We have a central site which hosts a Virtual WLC and 5 or 6 remote offices, each with a local Windows NPS authentication server used for a standard 802.1x SSID. This all works perfectly.
However, we encounter an issue when the WLC is offline: the remote sites using FlexConnect and with standard PSK SSIDs continue to work, but the 802.1x SSIDs fail.
I know that this is due to the WLC proxying the requests. I have been trying to find a way to make the APs either fail back to authenticate against the local NPS when in FlexConnect mode, or even all the time if needed.
I have read through a lot of documentation on what's needed, but I cannot find anything concrete. This is not something I am able to replicate until I have an allotted outage, so anything I can find out before would be great. This diagram shows what I am trying to achieve. Is it as simple as just enabling FlexConnect local switching?
Create a FlexConnect group, add the AP to this group, and inside the group point to your RADIUS server. On the General tab, under AAA, you can define up to 2 RADIUS servers, one as primary and a second as secondary.
-If I helped you somehow, please, rate it as useful.-
Yes, you need to enable local authentication so that the RADIUS servers to be used are the ones configured on the FlexC Group. However, where is your DHCP server located?
This document tells you what you need: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/Flex_7500_DG.pdf