I've managed to get 802.1x authentication working well with a Centrally Authenticated / Locally Switched H-REAP, however when i try and use RADIUS to assign a VLAN using AAA Override, it doesn't seem to pass that information down from the controller to the AP. If the access point isn't in H-REAP mode, it works as expected, overriding the VLAN set on the WLAN itself.
From what I can find, this might be an unsupported configuration, but is there a way to configure it in order for it to work?
Basically everything works as expected except overriding the VLAN that the client should be in, instead the client attempts to get an IP address on the Native VLAN associated with the locally switched WLAN.
Controller is a 5508 running 22.214.171.124, and the ap is AIR-LAP1262N-N-K9
Further to this, i'm assuming that the issue is the fact that the WLC doesn't pass on any VLAN information to the AP, hence why it's unsupported. Does anyone know a workaround for this?
David, you are the first person I know attempting this. I dont think its supported. HREAP is pretty cut and dry, local or central switch, thats it.
I guess you want to have 1 ssid and then move your clients between them ?
Lets see if one of the Cisco guys like Pat or Sur comment ..
From what I have been reading, i'm pretty sure that it is unsupported, although I have a couple of reasons for wanting to give it a go.
Yes, I would like to have 1 SSID (which works perfectly without H-REAP), and use RADIUS to override the VLAN info based on the user's group-membership (using PEAP).
The reason i'd like to give this a try comes from a bandwidth perspective - and we have more than one customer that would like to do this. Specifically in education environments, we work with schools that have anywhere up to 1500 wireless devices and in some cases around 75 APs. Using 802.1X for VLAN assignment has made quite a few areas of management around this a lot easier, but being able to use 802.1Q along with H-REAP locally switched on the APs, in my opinion, would speed things up a great deal especially given we're now dealing with a high adoption rate of 802.11n.
Given that we can't put 10gb/s SFP+ interfaces into the WLC, we're limited to an 8gb LAG, which would quite easily reach max bandwidth with 1000-1500 wireless devices online, most of which will support 802.11n. Locally switching this traffic would mean 1gb per AP - stating the obvious i know, but that would provide a theoretical max of 75gb/s in the case of where there are 75 APs in the environment. Not solid numbers I know, but it's easy to see why H-REAP in this situation is a much preferred option.