Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
914
Views
0
Helpful
4
Replies

Flexconnect and AAA Overide

terrywatson651
Level 1
Level 1

‎09-03-2019 06:38 AM - edited ‎07-05-2021 10:56 AM

Hi

Am trying to set up some APs in Flexconnect mode that connect to a WLC runnng 8.3.143.0 that will advertise an 802.1x profile.  The RADIUS server (ISE) matches the user against AD and then returns different VLAN values in the Authorisation Profiles.  This all works fine with APs in Local Mode but when the system is set for Flexconnect APs, the user can associate with the profile, ISE authenticates the user and maps them to the correct Authorisation Profile, but the client device sits there with the WLC reporting the Policy Manager State as DHCP required.

Could someone confirm my setup, and what I must have missed.  This is what I have done:

1. AP set to Flexconnect Mode and rebooted.

2. WLAN Profile Advanced tab, profile set to AAA Overide and Flexconnect operation.

3. AP Fleconnect tab - VLAN support box checked, native VLAN set to marth switch port config, VLAN mapping button selected and SSID mapped to a VLAN.

4. Flexconnect Group created and AP added to Group.  Selected ACL Mapping tab, and then AAA VLAN-ACL Mapping sub-tab.  Typed in the VLAN Ids into the box and added them so I have a list of VLANs 250, 450 and 333, none of these have an Ingress or Egress Flexconnect ACL associated with them.

5. Logged into the AP and issued command show ip interface brief to check that sub interfaces for the the required VLANs have been created on the Gig Ethernet interface, they have.

 

Thanks in advance

 

Terry

 

Labels:
0 Helpful
4 Replies 4

patoberli
VIP Alumni
VIP Alumni

‎09-03-2019 07:07 AM

There are two operating modes with Flexconnect, local switched and central switched. With central switched, it should work by simply changing the AP to Flexconnect. The packets then are all routed to the WLC for processing.
With local switched, the packets exit directly at the AP lan port, meaning, you need to have a trunk configured (and set the native vlan to the one the ap uses to contact the WLC) with all the VLANs available that you have configured in the ISE policy.
0 Helpful

terrywatson651
Level 1
Level 1
In response to patoberli

‎09-04-2019 02:55 AM

Hi Patoberli

 

Thanks for the response.  This is a local switching solution, so the switch port has been set to trunk and a native VLAN assigned.  Similiarly on the AP, the AP is in Flexconnect mode and I have created the VLAN interfaces.

 

I believe I have now resolved the issue.

 

Kind Regards

Terry

0 Helpful

joey.debra
Level 1
Level 1
In response to terrywatson651

‎09-05-2019 12:04 AM

Did you add all the VLAN's in the WLAN-VLAN mapping?

0 Helpful

terrywatson651
Level 1
Level 1
In response to joey.debra

‎09-06-2019 12:40 AM

Hi Joey

Yes i;ve done the mappings.  For the AP Mapping I've done this under the Flexconnect tab for the AP, checked VLAN support and mapped the SSID to the VLAN.  For the AAA overide I used the VLAN-ACL Mapping mechanism within the Flexconect Group.  I'm not entriely sure what I canged the other day, but it all started working.

Thanks for taking the trouble to respond.

Terry

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card