FlexConnect Groups 802.1x Authentication

Florin Barhala
Level 6

Hi guys,

I have a vWLC running 7.5 and several locations running FlexConnect.

One SSID is using 802.1x with PEAP on Windows 2008. I have started the config with Local Switching and Central Authentication.

I defined on Security Radius the right server, setup PSK and authentication works fine, from all over the sites.


I also set up FlexConnect groups so each site's APs belong to a specific FlexConnect group. As we speak I used only the newest tab, WLAN VLAN mapping, which worked pretty fine (I found out the hard way that it's dependent on the AP Groups setup).


Now I want to enable FlexConnect Local Auth and for that I configured one primary server on the FlexConnect group General tab: I added the IP and the PSK in use. But auth now doesn't work.


I read the documentation, but I still find it pretty vague. What am I missing here? Do I still need to define each AP as a RADIUS client on the Win_Radius_Server?


Many thanks,

Florin.


If you are testing the WAN link down scenario (where the APs operate in standalone mode) then your local RADIUS server should know the APs, as they will forward the RADIUS requests to the server.

Do you have a local RADIUS server?

HTH

Rasika

Hi Rasika,

FlexConnect is configured for local switching and central authentication; RADIUS servers are configured on Security > RADIUS. There are two: one RADIUS server in the same subnet as the vWLC and APs, and one 4 hops away. All works fine.

But when I go to the WLAN and tick Local Authentication, no client can get access to that WLAN.

Obviously I am missing some configuration, but what? To mention, both the APs and the vWLC are in the same subnet, and I haven't stopped the vWLC yet.

When you enable this "Local Auth" option, does either of your RADIUS servers get any hits from client requests?

If you do "debug client <client-mac>" you would get some clue about what's going on. In which state does the client get stuck: dot1X-REQD or DHCP-REQD, etc.?

HTH

Rasika

*** Pls rate all useful responses ***

I honestly didn't check. I will have a look tomorrow, but meanwhile back to my original question:

 - when using FlexConnect Groups, do I still need to define each of the AP group members as a RADIUS client on the RADIUS server?

YES, if you want this setup to work even in scenarios where the WLC is not reachable.

HTH

Rasika

Ok, so this is needed for Standalone mode.

What if the WLC is still available? What are then the requirements?

If the WLC is available in your branch & the APs are in "connected mode", then the RADIUS auth requests coming from clients are handled by the WLC. So your RADIUS server should see the requests coming from the WLC management interface & not from the APs directly.

In "standalone mode" the APs will forward those directly to the RADIUS server, as the WLC is no longer in the picture.

HTH

Rasika

*** Pls rate all useful responses ***

Thanks for the explanation Rasika, it makes sense.

Now back to my scenario: my first round of tests is keeping the APs in connected mode. Furthermore, I am using the very same RADIUS server.

It's just when I tick Local Authentication, it stops working; removing that option and switching back, it all works. From this I assume enabling Local Authentication requires additional configuration, but what am I missing?

Hi guys,

2 months later and I have made some steps on this. For anyone that wants to use FlexConnect Local Authentication, here are the steps:

1. Use FlexConnect Groups (General tab\AAA) and add at least one primary RADIUS server.

2. Make sure you add all your APs from that FlexConnect Group as RADIUS clients on your RADIUS server.

3. Tick FlexConnect Local Authentication in the WLAN (Advanced tab).


And now it works. The question is: if one WLAN uses FlexConnect Central Authentication and either the WLC fails or the APs simply cannot reach the WLC, is there any method/option so that all APs would automatically transition to FlexConnect Local Authentication?


Hi Florin,


Probably you have already received an answer to the last question, but in case someone else has the same question, I would say there is no way to do that automatic transition.

Jaime

Hi mate,


Thanks for dropping by; as we speak I got the same answer: no possibility for the switchover.

Hello Florin,

I want to know how you declare the access point on the RADIUS server in order to enable the authentication requests sent directly by the access point?

Thanks

Regards
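As an added example (not code from anyone in this thread), here is one way to do step 2 of the procedure above, which is also what the question just above asks about: registering every AP of a FlexConnect group as a RADIUS client on a Windows NPS server with netsh, using the same shared secret that was entered on the group's General tab. The group name, AP names and addresses are constructed placeholders; the WLC management address is kept as a client as well, because in connected mode the requests still come from the WLC.

```powershell
# Added example: register the APs of one FlexConnect group as RADIUS clients on
# Windows NPS via netsh. Group name, AP names and IPs are constructed placeholders.
# The shared secret must be identical to the one on the FlexConnect group's
# General tab (AAA); otherwise requests sent by a standalone AP are silently dropped.

$groupName = "FlexGroup-Branch1"                 # placeholder FlexConnect group name
$apClients = @{                                  # constructed AP list: name -> IP
    "AP-Branch1-01" = "192.0.2.11"
    "AP-Branch1-02" = "192.0.2.12"
}
$wlcMgmt   = @{ "vWLC-mgmt" = "192.0.2.1" }      # placeholder WLC management address

# Prompt for the secret instead of hard-coding it in the script.
$secret = Read-Host "RADIUS shared secret for $groupName"

foreach ($entry in ($apClients + $wlcMgmt).GetEnumerator()) {
    # requireauthattrib=YES makes NPS insist on the Message-Authenticator attribute,
    # which EAP (PEAP) Access-Requests carry; it prevents spoofed requests from a
    # host that only knows the client IP but not the secret.
    & netsh nps add client name="$($entry.Key)" address="$($entry.Value)" `
        state="ENABLE" sharedsecret="$secret" requireauthattrib="YES" `
        napcompatible="NO" vendor="Cisco"
}

# Verify what NPS now accepts requests from.
& netsh nps show client
```

If a client with the same name already exists, `netsh nps add client` fails; use `netsh nps set client` to update it instead.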

Hi All, 

I am trying to configure a FlexConnect group RADIUS server which points to the local ISE PSN in the branch, thinking that it will override the global RADIUS server which is configured under the corporate SSID on a centralized controller, but it does not seem to be working.

Users are still being authenticated by the global RADIUS server. I know this FlexConnect group RADIUS should work for APs in standalone and connected mode. My APs are in connected mode currently.

Hope to see some help on this.
