Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1741
Views
0
Helpful
2
Replies

FlexConnect and Local Authentication?

devils_advocate
Level 7
Level 7

‎04-05-2016 08:32 AM - edited ‎07-05-2021 04:52 AM

Hi

I have read the guide on this and am clear on what needs to be enabled but do I really need to upload the static list of local users?

Surely if the AP is sending the Authentication to the Radius server directly in the event of a controller failure, why does it also need a static list of local users?

Maybe I am understanding it wrong...

I am looking to have the AP's function for both switching and authorisation in the event of a controller failure with the clients using 802.1x.

Regards

Labels:
0 Helpful
2 Replies 2

Ric Beeching
Level 7
Level 7

‎04-05-2016 11:25 PM

Hi Devils,

Should the AP enter standalone mode due to a WLC failure then they are able to fallback to a locally configured RADIUS server. The local auth you are referring to is if you wanted to use a local database on each Access Point but as long as there is a configured local RADIUS server (configured under FlexConnect Groups) then you should be fine.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001000.html#ID42

"When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue new client authentications.

In controller software release 4.2 or later releases, this configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a FlexConnect access point to support 802.1X in a standalone mode or with local authentication."

-----------------------------
Please rate helpful / correct posts
0 Helpful

devils_advocate
Level 7
Level 7
In response to Ric Beeching

‎04-06-2016 12:04 AM

Thanks Ric, that clears things up!

The guide I read didn't separate the configuration for Local Users and Radius Users so it made it look like you needed both which seemed odd but I didn't want to plough ahead with the change without checking first.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card