01-16-2025 04:27 AM
Hi folks,
One of my customers is planning to place ISE to implement 802.1x and posture assessment with an agent. They have 9800 WLCs in the datacenter, which manage APs in a number of locations. If the APs worked in local (tunnel) mode through the WLC, posture assessment would be easy, because the WLC would be managing everything. However, the APs are working in FlexConnect Local Switching mode. Is there a way to do posture assessment in this scenario without needing anything else? If yes, who handles authentication, authorization and CoA sessions? Is it the AP? If it is the AP, then is the AP's model important?
Thanks in advance
01-16-2025 04:33 AM
You can use
Central authentication
This makes the AP do local switching and central authc.
For CoA I will check, but I think it works with central authc.
MHM
01-16-2025 04:35 AM - edited 01-16-2025 04:35 AM
"What if you have Flexconnect local switching access points and WLANs? The previous sections are still valid. However, you need an extra step in order to push the redirect ACL to the APs in advance."
MHM
01-16-2025 05:15 AM
Thank you @MHM Cisco World for the answer.
I am wondering about posture flow handling after provisioning the client with the agent. Is that only managed by the WLC regardless of AP model (2702, 2802, 9115 in my deployment) in FlexConnect mode? I am worried about whether posture state changes, the CoA process, authentication and authorization can be sent to and applied at the remote site, and about the AP's inadequacy in a situation that it must handle.
01-16-2025 05:26 AM
Add a new SSID for testing, apply the steps I shared in the link, and check posture.
I do think it will work.
Please update me
Thanks
MHM