
Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

klopez138
Level 1

We currently have FlexConnect Local Switching configured at 2 of our three offices and we're using ISE for our CWA for the internal network SSIDs. We're about to stand up FCLS APs at our third office (Site C in the diagram) and we don't have a controller nor do we have an ISE server at that site. I know that FCLS stores the config on the AP and clients that are already authorized via dot1x will remain connected if the ISE server is unreachable. My question is, is there a way to configure the APs at office "C" to bypass the dot1x auth when the ISE server is unreachable? I know this seems like it defeats the purpose and is inherently less secure, I'm just trying to avoid having to deploy a hypervisor and ISE VM for an office that has a very small amount of people at it.

 

Capture.PNG


No, it's not possible. As per the diagram, I can see two ISE nodes at two different offices. In case the primary is completely unreachable, the request will go to the secondary server configured on the WLAN.

 

How is the LAN authentication happening on site C? Is it through the ISE on the other two sites?

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Currently there are no APs at site C. We are planning on installing them there soon. There is full IP connectivity between all three sites and we were going to have site C's APs configured to use FlexConnect local switching with site A as a primary RADIUS server and site B as a secondary RADIUS. I've tried to find documentation for using client certificates on the workstations as a backup to dot1x if site C were to lose connectivity to sites A and B but I've been unable to find anything. Do you know if that's possible?

Check out the option Local EAP Functionality Cisco WLC When External Radius Server Fails

 

Hope this helps for you.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Thanks. That doc is definitely a step in the right direction. I'm going to look into using smart card auth / LDAP auth as a backup to RADIUS. I just need to figure out how to configure dot1x on the switchport for the AP and whether or not the Windows supplicant will work with smart card auth.

Refer to this for AP 802.1x auth through ISE

 

Please rate the helpful posts and mark as solution if they really helped you out

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)