Hi folks, just to report back that I did eventually get this working. Thanks again for your suggestions/advice!
Here's a summary of what I had to do... Not saying that this is all necessary or correct, but it worked for me :-)

First you need to have your APs talking Cisco WDS to each other. I made one of my loaned APs into a WDS master, so my config looked like this on the WDS slave APs:

    wlccp ap username slave1 password 7 XXXXXX

And this on the WDS master AP:

    aaa group server radius FOO
     server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7 XXXX
    aaa authentication login FOO group FOO
    aaa authorization network FOO group FOO
    wlccp ap username slave1 password 7 XXXXXX
    wlccp authentication-server infrastructure FOO
    wlccp wds priority 254 interface BVI1
    wlccp wnm ip address 4.3.2.1

The master WDS will try to authenticate the slave APs and the WLSE via the RADIUS server and secret specified in FOO. It seems that you need to put the "wlccp ap username" clause in on the master. I don't see the slave APs or the WLSE contacting the RADIUS server, although I think you can do WLSE Web user interface authentication via RADIUS if you really want to.

The APs and the WLSE have entries in the 'users' file on the RADIUS server which look like this:

    slave1 User-Password == "XXXXX"

I actually put a separate user name and password in for each of the APs and the WLSE, but you probably don't need to do this. If you're having problems, it should be easier to debug this way.

You'll need to include your WDS master AP(s) in the RADIUS clients.conf, as per:

    client 1.2.3.4 {
            secret = XXXXX
            shortname = XXXXXX
            nastype = other
    }

I'm not sure whether the 'shortname' field has to be filled in. I set this to be the same as my AP hostname as configured in IOS.

My eap.conf looks like this:

    eap {
            default_eap_type = leap
            timer_expire = 60
            ignore_unknown_eap_types = no
            cisco_accounting_username_bug = no
            md5 {
            }
            leap {
            }
            mschapv2 {
            }
    }

And my radiusd.conf has:

    instantiate {
            exec
            expr
    }
    authorize {
            preprocess
            eap
            files
    }
    authenticate {
            eap
    }
    preacct {
            preprocess
            acct_unique
            files
    }
    accounting {
            detail
            radutmp
    }
    session {
            radutmp
    }
    post-auth {
    }
    pre-proxy {
    }
    post-proxy {
            eap
    }

I also defined "with_cisco_vsa_hack = yes" in the preprocess section.

Now, the above is fine for the WDS side of things, but the WLSE side needs the hack from Richard Timsit, i.e.

http://lists.cistron.nl/pipermail/freeradius-users/2004-September/035796.html

But note Richard's advice that it may need to be tweaked a little for your installation:

> Once the patch is applied, see the log and find such lines:
> rlm_eap_leap: Stage 6
> rlm_eap: RT Modif EAP-Type = 17 EAP-LENGTH = XX
>
> If XX is not equal to 30, modify the test of the patch eap.c accordingly.

Will see if my contacts at Cisco can pass on this info to the developers of the WLSE, as they should be able to fix the problem easily...

Cheers,
Martin

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
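As an added illustration (not part of Martin's post or of FreeRADIUS itself) of what the WDS master's RADIUS client entry actually protects: the master carries the slave AP's EAP identity inside an Access-Request, and the server ties that request to the clients.conf shared secret by checking the Message-Authenticator (RFC 3579, HMAC-MD5 over the packet). The secret, user name and addresses below are constructed stand-ins for the XXXXX placeholders above.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values standing in for the placeholders in the post.
SHARED_SECRET = b"wds-master-secret"   # 'secret' for client 1.2.3.4 in clients.conf
AP_USERNAME = b"slave1"                # 'wlccp ap username slave1' on the master
MASTER_NAS_IP = "1.2.3.4"              # the WDS master is the RADIUS client

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def attr(attr_type, value):
    """One RADIUS TLV: Type, Length (including these two bytes), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def eap_identity_response(eap_id, identity):
    """EAP Response (code 2), Type 1 = Identity, carrying the AP's user name."""
    return bytes([2, eap_id]) + struct.pack("!H", 5 + len(identity)) + b"\x01" + identity


def build_access_request(identifier, request_auth, secret, identity, nas_ip):
    """Access-Request with the EAP identity and a correct Message-Authenticator."""
    attrs = (attr(ATTR_USER_NAME, identity)
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(identifier, identity)))
    # HMAC is computed with Message-Authenticator present but zero-filled.
    zeroed = attrs + attr(ATTR_MSG_AUTH, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + request_auth
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MSG_AUTH, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the client's secret from clients.conf."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos, found = 20, None
    while pos + 2 <= length:                      # walk the TLVs, reject malformed lengths
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MSG_AUTH and attr_len == 18:
            found = pos
        pos += attr_len
    if found is None:                             # EAP requests must carry one (RFC 3579)
        return False
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])
```

A request from a host whose secret does not match, or one whose attributes were altered in transit, fails the check and is dropped before EAP/LEAP processing starts.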