Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

We currently have Flexconnect Local Switching configured at 2 of our three offices and we're using ISE for our CWA for the internal network SSIDs. We're about to stand up FCLS APs at our third office (Site C in the diagram) and we don't have a controller nor do we have an ISE server at that site. I know that FCLS stores the config on the AP and clients that are already authorized via dot1x will remain connected if the ISE server is unreachable. My question is, is there a way to configure the APs at office "C" to bypass the dot1x auth when the ISE server is unreachable? I know this seems like it defeats the purpose and is inherently less secure, I'm just trying to avoid having to deploy a hypervisor and ISE VM for an office that has a very small amount of people at it.

 


Re: Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

No, it's not possible. As per the diagram, I can see two ISE nodes at two different offices. In case the primary is completely unreachable, the request will go to the secondary server configured on the WLAN.

How is the LAN authentication happening at site C? Is it through the ISE at the other two sites?

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Re: Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

Currently there are no APs at site C. We are planning on installing them there soon. There is full IP connectivity between all three sites and we were going to have site C's APs configured to use Flexconnect local switching with site A as a primary RADIUS server and site B as a secondary RADIUS. I've tried to find documentation for using client certificates on the workstations as a backup to dot1x if site C were to lose connectivity to sites A and B but I've been unable to find anything. Do you know if that's possible? 

Re: Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

Check out the option Local EAP Functionality Cisco WLC When External Radius Server Fails

Hope this helps you.

Regards,
Sathiyanarayanan Ravindran


Re: Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

Thanks. That doc is definitely a step in the right direction. I'm going to look into using smart card auth / LDAP auth as a backup to RADIUS. I just need to figure out how to configure dot1x on the switchport for the AP and whether or not the Windows supplicant will work with smart card auth.

Re: Bypass dot1X on FlexConnect CWA WLAN when ISE is unreachable

Refer to this for AP 802.1x auth through ISE

Please rate the helpful posts and mark as solution if they really helped you out

Regards,
Sathiyanarayanan Ravindran
