Beginner

WLC Flexconnect vs 802.1x Local authentication

Hi, 

Can someone clarify this point:

We have some AP groups and FlexConnect groups, and some are used in our branch offices. We want to use the local authentication feature with a RADIUS server in some branches to be able to have Wi-Fi in case of a WAN failure.

When the AAA is configured in the FlexConnect groups, if I put the server at the branch as primary and another server as secondary, will all the 802.1x queries go to the branch server, even when the WAN is available? In the SSID config, the main 802.1x server is in our primary datacenter... but we want to keep 802.1x traffic local even if the WAN is available.

Thanks,

3 REPLIES
VIP Mentor

When the AAA is configured in the FlexConnect groups, if I put the server at the branch as primary and another server as secondary, will all the 802.1x queries go to the branch server, even when the WAN is available?

For the APs that belong to a given FlexConnect AP group, authentication requests should go to the server configured under the FlexConnect group.

Refer below for details on FlexConnect design

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html

HTH

Rasika

*** Pls rate all useful responses ***


It is unnatural to doubt you, but are you sure? :-)

When the WAN is available, the access point is no longer in standalone mode and the WLC should be used again. If you always want to use the settings configured within the FlexConnect group, you also need to enable the "FlexConnect local authentication" option within the WLAN, I thought?

Cisco Employee

If a FlexConnect is configured with both a backup RADIUS server and local authentication, the FlexConnect access point always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect access point itself (if the primary and secondary are not reachable).

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#15636
