This section addresses configuration guidelines for SWAN nonswitching deployment mode. This deployment mode is discussed in detail in Chapter 9. Security, Layer 2 fast secure roaming, local authentication, and management functions are centralized at the wireless domain services (WDS) server level. You can deploy an AP, Catalyst switch, or branch-office router (Cisco 2600 or 3700 series) as the WDS server. In this deployment mode, the control traffic (known as WLCCP traffic) flows through the WDS server, whereas the data traffic (actual 802.11 user traffic) is forwarded via the normal route. Note that this is different from the central switching model, in which both control and user data are forwarded through the central switch.
The WLAN security methods discussed in the section "WLAN Security Methods: Configuration Guidelines and Examples" also apply to SWAN nonswitching deployment mode. One of the major changes made in the SWAN nonswitching deployment mode is that 802.1x/EAP authentication messages are relayed through the WDS server. In this scenario, the WDS client AP still controls user access into the network; however, the WDS server becomes the authenticator. In EAP/802.1x authentication, these changes are used to expedite Layer 2 fast secure roaming for 802.1x/EAP clients. Along with fast secure roaming, the RF data aggregation function and the local authentication service can be enabled on the WDS server. Note that the local authentication service is independent of the WDS functions; however, it is recommended that you enable it on the WDS server because all EAP/802.1x authentication messages are relayed through the WDS server.
Basic WDS configuration involves enabling WDS server service on the selected WDS server(s), enabling WDS client service on the appropriate APs, and enabling infrastructure authentication between the WDS server and the WDS client APs. Note that the WDS client APs use WLCCP (UDP port 2887) to communicate with the WDS server. Example 12-14 illustrates the configuration sequence required to enable a WDS server for the SWAN nonswitching deployment mode. As discussed in Chapter 9, WDS client APs reside in the same subnet as the WDS server and autodetect the WDS server. Note that you can refer to the WDS server in this deployment mode as the Layer 2 WDS server. As shown in Example 12-14, you must configure a specific priority for the Layer 2 WDS server; the WDS server with the highest configured priority within a subnet is selected as the active WDS server.
! Enable WDS server mode and specify priority for the WDS server
WDS-SERVER(config)#wlccp wds priority 99 interface bVI 1
! Enable infrastructure and client authentication types
WDS-SERVER(config)#wlccp authentication-server infrastructure WLCCP-AUTH
WDS-SERVER(config)#wlccp authentication-server client leap LEAP-AUTH
WDS-SERVER(config-wlccp-auth)#exit
WDS-SERVER(config)#wlccp authentication-server client eap EAP-AUTH
WDS-SERVER(config-wlccp-auth)#exit
! Configure WDS server to communicate with the RADIUS server
WDS-SERVER(config)#aaa new-model
WDS-SERVER(config)#radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key tmelab
! Specify RADIUS server group for client EAP authentication
WDS-SERVER(config)#aaa group server radius rad-eap
WDS-SERVER(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
WDS-SERVER(config-sg-radius)#exit
! Specify RADIUS server group for infrastructure authentication
WDS-SERVER(config)#aaa group server radius rad-wlccp
WDS-SERVER(config-sg-radius)#server 10.10.10.5 auth-port 1812 acct-port 1813
WDS-SERVER(config-sg-radius)#exit
WDS-SERVER(config)#aaa authentication login LEAP-AUTH group rad-eap
WDS-SERVER(config)#aaa authentication login EAP-AUTH group rad-eap
WDS-SERVER(config)#aaa authentication login WLCCP-AUTH group rad-wlccp
Along with configuring the WDS server, you must configure WDS client service on each AP, as shown in Example 12-15.
! Specify infrastructure authentication credentials for the WDS client AP
TMELAB-AP1(config)#wlccp ap username ap1 password tmelab
TMELAB-AP1(config)#end
You can use the show and debug commands shown in Example 12-16 to troubleshoot infrastructure and client authentication problems.
! View WDS server status and number of registered APs and WLAN clients
WDS-SERVER#show wlccp wds
MAC: 000c.30e9.0711, IP-ADDR: 10.10.10.22 , Priority: 5
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 1 , MN Count: 0
! View registered WDS client AP information
WDS-SERVER#show wlccp wds ap
MAC-ADDR          IP-ADDR          STATE          LIFETIME
000c.8500.0156    10.10.10.21      REGISTERED     553
WDS-SERVER#
! Other useful commands on the WDS Server ---
WDS-SERVER#debug wlccp wds
!
! Debug information on the WDS client AP:
! View registration status and view authenticated WDS server info
TMELAB-AP1#show wlccp ap
WDS = 000c.30e9.0711, 10.10.10.22
state = wlccp_ap_st_registered
IN Authenticator = 10.10.10.22
MN Authenticator = 10.10.10.22
TMELAB-AP1#
As discussed in Chapter 9, fast secure roaming functionality (CCKM protocol) expedites Layer 2 roaming for EAP/802.1x clients. In addition to the basic WDS configuration sequence provided in Examples 12-14 and 12-15, further configuration is required, as shown in Example 12-17, on a WDS client AP to enable fast secure roaming. Note that, as shown in Example 12-17, WPA-TKIP or Cisco TKIP (CKIP) is used as the cipher, whereas CCKM is used as the key management protocol.
! Enable CCKM roaming for LEAP or EAP-FAST with WPA-TKIP clients
TMELAB-AP1(config)#int dot11Radio 0
! Enable WPA-TKIP cipher for the WLAN clients
TMELAB-AP1(config-if)#encryption mode ciphers tkip
TMELAB-AP1(config-if)#ssid Enterprise
TMELAB-AP1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable CCKM key management for fast secure roaming clients
TMELAB-AP1(config-if-ssid)#authentication key-management wpa cckm
TMELAB-AP1(config-if-ssid)#end
! OR
!
! Enable CCKM for LEAP or EAP-FAST with Cisco TKIP clients
TMELAB-AP1(config)#int dot11Radio 0
! Enable CKIP cipher for fast secure roaming clients
TMELAB-AP1(config-if)#encryption mode ciphers ckip-cmic
TMELAB-AP1(config-if)#ssid Enterprise
TMELAB-AP1(config-if-ssid)#authentication network-eap LEAP-AUTH
! Enable CCKM key management for fast secure roaming clients
TMELAB-AP1(config-if-ssid)#authentication key-management cckm
TMELAB-AP1(config-if-ssid)#end
There is no need to configure RADIUS server information on the WDS client AP because all authentication messages are relayed through the WDS server. After you enable WDS mode, it is important to enable all authentication types (LEAP, EAP, MAC address, and infrastructure) on the WDS server. This is required whether or not fast secure roaming is implemented for any EAP type. (All EAP authentication messages are relayed through the WDS server.)
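As an added check, not code from the book or from Cisco, the following Python script audits a WDS server's running configuration against the requirements stated above: a WDS priority, infrastructure authentication, every client authentication type (LEAP, EAP, MAC address), each wlccp list name resolving to an aaa login method list, and a RADIUS host with a shared key. The sample configuration is constructed from Example 12-14 with a placeholder RADIUS key; the IOS 'any' client type is treated as covering all types.

```python
import re
from typing import List

# Constructed sample of a WDS server running-config, modelled on the
# commands in Example 12-14; the RADIUS key is a placeholder.
SAMPLE_WDS_CONFIG = """\
aaa new-model
aaa group server radius rad-eap
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa group server radius rad-wlccp
 server 10.10.10.5 auth-port 1812 acct-port 1813
aaa authentication login LEAP-AUTH group rad-eap
aaa authentication login EAP-AUTH group rad-eap
aaa authentication login WLCCP-AUTH group rad-wlccp
radius-server host 10.10.10.5 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
wlccp authentication-server infrastructure WLCCP-AUTH
wlccp authentication-server client leap LEAP-AUTH
wlccp authentication-server client eap EAP-AUTH
wlccp wds priority 99 interface BVI1
"""

# Client authentication types that must all be enabled on the WDS server
# once WDS mode is on; the IOS 'any' keyword is treated as covering all three.
REQUIRED_CLIENT_TYPES = ("leap", "eap", "mac")
CLIENT_PREFIX = "wlccp authentication-server client "


def audit_wds_config(config: str) -> List[str]:
    """Return findings for a WDS server config; an empty list means it passes."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    # aaa login method lists; every wlccp list name must resolve to one of them
    login_lists = {m.group(1) for ln in lines
                   if (m := re.match(r"aaa authentication login (\S+) ", ln))}
    if not any(ln.startswith("wlccp wds priority ") for ln in lines):
        findings.append("no 'wlccp wds priority': AP will not act as WDS server")
    infra = [ln for ln in lines
             if ln.startswith("wlccp authentication-server infrastructure ")]
    if not infra:
        findings.append("infrastructure authentication not enabled")
    elif infra[0].split()[-1] not in login_lists:
        findings.append(f"infrastructure list '{infra[0].split()[-1]}' has no aaa login method")
    any_type = [ln for ln in lines if ln.startswith(CLIENT_PREFIX + "any ")]
    for kind in REQUIRED_CLIENT_TYPES:
        match = [ln for ln in lines if ln.startswith(CLIENT_PREFIX + kind + " ")] or any_type
        if not match:
            findings.append(f"client authentication type '{kind}' not enabled")
        elif match[0].split()[-1] not in login_lists:
            findings.append(f"client '{kind}' list '{match[0].split()[-1]}' has no aaa login method")
    # Relayed EAP exchanges go nowhere without a RADIUS host and shared key
    if not any(re.match(r"radius-server host \S+ .*\bkey \S+", ln) for ln in lines):
        findings.append("no radius-server host with a shared key")
    return findings
```

Run against the sample, the audit flags only the missing MAC address authentication type, which Example 12-14 does not configure.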
Figure 12-14 illustrates the fast secure roaming configuration required for an EAP-FAST client. As shown, you can enable the WPA-TKIP cipher along with fast secure roaming (CCKM). The EAP-FAST implementation on Cisco clients requires you to configure the network EAP authentication type on the WDS client APs and on the WDS server.
In the event of client authentication failures, you can use debug commands, as shown in Example 12-18, on the WDS client AP and on the WDS server to debug the authentication problems.
TMELAB-AP1#debug wlccp ap mn
*Mar 1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: Association for 0007.8592.3b5a
*Mar 1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: sent ksc 1 *
*Mar 1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: bssid 0007.85b3.581e key type 2
*Mar 1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: ssid Enterprise
*Mar 1 03:06:12.247: wlccp_ap_mn: Pre Reg Req: sent msc 14 *
*Mar 1 03:06:12.251: wlccp_ap_mn: PreReg Reply: eap_server_type 17
*Mar 1 03:06:12.251: wlccp_ap_mn: ap_proc_prereg_reply assoc for 0007.8592.3b5a
*Mar 1 03:06:12.252: wlccp_ap_mn: PreReg Reply: got MSC 15 *
*Mar 1 03:06:12.273: wlccp_ap_mn: MN Reg Req: ssid Enterprise, bssid 0007.85b3.581e, auth 8, ip 0.0.0.0 flag 1
*Mar 1 03:06:12.276: wlccp_ap_mn: MN registration reply status SUCCESS, NO ERROR
TMELAB-AP1#show dot11 associations all-client
Address           : 0007.8592.3b5a     Name                 : TME_LAB2_PC1
IP Address        : 10.10.10.47        Interface            : Dot11Radio 0
Device            : 350-client         Software Version     : 5.30
State             : EAP-Assoc          Parent               : self
SSID              : Enterprise         VLAN                 : 0
Hops to Infra     : 1                  Association Id       : 2
Clients Associated: 0                  Repeaters associated : 0
Key Mgmt type     : CCKM               Encryption           : TKIP
Current Rate      : 11.0               Capability           : ShortHdr
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -36 dBm            Connected for        : 118 seconds
Signal Quality    : 83 %               Activity Timeout     : 23 seconds
Power-save        : Off                Last Activity        : 3 seconds ago
Packets Input     : 42                 Packets Output       : 15
Bytes Input       : 5388               Bytes Output         : 1511
Duplicates Rcvd   : 0                  Data Retries         : 5
Decrypt Failed    : 0                  RTS Retries          : 0
MIC Failed        : 0                  MIC Missing          : 0
! Other useful commands ---
TMELAB-AP1#debug wlccp leap-client
As discussed in Chapter 9, the WDS client APs and the WLAN clients (Cisco and CCXv2 or above) associated with them collect RF information and forward it to the WDS server. The WDS server aggregates the collected RF information and forwards it to the WLSE, which uses it for assisted site-survey, RF topology mapping, location management, and rogue AP detection services.
The WDS server must be configured to communicate with the WLSE using the WLCCP protocol. This requires the WLSE to authenticate with the WDS server and secure the WLCCP link between itself and the WDS server. SNMP community parameters must also be configured on all WDS client APs and on the WDS server. (See Example 12-19.) This enables the WLSE to manage the WDS servers and the WDS client APs.
! Configure the WDS server to communicate with the WLSE
WDS-SERVER(config)#wlccp wnm ip address 10.10.10.9
!
! SNMP community string configuration required on both WDS server and the WDS client APs
WDS-SERVER(config)#snmp-server view iso iso included
WDS-SERVER(config)#snmp-server community tmelab-ro view iso RO
WDS-SERVER(config)#snmp-server view iso iso included
WDS-SERVER(config)#snmp-server community tmelab-rw view iso RW
The WLSE functions as the Wireless Network Manager (WNM) component of SWAN. Follow this procedure for setting up WLSE 2.5 or above for RF management services:
1. Configure SNMP read and read-write communities to use with the WDS server and the WDS client APs. On the WLSE web-based GUI, navigate to Devices > Discover > Device Credentials > SNMP Communities.
2. Configure Telnet/SSH credentials to use to log in to the WDS server and WDS client APs. Enter the Telnet/SSH credentials on the WLSE GUI at Devices > Discover > Device Credentials > Telnet/SSH user password.
3. Configure WLCCP credentials to authenticate the WLSE to each WDS server. Using the WLSE GUI, navigate to Devices > Discover > Device Credentials > WLCCP Credentials and enter the WLCCP username and password.
4. Click Save to save the configured WLSE parameters.
5. Ensure that the WLSE has discovered the WDS server and moved it to the "managed" state. You can verify this in the WLSE GUI via Devices > Discovery > Managed/Unmanaged.
6. Use the Radio Manager Assisted Site-Survey wizard to carry out the initial deployment of managed APs.
Consult the WLSE documentation posted on the Cisco website for the proper syntax for entering the preceding credentials and for carrying out RF management services.
Along with configuring the WDS server, WDS client APs, and WLSE, the WLAN clients must be configured to enable radio management. The client scanning feature is not mandatory but can be enabled on Cisco and CCXv2 clients to increase the accuracy of RF management/security features such as rogue AP detection. Figure 12-15 shows enabling the radio management feature on a Cisco 350 client adapter. (The feature is enabled by default.)