Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1605
Views
0
Helpful
3
Replies

Flexconnect - EAP-TLS authentication after WAN failure

Go to solution
julbvt
Level 1
Level 1

‎04-03-2019 02:13 AM - edited ‎07-05-2021 10:11 AM

Dear Ciscoers,

 

I am studying branch authentication capabilities and I have got the needing to authorize clients even if the WAN link is down.

My authentication server is located in Data-center so i'm interested by the new functionnality of local EAP-TLS authentication described by this link : https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/configuration-guide/b_cg81/b_cg81_chapter_0101101.html#ID1324

 

I've seen these tables but I didn't really understood what is possible and what is not.

So, could you confirm that this method is compatible with Flexconnect "connected" mode ? We really don't need any local server, Flexconnect AP take completely authentication in charge ? 

 

And, subsidiary question : Is this possible with Mobility Express AP ?

 

Thanks a lot for your help.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ric Beeching
Level 7
Level 7
In response to julbvt

‎04-04-2019 04:16 AM

Yes sorry, I should have worded answer 1 more clearly. That will work too :)
-----------------------------
Please rate helpful / correct posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Ric Beeching
Level 7
Level 7

‎04-03-2019 06:20 AM

When FlexConnect is in connected mode (i.e. WLC CAPWAP Control tunnel is up) you have two options for EAP-TLS:
1) Local mode EAP-TLS (works either connected or standalone mode). This is where clients are authenticated locally on the Access Points via certificates. As long as certificates are setup in the way outlined in the guide, this will work.
2) Use central auth with a RADIUS server like Cisco ISE setup with EAP-TLS chain in similar fashion. With this option you lose auth with WAN down and auth must traverse the WAN to central so local is a less risky option, but could be a headache to setup (I haven't set this up so not sure).

Mobility Express doesn't seem to support local EAP-TLS so there's a limitation there. It can still support central auth to a RADIUS server over the WAN with local switching if that is an option.

Ric
-----------------------------
Please rate helpful / correct posts
0 Helpful

Go to solution
julbvt
Level 1
Level 1
In response to Ric Beeching

‎04-04-2019 01:11 AM

Thanks for your answer :)

 

3) The third option could be to activate both central auth and « AP local mode Authentication » ?

- When the WLC and the ISE are reachable, Flexconnect AP use the central authentication.

- When the tunnel is down, WLC and ISE are not reachable but Flexconnect AP could use local authentication like below.

 

351041

 

Is this a scenario thinkable ?

0 Helpful

Go to solution
Ric Beeching
Level 7
Level 7
In response to julbvt

‎04-04-2019 04:16 AM

Yes sorry, I should have worded answer 1 more clearly. That will work too :)
-----------------------------
Please rate helpful / correct posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card