08-02-2013 06:00 AM - edited 07-04-2021 12:34 AM
Good Morning,
I have a question about Flex Connect.
I have read and read and read the configuration guide and I swear I do not see this answer anywhere.
We are looking to move our environments to Local Switch\Central Auth since we are going to be fully redundant at the WAN links. If the WAN were to fail, would being in Standalone mode switch over to Local Auth so we would be able to authenticate local clients again?
If we were to set Local Auth on the WLAN, is there any way to have it do central auth first and local auth in standalone?
08-02-2013 01:57 PM
Great question. So if you set Local Auth in the Advanced tab on the WLAN, it will always source the RADIUS auth from the Access Point. With that said, if you want to use central auth first, and then local auth whenever the WAN link goes down and the AP goes into standalone, then you have to do the following:
1. On the WLAN, configure standard 802.1x settings and make sure Local Switching is checked and that Local Auth is NOT checked.
2. You will need to create a FlexConnect/HREAP Group under Wireless > FlexConnect Groups. Here you will specify the AAA RADIUS servers to use whenever the AP goes into standalone. Don't forget to add your APs into the FlexConnect group that you want to participate in this. Now, if you want to do true Local Authentication (no RADIUS), this is the area to configure as well (the Local Authentication tab).
Hope this answers your question.
08-06-2013 12:25 PM
Erwin Salazar wrote:
Great question. So if you set Local Auth in the Advanced tab on the WLAN, it will always source the RADIUS auth from the Access Point. With that said, if you want to use central auth first, and then local auth whenever the WAN link goes down and the AP goes into standalone, then you have to do the following:
1. On the WLAN, configure standard 802.1x settings and make sure Local Switching is checked and that Local Auth is NOT checked.
2. You will need to create a FlexConnect/HREAP Group under Wireless > FlexConnect Groups. Here you will specify the AAA RADIUS servers to use whenever the AP goes into standalone. Don't forget to add your APs into the FlexConnect group that you want to participate in this. Now, if you want to do true Local Authentication (no RADIUS), this is the area to configure as well (the Local Authentication tab).
Hope this answers your question.
@Erwin,
Nice write-up. I am trying to test this configuration and scenario, but I am not having any success forcing the test FLEX AP into standalone mode. I placed an ACL on the WAN link preventing this particular AP from reaching the controller(s).
Any other suggestions to test this configuration?
08-06-2013 02:00 PM
All you would need to do is place the ACL on the gateway interface for the subnet that the Access Points are on and block UDP 5246 and 5247 traffic. This should break communication with the controller and put it into standalone.
Also, Yahya is correct in that you will also need to add the Access Points as NAS devices into your AAA server if you are using 802.1x with a RADIUS server like ACS or Microsoft NPS.
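Added example, not part of the original posts: one way to write the test ACL described above in Cisco IOS syntax. The ACL name, the VLAN interface and both addresses (documentation ranges) are assumed placeholders.

```cisco
! Constructed example: names and addresses are placeholders.
! 192.0.2.10   = test FlexConnect AP (assumed)
! 198.51.100.5 = WLC management interface (assumed)
ip access-list extended TEST-FLEX-STANDALONE
 remark Drop CAPWAP control (5246) and data (5247) from the test AP to the WLC
 deny   udp host 192.0.2.10 host 198.51.100.5 range 5246 5247
 remark Leave everything else alone, including RADIUS from the AP to the
 remark servers listed in the FlexConnect group
 permit ip any any
!
! Apply inbound on the gateway interface of the AP subnet (Vlan100 is assumed)
interface Vlan100
 ip access-group TEST-FLEX-STANDALONE in
!
! Confirm the deny entry is matching, then remove the ACL after the test:
!   show ip access-lists TEST-FLEX-STANDALONE
!   interface Vlan100
!    no ip access-group TEST-FLEX-STANDALONE in
```

Scoping the deny to one AP and one controller keeps the other APs on the subnet joined, and the trailing permit keeps the AP's path to the standalone RADIUS servers open so the fallback can actually be observed.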
08-07-2013 08:50 AM
Erwin Salazar wrote:
All you would need to do is place the ACL on the gateway interface for the subnet that the Access Points are on and block UDP 5246 and 5247 traffic. This should break communication with the controller and put it into standalone.
Also, Yahya is correct in that you will also need to add the Access Points as NAS devices into your AAA server if you are using 802.1x with a RADIUS server like ACS or Microsoft NPS.
I guess patience is key.
It took a while, but the AP finally was not joined and sending traffic to the controller. I don't know how long, but I am very surprised it wasn't instantaneous. After I verified it was no longer communicating with the controller, Local Auth kicked in and was working.
08-03-2013 08:28 AM
Just to add... here is a link to FlexConnect group, which Erwin is explaining in his post. I'm guessing you are using 802.1x, as with PSK you don't need to have FlexConnect Groups.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
08-03-2013 11:24 AM
To add also... add the APs as AAA clients also.
08-06-2013 11:15 AM
To the Local Auth AAA server, correct?
I would not need to add the APs to the central auth server, correct?