topic local authentication, local in Wireless

Flexconnect local authentication (PSK) - Is it really local or not?

ldeoliveira — Mon, 05 Jul 2021 11:59:26 GMT

I am a bit unclear about the Local Authentication feature of Flexconnect.

According to the documentation, if local authentication is selected on a flex-connect AP, as long as the WLC is reachable, the authentication will be forwarded to the WLC. However, if the WLC becomes unreachable, then authentication is handled locally by the AP.

This doesn't make sense. Isn't the whole point of local authentication to ensure that traffic between the WLC and AP is reduced so it doesn't have to travel up the WAN if the WLC is located in a datacentre somewhere?

Also, does anyone know how often the PSK is synched between the WLC and the APs?

It is a bit convoluted to

Ric Beeching — Tue, 03 May 2016 09:25:19 GMT

It is a bit convoluted to begin with!

If you want to do only local authentication without having to auth across the WAN to your WLC then select FlexConnect Local Auth under the WLAN ID settings.

If you want to do both then it will centrally auth by default and switch to Local Auth if the WAN goes down and the AP enters standalone mode. This is only if local switching is also enabled.

For synching of PSKs - as soon as you make a change to the PSK that will cause the WLC to synch with any APs requiring it so effectively it is instantaneous.

Ric

Hi Ric,

ldeoliveira — Tue, 03 May 2016 23:49:23 GMT

Hi Ric,

Thanks for stepping in and trying to clarify. To be honest, I still don't get it.

The requirement is for local switching. We don't want the Wi-Fi traffic to travel up the WAN link to the controller (this is for a small branch office that doesn't have a controller, just APs).

So what you're saying is that if local switching is enabled, then authentication will first go via WLC then via the local APs when these enter standby mode (ie. cannot reach any WLC)? What is the advantage of authenticating through the WLC if the AP can do that locally?

cheers

Leo

In your scenario the AP will

Ric Beeching — Wed, 04 May 2016 00:50:03 GMT

In your scenario the AP will always handle authentication. However if you change the PSK under the WLAN Settings on the WLC this will then propagate out to those APs.

So the only traffic you should see across your WAN will be CAPWAP Control traffic.

Cheers,

Ric

local authentication, local

mohanak — Wed, 04 May 2016 01:29:09 GMT

local authentication, local switching—In this state, the FlexConnect access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

In connected mode, the access point provides minimal information about the locally authenticated client to the controller. The following information is not available to the controller:

–Policy type

–Access VLAN

–VLAN name

–Supported rates

–Encryption cipher

Local authentication is useful where you cannot maintain a remote office setup of a minimum bandwidth of 128 kbps with the round-trip latency no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 500 bytes. In local authentication, the authentication capabilities are present in the access point itself. Local authentication reduces the latency requirements of the branch office.

My Wireless Structure is same

rayho2000 — Thu, 03 Aug 2017 03:19:22 GMT

My Wireless Structure is same SSID (For example: Internal_Staff ) for all location and office.

We had 2 x 2504 HA, setup on DataCenter. And all Branch office through VPN to connect the DataCenter WLC. Branch office APs use flexconnect using same SSID with local network address. Also we using Radius Server for authentication.

My question is: Can I use the " Local Authentication " on primary rather than " Central Authen ".

If your aps are flexconnect

sremk — Thu, 03 Aug 2017 07:47:41 GMT

If your aps are flexconnect and you have radius server on local side for authenticating wireless clients, then yes, you can use local authentication.