FlexConnect Central Auth with Local Switching

fatalXerror
Level 5

Hi Wireless Experts,

I have some questions,

1. Which is better, I deploy a FlexConnect AP in my remote office and associate it to my central office or provide another WLC dedicated for remote office.

2. I have a remote office which I plan to deploy with FlexConnect AP with central authentication to ISE (located at my central office) then once authenticated and authorized by ISE, all traffic will be locally switched at my remote branch. This is for my internal and guest use-cases.

3. How many users can connect per FlexConnect Group?

4. My WLC will be at my central office, should I set my APs in my central office to be FlexConnect APs and associate it to a FlexConnect Group also like my plan in my remote office?

5. Which is better, guest separated only by VLAN or redirecting guest traffic to anchor WLC?

Thank you


Hello @fatalXerror 

 

1. Which is better, I deploy a FlexConnect AP in my remote office and associate it to my central office or provide another WLC dedicated for remote office.

The reason people deploy FlexConnect in a remote office is not because it is better or worse, it is because it is cheaper, and not only because you save on the WLC. By installing APs in FlexConnect mode you don't need to bring all the wireless traffic to the Data Center. If you use an MPLS network, for example, you can save on link costs by bringing only the necessary traffic to the Data Center.

Nowadays, when Microsoft tools are available through the internet, only a little traffic would be sent to the Data Center.

2. I have a remote office which I plan to deploy with FlexConnect AP with central authentication to ISE (located at my central office) then once authenticated and authorized by ISE, all traffic will be locally switched at my remote branch. This is for my internal and guest use-cases.

That's the idea of FlexConnect.

3. How many users can connect per FlexConnect Group?

The relationship is AP per flexconnect group and not user per flexconnect group.  A maximum of 100 APs is supported per FlexConnect group (other than the default FlexConnect group, which is limited only by the maximum APs supported by the controller). 

 

4. My WLC will be at my central office, should I set my APs in my central office to be FlexConnect APs and associate it to a FlexConnect Group also like my plan in my remote office?

It does not matter. The idea of Flexconnect or not must rely on where you need the wireless traffic to be: Local on the access switch or on the Data Center with the WLC.

5. Which is better, guest separated only by VLAN or redirecting guest traffic to anchor WLC?

From a security perspective, an anchor in the DMZ would be a better solution, but it will always depend on the budget.

Hi @Flavio Miranda , thank you for your reply, appreciate it.

About my question 2, will this setup work even if my ISE does posturing as well, meaning creating a FlexConnect ACL for my redirection ACL will work?

Are there new solutions nowadays that are better than FlexConnect?

Thank you

It will support it, but there are some caveats you should read before making a decision. Details like:

"• FlexConnect APs do not forward the DHCP packets after Change of Authorization (CoA) and change
of VLANs using 802.1x encryption. You must disconnect the client from the WLAN and reconnect the
client to enable the client to get an IP address in the second VLAN. "

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_flex_connect.pdf

And this considering you are going to deploy 9800 WLC

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-7/config-guide/b_wl_17_7_cg/m_vewlc_flex_connect.html

 

The answer is hard.
There are two, LWA and CWA, but in both cases, if the AP loses connectivity to the WLC or the WLC loses connectivity to ISE, the guest cannot auth and cannot access the wireless.
