09-12-2022 03:47 PM
New 2802i AP installed in a remote branch. Finds the WLC via DHCP option 43.
After I get it configured to be FlexConnect, the WLAN that I have 802.1x configured on isn't working. Looking at my NAS, it's saying that the IP address of the AP is sending the RADIUS request instead of the switch. "A RADIUS message was received from the invalid RADIUS client IP address 10.11.10.3." is what I'm seeing. The previous AP (2702i) was working just fine, and nothing has changed in the switch AAA configuration.
I can get clients authenticated if I enable centralized authentication in that WLAN policy profile, but I think that sends all traffic to the controller, which defeats the purpose of FlexConnect.
Any ideas? The AP is a 2802i and the WLC is a Catalyst 9800.
09-13-2022 12:32 AM
- Not a direct answer, but review the 9800 configuration with the CLI command `show tech wireless` and have the output analyzed by https://cway.cisco.com/
M.
09-13-2022 05:36 AM
If you need this to work, you need to add the AP as a network device (RADIUS client) in ISE and configure your ISE policies accordingly. When the AP is in FlexConnect mode and central auth is disabled, the AP will always send the RADIUS request.
I wouldn't really worry about this feature unless you have a RADIUS server locally at your site. If you have a RADIUS server at the site, you might have to consider configuring local auth RADIUS servers under the flex profiles to make it work in a complete WLC or WAN down scenario. Read the documentation very well and understand its pros and cons before the deployment.
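The point of the reply above is that with FlexConnect local authentication the AP, not the switch, is the RADIUS client, so every such AP has to exist as a network device on the RADIUS server. As an added example (not part of the thread, and not Cisco or ISE code), the script below reconciles "invalid RADIUS client" log lines in the wording quoted in the first post against a constructed inventory of registered RADIUS clients and FlexConnect APs, and lists which APs still need to be registered. The log lines, IP addresses and AP names are all constructed for the example; only 10.11.10.3 comes from the thread.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Matches the NAS log wording quoted in the original post.
INVALID_CLIENT_RE = re.compile(
    r"A RADIUS message was received from the invalid RADIUS client IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log lines (the first mirrors the message in the thread).
SAMPLE_LOG = [
    "2022-09-12 15:40:01 NPS: A RADIUS message was received from the invalid "
    "RADIUS client IP address 10.11.10.3.",
    "2022-09-12 15:40:05 NPS: A RADIUS message was received from the invalid "
    "RADIUS client IP address 10.11.10.3.",
    "2022-09-12 15:41:10 NPS: Network Policy Server granted access to a user.",
    "2022-09-12 15:42:22 NPS: A RADIUS message was received from the invalid "
    "RADIUS client IP address 10.11.10.7.",
]

# Constructed inventory: the switches were registered as RADIUS clients,
# the FlexConnect AP was not (this is the situation the thread describes).
REGISTERED_RADIUS_CLIENTS: Set[str] = {"10.11.10.1", "10.11.10.2"}
FLEX_AP_INVENTORY: Dict[str, str] = {"10.11.10.3": "BRANCH-AP-01"}  # ip -> AP name


def extract_invalid_clients(log_lines: Iterable[str]) -> Set[str]:
    """Return the distinct source IPs the RADIUS server rejected as unknown clients."""
    found: Set[str] = set()
    for line in log_lines:
        match = INVALID_CLIENT_RE.search(line)
        if match:
            found.add(match.group("ip"))
    return found


def classify_sources(
    invalid_ips: Iterable[str],
    registered_clients: Set[str],
    flex_aps: Dict[str, str],
) -> Dict[str, List[Tuple[str, str]]]:
    """Sort rejected source IPs into three buckets:

    flex_ap_missing     - a known FlexConnect AP that must be added as a RADIUS client
    registered_mismatch - already a RADIUS client, so the rejection needs another look
                          (e.g. the client definition does not match this address)
    unknown             - not in either inventory; worth investigating before adding
    """
    buckets: Dict[str, List[Tuple[str, str]]] = {
        "flex_ap_missing": [],
        "registered_mismatch": [],
        "unknown": [],
    }
    for ip in sorted(invalid_ips, key=ipaddress.ip_address):
        if ip in flex_aps and ip not in registered_clients:
            buckets["flex_ap_missing"].append((ip, flex_aps[ip]))
        elif ip in registered_clients:
            buckets["registered_mismatch"].append((ip, "registered"))
        else:
            buckets["unknown"].append((ip, "unknown"))
    return buckets


def aps_to_register(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Convenience wrapper: which FlexConnect APs from the inventory still need
    a RADIUS client (ISE network device) entry, judging from the log."""
    rejected = extract_invalid_clients(log_lines)
    return classify_sources(rejected, REGISTERED_RADIUS_CLIENTS, FLEX_AP_INVENTORY)[
        "flex_ap_missing"
    ]


if __name__ == "__main__":
    result = classify_sources(
        extract_invalid_clients(SAMPLE_LOG), REGISTERED_RADIUS_CLIENTS, FLEX_AP_INVENTORY
    )
    for bucket, entries in result.items():
        for ip, name in entries:
            print(f"{bucket:20s} {ip:15s} {name}")
```

Run against the constructed log, it reports 10.11.10.3 (BRANCH-AP-01) as a FlexConnect AP that still needs a RADIUS client entry, and 10.11.10.7 as an unknown source to check before anything is registered for it. Feeding it the real server log and a real AP inventory is a quick way to confirm that every local-auth AP has its network device entry.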
09-13-2022 08:00 AM
Thanks for your input.
I have a question, though. Is this something new? My previous deployment (2504 WLC with 2702i APs) was not acting as the supplicant; it was the switch. I didn't have any of the AP devices added to my RADIUS server, only the switches they were attached to.
09-13-2022 05:24 PM
I cannot understand how that could have worked at all. Like @Arshad Safrulla says, the only way to 802.1x auth a wireless user is on the AP.
Don't confuse local/central authentication (control plane) with local/central switching (client traffic). You can use central authentication with local switching, so the only traffic going to the WLC is the 802.1x auth while client traffic breaks out locally.
09-14-2022 08:03 AM
I'm not sure how it was working, but it was. It could very possibly be that I had central authentication enabled and didn't know it.
I wasn't confused so much with the local/central authentication and switching. I read documentation the other day that made it seem like all traffic would be sent to the controller like the AP operating in local mode. It was the wording that was throwing me off.
Thanks again for your help!