Flexconnect AP with auto anchor at head office

wireless wlc
Level 1

Hi all,

I have a headquarters with two WLC5508s anchored to another 5508 in the DMZ. Now we want to roll out wireless guest to the branches with local switching of the guest wireless traffic. The guest SSID used at headquarters is anchored to the guest controller and uses web authentication.

Question 1: Can I use the same guest SSID for the branches as well in this case?

Question 2: If I only enable the "HREAP local switching" feature on the guest SSID, will the other HQ SSIDs still be broadcast on the HREAP branch APs?

I am assuming the guest SSID at the branch will take an IP address from the local IP subnet since it is locally switched, and web authentication will happen on the HQ guest controller? And once webauth completes, guest SSID traffic will be locally switched. Is this correct?

regards

Joe

5 Replies

Scott Fella
Hall of Fame

Question 1: Can I use the same guest SSID for the branches as well in this case?

Yes, you can use the same guest SSID.

Question 2: If I only enable the "HREAP local switching" feature on the guest SSID, will the other HQ SSIDs still be broadcast on the HREAP branch APs?

Yes, they will. Unless you use AP groups and define which APs broadcast which WLANs, the default group will have all SSIDs from WLAN IDs 1-16.

I am assuming the guest SSID at the branch will take an IP address from the local IP subnet since it is locally switched, and web authentication will happen on the HQ guest controller? And once webauth completes, guest SSID traffic will be locally switched. Is this correct?

You don't need to use local switching unless you want guest traffic to go out at the remote site. If Internet routes out through HQ, then centrally switch the guest SSID. That is what I do unless they have a dedicated guest Internet connection at each location.


-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for the info. Yes, web authentication for the guest SSID happens on the HQ DMZ guest controller for HQ guests, and the same is intended to be used for branch guest access as well. Yes, we need to use local switching because we have local ADSL connections in the branches and don't want to carry the data traffic to the HQ.

What will the traffic flow be like in this case?

1. The client sends a DHCP request and gets an IP on the locally defined VLAN on the HREAP AP.

During this, the controller gets to know of the client association via the CAPWAP control message from the HREAP AP.

2. The client opens a browser, enters a website address (google.com) and gets the controller webauth login page.

Is this step happening inside the CAPWAP tunnel or outside it? (The TCP communication between client and WLC.)

3. The client enters the username and password for webauth.

But the WLC virtual IP is not routed anywhere, so how will the username and password reach the WLC? (Through the CAPWAP tunnel?)

4. The controller checks the username/password, either locally defined or on a NAC Guest Server or ISE?

If the username/password reaches the controller, it should be able to verify the credentials with an external entity like NGS or ISE?

regards

Joe

1. The client sends a DHCP request and gets an IP on the locally defined VLAN on the HREAP AP.

During this, the controller gets to know of the client association via the CAPWAP control message from the HREAP AP.

Yes, but the WLC will not get any client data since the traffic isn't going back to the WLC.

2. The client opens a browser, enters a website address (google.com) and gets the controller webauth login page.

Is this step happening inside the CAPWAP tunnel or outside it? (The TCP communication between client and WLC.)

This all happens inside the mobility tunnel back to the anchor WLC.

3. The client enters the username and password for webauth.

But the WLC virtual IP is not routed anywhere, so how will the username and password reach the WLC? (Through the CAPWAP tunnel?)

The WLC uses its VIP; the client doesn't care. If you have a 3rd-party certificate, you need to make sure the FQDN is resolvable to the VIP address or you will get a certificate error.

4. The controller checks the username/password, either locally defined or on a NAC Guest Server or ISE?

If the username/password reaches the controller, it should be able to verify the credentials with an external entity like NGS or ISE?

Well, what is hosting the webauth: the WLC, NGS or ISE? Only one can do this, and that is what you have to decide.

Thanks,

Scott


Hi Scott,

I tested it out and it doesn't work like that. The client will only get an IP from the HQ DMZ subnet to which that SSID is anchored, even though the AP is a FlexConnect AP and a local VLAN is configured for the SSID subnet. I think this is expected behaviour?

regards

Joe

DHCP requests are always bridged locally for a locally switched WLAN. Did you configure local switching on both anchor and foreign?
