Cisco WDS/CCKM/Fast Roaming setup using Cisco AIR-AP1242AG-A-K9 APs with local radius and WPA2

The scenario was designed for a 5-floor building:

[Image: OREG_HOME]

1 AP on each level of the office/house…

Actual testing environment with 3 APs:

[Photos: IMAG1308, IMAG1299, IMAG1286]

In this scenario the Cisco ASA works at L2 as a simple switch with all ports in access mode… This model has only 2 PoE ports, so I have connected the 3rd one with an external power supply.

These resources were very helpful in filling the gaps in my understanding of the configuration:

http://ccie-w.blogspot.com/2012/02/cisco-wds-setup-using-ap-as-wds-and.html
https://exemen.wordpress.com/2011/12/02/cisco-aironet-1140-11n-wds-support-and-configuration-with-cckm/
http://cciew.blogspot.com/2011/02/wds-and-cckm.html

 

Thanks!

I’m posting logs from each AP.

It is a working configuration!

AP1

AP1#show wlccp wds
MAC: 001e.be27.d748, IP-ADDR: 10.0.0.101 , Priority: 255
Interface BVI1, State: Administratively StandAlone - ACTIVE
AP Count: 3 , MN Count: 2
AP1#show wlccp wds ap
AP1#show wlccp wds ap
HOSTNAME    MAC-ADDR          IP-ADDR       STATE
AP2         001e.be27.b68c    10.0.0.102    REGISTERED
AP3         001e.be27.d2fa    10.0.0.103    REGISTERED
AP1         001e.be27.d748    10.0.0.101    REGISTERED
AP1#sho ip int br
Interface        IP-Address    OK?  Method  Status  Protocol
BVI1             10.0.0.101    YES  NVRAM   up      up
Dot11Radio0      unassigned    YES  TFTP    up      up
Dot11Radio1      unassigned    YES  NVRAM   up      up
FastEthernet0    unassigned    YES  NVRAM   up      up
AP1#sh dot11 ass

802.11 Client Stations on Dot11Radio1:

SSID [OREG5] :

MAC Address       IP address    Device        Name    Parent    State
001f.3cc9.9a7e    10.0.0.56     ccx-client    AP1     self      Assoc

AP1#show dot11 associations all-client
Address : 001f.3cc9.9a7e Name : AP1
IP Address : 10.0.0.56 Interface : Dot11Radio 1
Device : ccx-client Software Version : NONE
CCX Version : 4 Client MFP : Off

State : Assoc Parent : self
SSID : OREG5
VLAN : 0
Hops to Infra : 1 Association Id : 1
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Current Rate : 54.0 Capability : WMM 11h
Supported Rates : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -40 dBm Connected for : 6942 seconds
Signal to Noise : 57 dB Activity Timeout : 20 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : NONE

Packets Input : 33384 Packets Output : 24435
Bytes Input : 12883570 Bytes Output : 7218231
Duplicates Rcvd : 0 Data Retries : 897
Decrypt Failed : 0 RTS Retries : 2
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never

Address : e899.c4bb.485e Name : NONE
IP Address : 10.0.0.22 Interface : Dot11Radio 0
Device : ccx-client Software Version : NONE
CCX Version : 4 Client MFP : Off

State : Assoc Parent : self
SSID : OREG5
VLAN : 0
Hops to Infra : 1 Association Id : 1
Clients Associated: 0 Repeaters associated: 0
Tunnel Address : 0.0.0.0
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Current Rate : 54.0 Capability : WMM ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
Voice Rates : disabled Bandwidth : 20 MHz
Signal Strength : -53 dBm Connected for : 1580 seconds
Signal to Noise : 40 dB Activity Timeout : 18 seconds
Power-save : On Last Activity : 2 seconds ago
Apsd DE AC(s) : NONE

Packets Input : 1483 Packets Output : 516
Bytes Input : 136349 Bytes Output : 471325
Duplicates Rcvd : 0 Data Retries : 3
Decrypt Failed : 0 RTS Retries : 0
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Session timeout : 0 seconds
Reauthenticate in : never

AP1#sh run
Building configuration...

Current configuration : 2730 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP1
!
logging rate-limit console 9
enable secret 5 $1$KMFN$Pm5JiAMyWvivDfNHKOeM6/
!
aaa new-model
!
!
aaa group server radius GUS
server 10.0.0.101 auth-port 1812 acct-port 1813
!
!
aaa authentication login GUS-LIST group GUS
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid OREG5
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 11060B001043595F50
!
!
!
username gus privilege 15 password 7 0454190308
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.0.101 255.255.255.128
no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server local
no authentication mac
nas 10.0.0.101 key 7 0504140A26
nas 10.0.0.102 key 7 130A05170C
nas 10.0.0.103 key 7 06091D244B
user gus1 nthash 7 022756095B572A07186D58405240375E29220E7E707A116C03305641275677010D
user gus nthash 7 132445405B5D210C7F07796A62753652332525030D0A710D2F2049417D0F760B07
user wifi nthash 7 013254560B5A2329756F1F504E5232472E2A207F7F760A6A140142503254200E0C
!
radius-server host 10.0.0.101 auth-port 1812 acct-port 1813 key 7 000B010303
bridge 1 route ip
!
!
wlccp ap username gus password 7 1216171215
wlccp authentication-server infrastructure GUS-LIST
wlccp wds priority 255 interface BVI1
!
line con 0
line vty 0 4
!
end
AP1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform     Port ID
AP3          Fas 0            148        T I           AIR-AP124    Fas 0
AP2          Fas 0            154        T I           AIR-AP124    Fas 0

AP2

AP2#show wlccp wds
MAC: 001e.be27.b68c, IP-ADDR: 10.0.0.102 , Priority: 250
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 001e.be27.d748, Priority: 255, IP-ADDR: 10.0.0.101
AP2#sho ip int br
Interface        IP-Address    OK?  Method  Status  Protocol
BVI1             10.0.0.102    YES  NVRAM   up      up
Dot11Radio0      unassigned    YES  NVRAM   up      up
Dot11Radio1      unassigned    YES  NVRAM   up      up
FastEthernet0    unassigned    YES  NVRAM   up      up

AP2#sh run
Building configuration...

Current configuration : 2205 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP2
!
logging rate-limit console 9
enable secret 5 $1$gEMK$sRn9psrwEmrR0kwZiD6Qh0
!
aaa new-model
!
!
aaa group server radius GUS
server 10.0.0.101 auth-port 1812 acct-port 1813
!
aaa authentication login GUS-LIST group GUS
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid OREG5
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 11060B001043595F50
!
!
!
username gus privilege 15 password 7 09435C0C1E
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.0.102 255.255.255.128
no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.0.0.101 auth-port 1812 acct-port 1813 key 7 130A05170C
bridge 1 route ip
!
!
wlccp ap username gus1 password 7 11060B0010
wlccp authentication-server infrastructure GUS-LIST
wlccp wds priority 250 interface BVI1
!
line con 0
line vty 5 15
!
end
AP2#
AP2#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [OREG5] :

MAC Address       IP address    Device        Name    Parent    State
e899.c4bb.485e    10.0.0.22     ccx-client    -       self      Assoc

AP2#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform     Port ID
AP1          Fas 0            141        T I           AIR-AP124    Fas 0
AP3          Fas 0            175        T I           AIR-AP124    Fas 0

AP2#show wlccp ap
WDS = 001e.be27.d748, 10.0.0.101
state = wlccp_ap_st_registered
IN Authenticator = 10.0.0.101
MN Authenticator = 10.0.0.101

AP3

AP3#show wlccp wds
MAC: 001e.be27.d2fa, IP-ADDR: 10.0.0.103 , Priority: 245
Interface BVI1, State: BACKUP
Currently ACTIVE WDS - MAC: 001e.be27.d748, Priority: 255, IP-ADDR: 10.0.0.101
AP3#sho
AP3#show ip int br
Interface        IP-Address    OK?  Method  Status  Protocol
BVI1             10.0.0.103    YES  NVRAM   up      up
Dot11Radio0      unassigned    YES  NVRAM   up      up
Dot11Radio1      unassigned    YES  NVRAM   up      up
FastEthernet0    unassigned    YES  NVRAM   up      up
AP3#sh run
Building configuration...

Current configuration : 2127 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP3
!
logging rate-limit console 9
enable secret 5 $1$f6J.$TCJp4CZZpBA5wOiWJfwkY1
!
aaa new-model
!
!
aaa group server radius GUS
server 10.0.0.101 auth-port 1812 acct-port 1813
!
aaa authentication login GUS-LIST group GUS
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid OREG5
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 11060B001043595F50
!
!
!
username gus privilege 15 password 7 000B010303
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid OREG5
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.0.103 255.255.255.128
no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.0.0.101 auth-port 1812 acct-port 1813 key 7 130A05170C
bridge 1 route ip
!
!
wlccp ap username gus1 password 7 11060B0010
wlccp authentication-server infrastructure GUS-LIST
wlccp wds priority 245 interface BVI1
!
line con 0
line vty 0 4
!
end
AP3#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform     Port ID
AP1          Fas 0            147        T I           AIR-AP124    Fas 0
AP2          Fas 0            126        T I           AIR-AP124    Fas 0

AP3#show version

Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.4(25d)JA2, RELEASE SOFTWARE (fc1)

 

#date

Fri May 22 01:33:08 AZST 2015
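
An added example, not part of the original post: a small Python audit that scans an Aironet running-config like the three above and reports settings a reviewer would question before deployment (type 7 encoded secrets, the HTTP management server enabled without the secure server, an SSID whose key management is PSK with no `cckm` keyword, and vty lines with no SSH-only transport). The sample config is constructed with placeholder secrets, and the function and finding names are hypothetical.

```python
import re

# Constructed sample shaped like the running-configs above; secrets are placeholders.
SAMPLE = """\
dot11 ssid OREG5
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 <redacted>
!
username gus privilege 15 password 7 <redacted>
ip http server
no ip http secure-server
radius-server host 10.0.0.101 auth-port 1812 acct-port 1813 key 7 <redacted>
line vty 0 4
!
"""

# "7" after these keywords marks Cisco type 7, a reversible encoding rather than a hash.
TYPE7 = re.compile(r"\b(?:password|key|ascii|nthash) 7 \S+")

def blocks(lines, prefix):
    """Yield (header, body) per section starting with prefix; body ends at '!', 'end' or 'line ...'."""
    for i, head in enumerate(lines):
        if head.startswith(prefix):
            body = []
            for nxt in lines[i + 1:]:
                if nxt in ("!", "end") or nxt.startswith("line "):
                    break
                body.append(nxt)
            yield head, body

def audit(config):
    """Return a list of finding strings (hypothetical names) for one running-config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    n7 = sum(1 for l in lines if TYPE7.search(l))
    if n7:
        findings.append(f"type7-encoded-secrets:{n7}")
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("http-management-without-tls")
    for head, body in blocks(lines, "dot11 ssid "):
        keymgmt = [b for b in body if b.startswith("authentication key-management")]
        if any(b.startswith("wpa-psk") for b in body) and not any("cckm" in k for k in keymgmt):
            findings.append(f"{head.split()[-1]}:psk-without-cckm")
    for head, body in blocks(lines, "line vty "):
        if "transport input ssh" not in body:
            findings.append(f"{head}:no-ssh-only-transport")
    return findings
```

Running `audit()` over a saved `show run` from each AP before publishing or archiving it also gives a quick count of the type 7 strings that should be redacted or rotated.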
