11237 Views | 0 Helpful | 6 Replies

Flexconnect local authentication (PSK) - Is it really local or not?

ldeoliveira (Level 1)

I am a bit unclear about the Local Authentication feature of Flexconnect.

According to the documentation, if local authentication is selected on a flex-connect AP, as long as the WLC is reachable, the authentication will be forwarded to the WLC. However, if the WLC becomes unreachable, then authentication is handled locally by the AP.


This doesn't make sense. Isn't the whole point of local authentication to ensure that traffic between the WLC and AP is reduced so it doesn't have to travel up the WAN if the WLC is located in a datacentre somewhere?

Also, does anyone know how often the PSK is synched between the WLC and the APs?

6 Replies

Ric Beeching (Level 7)

It is a bit convoluted to begin with!

If you want to do only local authentication without having to auth across the WAN to your WLC then select FlexConnect Local Auth under the WLAN ID settings.

If you want to do both then it will centrally auth by default and switch to Local Auth if the WAN goes down and the AP enters standalone mode. This is only if local switching is also enabled.

For synching of PSKs - as soon as you make a change to the PSK that will cause the WLC to synch with any APs requiring it so effectively it is instantaneous.

Ric

-----------------------------
Please rate helpful / correct posts
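The three cases Ric lays out (local auth plus local switching, local switching alone, neither) are easy to confuse when auditing a branch WLAN. The following is an added example, not code from the thread or from Cisco: it parses the dotted-leader lines of an AireOS `show wlan <id>` dump and classifies where client authentication actually happens under those rules. The sample output and the two field labels (`FlexConnect Local Switching`, `FlexConnect Local Authentication`) are constructed assumptions for illustration; adjust the labels to match the output of your controller version.

```python
import re

# Constructed sample of an AireOS "show wlan <id>" dump, trimmed to the lines
# this check needs. The field labels are assumed, not copied from a real WLC.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 5
Profile Name..................................... Branch-Staff
Network Name (SSID).............................. Internal_Staff
Status........................................... Enabled
FlexConnect Local Switching...................... Enabled
FlexConnect Local Authentication................. Enabled
"""

# One "Key.......... Value" line per match; keys contain no dots themselves.
FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.+?)\s*$", re.M)


def parse_show_wlan(text):
    """Return {field: value} for every dotted-leader line in a show wlan dump."""
    return {m.group("key").strip(): m.group("value") for m in FIELD_RE.finditer(text)}


def auth_path(fields):
    """Classify where client authentication happens, following the thread:

    - local switching + local auth -> the AP always authenticates; only CAPWAP
      control traffic crosses the WAN
    - local switching only         -> the WLC authenticates while reachable and the
      AP takes over once it enters standalone mode
    - no local switching           -> the WLC authenticates; local auth on its own
      gives no standalone fallback
    """
    switching = fields.get("FlexConnect Local Switching", "Disabled") == "Enabled"
    local_auth = fields.get("FlexConnect Local Authentication", "Disabled") == "Enabled"
    if switching and local_auth:
        return "ap-always"
    if switching:
        return "wlc-with-standalone-fallback"
    if local_auth:
        return "wlc-only (local auth ignored without local switching)"
    return "wlc-only"


if __name__ == "__main__":
    fields = parse_show_wlan(SAMPLE_SHOW_WLAN)
    print(fields["Network Name (SSID)"], "->", auth_path(fields))
```

Run it against the text of `show wlan <id>` captured from each branch WLAN; any result other than `ap-always` means authentication still depends on the WAN path to the controller, which is the situation the original question is trying to avoid.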

Hi Ric,

Thanks for stepping in and trying to clarify. To be honest, I still don't get it.

The requirement is for local switching. We don't want the Wi-Fi traffic to travel up the WAN link to the controller (this is for a small branch office that doesn't have a controller, just APs).

So what you're saying is that if local switching is enabled, then authentication will first go via the WLC and then via the local APs when these enter standby mode (i.e. cannot reach any WLC)? What is the advantage of authenticating through the WLC if the AP can do that locally?

cheers

Leo

In your scenario the AP will always handle authentication. However if you change the PSK under the WLAN Settings on the WLC this will then propagate out to those APs.

So the only traffic you should see across your WAN will be CAPWAP Control traffic.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

My wireless structure uses the same SSID (for example: Internal_Staff) for all locations and offices.

We have 2 x 2504 in HA, set up in the data center, and all branch offices connect to the data center WLC through VPN. Branch office APs use FlexConnect with the same SSID and local network addresses. We also use a RADIUS server for authentication.

My question is: can I use "Local Authentication" as primary rather than "Central Authen"?

If your APs are FlexConnect and you have a RADIUS server on the local side for authenticating wireless clients, then yes, you can use local authentication.

mohanak (Cisco Employee)

Local authentication, local switching—In this state, the FlexConnect access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

In connected mode, the access point provides minimal information about the locally authenticated client to the controller. The following information is not available to the controller:

Policy type

Access VLAN

VLAN name

Supported rates

Encryption cipher

Local authentication is useful where you cannot maintain a remote office setup of a minimum bandwidth of 128 kbps with the round-trip latency no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 500 bytes. In local authentication, the authentication capabilities are present in the access point itself. Local authentication reduces the latency requirements of the branch office.
