FlexConnect AP local auth and roaming when WAN is down?

istvan.kelemen1 (Level 1)

Hello,

 

There is a remote site with 2 APs in FlexConnect mode. VLAN switching is enabled.

The auth method is WPA2-PSK.

What will happen if the WAN link goes down? Will a new client be able to authenticate and associate?

Will the client be able to roam seamlessly?

Do I need to configure anything else than local vlan switching?

When and for what do I need to create users in the local database of the flex ap?

 

Thank you!

9 Replies

Ric Beeching (Level 7)

 

Hi Istvan,

Please see the feature tables below from the document

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html

Security - Client

Security support on FlexConnect varies with different modes and states. This table summarizes the security features that are supported:

Security feature          | WAN Up (Central Switching) | WAN Up (Local Switching) | WAN Up (Local Switching, Local Authorization) | WAN Down (Standalone)
Open/Static WEP           | Yes | Yes | Yes | Yes
WPA-PSK                   | Yes | Yes | Yes | Yes
802.1x (WPA/WPA2)         | Yes | Yes | Yes | Yes
MAC filter Authentication | Yes | Yes | No  | No
CCKM Fast Roaming         | Yes | Yes | Yes | Yes for connected clients; No for new clients

 

Mobility / Roaming Scenarios

                                      | ---------- Local Switching ---------- | --------- Central Switching ---------
WLAN Configuration                    | CCKM          | PMK (OKC)     | Others        | CCKM      | PMK (OKC) | Others
Mobility Between Same Flex Group      | Fast Roam (1) | Fast Roam (1) | Full Auth (1) | Fast Roam | Fast Roam | Full Auth
Mobility Between Different Flex Group | Full Auth     | Full Auth     | Full Auth     | Full Auth | Full Auth | Full Auth
Inter Controller Mobility             | N/A           | N/A           | N/A           | Full Auth | Fast Roam | Full Auth

(1) Provided the WLAN is mapped to the same VLAN (same subnet).

 

 

What version of code are you running on your WLC? 

Ric

 

-----------------------------
Please rate helpful / correct posts

wlc 2504 - 7.4.130

wlc4404 - 7.0.252

 

WAN Up (Local Switching) - when does it come into play? When the bandwidth is not enough?

No, the switching type isn't dynamic based on bandwidth or WAN status etc. You have to state whether you want that SSID to switch locally or centrally if the APs are in FlexConnect mode. This can be done from the GUI under WLAN -> Select your SSID -> Advanced Tab -> select/de-select FlexConnect Local Switching. (This might be H-REAP local switching for your code)

So for one SSID I may have APs in Local Mode with all traffic tunnelled back to the WLAN Controller but then I could also have some remote offices with the same SSID off the same WLAN Controller which are in FlexConnect (H-REAP) mode with local switching enabled. This allows for the flexibility of local authentication if you have servers on site and can also make it easier to manage firewall rules if traversing the WAN. That's purely a design/requirement thing though.

I think code 7.0.252 can perform the local switching feature, but bear in mind many new features aren't available on the older codes and your 4400 can't support anything higher than 7.0.x. If you are using guest anchor between your 2504/4400 there may be issues if they are running different versions of code.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts
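Added example, not from the thread or from Cisco's document: the AireOS WLC CLI equivalent of the GUI steps Ric describes, extended to the AP-side user database the original question asks about. The WLAN id and SSID, AP names and MACs, FlexConnect group name, VLAN and the test credentials are assumptions for illustration; the commands themselves are the standard 7.2+ AireOS syntax (on the 7.0.x 4400 the keyword is h-reap instead of flexconnect).

```cisco
! Added example (not from the thread). Assumed: WLAN 3 = SSID "REMOTE-SITE",
! APs REMOTE-AP1 / REMOTE-AP2, FlexConnect group REMOTE-SITE-FG.
! On 7.0.x code use "config ap mode h-reap" and "config wlan h-reap local-switching".

! 1. Put the remote-site APs into FlexConnect mode (each AP reboots).
config ap mode flexconnect REMOTE-AP1
config ap mode flexconnect REMOTE-AP2

! 2. Make the SSID switch locally. Without this the WLAN stays centrally
!    switched and stops serving clients as soon as the CAPWAP tunnel is lost,
!    whatever mode the AP is in.
config wlan disable 3
config wlan flexconnect local-switching 3 enable

! 3. Only for 802.1X WLANs: let the AP authenticate clients itself
!    (the "Local Switching, Local Authorization" column of the table).
!    WPA2-PSK does not need this; the AP holds the PSK and completes the
!    4-way handshake on its own, which is why PSK works in standalone mode.
config wlan flexconnect local-auth 3 enable
config wlan enable 3

! 4. FlexConnect group. Members share the AP-side user database and the
!    PMK/CCKM cache, which is what "Fast Roam" within the same Flex group
!    relies on (same VLAN mapping on both APs, see footnote (1) above).
config flexconnect group REMOTE-SITE-FG add
! AP MAC addresses below are assumed placeholders
config flexconnect group REMOTE-SITE-FG ap add 00:11:22:33:44:55
config flexconnect group REMOTE-SITE-FG ap add 00:11:22:33:44:66

! 5. Only for local 802.1X: enable the AP's built-in RADIUS server and add the
!    users it may verify while the WLC and the central RADIUS are unreachable.
!    This is the "local database" from the original question. Keep it to the
!    few accounts that really must work over a WAN outage; anything stored
!    here is only as safe as the AP's flash.
config flexconnect group REMOTE-SITE-FG radius ap enable
config flexconnect group REMOTE-SITE-FG radius ap eap-fast enable
config flexconnect group REMOTE-SITE-FG radius ap user add jdoe password Assumed-Pass-1

! 6. Verify
show wlan 3
show flexconnect group detail REMOTE-SITE-FG
show ap config general REMOTE-AP1
```

In the show output, confirm "FlexConnect Local Switching" (and, for 802.1X, "FlexConnect Local Authentication") reads Enabled on the WLAN, and that both APs list the group under "FlexConnect Group". Step 5 is irrelevant for the WPA2-PSK WLAN in the question; it exists for the 802.1X case where new clients must still be authenticated by the AP while the WLC is unreachable.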

Ah I think I understand now!

So when the AP is in Flex mode, I can choose between local or central switching when the WAN is up. So when the WAN goes down, the AP will locally switch traffic even if I set central switch?

Almost.

"So when the AP is in Flex mode, I can choose between local or central switching when the WAN is up" - Correct.

"So when the WAN goes down, the AP will locally switch traffic even if I set central switch?" - Incorrect.

If you want the APs to still service traffic when the WAN goes down then they have to be in H-REAP/FlexConnect mode and the SSID (WLAN) needs to have local switching enabled.

 

 

 

-----------------------------
Please rate helpful / correct posts

Yes, I meant this under the second one. Thanks!

A few more questions... When the AP is in Flex mode, does it trunk when it is switching the traffic centrally? What should the native VLAN be?

Or when it is in Flex mode, and the WAN is up, it switches the traffic centrally so, it sends the traffic out with a vlan tag matching with the appropriate ssid upto the WLC or via CAPWAP tunnel over the native vlan? 

In Flex mode with central switching all the data traffic will be tunnelled back to the controller via the CAPWAP tunnel so that will be whatever you are tagging your trunk's native vlan as for the Access Point.

"or via CAPWAP tunnel over the native vlan?" - Yep! So in your scenario (Flex with Central switch), all the data and control traffic will flow inside a tunnel that is initially tagged with whatever vlan you have as the native vlan on your trunk port connected to the access point. This may change as it flows through the network but that doesn't matter. The traffic will arrive at your WLAN controller and from there it will egress to the rest of the network based off the interface you have told it to go out of under the WLAN (SSID) setting.

 

 

 

 

-----------------------------
Please rate helpful / correct posts
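Added example, not from the thread: what the switch port and the AP VLAN mapping look like for the two cases discussed above, one centrally switched WLAN and one locally switched WLAN on the same FlexConnect AP. Catalyst IOS switch-port syntax first, AireOS WLC commands second; the interface, VLAN ids, WLAN ids and AP name are assumptions.

```cisco
! Added example (not from the thread). Assumed: native/AP management VLAN 10,
! locally switched client VLAN 20, WLAN 1 centrally switched, WLAN 3 locally
! switched, AP name REMOTE-AP1, switch port Gi1/0/5.

! --- Catalyst switch port facing the AP ---
interface GigabitEthernet1/0/5
 description REMOTE-AP1 (FlexConnect)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
!
! VLAN 10 (untagged) carries the CAPWAP tunnel to the WLC. WLAN 1 client
! traffic rides inside that tunnel and egresses at the WLC on the dynamic
! interface mapped to the WLAN; it never appears as a tagged VLAN here.
! VLAN 20 (tagged) carries only WLAN 3 clients, which the AP bridges itself,
! so it is the only VLAN that needs to stay allowed besides the native one.

! --- WLC side: AP VLAN support and the WLAN-to-VLAN mapping for local switching ---
config ap flexconnect vlan enable REMOTE-AP1
config ap flexconnect vlan native 10 REMOTE-AP1
config ap flexconnect vlan wlan 3 20 REMOTE-AP1

! Verify: look for "Native VLAN ID" and the WLAN/VLAN mapping table
show ap config general REMOTE-AP1
```

Two checks worth doing: the native VLAN configured on the AP must match the trunk's native VLAN, otherwise the AP loses its CAPWAP session after the change; and the allowed-VLAN list should contain nothing beyond the native VLAN and the VLANs that locally switched WLANs map to, so a client at the remote site cannot reach a VLAN the AP was never meant to bridge. Apply the same mapping to every AP in the Flex group, since the roaming table above only promises a fast roam when both APs map the WLAN to the same VLAN.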

Ah thx!

What will happen if the WAN or the WLC goes down?

Will the AP become a layer 2 switch, change its uplink to a trunk and forward all the traffic upwards to the layer 3 switch? Or will it only switch traffic between the clients connected to the same SSID where local switching is enabled, or also between SSIDs and VLANs via the L3 switch?

I have some confusion: as per the document below, it says if I set local auth/local switch then 802.1x is not supported.

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/ch7_HREA.html

 

Authentication-local/switch-local

This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect goes into standalone mode. The WLAN continues to beacon and respond to probes (Figure 7-5). Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

But as per the post above it seems 802.1x is supported in local auth/local switching mode.

 
