL/Z. define a method that authenticates the client devices (a client server group) and what EAP types those clients use. End with CNTL/Z. one per line. with CNTL/Z. This VLAN is unused anywhere else or for any other purpose on the network. one per line. c6506(config)# wlan module slot_number allowed-vlan vlan_number c6506(config)# vlan vlan_number c6506(config)# interface vlan vlan_number c6506(config -if)#ip address ip_address subnet_mask c6506(config -if)#no shut c6506(config)# end c6506#write memory o On the WLSM: wlan#configure terminal Enter configuration commands.Enter configuration commands. wlan(config)# wlccp authentication -server client any leap-devices wlan(config)# end wlan#write memory Note: This step eliminates the need for the Define Client Authentication Method process. Create the VLAN on the Supervisor Engine 720 first. one per line. wlan#configure terminal Enter configuration commands. End with CNTL/Z. then issue these commands: o On the Supervisor Engine 720: c6506#configure terminal Enter configuration commands. Define a unique VLAN between the Supervisor Engine 720 and the WLSM in order to allow the WLSM to communicate with outside entities like APs and authentication servers. End . wlan(config)# wlccp authentication -server infrastructure leap-devices wlan(config)# end wlan#write memory On the WLSM. one per line.

0.0. you must designate at least one infrastructure AP and relate the AP to the WDS.0. wlan(config)# admin wlan(config)# end wlan#write memory Verify the function of the WLSM with these commands: o On the WLSM: wlan#show wlccp wds mobility LCP link status: up HSRP state: Not Applicable Total # of registered AP: 0 Total # of registered MN: 0 Tunnel Bindings: Network ID Tunnel IP FLAGS ========== =============== ===== <vlan> <ip address> MTU ========= 1476 T Flags: T=Trusted.0 0. The infrastructure APs request the WDS AP or WLSM to perform authentication for them. . The clients associate to infrastructure APs.0.This is typically the same address as the gateway statement. o On the Supervisor Engine 720: c6506#show mobility status WLAN Module is located in Slot: State: Active) LCP Communication status : Number of Wireless Tunnels : Number of Access Points : Number of Access Points : 5 (HSRP up 0 0 0 Designate an AP as Infrastructure Device Next. B=IP Broadcast N=Nonexistent wlan# enabled.0 !--.wlan(config)# wlan vlan vlan_number wlan(config)# ipaddr ip_address subnet_mask wlan(config)# gateway ip_address_of_vlan_interface_on_Sup720_created_above wlan(config)# ip route 0.

Complete these steps in order to add an infrastructure AP that uses the services of the WDS: Note: This configuration applies only to the infrastructure APs and not the WDS AP. Choose Wireless Services > WDS. 1. Alternatively. with State as REGISTERED. with State as ACTIVE. Infrastructure_AP(config)# wlccp ap username infrastructureap password infrastructureap Infrastructure_AP(config)# end Infrastructure_AP# write memory 2. On the WDS AP WDS Status tab. and in the AP Information area. one per line. . On the infrastructure AP. Choose Wireless Services > AP. Then type the WDS Username and Password. You must define a WDS user name and password on the authentication server for all devices that are to be members of the WDS. End with CNTL/Z. the new infrastructure AP appears in the WDS Information area. issue these commands from the CLI: WDS_AP#configure terminal Enter configuration commands. select Enable for the Wireless Services option.

a.0.0.0.8547.8547. Alternatively.0. After the AP appears ACTIVE and/or REGISTERED.0.108 10. check the authentication server for any errors or failed authentication attempts.0.108 194 STATE REGISTERED .102 STATE REGISTERED REGISTERED Alternatively.b6c7 10. If the AP does not appear ACTIVE and/or REGISTERED. issue this command from the CLI: WDS_AP#show wlccp wds ap MAC-ADDR LIFETIME 000c.429f 76 IP -ADDR 10. issue this command from the WLSM: wlan#show wlccp wds ap MAC-ADDR IP -ADDR LIFETIME 000c.b6c7 194 0005. b.9a38. add a client authentication method to the WDS.

0. Set the applicable type of authentication (LEAP. Define a server group that authenticates clients (a Client group). Complete these steps in order to add a client authentication method: 1. Define Client Authentication Method Finally.102 REGISTERED Then.429f 76 wlan# 10. d. Choose Wireless Services > WDS.0. Set Priority 1 to the previously configured authentication server. 10. Perform these steps on the WDS AP Server Groups tab: a.0. b. and so forth).102 MN Authenticator = 10.102 Infrastructure_AP# Note: You cannot test client associations because client authentication does not have provisions yet.0005.0. c.0.9a38.0.102 state = wlccp_ap_st_registered IN Authenticator = 10. issue this command on the infrastructure AP: Infrastructure_AP# show wlccp ap WDS = 0005. define a method of client authentication.0.9a38. Apply the settings to the relevant SSIDs. .0. EAP.429f. MAC.

Alternatively. one per line.0. End with CNTL/Z.0.3 . WDS_AP(config)# wlccp authentication -server client eap method_Client WDS_AP(config)# wlccp authentication -server client leap method_ Client WDS_AP(config)# aaa group server radius Client WDS_AP(config -sg-radius)#server 10. issue these commands from the CLI: WDS_AP#configure terminal Enter configuration commands.

auth-port 1645 acct -port 1646 WDS_AP(config -sg-radius)#exit WDS_AP(config)# aaa authentication login method_Client group Client WDS_AP(config)# end WDS_AP#write memory Note: The example WDS AP is dedicated and does not accept client associations. Under the Security > SSID Manager menu item. Under the Security > Encryption Manager menu item. On the infrastructure AP or APs: a. . 2. select authentication methods as required by the authentication protocol you use. as required by the authentication protocol you use. Note: Do not configure on the infrastructure APs for server groups because infrastructure APs forward any requests to the WDS to be processed. click WEP Encryption or Cipher. b.

The AP of the WDS in the WDS Status tab (under the Wireless Services > WDS menu item) indicates that the client appears in the Mobile Node Information area and has a REGISTERED State. If the client does not appear.3. check the authentication server for any errors or failed authentication attempts by the clients. You can now successfully test whether clients authenticate to infrastructure APs. .

0. Verify .8547.Alternatively. MN Count: 1 WDS_AP#show wlccp wds mn MAC-ADDR STATE 0030.ACTIVE AP Count: 2 . Priority: 254 Interface BVI1.f74a 000c.0. IP -ADDR: 10.0. State: Administratively StandAlone . issue these commands from the CLI: WDS_AP#show wlccp wds MAC: 0005.b6c7 WDS_AP# IP -ADDR 10. because the WDS AP is the device that communicates with the authentication server.0.6527.25 REGISTERED Cur -AP Note: If you need to debug authentication.429f.102 . ensure that you debug on the WDS AP.9a38.

you can specify the interval or accept the interval given by the authentication server. The default is 5 seconds. enter the interval in seconds that the AP waits before it forces an authenticated client to reauthenticate. I read that this should be set to 100 ms and not 60 seconds. Question: In regards to TKIP holdoff time. o Disable radius-server deadtime. o EAP or MAC Reauthentication Interval is disabled by default. If you enable holdoff time. o TKIP MIC Failure Holdoff Time is enabled by default to 60 seconds. This list shows some of the common questions related to the WDS command in order to further clarify the usefulness of these commands: y Question: On the WDS AP. This is the number of seconds an AP waits for a reply to a RADIUS request before it resends the request. If the AP detects two MIC failures within 60 seconds. These are the recommended settings for the WDS AP: Disable radius-server timeout. Enter the amount of time the AP should wait for wireless clients to respond to EAP authentication requests. I assume it is set to one second from the browser because that is the lowest number you can select? o y . If you enable reauthentication. Troubleshoot This section provides information that you can use to troubleshoot your configuration. If you enable holdoff. o EAP Client Timeout (optional) is 120 seconds by default. what are the recommended settings for these items? o radius-server timeout o radius-server deadtime o Temporal Key Integrity Protocol (TKIP) message integrity check (MIC) Failure Holdoff Time o Client Holdoff Time o EAP or MAC Reauthentication Interval o EAP Client Timeout (optional) Answer: It is suggested that you keep the configuration with default settings regarding these special settings. it blocks all TKIP clients on that interface for the holdoff time period specified here. you can enter the interval in seconds. The RADIUS is skipped by additional requests for the duration of minutes unless all servers are marked dead. If you choose to specify the interval. o Client Holdoff Time should be disabled by default. and only use them when there is a problem regarding timing.There is currently no verification procedure available for this configuration. enter the number of seconds that the AP should wait after an authentication failure before a subsequent authentication request is processed.

An AP is a Layer 2 device. I assume that none of the Server Manager and Global Properties settings are needed because the AP receives information from the WDS.Answer: There is no specific recommendation to set it to 100 ms unless there is a failure reported where the only solution is to increase this time. but do not receive an IP address from the DHCP server. . One second is the lowest setting. when you configure an AP as a WDS device. Are any of these specific commands needed for the infrastructure AP? o radius-server attribute 6 on-for-login-auth o radius-server attribute 6 support-multiple o radius-server timeout o radius-server deadtime Answer: There is no need to have Server Manager and Global Properties for the infrastructure APs. you can see some of these symptoms: y y y Wireless clients cannot associate with the AP. If you use the mobility network-id command incorrectly. do not use the mobility network-id command. y Question: On the infrastructure AP. This command applies to Layer 3 mobility and you need to have a WLSM as your WDS device in order to properly configure Layer 3 mobility. the AP does not support Layer 3 mobility when the AP is configured to act as a WDS device. Therefore. Refer to the Layer 3 Mobility Architecture section of Cisco Catalyst 6500 Series Wireless LAN Services Module: White Paper for more information. y Question: Do these two commands help client authentication in any way and are they needed on the WDS or infrastructure AP? o radius-server attribute 6 on-for-login-auth o radius-server attribute 6 support-multiple Answer: These commands do not help the authentication process and they are not needed on the WDS or the AP. The WDS takes care of that task and there is no need to have these settings: o o o o radius-server attribute 6 on-for-login-auth radius-server attribute 6 support-multiple radius-server timeout radius-server deadtime The radius-server attribute 32 include-in-access-req format %h setting remains by default and is required. Therefore. Wireless clients can associate to the AP. You can achieve Layer 3 mobility only when you configure the WLSM as the WDS device. A wireless phone is not authenticated when you have a voice over WLAN deployment.

debug wlccp leap-client²Shows the details as an infrastructure device joins a WDS... y y y y y debug dot11 aaa authenticator all²Shows the various negotiations that a client goes through as the client associates and authenticates through the 802. This debug was introduced in Cisco IOS Software Release 12.. debug wlccp ap²Shows the WLCCP negotiations involved as an AP joins a WDS. The 1300 AP/Bridge does not support this functionality.cole2 Replies1 year.Featured Conversations Cisco Support Community is a forum for you to ask and answer questions. 6 months ago WDS is not supported in the built-in AP of UC500. debug wlccp packet²Shows the detailed information about WLCCP negotiations.dexter. With the mobility network-id configured. The 1300 AP/Bridge can participate in a WDS network as an infrastructure device in which some other AP or WLSM is configured as a WDS master. the packets do not go anywhere.. This command obsoletes debug dot11 aaa dot1x all in that and later releases. Troubleshooting Commands The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. and the WDS configuration does not work. Marcos .y y EAP authentication does not occur. An AP configured as a WDS device does not function as expected. Thanks.s.marchern1 year. Use the OIT to view an analysis of show command output. Note: You cannot configure the Cisco Aironet 1300 AP/Bridge as a WDS master. Note: Refer to Important Information on Debug Commands before you use debug commands. If no tunnel is established. Below are just some of the most recent and relevant conversations happening right now.1x or EAP process. and collaborate with your peers.2(15)JA. the AP tries to build a Generic Routing Encapsulation (GRE) tunnel to forward EAP packets. how does one go about configuring it? Subscribe o Reply Re: UC520W and Wireless Domain Services. 5 months ago Does the UC520W support participation wireless domain services (WDS)? If so. Cisco Support Community . debug aaa authentication²Shows the authentication process from a generic AAA perspective. share suggestions. Want to see more? Join us by clicking here y UC520W and Wireless Domain Services.

10 months ago Hi.shtml Hope this helps. WDS allows for Cisco features such as fast-secure roaming (see Leo's link for more information). 10 months ago . Wireless Domain Services AP as an AAA Server Configuration Example http://www.com1 Reply5 years. Subscribe o Reply Re: Wireless AP as controllerleolaohoo2 years. 2 months ago As long as the AP's are in Autonomous mode. Reply y Wireless Domain Services on Switchjohnnys_at_za.ibm.com/en/US/products/hw/wireless/ps458/products_configuration _example09186a008059a559. Besides the Cisco Access Points and Routers.s.Can Wireless Domain Services be configured on the Catalyst 3550 or is it only for the Cat 6500 switch? regds Johnny Subscribe o Reply Re: Wireless Domain Services on Switchmgleason5 years. 2 months ago To clarify.cisco. 2 months ago Is there a way to give one AP in a network the role of a "controller". and thus the APs won't receive their configurations from your "host" AP. so that basically all other APs will get their configuration or client authentication through the single device? We have 12 autonomous APs and we are using MAC authentication as part of our security strategy.dexter. WDS isn't a lightweight solution. Thanks.cole1 year. Reply  Re: Wireless AP as controllerjeff. Reply y Wireless AP as controlleroneirishpollack2 Replies2 years.kish2 years.Reply  Re: UC520W and Wireless Domain Services. There's no way to use an AP as a lightweight controller. 5 months ago I thought as much...

i have another question about the WDS and WPA2. i noticed when i implement WDS .cisco. http://forum. 9 months ago What type of AP's are you using? If lwapped from IOS they don't support WDS.Hi please follow this link for answer to your questions. thanks for ur information.com/en/US/partner/tech/tk722/tk809/technologies_q_and_a_ite m09186a00804d4421. thanks Reply  Re: PEAPfynskisb163 years. anyone can help ? EAP-TLS or PEAP authentication failed during SSL handshake regards kitten Subscribe o Reply Re: PEAPfynskisb163 years. what is it for and what does it do? thanks Carl Subscribe Reply y PEAPney253 Replies3 years. 9 months ago I think this is the same issue you are having. 2 weeks ago Hi all. they can't even connect to network.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%2 0%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB %3Fcmd%3Ddisplay_location%26location%3D. Hope this helps. .1ddfa0ac Reply  Re: PEAPney253 years. becaues. This post might help.shtml Reply y Cisco WDScarl_townshend0 Replies4 years. Converted access points communicate only with Cisco wireless LAN controllers and cannot communicate with WDS devices. that's really helpful for me. http://www. 9 months ago Hi Fynskisb16. 9 months ago hi . Access points converted to lightweight mode do not support Wireless Domain Services (WDS).cisco. those whose are using PEAP/WPA2 was affected . I have seen Wireless domain services setup on my ap.

http://www.. Otherwise.. with the user still sitting in the same seat. Everything is great. The two APs in their area are 1242s. but AP-b is still within range. This cycle just repeats itself. When it drops the user has to auth back to AP-a. Clients associate with WPA and authenticate with Radius secure ID. I have two AP1232s. Signal strengh is about -70db. 2 months ago Hi John.dancampb3 years. I have one site that has a mix of AP1200s with B radios and 1242s with G radios. Reply  Re: Client reauthenticating. Of course this drops the connection. One particular area of the site has users experiencing authentication breaks and causes loss of connectivity..cisco. 5 months ago Per the specs the client decides when and where to roam. The other is to adjust the power levels on the AP's so that the other AP isn't as good of a roam candidate.. Reply . Any ideas out there? Subscribe o Reply Re: Client reauthenticating. AP-b prompts the client for authentication via secure ID. Then after a while (time is never the same). any roam at all will present the same way.matthogue3 years.2/configur ation/guide/c32lwap. Reply  Re: Client reauthenticating. AP-a and AP-b There is a conference room where AP-a is closer.html Reply y Client reauthenticating flip-floping APsswoodyard8 Replies3 years.. but directly above them on the 2nd floor is a 1200. no matter how well you get your infrastructure tweaked.com/en/US/docs/wireless/controller/3.. First thing is depending on the supplicant you are using you may be able to adjust how sensitive its roaming is. The signal strengh is 90db to -95db so it doesn't stay connected long. If you are using autonomous AP's you need WDS.... 2 months ago Here is my situation. but if you are using any radius authentication you need something to act as the go between between the radius and the client.preves3 years.. I have seen a log this morning on one of the 1242s showing the 1200 above them as a rogue (this is the first time i have seen it): Mar 27 09:07:13:. There are a couple things you can try to do to help..john. 4 months ago By all means always regulate your power settings as stated before.

rob.huffman3 years. but that may take a little time.html#wp10 35881 Wireless Domain Services Configuration...even though the B only AP is closer... The client wants to go as fast as it can... Can you provide a good link for the WDS configuration process? I don't think we are going to be swapping out the B radios any time soon either.the very first thing I see that you either are or will have issues with is the mix of B only and BG AP's.... 2 months ago .. Reply  Re: Client reauthenticating.matthogue3 years. so it looks like until we get the LWAPP/WLAN Controller setup in place.john. Here are the WDS docs you may need. 2 months ago Hmmm.preves3 years. thanks again Matt Reply  Re: Client reauthenticating. You need WDS (autonomous)or something.. 2 months ago Hey Matt.matthogue3 years. Reply  Re: Client reauthenticating. Fast Secure Roaming. Yes. 2 months ago Thanks John.. which means a G client will look for the ability to transmit and recieve at the faster data rates. Configuring WDS.cisco. and Radio Management http://www. the WDS solution sounds like our best more. This will cause much pain and I have spent the night upgrading AP's before so please take this into consideration..com/en/US/products/hw/ wireless/ps4570/products_configuration_gu ide_chapter09186a0080341d2d.... Re: Client reauthenticating. eventually we are going to be changing over to LWAPP. Hope all is well with you :) Just to add a note to the great info from John and Dan.

com1 Reply6 years. Thanks for the info as always... We have a few in testing in the office. Congrats on the new home purchase!! Knowing that you must love the Cards. for WDS and Local radius server.bought my first house this week. the Wireless Domain Services Priority field will not take input. I will now cheer for them as well in their quest for the Championship :) Go Cardinals Go! Rob Reply y Cannot Enable WDS with a local Radius. and I'll keep you posted.rob. :) I hope life is grand with you as well. Anyway I decided to use 2 separate APs. When I select "use this AP as WDS".dsmith_at_gibsondunn.Hey Rob! Yes... Using system software version 12. 2 months ago Hi Matt. I can not then apply WDS. and of course..huff man3 years. I should have tried doing this. I am not sure if Cisco supports both WDS and Local radius server on the same box. Reply . but the deployment is at a standstill until the controllers are fully tested. and the Louisville Cardinals are in the Elite 8 of the NCAA. Even the local radius server has a limitation of upto 50 users... 3 months ago WHen I was about to deploy something similar.3(2)JA2. I believe I have followed the insructions in Chapter 11 of the configuration guide and am sucessfully using LEAP with CCKM key managment against the local Radius server.thisisshanky6 years. 3 months ago I must be missing something. life is going well.. Reply  Re: Client reauthenticating. Subscribe o Reply Re: Cannot Enable WDS with a local. Slowly but surely on the LWAPPs..

5 months ago Pete. how does the AP Authentication feature in autonomous Cisco APs work ? In the SSID Manager you can select a defined AP Authentication credential. Do you still need the 6500 module if you configure it that way? I have an ACS and WLSE. 5 months ago Hi Alex.ciscoprolin1 Reply3 years. We also run WLSE. If you use a. And I created exactly the same username/password on the Radius Server. You need to set one AP up as the Master in the SWAN infrastructure and another as the Backup.shtml If you need specific configs let me know and I will try and help you out.. secure roaming for client devices and to participate in radio management. Thanks a lot! I just wanted to verify that would work.cisco. I have found this document that may be useful for you.com/en/US/products/hw/wireless/ps4570/products_configuratio n_example09186a00801c951f..huffman3 years. Regards. I do not have a WLSM module for our 6500. I would appreciate any help. access points on your wireless LAN use the WDS device (either an access point or a switch configured as the WDS device) to provide fast.y Wireless domain servicesalexlpfeil3 Replies3 years. Any help is greatly appreciated. Thanks. . http://www. 5 months ago Alex.I was looking at configuring Wireless Domain Services on my network. But where can I define that it's mandatory for all APs to authenticate to the network via Radius ? Even if I enter a wrong password in the AP Authentication section the AP still is accepted by the Radius Server and can serve WiFi-Clients in the same SSID. We are running WDS and have no WLSM on our 6500. 11 months ago Hi guys.. Fast Secure Roaming. You can use an AP for WDS with no WLSM (Module):) Have a look Configuring WDS. Thanks. Alex Subscribe o Reply Re: Wireless domain servicesmrlee@cisco3 years. I saw that you can configure an AP as the WDS. Reply y AP Authentication in 1242AG/1310G. Alex Reply o Re: Wireless domain servicesrob. Pete Reply  Re: Wireless domain servicesalexlpfeil3 years. I appreciate your reply. 5 months ago I already have over 50 1242 access points deployed. Thanks.. and Radio Management Understanding WDS When you configure Wireless Domain Services on your network.

aghaznavi3 years.Cisco System . Fast Secure Roaming. and Radio Management Catalyst 6500 Series Wireless LAN Services Module Configuration Note Configuring Cipher Suites and WEP Configuring Authentication Types Wireless LAN Support Pages Technical Support & Documentation . 11 months ago Go to Wireless Domain services -settings and configure the Radius server there.. Reply Subscribe Start A New Discussion Related Information y y y y y y Configuring WDS.Subscribe o Reply Re: AP Authentication in 1242AG/1310G..