Flex Connect - AP StandAlone mode_New Connections

Ivan Martin · ‎06-05-2025

Hi I'm Ivan

I would like to know, If is possible with AP in stadalone mode (using architecture Flex connect Central Auth-Local Switc) when it losss conectivity with WLC 9800, it could authenticate new end users (in the failure)?

We have reviewed, on failure, AP keeps the connection of end users with TLS, LWA, PEAP. But If some end user reauthenticate (in the branch site) for any reason (Windows suspend examp) he could not access to wifi DOT1X.

Thanks you for your advices,

Kind regards.

Haydn Andrews · ‎06-05-2025

it depends on if the SSID is configured with Local Authentication

But for 802.1x SSIDs you would also need to define the RADIUS server/ certificate to the APs, that being said if the RADIUS server is not local to the site then there is no point.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213921-flexconnect-configuration-with-central-a.html

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Ivan Martin · ‎06-05-2025

Flex is central auth local switching
Wlan is central no local. With some tests, user in the failure never authenticate, because radius traffic never reach out AAA server. Does exists some way to provide access?. I have local ldap

Kind regards Ivan

Scott Fella · ‎06-05-2025

Might want to review this so you understand the different states when using central vs local. This way you understand the risk of doing either modes.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_flex_connect.html?bookSearch=true#flexconnect-authentication-specific-details_920cf537-f385-4053-a815-b72e94b21120

-Scott
*** Please rate helpful posts ***

Rich R · ‎06-08-2025

As @Haydn Andrews says the only way to support 802.1x in standalone mode is with local radius authentication, configured in the flex profile. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-15/config-guide/b_wl_17_15_cg/m-sniffer-cg.html#flex-ap-local-auth
There are a few examples of using central auth as primary with fallback to local auth.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390