https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3831415#M592 When FlexConnect is in connected mode (i.e. WLC CAPWAP Control tunnel is up) you have two options for EAP-TLS:<BR />1) Local mode EAP-TLS (works either connected or standalone mode). This is where clients are authenticated locally on the Access Points via certificates. As long as certificates are setup in the way outlined in the guide, this will work.<BR />2) Use central auth with a RADIUS server like Cisco ISE setup with EAP-TLS chain in similar fashion. With this option you lose auth with WAN down and auth must traverse the WAN to central so local is a less risky option, but could be a headache to setup (I haven't set this up so not sure).<BR /><BR />Mobility Express doesn't seem to support local EAP-TLS so there's a limitation there. It can still support central auth to a RADIUS server over the WAN with local switching if that is an option.<BR /><BR />Ric<BR /> Wed, 03 Apr 2019 13:20:05 GMT Ric Beeching 2019-04-03T13:20:05Z https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3831291#M591 <P>Dear Ciscoers,</P><P>&nbsp;</P><P>I am studying branch authentication capabilities and I have got the needing to authorize clients even if the WAN link is down.</P><P>My authentication server is located in Data-center so i'm interested by the new functionnality of local EAP-TLS authentication described by this link :&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/configuration-guide/b_cg81/b_cg81_chapter_0101101.html#ID1324" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/configuration-guide/b_cg81/b_cg81_chapter_0101101.html#ID1324</A></P><P>&nbsp;</P><P>I've seen these tables&nbsp;but I didn't really understood what is possible and what is not.</P><P>So, could you confirm that this method is compatible with Flexconnect "connected" mode ? We really don't need any local server, Flexconnect AP take completely authentication in charge ?&nbsp;</P><P>&nbsp;</P><P>And, subsidiary question : Is this possible with Mobility Express AP ?</P><P>&nbsp;</P><P>Thanks a lot for your help.</P> Mon, 05 Jul 2021 17:11:33 GMT https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3831291#M591 julbvt 2021-07-05T17:11:33Z https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3831415#M592 When FlexConnect is in connected mode (i.e. WLC CAPWAP Control tunnel is up) you have two options for EAP-TLS:<BR />1) Local mode EAP-TLS (works either connected or standalone mode). This is where clients are authenticated locally on the Access Points via certificates. As long as certificates are setup in the way outlined in the guide, this will work.<BR />2) Use central auth with a RADIUS server like Cisco ISE setup with EAP-TLS chain in similar fashion. With this option you lose auth with WAN down and auth must traverse the WAN to central so local is a less risky option, but could be a headache to setup (I haven't set this up so not sure).<BR /><BR />Mobility Express doesn't seem to support local EAP-TLS so there's a limitation there. It can still support central auth to a RADIUS server over the WAN with local switching if that is an option.<BR /><BR />Ric<BR /> Wed, 03 Apr 2019 13:20:05 GMT https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3831415#M592 Ric Beeching 2019-04-03T13:20:05Z https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3832022#M593 <P>Thanks for your answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>3) The third option could be to activate both <U>central auth</U> and «&nbsp;<EM>AP local mode Authentication</EM>&nbsp;»&nbsp;?</P><P>- When the WLC and the ISE are reachable, Flexconnect AP use the central authentication.</P><P>- When the tunnel is <EM>down</EM>, WLC and ISE are not reachable but Flexconnect AP could use local authentication like below.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="351041" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/33535iBD10BB2721B37E5E/image-size/large?v=v2&amp;px=999" role="button" title="351041" alt="351041" /></span></P><P>&nbsp;</P><P>Is this a scenario thinkable&nbsp;?</P> Thu, 04 Apr 2019 08:11:45 GMT https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3832022#M593 julbvt 2019-04-04T08:11:45Z https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3832145#M594 Yes sorry, I should have worded answer 1 more clearly. That will work too <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thu, 04 Apr 2019 11:16:41 GMT https://community.cisco.com/t5/wireless/flexconnect-eap-tls-authentication-after-wan-failure/m-p/3832145#M594 Ric Beeching 2019-04-04T11:16:41Z