1055 Views, 0 Helpful, 7 Replies

Flex Connect Auth question

IT Services
Level 1

Good Morning,

I have a question about Flex Connect.

I have read and read and read the configuration guide and I swear I do not see this answer anywhere.

We are looking to move our environments to Local Switch\Central Auth since we are going to be fully redundant at the WAN links. If the WAN were to fail, would being in Standalone mode switch over to Local Auth so we would be able to authenticate local clients again?

If we were to set Local Auth on the WLAN, is there any way to have it central auth first and local auth in standalone?

7 Replies

Erwin Salazar
Cisco Employee

Great question.  So if you set Local Auth in the Advanced tab on the WLAN, it will always source the RADIUS auth from the Access Point.  With that said, if you want to use central auth first, and then local auth whenever the WAN link goes down and the AP goes into standalone, then you have to do the following:

1. On the WLAN, configure standard 802.1x settings and make sure Local Switching is checked and that Local Auth is NOT checked.

2. You will need to create a FlexConnect/HREAP Group under Wireless > FlexConnect Groups.  Here you will specify the AAA RADIUS servers to use whenever the AP goes into standalone.  Don't forget to add your APs into the FlexConnect group that you want to participate in this.  Now, if you want to do true Local Authentication (no RADIUS), this is the area to configure as well (the Local Authentication tab).

Hope this answers your question.

Cheers, Erwin
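The same two steps expressed as AireOS WLC CLI, added here as an illustration rather than taken from Erwin's post. The WLAN ID (1), group name (BRANCH-FLEX), RADIUS server address (10.10.20.5), AP MAC address and shared secret are placeholders, the WLAN is assumed to already carry its 802.1X/RADIUS settings, and the command syntax is quoted from memory of the 7.x command reference, so check it against your own release. Lines beginning with "!" are annotations, not commands.

```cisco
! Added example, not Erwin's configuration. Placeholders: WLAN 1, group BRANCH-FLEX,
! RADIUS 10.10.20.5, AP MAC 00:11:22:33:44:55, <shared-secret>. Verify syntax for your release.

! Step 1: Local Switching ON and FlexConnect Local Auth OFF on the WLAN, so authentication
! stays central while the AP is connected and only moves to the AP in standalone.
! The WLAN must be disabled to change its FlexConnect settings.
config wlan disable 1
config wlan flexconnect local-switching 1 enable
config wlan flexconnect ap-auth 1 disable
config wlan enable 1

! Step 2: FlexConnect group holding the RADIUS server the AP uses once it is standalone,
! and the AP(s) that belong to that group.
config flexconnect group BRANCH-FLEX add
config flexconnect group BRANCH-FLEX radius server add primary 10.10.20.5 1812 <shared-secret>
config flexconnect group BRANCH-FLEX ap add 00:11:22:33:44:55

! Verification: confirm Local Switching is enabled, Local Auth is disabled, and the group
! lists both the RADIUS server and the AP.
show wlan 1
show flexconnect group detail BRANCH-FLEX
```

As the later replies point out, the branch RADIUS server must also know the AP itself as a NAS client, because in standalone mode the Access-Requests come from the AP's address rather than the controller's.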

@Erwin,

Nice write up. I am trying to test this configuration and scenario but I am not having any success forcing the Test FLEX AP into standalone mode. I placed an ACL on the WAN link preventing this particular AP from reaching the controller(s).

Any other suggestions to test this configuration?

All you would need to do is place the ACL on the gateway interface for the subnet that the Access Points are on and block UDP 5246 and 5247 traffic.  This should break communication with the controller and put it into standalone.

Also, Yahya is correct in that you will also need to add the Access Points as NAS devices into your AAA server if you are using 802.1x with a RADIUS like ACS or Microsoft NPS.

Cheers, Erwin
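An IOS extended ACL that does what Erwin describes for a single test AP, added here as an example and not part of his reply. The AP address (10.10.20.50) and the AP-subnet SVI (Vlan20) are assumed; CAPWAP control is UDP 5246 and data is UDP 5247, as in the reply above. The "log" keyword on the deny lines is there so you can confirm with show access-lists that the AP's traffic is really being dropped, which matters because the AP only declares standalone after its heartbeats to the controller time out, the delay the original poster ran into later in the thread.

```cisco
! Added example, not from the original post. Assumed: test AP 10.10.20.50, AP subnet SVI Vlan20.
! Block only this AP's CAPWAP control (5246) and data (5247) traffic; everything else passes.
ip access-list extended BLOCK-TEST-AP-CAPWAP
 deny   udp host 10.10.20.50 any eq 5246 log
 deny   udp host 10.10.20.50 any eq 5247 log
 permit ip any any
!
! Apply inbound on the AP subnet's gateway interface.
interface Vlan20
 ip access-group BLOCK-TEST-AP-CAPWAP in
!
! Verify the deny counters are incrementing before concluding the AP is cut off.
show access-lists BLOCK-TEST-AP-CAPWAP
!
! When the test is finished, remove the ACL so the AP can rejoin the controller.
interface Vlan20
 no ip access-group BLOCK-TEST-AP-CAPWAP in
```

Limiting the deny lines to the one test AP keeps the rest of the site's APs joined while you confirm that clients on the test AP can still authenticate against the branch RADIUS server.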

I guess patience is key.

It took a while but the AP finally was not joined and sending traffic to the controller. I don't know how long, but I am very surprised it wasn't instantaneous. After I verified it was no longer communicating with the controller, Local Auth kicked in and was working.

Scott Fella
Hall of Fame

Just to add... here is a link to FlexConnect groups, which Erwin is explaining in his post.  I'm guessing you are using 802.1x, as with PSK you don't need to have FlexConnect Groups.

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1225516

Thanks,

Scott


Yahya Jaber
Cisco Employee

To add also... add the APs as AAA clients too.

To the Local Auth AAA server, correct?

I would not need to add the APs to the central auth server, correct?
