SWAN Nonswitching Deployment: Configuration Guidelines and Examples

This section addresses configuration guidelines for SWAN nonswitching deployment mode. This deployment mode is discussed in detail in Chapter 9. Security, Layer 2 fast secure roaming, local authentication, and management functions are centralized at the wireless domain services (WDS) server level. You can deploy an AP, Catalyst switch, or branch-office router (Cisco 2600 or 3700 series) as the WDS server. In this deployment mode, the control traffic (known as WLCCP traffic) flows through the WDS server, whereas the data traffic (actual 802.11 user traffic) is forwarded via the normal route. Note that this is different from the central switching model, in which both control and user data are forwarded through the central switch.

The WLAN security methods discussed in the section "WLAN Security Methods: Configuration Guidelines and Examples" also apply to SWAN nonswitching deployment mode. One of the major changes made in the SWAN nonswitching deployment mode is that 802.1x/EAP authentication messages are relayed through the WDS server. In this scenario, the WDS client AP still controls user access into the network; however, the WDS server becomes the authenticator. In EAP/802.1x authentication, these changes are used to expedite Layer 2 fast secure roaming for 802.1x/EAP clients. Along with fast secure roaming, the RF data aggregation function and the local authentication service can be enabled on the WDS server. Note that the local authentication service is independent of the WDS functions; however, it is recommended that you enable it on the WDS server because all EAP/802.1x authentication messages are relayed through the WDS server.

Basic WDS Configuration

Basic WDS configuration involves enabling WDS server service on the selected WDS server(s), enabling WDS client service on the appropriate APs, and enabling infrastructure authentication between the WDS server and the WDS client APs. Note that the WDS client APs use WLCCP (UDP port 2887) to communicate with the WDS server. Example 12-14 illustrates the configuration sequence required to enable a WDS server for the SWAN nonswitching deployment mode. As discussed in Chapter 9, WDS client APs reside in the same subnet as the WDS server and autodetect the WDS server. Note that you can refer to the WDS server in this deployment mode as the Layer 2 WDS server. As shown in Example 12-14, you must configure a specific priority for the Layer 2 WDS server; the WDS server with the highest configured priority within a subnet is selected as the active WDS server.

Example 12-14. WDS Server Configuration (SWAN Nonswitching Deployment Mode)

!
! Enable WDS server mode and specify priority for the WDS server
WDS-SERVER(config)#wlccp wds priority 99 interface bVI 1
! Enable infrastructure and client authentication types
WDS-SERVER(config)#wlccp authentication-server infrastructure WLCCP-AUTH
WDS-SERVER(config)#wlccp authentication-server client leap LEAP-AUTH
WDS-SERVER(config-wlccp-auth)#exit
WDS-SERVER(config)#wlccp authentication-server client eap EAP-AUTH
WDS-SERVER(config-wlccp-auth)#exit
! Configure WDS server to communicate with the RADIUS server
WDS-SERVER(config)#aaa new-model
WDS-SERVER(config)#radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key tmelab
! Specify RADIUS server group for client EAP authentication
WDS-SERVER(config)#aaa group server radius rad-eap
WDS-SERVER(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
WDS-SERVER(config-sg-radius)#exit
! Specify RADIUS server group for infrastructure authentication
WDS-SERVER(config)#aaa group server radius rad-wlccp
WDS-SERVER(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
WDS-SERVER(config-sg-radius)#exit
! Bind each WLCCP authentication list to its RADIUS server group
WDS-SERVER(config)#aaa authentication login LEAP-AUTH group rad-eap
WDS-SERVER(config)#aaa authentication login EAP-AUTH group rad-eap
WDS-SERVER(config)#aaa authentication login WLCCP-AUTH group rad-wlccp


Along with configuring the WDS server, you must configure WDS client service on each AP, as shown in Example 12-15.

Example 12-15. Configuring WDS Client Mode on an Access Point (SWAN Nonswitching Deployment Mode)

! Specify infrastructure authentication credentials for the WDS client AP
TMELAB-AP1(config)#wlccp ap username ap1 password tmelab
TMELAB-AP1(config)#end


You can use debug commands shown in Example 12-16 to troubleshoot infrastructure and client authentication problems.

Example 12-16. Debug Information on the WDS Server (SWAN Nonswitching Deployment Mode)

! View WDS server status and number of registered APs and WLAN clients
WDS-SERVER#show wlccp wds
      MAC: 000c.30e9.0711, IP-ADDR: 10.10.10.22    , Priority: 5
      Interface BVI1, State: Administratively StandAlone - ACTIVE
      AP Count: 1   , MN Count: 0
! View registered WDS client AP information
WDS-SERVER#show wlccp wds ap
    MAC-ADDR       IP-ADDR          STATE         LIFETIME
000c.8500.0156    10.10.10.21     REGISTERED      553
WDS-SERVER#
! Other useful commands on the WDS server ---
WDS-SERVER#debug wlccp wds
!
! Debug information on the WDS client AP:
! View registration status and view authenticated WDS server info
TMELAB-AP1#show wlccp ap
 WDS = 000c.30e9.0711, 10.10.10.22
 state = wlccp_ap_st_registered
 IN Authenticator = 10.10.10.22
 MN Authenticator = 10.10.10.22
TMELAB-AP1#


Fast Secure Roaming (CCKM) Configuration

As discussed in Chapter 9, fast secure roaming functionality (CCKM protocol) expedites Layer 2 roaming for EAP/802.1x clients. In addition to the basic WDS configuration sequence provided in Examples 12-14 and 12-15, further configuration is required, as shown in Example 12-17, on a WDS client AP to enable fast secure roaming. Note that, as shown in Example 12-17, WPA-TKIP or Cisco TKIP (CKIP) is used as the cipher, whereas CCKM is used as the key management protocol.

Example 12-17. Configuring Fast Secure Roaming on a WDS Client AP

!
! Enable CCKM roaming for LEAP or EAP-FAST with WPA-TKIP clients
TMELAB-AP1(config)#int dot11Radio 0
! Enable WPA-TKIP cipher for the WLAN clients
TMELAB-AP1(config-if)#encryption mode ciphers tkip
TMELAB-AP1(config-if)#ssid Enterprise
TMELAB-AP1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable CCKM key management for fast secure roaming clients
TMELAB-AP1(config-if-ssid)#authentication key-management wpa cckm
TMELAB-AP1(config-if-ssid)#end
!
! OR
!
! Enable CCKM for LEAP or EAP-FAST with Cisco TKIP clients
TMELAB-AP1(config)#int dot11Radio 0
! Enable CKIP cipher for fast secure roaming clients
TMELAB-AP1(config-if)#encryption mode ciphers ckip-cmic
TMELAB-AP1(config-if)#ssid Enterprise
TMELAB-AP1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable CCKM key management for fast secure roaming clients
TMELAB-AP1(config-if-ssid)#authentication key-management cckm
TMELAB-AP1(config-if-ssid)#end


There is no need to configure RADIUS server information on the WDS client AP because all authentication messages are relayed through the WDS server. After you enable WDS mode, it is important to enable all authentication types (LEAP, EAP, MAC address, and infrastructure) on the WDS server. This is required whether or not fast secure roaming is implemented for any EAP type. (All EAP authentication messages are relayed through the WDS server.)
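As an added example (not from the book or from Cisco), the following Python audit reads a WDS server running-config text and checks the pieces that Example 12-14 configures and that the paragraph above requires: a WDS priority, an authentication-server binding for each of the four types (infrastructure, LEAP, EAP, MAC), and a login method list for every binding that resolves to a RADIUS server group with at least one server. The `client mac` keyword for the MAC-address binding is assumed to follow the `client leap`/`client eap` form shown above.

```python
import re

# Constructed sample: the WDS server configuration of Example 12-14 as it would appear in the
# running config, with the client MAC authentication type left out so the audit reports it.
SAMPLE_CONFIG = """\
aaa new-model
wlccp wds priority 99 interface BVI1
wlccp authentication-server infrastructure WLCCP-AUTH
wlccp authentication-server client leap LEAP-AUTH
wlccp authentication-server client eap EAP-AUTH
aaa group server radius rad-eap
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa group server radius rad-wlccp
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa authentication login LEAP-AUTH group rad-eap
aaa authentication login EAP-AUTH group rad-eap
aaa authentication login WLCCP-AUTH group rad-wlccp
"""
# Every EAP exchange is relayed through the WDS server, so all four types must be bound there.
REQUIRED_TYPES = ("infrastructure", "leap", "eap", "mac")

def audit_wds_config(config):
    """Return a list of findings; an empty list means the WDS server configuration is consistent."""
    bound, login_lists, groups, current = {}, {}, {}, None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):
            current = None                          # a top-level command ends a server-group submode
        if m := re.match(r"wlccp authentication-server (?:client )?(\S+) (\S+)$", line):
            bound[m.group(1)] = m.group(2)          # authentication type -> method list name
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)$", line):
            login_lists[m.group(1)] = m.group(2)    # method list -> RADIUS server group
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            current = m.group(1)
            groups[current] = 0                     # number of servers defined in the group
        elif current and line.startswith("server "):
            groups[current] += 1
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model missing: method lists are never consulted")
    if not re.search(r"^wlccp wds priority \d+ interface \S+$", config, re.M):
        findings.append("wlccp wds priority missing: device will not act as WDS server")
    for t in REQUIRED_TYPES:
        if t not in bound:
            findings.append(f"wlccp authentication-server for '{t}' not configured")
    for t, name in bound.items():
        if groups.get(login_lists.get(name), 0) == 0:
            findings.append(f"{t}: list {name} does not resolve to a RADIUS server group with servers")
    return findings
```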

Figure 12-14 illustrates the fast secure roaming configuration required for an EAP-FAST client. As shown, you can enable the WPA-TKIP cipher along with fast secure roaming (CCKM). The EAP-FAST implementation on Cisco clients requires you to configure the network EAP authentication type on the WDS client APs and on the WDS server.

Figure 12-14. Fast Secure Roaming Configuration for EAP-FAST Client


In the event of client authentication failures, you can use debug commands, as shown in Example 12-18, on the WDS client AP and on the WDS server to debug the authentication problems.

Example 12-18. Debug Information on the WDS Client AP

TMELAB-AP1#debug wlccp ap mn
*Mar  1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: Association for 0007.8592.3b5a
*Mar  1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: sent ksc 1 *
*Mar  1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: bssid 0007.85b3.581e key type 2
*Mar  1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: ssid Enterprise
*Mar  1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: sent msc 14 *
*Mar  1 03:06:12.251: wlccp_ap_mn: PreReg Reply: eap_server_type 17
*Mar  1 03:06:12.251: wlccp_ap_mn: ap_proc_prereg_reply assoc for 0007.8592.3b5a
*Mar  1 03:06:12.252: wlccp_ap_mn: PreReg Reply: got MSC 15 *
*Mar  1 03:06:12.273: wlccp_ap_mn: MN Reg Req: ssid Enterprise,
 bssid 0007.85b3.581e, auth 8, ip 0.0.0.0 flag 1
*Mar  1 03:06:12.276: wlccp_ap_mn: MN registration reply status SUCCESS, NO ERROR
TMELAB-AP1#show dot11 associations all-client
Address           : 0007.8592.3b5a     Name             : TME_LAB2_PC1
IP Address        : 10.10.10.47        Interface        : Dot11Radio 0
Device            : 350-client         Software Version : 5.30
State             : EAP-Assoc          Parent           : self
SSID              : Enterprise         VLAN             : 0
Hops to Infra     : 1                  Association Id   : 2
Clients Associated: 0                  Repeaters associated: 0
Key Mgmt type     : CCKM               Encryption       : TKIP
Current Rate      : 11.0               Capability       : ShortHdr
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -36  dBm           Connected for    : 118 seconds
Signal Quality    : 83 %               Activity Timeout : 23 seconds
Power-save        : Off                Last Activity    : 3 seconds ago
Packets Input     : 42                 Packets Output   : 15
Bytes Input       : 5388               Bytes Output     : 1511
Duplicates Rcvd   : 0                  Data Retries     : 5
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0
MIC Missing       : 0
! Other useful commands ---
TMELAB-AP1#debug wlccp leap-client
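An added example, not from the book: a Python check over `show dot11 associations all-client` output that confirms CCKM key management and an accepted cipher for each associated client, so a client that ended up outside the fast secure roaming configuration is noticed. The second client record and its `NONE`/`Off` field values are constructed for the sample.

```python
import re

# Constructed sample in the format of 'show dot11 associations all-client' from Example 12-18:
# the page's CCKM/TKIP client, plus an added client that associated without key management.
SAMPLE_ASSOC = """\
Address           : 0007.8592.3b5a     Name             : TME_LAB2_PC1
IP Address        : 10.10.10.47        Interface        : Dot11Radio 0
State             : EAP-Assoc          Parent           : self
SSID              : Enterprise         VLAN             : 0
Key Mgmt type     : CCKM               Encryption       : TKIP
Signal Strength   : -36  dBm           Connected for    : 118 seconds

Address           : 0007.8592.3c10     Name             : TME_LAB2_PC2
IP Address        : 10.10.10.48        Interface        : Dot11Radio 0
State             : Assoc              Parent           : self
SSID              : Enterprise         VLAN             : 0
Key Mgmt type     : NONE               Encryption       : Off
Signal Strength   : -51  dBm           Connected for    : 30 seconds
"""

# Each line carries up to two "Label : value" pairs; the second begins after two or more
# spaces at a capitalised label that is followed by a colon.
PAIR = re.compile(r"\s{2,}(?=[A-Z][A-Za-z ]*:)")

def parse_associations(text):
    """Return one {label: value} dict per associated client, in output order."""
    clients, current = [], {}
    for line in filter(str.strip, text.splitlines()):
        if line.startswith("Address "):            # each client record opens with its MAC address
            current = {}
            clients.append(current)
        for pair in PAIR.split(line.strip()):
            label, value = (part.strip() for part in pair.split(":", 1))
            current[label] = value
    return clients

def clients_without_cckm(text, ciphers=("TKIP",)):
    """Return (MAC, reason) for clients not protected by CCKM with an accepted cipher;
    such clients cannot fast-roam and, with no cipher at all, send data in the clear."""
    flagged = []
    for client in parse_associations(text):
        if client.get("Key Mgmt type") != "CCKM":
            flagged.append((client["Address"], f"key management {client.get('Key Mgmt type')}"))
        elif client.get("Encryption") not in ciphers:
            flagged.append((client["Address"], f"cipher {client.get('Encryption')}"))
    return flagged
```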


RF Aggregation Configuration and Rogue AP Detection

As discussed in Chapter 9, the WDS client APs and WLAN clients (Cisco and CCXv2 or above) associated with WDS client APs collect RF information. They collect and forward the RF information to the WDS server, which in turn aggregates the collected RF information and forwards it to the WLSE for executing assisted site-survey, RF topology mapping, location management, and rogue AP detection services.

The WDS server must be configured to communicate with the WLSE using the WLCCP protocol. This requires the WLSE to authenticate with the WDS server and secure the WLCCP link between itself and the WDS server. SNMP community parameters must also be configured on all WDS client APs and on the WDS server. (See Example 12-19.) This enables the WLSE to manage the WDS servers and the WDS client APs.

Example 12-19. WDS Server and WDS Client AP Configuration for Enabling RF Management

!
! Configure the WDS server to communicate with the WLSE
WDS-SERVER(config)#wlccp wnm ip address 10.10.10.9
!
! SNMP community string configuration required on both WDS server and the WDS client APs
WDS-SERVER(config)#snmp-server view iso iso included
WDS-SERVER(config)#snmp-server community tmelab-ro view iso RO
WDS-SERVER(config)#snmp-server view iso iso included
WDS-SERVER(config)#snmp-server community tmelab-rw view iso RW


The WLSE functions as the Wireless Network Manager (WNM) component of SWAN. Follow this procedure for setting up WLSE 2.5 or above for RF management services:

  1. Configure SNMP read and read-write communities to use with the WDS server and the WDS client APs.

    On the WLSE web-based GUI, navigate to Devices > Discover > Device Credentials > SNMP Communities.

  2. Configure Telnet/SSH credentials to use to log in to the WDS server and WDS client APs.

    Enter the Telnet/SSH credentials on the WLSE GUI interface found at Devices > Discover > Device Credentials > Telnet/SSH user password.

  3. Configure WLCCP credentials to authenticate the WLSE to each WDS server.

    Using the WLSE GUI, navigate to Devices > Discover > Device Credentials > WLCCP Credentials. Enter the WLCCP username and password.

  4. Click on Save to save the configured WLSE parameters.

  5. Ensure that the WLSE has discovered the WDS server and moved it to the "managed" state. You can check this in the WLSE GUI via Devices > Discovery > Managed/Unmanaged options.

  6. Use the Radio Manager Assisted Site-Survey wizard to carry out the initial deployment of managed APs.

Consult the WLSE documentation posted on the Cisco website for the proper syntax for entering the previous credentials and also for carrying out RF management services.

Along with configuring the WDS server, WDS client APs, and WLSE, the WLAN clients must be configured to enable radio management. The client scanning feature is not mandatory but can be enabled on Cisco and CCXv2 clients to increase the accuracy of RF management/security features such as rogue AP detection. Figure 12-15 shows enabling the radio management feature on a Cisco 350 client adapter. (The feature is enabled by default.)

Figure 12-15. Enabling Radio Management on a Cisco Client


Figure 12-16 shows a rogue AP alert generated by the WLSE. As shown in Figure 12-15, you can use Location Manager in WLSE version 2.5 or higher to narrow the location of the detected rogue AP. Furthermore, the WLSE 2.7 release and above provides rogue AP suppression via switch port tracing, allowing the administrator to shut down the switch port to which the rogue AP is attached. Note that this (rogue AP suppression via switch port shutdown) requires CDP to be enabled on your wired network.

Figure 12-16. Rogue AP Alert on WLSE


Local Authentication Configuration (RADIUS Fall-Back Service)

You can enable local authentication service on the WDS server in a branch office scenario to provide fall-back RADIUS service during WAN link failure conditions. You can also use it as the primary RADIUS server in a small office scenario; however, note that accounting/auditing services are not available on the local authentication server. Furthermore, local authentication service is only supported for LEAP and EAP-FAST authentication types. Example 12-20 provides the configuration sequence required to enable local authentication service for LEAP users. Note that local authentication service is independent of WDS functions, but it is recommended that you enable it on the WDS server because all EAP/802.1x authentication messages (CCKM and non-CCKM) are relayed through the WDS server.

Example 12-20. Local LEAP Authentication Service Configuration on the WDS Server

! Enable local authentication service on the WDS server for LEAP clients
WDS-SERVER(config)#aaa new-model
WDS-SERVER(config)#aaa authorization exec default local
WDS-SERVER(config)#aaa authentication login default local
WDS-SERVER(config)#radius-server local
! Add AP(s) as AAA client(s) along with shared secret for RADIUS authentication
WDS-SERVER(config-radsrv)#nas 10.10.10.21 key 0 tmelab
! Add user account information under the local radius service for specific users
WDS-SERVER(config-radsrv)#user tmeuser101 password 0 tmelab
WDS-SERVER(config-radsrv)#end
WDS-SERVER#


You can use debug commands to verify local authentication service (on the local authentication server), as shown in Example 12-21.

Example 12-21. Debug Commands for Local Authentication Service

WDS-SERVER#debug radius local-server error
WDS-SERVER#debug radius local-server client
! Use the following show command to look at local authentication statistics
WDS-SERVER#show radius local-server statistics
Successes              : 2           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 0           Invalid packet from NAS: 0
NAS : 10.10.10.21
Successes              : 2           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Corrupted packet       : 0           Unknown RADIUS message : 0
No username attribute  : 0           Missing auth attribute : 0
Shared key mismatch    : 0           Invalid state attribute: 0
Unknown EAP message    : 0           Unknown EAP auth type  : 0
Username                  Successes  Failures  Blocks
tmeuser101                        2         0       0
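An added example, not from the book: because the local authentication server provides no accounting, its statistics counters are the main audit signal it offers, and this Python check parses `show radius local-server statistics` output to flag counters that indicate a NAS or shared-key misconfiguration (for instance an AP missing from the `nas` list, or a key that does not match Example 12-20) or failing user credentials. The raised counter values and the second user in the sample are constructed.

```python
import re

# Constructed sample in the format of 'show radius local-server statistics' from Example 12-21,
# with several failure counters raised so that the check has something to report.
SAMPLE_STATS = """\
Successes              : 2           Unknown usernames      : 0
Client blocks          : 0           Invalid passwords      : 0
Unknown NAS            : 1           Invalid packet from NAS: 0
NAS : 10.10.10.21
Successes              : 2           Unknown usernames      : 0
Client blocks          : 1           Invalid passwords      : 7
Corrupted packet       : 0           Unknown RADIUS message : 0
Shared key mismatch    : 3           Invalid state attribute: 0
Username                  Successes  Failures  Blocks
tmeuser101                        2         0       0
tmeuser102                        0         7       1
"""
PAIR = re.compile(r"\s{2,}(?=[A-Z][A-Za-z ]*:)")   # boundary between the two counter columns
MISCONFIG = ("Unknown NAS", "Shared key mismatch", "Corrupted packet", "Invalid packet from NAS")
CREDENTIAL = ("Unknown usernames", "Invalid passwords", "Client blocks")

def parse_local_server_stats(text):
    """Return (server counters, {nas: counters}, {user: (successes, failures, blocks)})."""
    server, per_nas, users, scope = {}, {}, {}, None
    lines = iter(filter(str.strip, text.splitlines()))
    for line in lines:
        if line.startswith("NAS :"):                 # counters that follow belong to this AP
            scope = per_nas[line.split(":", 1)[1].strip()] = {}
        elif line.startswith("Username"):            # the per-user table follows its header
            break
        else:
            for pair in PAIR.split(line.strip()):
                label, value = (part.strip() for part in pair.split(":", 1))
                (server if scope is None else scope)[label] = int(value)
    for line in lines:
        user, ok, fail, blocks = line.split()
        users[user] = (int(ok), int(fail), int(blocks))
    return server, per_nas, users

def local_server_findings(text):
    """Flag counters that point at a NAS/shared-key misconfiguration or at failing credentials."""
    server, per_nas, users = parse_local_server_stats(text)
    findings = []
    for scope, counters in [("server", server)] + list(per_nas.items()):
        findings += [f"{scope}: {k}={v} (misconfiguration)" for k, v in counters.items() if v and k in MISCONFIG]
        findings += [f"{scope}: {k}={v} (credential failure)" for k, v in counters.items() if v and k in CREDENTIAL]
    for user, (_, fail, blocks) in users.items():
        if fail or blocks:
            findings.append(f"user {user}: {fail} failures, {blocks} blocks")
    return findings
```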