05-06-2019 11:19 AM - edited 07-05-2021 10:20 AM
We currently have Flexconnect Local Switching configured at 2 of our three offices and we're using ISE for our CWA for the internal network SSIDs. We're about to stand up FCLS APs at our third office (Site C in the diagram) and we don't have a controller nor do we have an ISE server at that site. I know that FCLS stores the config on the AP and clients that are already authorized via dot1x will remain connected if the ISE server is unreachable. My question is, is there a way to configure the APs at office "C" to bypass the dot1x auth when the ISE server is unreachable? I know this seems like it defeats the purpose and is inherently less secure, I'm just trying to avoid having to deploy a hypervisor and ISE VM for an office that has a very small amount of people at it.
05-06-2019 12:30 PM
No, it's not possible. As per the diagram, I can see two ISE nodes at two different offices. In case the primary is completely unreachable, the request will go to the secondary server configured on the WLAN.
How is the LAN authentication happening at site C? Is it through the ISE at the other two sites?
05-07-2019 04:20 AM
Currently there are no APs at site C. We are planning on installing them there soon. There is full IP connectivity between all three sites and we were going to have site C's APs configured to use Flexconnect local switching with site A as a primary RADIUS server and site B as a secondary RADIUS. I've tried to find documentation for using client certificates on the workstations as a backup to dot1x if site C were to lose connectivity to sites A and B but I've been unable to find anything. Do you know if that's possible?
05-07-2019 05:15 AM
Check out the option: "Local EAP Functionality Cisco WLC When External Radius Server Fails"
Hope this helps.
05-07-2019 04:08 PM
Thanks. That doc is definitely a step in the right direction. I'm going to look into using smart card auth / LDAP auth as a backup to RADIUS. I just need to figure out how to configure dot1x on the switchport for the AP and whether or not the Windows supplicant will work with smart card auth.
05-07-2019 09:20 PM
Refer to this for AP 802.1x auth through ISE
Please rate the helpful posts and mark as solution if they really helped you out