Cisco WLC Flex-connect SSID Radius Authentication when WLC is not available

at2885
Level 1

Hello

We have a central site which hosts a virtual WLC and 5 or 6 remote offices, each with a local Windows NPS authentication server used for a standard 802.1X SSID. This all works perfectly.
However, we encounter an issue when the WLC is offline: the remote sites using FlexConnect with standard PSK SSIDs continue to work, but the 802.1X SSIDs fail.
I know that this is due to the WLC proxying the requests. I have been trying to find a way to make the APs either fail back to authenticating against the local NPS when in FlexConnect mode, or even all the time if needed.
I have read through a lot of documentation on what's needed, but I cannot find anything concrete. This is not something I am able to replicate until I have an allotted outage, so anything I can find out beforehand would be great. This diagram shows what I am trying to achieve (attachment: Capture.JPG). Is it as simple as just enabling FlexConnect local switching?

5 Replies

Hi

Create a FlexConnect group, add the AP to this group, and inside the group point to your RADIUS server. On the General tab, under AAA, you can define up to 2 RADIUS servers, one as primary and a second as secondary.

-If I helped you somehow, please, rate it as useful.-

Thank you. Do I also need to turn on local authentication within the SSID?

Yes, you need to enable local authentication so that the RADIUS servers used are the ones configured on the FlexConnect group. However, where is your DHCP server located?

This document tells you what you need: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/Flex_7500_DG.pdf

Everything is local except the WLC. I will give it a go on Saturday and let you know.

Thank you


Rich R
VIP

Yes, it works; I've used it for some customers. But be careful: what version of software and what APs are you using?

There's a bug, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy00740, that causes it to break, so you need at least 8.5.182.0 or 8.10.x. It's nasty because you configure it and it works until CAPWAP to the WLC is reset for any reason (days, weeks or months later), then it stops working until you reboot the AP.
