Table Of Contents
Configuring Devices for Radio Management
Understanding WDS
What is WDS and Why Do I Need It?
Understanding WDS Access Points
Understanding WDS WLSM Devices
How To Use WDS Devices
Radio Management Setup Quick Reference
Configuring WDS Access Points (AP-WDS)
Using the Web Interface to Configure WDS APs
Using the CLI Interface to Configure WDS APs
Using a WLSE Configuration Template to Configure WDS APs
Configuring WLSM Access Points (AP-WLSM)
Configuring Infrastructure APs
Using the Web Interface to Configure Infrastructure APs
Using the CLI to Configure Infrastructure APs
Using a WLSE Configuration Job to Configure Infrastructure APs
Configuring Scanning APs
Configuring the WLSE
Configuring Authentication
Confirming the Configuration
Using the Web Interface to Validate the Configuration
Using the Command-Line Interface to Validate the Configuration
Configuring Devices for Radio Management
This chapter provides procedures for preparing IOS access points, Wireless LAN Services Modules (WLSMs), and the WLSE for participation in the Cisco Structured Wireless-Aware Network (SWAN).
Note
Alternative methods of device configuration are described in this document. However, after access points are being managed by the WLSE, you should avoid making direct modifications to them (by using the command-line interface or Web interface). Instead, use the WLSE configuration templates to make changes. If configuration changes are made directly and not through the WLSE, the WLSE will not detect them immediately. This can cause inconsistencies in WLSE operations, especially in Radio Management.
There are two basic methods you can use to configure your network for Radio Management:
• You can use the WLSE Deployment Wizard
If you are configuring APs or WLSM modules as WDS devices, you can use the Deployment Wizard. The Deployment Wizard replaces many of the manual configuration procedures that are normally required to configure infrastructure access points and WDS devices and to configure the WLSE to discover and manage those devices.
Note
Although you can use the Deployment Wizard to set up most APs, you must use the manual procedures to configure an external ACS server for AP-WDS-WLSE authentication.
For more information about using the Deployment Wizard, see the WLSE online help or the "Deployment Wizard" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
For more information about WDS, see What is WDS and Why Do I Need It?.
• You can perform the configuration tasks manually.
Setting up access points for Radio Management involves configuring all access points to register with Wireless Domain Services (WDS). The following sections describe this process:
– Understanding WDS
– Radio Management Setup Quick Reference
– Configuring WDS Access Points (AP-WDS)
– Configuring WLSM Access Points (AP-WLSM)
– Configuring Infrastructure APs
– Configuring Scanning APs
– Configuring the WLSE
– Configuring Authentication
– Confirming the Configuration
Understanding WDS
Setting up access points for Radio Management involves configuring all access points to register with Wireless Domain Services (WDS). WDS provides wireless client roaming and Radio Management aggregation.
The following topics describe how WDS relates to managing your radio network:
• What is WDS and Why Do I Need It?
• How To Use WDS Devices
What is WDS and Why Do I Need It?
The critical software component in the network is a set of IOS features called the Wireless Domain Services (WDS). The following types of devices can supply the WDS:
• An access point configured for WDS
Each WDS access point supports one AP subnet. You can add additional WDS access points for redundancy. The priorities you set on the WDS access points determine which one is the active and which ones are backups.
• A Wireless LAN Services Module (WLSM)
WLSM is a CAT6K blade that provides WDS services and allows L3 seamless roaming among APs. Each WLSM can support multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.
The following topics describe these device types:
• Understanding WDS Access Points
• Understanding WDS WLSM Devices
Understanding WDS Access Points
The WDS provides control path technologies that must be active on an AP in each AP subnet; a backup WDS can also be defined in each AP subnet. The WDS provides:
• Fast, secure layer-2 wireless client roaming—The WDS acts as an 802.1x authenticator for wireless clients within the layer-2 network.
• Radio Management (RM) data aggregation—The WLSE provides intelligent processing of aggregated data collected by the WDS access points from other wireless clients in the network. The WLSE can manage multiple subnets, so it can receive radio data from many APs running WDS.
There is no RM data aggregation without a WDS. Without a WDS, the communication between the access points and WLSE looks like this:
Figure 4-1 Basic Network Management Communications
Using this approach, the WLSE can communicate with the APs using only these two methods:
• Primary: SNMP
• Secondary: CLI over telnet or SSH
Caution 
The WLSE must register with the WDS in each managed AP subnet to receive Radio Manager data.
If the WLSE is not registered, none of the Radio Manager functions will work.
After you configure the network for Radio Management tasks, the WLSE communicates all Radio Management activities with one or more WDS APs instead of all APs in the network. Each WDS AP collects data from other wireless clients in the network and sends this aggregated data to the WLSE.
Figure 4-2 Additional Radio Management Communications
Understanding WDS WLSM Devices
A Wireless LAN Services Module (WLSM) device is a module for the Catalyst 6000 switch that provides WDS to the wireless network. Each WLSM supports multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.
You can add a second WLSM to serve as a standby. The WLSE authenticates with both the HSRP active and HSRP standby WLSM devices (WLSM uses HSRP to handle redundancies). In the reports, both WLSM devices (HSRP active and HSRP standby) will appear as active WDSs.
If the HSRP active WLSM goes down, the HSRP standby WLSM will communicate with the AP subnets (see Figure 4-3).
Figure 4-3 WLSE-WLSM Communications
Figure 4-4 illustrates a network that uses both AP and WLSM WDS devices to manage the access points in the network. In this example, additional access points have been identified as backup AP-WDS devices (AP1 and AP4), and an additional HSRP-based WLSM-WDS device has been added as a standby for the active WLSM-WDS.
Figure 4-4 Sample Network Using AP-WDS and WLSM-WDS Devices
How To Use WDS Devices
To use WDS devices:
• One access point or one WLSM must be designated as the WDS. The WDS is the only device that speaks to the authentication server.
  – For AP-WDS devices, WDS must be active on an access point in each subnet in which APs are placed; backup WDS access points can also be defined in each AP subnet.
  – For WLSM-WDS devices, each WLSM can support multiple AP subnets, as long as all of the subnets are served by the switch on which the WLSM is installed.
• The WDS device establishes a relationship with the authentication server (either an external RADIUS server or the local RADIUS server feature in the WDS access point itself) by authenticating to it using a WDS user name and password.
• Other access points, called infrastructure access points, communicate with the WDS device. Infrastructure access points must authenticate themselves to the WDS before they are registered. This infrastructure authentication is defined by an infrastructure server group on the WDS device.
Communication between the WDS and the infrastructure access points happens over Wireless LAN Context Control Protocol (WLCCP). For an AP-WDS, WDS multicast messages are used for WDS discovery by the infrastructure access points. Therefore, an AP-WDS device and its associated infrastructure access points must be in the same IP subnet and on the same LAN segment.
Between the WDS and the WLSE, WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, the packets cannot be translated with a protocol like Network Address Translation (NAT).
• Client authentication is defined by one or more client server groups on the WDS devices.
When a client attempts to associate to an infrastructure access point:
1. The infrastructure access point passes the user's credentials to the WDS device for evaluation. If it is the first time that the WDS has seen a given user's credentials, it uses the authentication server to validate the credentials.
2. The WDS device then caches the user's credentials so it does not have to return to the authentication server when that user attempts authentication again (for example, reauthentication for rekeying, for roaming, or for when the user starts up the client device).
Any RADIUS-based EAP authentication protocol can be tunneled through WDS (for example, Lightweight EAP [LEAP], Protected EAP [PEAP], EAP-Transport Layer Security [EAP-TLS], or EAP-Flexible Authentication via Secure Tunneling [EAP-FAST]).
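The placement rules above (an AP-WDS and the infrastructure APs that auto-discover it share one IP subnet) can be checked against an AP inventory before any template is pushed. The following is an added planning check, not code from the Cisco guide or the WLSE: the inventory, field names and the /24 prefix are assumptions, the 1-255 priority range (255 highest) and the rule that a scanning AP is never a WDS device are taken from later sections of this chapter, and equal priorities are not modelled because the chapter does not say how they are resolved.

```python
import ipaddress

# Constructed inventory for illustration; names, addresses and fields are hypothetical.
PLAN = [
    {"name": "ap1", "ip": "172.16.99.211", "wds_priority": 200},
    {"name": "ap2", "ip": "172.16.99.212", "wds_priority": 255},
    {"name": "ap3", "ip": "172.16.99.213", "discovery": "auto"},
    {"name": "ap4", "ip": "172.16.98.20", "discovery": "auto"},
    {"name": "ap5", "ip": "172.16.98.21", "discovery": "specified"},
    {"name": "ap6", "ip": "172.16.97.10", "wds_priority": 100, "scanning": True},
    {"name": "ap7", "ip": "172.16.97.11", "discovery": "auto"},
    {"name": "ap8", "ip": "172.16.99.215", "wds_priority": 0},
]


def subnet(ap, prefix):
    """Return the AP's subnet as a string, e.g. '172.16.99.0/24'."""
    return str(ipaddress.ip_network(f"{ap['ip']}/{prefix}", strict=False))


def is_valid_wds(ap):
    """A usable AP-WDS has a priority in 1-255 and is not a scanning-only AP."""
    priority = ap.get("wds_priority")
    return priority is not None and 1 <= priority <= 255 and not ap.get("scanning", False)


def active_wds(plan, prefix=24):
    """Per subnet, name the WDS AP with the highest priority (the expected active WDS)."""
    best = {}
    for ap in plan:
        if not is_valid_wds(ap):
            continue
        net = subnet(ap, prefix)
        if net not in best or ap["wds_priority"] > best[net]["wds_priority"]:
            best[net] = ap
    return {net: ap["name"] for net, ap in best.items()}


def check_plan(plan, prefix=24):
    """Return one finding per AP that breaks a rule stated in this chapter."""
    findings = []
    elected = active_wds(plan, prefix)
    for ap in plan:
        priority = ap.get("wds_priority")
        if priority is not None and not 1 <= priority <= 255:
            findings.append(f"{ap['name']}: WDS priority {priority} is outside 1-255")
        if priority is not None and ap.get("scanning", False):
            findings.append(f"{ap['name']}: scanning AP must not be configured as a WDS device")
        # Auto discovery relies on WDS multicast, so it only works inside the subnet.
        if priority is None and ap.get("discovery") == "auto" and subnet(ap, prefix) not in elected:
            findings.append(f"{ap['name']}: auto discovery but no AP-WDS on {subnet(ap, prefix)}")
    return findings


if __name__ == "__main__":
    print(active_wds(PLAN))
    for finding in check_plan(PLAN):
        print(finding)
```

APs set to specified discovery (ap5 here) are not flagged because they register with a WLSM-WDS by IP address rather than by multicast discovery.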
Radio Management Setup Quick Reference
Note
Before you can configure your network for Radio Management, you must configure all access points for basic network management (see "Configuring IOS Access Points for Network Management"). If your network is not properly configured, none of the Radio Manager, Location Manager, or Intrusion Detection System functions will work.
Table 4-1 lists the general setup tasks for WDS devices:
Table 4-1 Radio Management Setup Tasks
| Task | Description | Notes |
|---|---|---|
| 1. | Configure WDS devices | Configuring WDS devices involves: • Defining the AAA servers and server groups that the WDS will use to LEAP authenticate infrastructure access points and the WLSE. • Enabling WDS and setting WDS priorities. • Entering the WNM IP address. These sections describe how to configure WDS devices: • Configuring WDS Access Points (AP-WDS) • Configuring WLSM Access Points (AP-WLSM) |
| 2. | Configure infrastructure access points to authenticate to a WDS device | The infrastructure access points are the APs with which the clients associate. The infrastructure access points ask the WDS to perform authentication for them. (See Configuring Infrastructure APs). |
| 3. | Configure access points to be scanning-only APs | Scanning APs can detect and report clients associated to unauthorized access points. Scanning APs do not accept client associations. (See Configuring Scanning APs). Note: Radio scanning requires a read/write SNMP community string on APs. For more information, see Understanding WDS. |
| 4. | Configure the WLSE with WLCCP credentials | WLCCP credentials are entered on the WLSE for each WDS device. The Deployment Wizard can do this for WDS-AP and WDS-WLSM devices. (See Configuring the WLSE). |
| 5. | Define authentication methods | Both the infrastructure APs and the WLSE must use LEAP to authenticate to the WDS devices. (See Configuring Authentication). |
| 6. | Confirm the configuration | The configuration steps are performed on the active WDS devices. (See Confirming the Configuration). |
Related Topics
• What is WDS and Why Do I Need It?
• How To Use WDS Devices
Configuring WDS Access Points (AP-WDS)
Note
Before making changes to device configuration, back up the current configuration and test the new configuration on non-production devices.
Note
Only Cisco Aironet 1100 and 1200 series access points support WDS. For information about the supported access points and IOS firmware versions, see the Supported Devices Table for WLSE 2.11 on cisco.com.
There are several ways to configure WDS access points:
• Using the Web Interface to Configure WDS APs
• Using the CLI Interface to Configure WDS APs
• Using a WLSE Configuration Template to Configure WDS APs
Note
For a sample WDS configuration, see the document titled Wireless Domain Services Configuration on Cisco.com. To locate this document, use the following navigation path from the Cisco.com home page: Products and Services > Wireless > Cisco Aironet 1200 Series Access Point > Technical Documentation > Configuration Examples.
Using the Web Interface to Configure WDS APs
Procedure
Step 1
See the "Designate an Access Point as WDS" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.
Step 2
Go to the next step, Configuring Infrastructure APs. Or, to configure WLSM access points, go to Configuring WLSM Access Points (AP-WLSM).
Using the CLI Interface to Configure WDS APs
Procedure
Step 1
See the "Designate an Access Point as WDS" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.
Tip
Consult the IOS and access point documentation for details on the subtleties of IOS commands.
Step 2
Go to the next step, Configuring Infrastructure APs. Or, to configure WLSM access points, go to Configuring WLSM Access Points (AP-WLSM).
Using a WLSE Configuration Template to Configure WDS APs
You can use the WLSE to configure one or more WDS access points.
The major configuration steps are:
• Creating a configuration template to set up AAA servers and the WDS.
• Applying the configuration template to the appropriate access points by running a configuration job.
Before You Begin
• Back up the current configuration and test the new configuration on non-production devices.
• Configure all access points for basic network management (see "Configuring IOS Access Points for Network Management").
Procedure
Step 1
Log in to the WLSE web interface.
Step 2
Select Configure > Templates.
a. Enter a template name, selecting IOS as the template type.
b. Click Create New.
Step 3
Enter the AAA servers that will be used to LEAP authenticate the infrastructure access points and the WLSE to the WDS, and the AAA servers that will be used to authenticate wireless client devices:
a. From the menu on the left, select Security > Server Manager.
b. In the Corporate Servers section, for each server, enter the IP address, select RADIUS, and enter the shared secret.
c. Click Save.
Step 4
From the menu on the left, select Wireless Services > WDS to configure the WDS parameters.
In the Global Properties section:
a. Select Enable.
b. Enter the Wireless Domain Services priority. This value determines which access point will serve as the active WDS when multiple access points are configured to run WDS on the same subnet. Valid priority values are 1-255, with 255 being the highest.
c. Enter the WLSE's IP address in the WNM IP Address field.
Step 5
Configure a server group for authenticating the SWAN infrastructure components.
In the Server Groups section:
a. Enter one or more server names or server IP addresses.
b. Under Use Group For, select Infrastructure Authentication.
c. Click Save.
Step 6
The WDS access point must also register and authenticate itself to the WDS to participate in the SWAN hierarchy, so the WDS AP is also an infrastructure AP. To authenticate and register the WDS AP as an infrastructure AP:
a. Select Wireless Services > AP Configuration.
b. Select Enable as the Wireless Services option.
c. Enter a username and password that can be LEAP authenticated by the AAA servers in the infrastructure server group.
Step 7
(Optional) From the menu on the left, select Preview to see a preview of the configuration template.
Step 8
From the menu on the left, select Save, then click the Save button.
Step 9
Select Yes to apply the template immediately or select No to save the template. For information on configuration jobs, see Chapter 7, Managing Device Configuration, in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Step 10
Go to the next step, Configuring Infrastructure APs. Or, to configure WLSM access points, go to Configuring WLSM Access Points (AP-WLSM).
Configuring WLSM Access Points (AP-WLSM)
WLSM configuration details are explained in the Cisco Catalyst 6550 Series Wireless LAN Services Module (WLSM) Deployment Guide on Cisco.com. The following procedure provides a brief description of the required configuration steps for WDS and for discovery and management by the WLSE.
Guidelines for Using WLSM Access Points
• WLSM does not implement CDP, so the only way to discover a WLSM device is through WLCCP. The following procedure shows you how to configure the WLSM for WDS and add the WNM IP address (wlccp wnm ip address ip_address) at the WLSM.
• The SNMP credentials for the WLSM and the WLSE must match before the WLSE can get certain MIB objects during discovery and inventory.
Note
Because the WLSM does not support CDP, it cannot be discovered by using the regular discovery job mechanism that is used to discover other devices. If you run a regular discovery job on the WLSM, a "device is not supported" message appears in the discovery log.
Before You Begin
• Back up the current configuration and test the new configuration on non-production devices.
• Configure all access points for basic network management (see "Configuring IOS Access Points for Network Management").
Procedure
Step 1
Select Devices > Discover > Device Credentials > WLCCP Credentials and enter the WLSE WLCCP credentials.
This is the LEAP username and password that the WLSE will pass to the WDS.
Step 2
Configure the community strings on the WLSM as described in the Cisco Catalyst 6550 Series Wireless LAN Services Module (WLSM) Deployment Guide.
Step 3
Enter the WLSM's community strings on the WLSE under Devices > Discover > Device Credentials > SNMP Communities.
Step 4
Use the following command to configure the WLSM with the address of the WLSE:
wlccp wnm ip address WLSE_IP_address
After this command is entered on the WLSM, the WLSE will automatically discover it.
Step 5
Go to the next step, Configuring Infrastructure APs.
Configuring Infrastructure APs
The infrastructure access points are the APs with which the clients associate. The infrastructure access points ask the WDS to perform authentication for them. There are several ways to configure infrastructure access points to register with a WDS device:
• Using the Web Interface to Configure Infrastructure APs
• Using the CLI to Configure Infrastructure APs
• Using a WLSE Configuration Job to Configure Infrastructure APs
Using the Web Interface to Configure Infrastructure APs
Procedure
Step 1
See the "Designate an Access Point as Infrastructure" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.
Step 2
Go to the next step, Configuring Scanning APs.
Using the CLI to Configure Infrastructure APs
Procedure
Step 1
See the "Designate an Access Point as Infrastructure" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml.
Step 2
Go to the next step, Configuring Scanning APs.
Using a WLSE Configuration Job to Configure Infrastructure APs
When you use a WLSE configuration template, you can configure multiple infrastructure APs in a single job. Use the template creation wizard to create a configuration template, then apply the template in a configuration job.
For more information about using the template creation wizard and the configuration job interface, see WLSE online help or the "Using IOS Templates" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Procedure
Step 1
Log in to the WLSE web interface.
Step 2
Select Configure > Templates.
a. Enter a template name, selecting IOS as the template type.
b. Click Create New.
Step 3
Select Wireless Services > AP Configuration.
Step 4
Select Enable.
Step 5
Select the mechanism that should be used to discover the WDS device:
• For access points that will register with an AP-WDS, select Auto Discovery.
• For access points that will register with a WLSM-WDS, select Specified Discovery and enter the IP address of the WLSM-WDS.
Step 6
Enter the username and password for LEAP authenticating infrastructure APs to the WDS.
Step 7
(Optional) Select Preview to see a preview of the configuration template.
Step 8
Select Save, then click the Save button.
Step 9
Select Yes to apply the template immediately or select No to save the template.
Step 10
Create a configuration job to apply the template to the appropriate devices.
For information about configuration jobs, see the online help or the "Managing Device Configuration" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Step 11
Go to the next step, Configuring Scanning APs.
Configuring Scanning APs
This section describes how to configure an AP as a scanning-only AP. After you have performed the basic network management configuration and Radio Management configuration described in this chapter, perform the additional configuration described in this section to make the AP into a scanning-only AP. Scanning APs can detect and report clients associated to unauthorized access points. Scanning-only APs do not accept client associations.
Note
Radio scanning requires a read/write SNMP community string on the APs.
For more information about scanning APs and other requirements for using scanning APs with a WLSE, see the "Radio Management" chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Before You Begin
• Configure scanning APs for basic network management (see "Configuring IOS Access Points for Network Management").
Note
Do not configure a scanning AP as a WDS device.
• Configure scanning APs for Radio Management (see Configuring Infrastructure APs).
Procedure
Step 1
To configure a scanning AP using a WLSE configuration template:
a. Select Configuration > Templates > IOS > Basic Settings, then select Scanner Access Point.
b. Select Configuration > Templates > IOS > Network Interfaces. Select a radio and select Scanner Access Point.
Step 2
To configure a scanning AP using the AP CLI, enter:
int dot11 0 (for interface 0)
Step 3
To run inventory so the WLSE can update the role of the AP, select Administration > Devices > Discover > Inventory. The scanning APs will be listed in the WLSE's Scanning AP system group.
For more information, see the online help or the "Managing Devices" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Step 4
To enable Client Registration Scanning to detect clients associated to unauthorized access points, select Radio Management > Radio Monitoring.
For more information, see the online help or the "Radio Management" chapter of the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Step 5
Go to the next step, Configuring the WLSE.
Configuring the WLSE
The WLSE is the Wireless Network Manager (WNM) component of SWAN. The WLSE polls and aggregates Radio Management data from WDS devices and processes this data.
For more information about configuring the WLSE, see the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Procedure
Step 1
Enter the WLCCP username and password in the WLSE.
SWAN components communicate via a Cisco proprietary technology called WLCCP. This username and password is used to LEAP authenticate the WLSE to the WDS devices in the network.
Step 2
Enter the SNMP read-only and read/write communities for all managed IOS access points.
Step 3
Enter Telnet/SSH credentials for IOS access points.
Step 4
Go to the next step, Configuring Authentication.
Configuring Authentication
Both the infrastructure APs and the WLSE must use LEAP to authenticate to the WDS devices. You can use:
• Local authentication (on an AP-WDS device only)—see Configuring WDS Access Points (AP-WDS).
• AAA servers that you have already configured, or you can configure servers as described in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
Note
Do not set a session timeout on the ACS server that is less than 600 seconds. A session timeout of less than 600 seconds can disrupt Radio Management operations.
Procedure
Step 1
Create server groups on the WDS devices for infrastructure authentication (see Configuring WDS Access Points (AP-WDS)).
Step 2
Create server groups on the WDS devices for client authentication (see the "Define Client Authentication Method" section in the tech tip at http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml).
Step 3
Go to the next step, Confirming the Configuration.
Confirming the Configuration
After the configuration is complete, you should confirm that configuration is correct and that the SWAN components are communicating properly. The configuration steps are performed on the active WDS devices.
To determine which WLSEs are actively providing WDS services, you can display the WDS Summary Report. For more information about this report, see the Reports chapter in the User Guide for the CiscoWorks Wireless LAN Solution Engine, Release 2.11.
For AP WDS devices, there are two ways to confirm configuration:
• Using the Web interface (see Using the Web Interface to Validate the Configuration).
• Using the command-line interface (see Using the Command-Line Interface to Validate the Configuration).
For WLSM WDS devices, use the command-line interface to confirm the configuration (see Using the Command-Line Interface to Validate the Configuration).
Using the Web Interface to Validate the Configuration
Use this procedure to use the web interface (on WDS APs only) to confirm the configurations.
Procedure
Step 1
Log in to the web interface on each active WDS AP.
Step 2
Select Wireless Services > WDS > WDS Status.
Check for the following:
• The WDS Information section should display the device WDS state as ACTIVE.
• The WDS Registration and AP Information sections should show the correct number of APs (all of the infrastructure APs and the WDS AP).
• The Mobile Node Information section should display the wireless clients participating in SWAN.
• The Wireless Network Manager section should contain the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.
Using the Command-Line Interface to Validate the Configuration
Use this procedure to confirm the configurations on AP or WLSM WDS devices.
Procedure
Step 1
Log in to the CLI on each active WDS device.
Step 2
To validate the WDS configuration, enter:
MAC-ADDR IP-ADDR STATE LIFETIME
000c.ce12.92ce 172.16.99.212 REGISTERED 62
000c.85a8.8bdd 172.16.99.213 REGISTERED 391
This command lists all of the infrastructure APs and the WDS.
Step 3
To verify that the WLSE is correctly registered, enter:
WNM IP Address : 172.16.100.81 Status : SECURITY KEYS SETUP
This command should display the WLSE IP address. If the WLSE authentication status is SECURITY KEYS SETUP, the WLSE is properly registered.
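The two checks in this procedure can be run over saved CLI output and compared with the AP inventory, which also surfaces an AP that is registered with the WDS but is not in the inventory. The following is an added example, not part of the Cisco guide: the function names and the idea of a saved capture are assumptions, and the sample text is the output shown in Steps 2 and 3 above.

```python
import re

# Constructed capture: the two output samples printed in this procedure, saved as text.
AP_TABLE = """\
MAC-ADDR IP-ADDR STATE LIFETIME
000c.ce12.92ce 172.16.99.212 REGISTERED 62
000c.85a8.8bdd 172.16.99.213 REGISTERED 391
"""
WNM_STATUS = "WNM IP Address : 172.16.100.81 Status : SECURITY KEYS SETUP"

# One table row: dotted MAC, IPv4 address, state word, lifetime in the last column.
ROW_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)$",
    re.IGNORECASE,
)
WNM_RE = re.compile(r"WNM IP Address\s*:\s*(\S+)\s+Status\s*:\s*(.+?)\s*$")


def parse_ap_table(text):
    """Return one dict per registration row; the header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            mac, ip, state, lifetime = match.groups()
            rows.append({"mac": mac.lower(), "ip": ip, "state": state,
                         "lifetime": int(lifetime)})
    return rows


def parse_wnm_status(text):
    """Return (wnm_ip, status) from the WNM status line, or None if it is absent."""
    for line in text.splitlines():
        match = WNM_RE.search(line)
        if match:
            return match.group(1), match.group(2)
    return None


def audit(ap_text, wnm_text, expected_ap_ips, wlse_ip):
    """Compare the captured output with the inventory; an empty list means it matches."""
    findings = []
    rows = parse_ap_table(ap_text)
    registered = {row["ip"] for row in rows}
    expected = set(expected_ap_ips)
    for ip in sorted(expected - registered):
        findings.append(f"{ip}: expected AP is missing from the WDS table")
    for ip in sorted(registered - expected):
        findings.append(f"{ip}: registered with the WDS but not in the inventory")
    for row in rows:
        if row["state"] != "REGISTERED":
            findings.append(f"{row['ip']}: state is {row['state']}, not REGISTERED")
    wnm = parse_wnm_status(wnm_text)
    if wnm is None:
        findings.append("no WNM status line found")
    else:
        wnm_ip, status = wnm
        if wnm_ip != wlse_ip:
            findings.append(f"WNM address is {wnm_ip}, expected WLSE {wlse_ip}")
        if status != "SECURITY KEYS SETUP":
            findings.append(f"WLSE status is '{status}', not SECURITY KEYS SETUP")
    return findings


if __name__ == "__main__":
    inventory = {"172.16.99.212", "172.16.99.213"}
    print(audit(AP_TABLE, WNM_STATUS, inventory, "172.16.100.81") or "configuration matches")
```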