> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Thursday, October 07, 2004 11:54 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Authentication for Cisco WDS?
>
> Joe Matuscak <[EMAIL PROTECTED]> wrote:
> > I've got a couple of Cisco 1200 access points set up doing EAP/TLS with
> > FreeRADIUS (0.9.3) on Fedora Core 2. That seems to be working fine, but I
> > now want to allow the client devices to roam without having to
> > re-authenticate.
>
> I don't think that will work. The AP's won't let the user onto the
> network until they authenticate. They also can't get dynamic WEP keys
> unless they re-authenticate.

Alan,

This can work. Cisco provides a wireless infrastructure called Wireless Domain Services (WDS - see subject of the thread). One of the services in WDS is "Fast Secure Roaming", eliminating the need to re-auth to RADIUS.

Here is a quote from the Cisco WDS doc:

===============================================================================================
Using Cisco Centralized Key Management (CCKM), a device configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications ...

The WDS device maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the client sends a reassociation request to the new access point, and the new access point relays the request to the WDS device. The WDS device forwards the client's credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key.
===============================================================================================

Joe,

To get this to work, you will need to have a 6500 with a WLSM module, and WLSE running on CiscoWorks. The whole thing is well documented in the Cisco doc:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080208a6e.html

--
Matanya