Flexconnect Local Switching

Ermir Morina
Level 1

Greetings Community,


Is there any way for traffic to fail over to the local network after the connection to the WLC fails?

Right now I have Central Authentication with Local Switching, and when I shut down the connection from the WLC to the AP, the hosts that are already authenticated continue working just fine, but I cannot authenticate new users.


Looking forward to your replies!


Kind regards,

Ermir.

9 Replies

Arshad Safrulla
VIP Alumni

You can do local authentication with local switching. In this case, irrespective of whether the AP is in connected mode or standalone mode, the flex AP will take care of authentication and switching.

Please keep in mind that the information made available to the controller will be limited in this case, even when the AP is in connected mode.

Depending on the platform (AireOS or Catalyst) the config will change; you may refer to the config guides. If the correct platform info is provided, we may be able to guide you.

Hello @Arshad Safrulla

I was wondering if you can do MAC filtering on access points (local switching), because our current setup is central auth (local WLC database MAC filtering + PSK) and local switching? (We have a WLC3504 with Air1815i APs on remote sites.)

Arshad Safrulla
VIP Alumni

With AireOS you can do PSK for sure, but if you need MAC filtering you need to have a local RADIUS server and use WPA2-Enterprise.

I haven't done any local auth local switch deployments yet with 9800, so I can't be certain whether the above theory applies to 9800.

Yes, but will that allow me to use that authentication method as a failover method if my authentication towards my central WLC fails?

Arshad Safrulla
VIP Alumni

Yes. Normal authentication is done centrally. On occasions when the WLC is not reachable, the AP authenticates new clients with the locally defined ISE server under the FC group.

So what you are saying is that I have to configure the FlexConnect group, enable Local Auth on the FC group and add my ISE server, and that will allow it, in cases when Central Auth (WLC MAC filtering) isn't reachable, to switch to the ISE server?

Also, there will still be another problem, because my ISE server and the WLC are on the same central site and are reached through the same routes and connections, so once the WLC is down (I mean in cases when I probably won't have a VPN connection to my central site) ISE will be down too, and I will lose that failover authentication as well.



@Ermir Morina wrote:

So what you are saying is that I have to configure the FlexConnect group, enable Local Auth on the FC group and add my ISE server, and that will allow it, in cases when Central Auth (WLC MAC filtering) isn't reachable, to switch to the ISE server?


Yes, you need to add each AP as a network device and configure the required RADIUS policies.



Also, there will still be another problem, because my ISE server and the WLC are on the same central site and are reached through the same routes and connections, so once the WLC is down (I mean in cases when I probably won't have a VPN connection to my central site) ISE will be down too, and I will lose that failover authentication as well.


Yes, in that case this will not work; you may have to deploy a PSN node in the branch.

Wouldn't enabling local authentication on access points ruin the functionality of central authentication?

And also, does creating local users on the APs and enabling local authentication allow this setup to work and to function as an authentication failover method (after my connection to the WLC is shut) without any problem?


Thanks a lot for the discussion and your prompt replies, I am so grateful.


The idea of this is that as long as the ISE is reachable from the remote site, wireless users will authenticate centrally. If you have a PSN in the remote site itself, then clients will authenticate against it even when the WAN is down.

OK, I just verified this in my lab. When you have local AP local auth enabled and RADIUS servers configured under the FC group, the AP will directly speak to the ISE for AAA services (the AP is the NAD, not the WLC), irrespective of whether the AP is connected or standalone.

When the AP local auth is not ticked, the WLC authenticates the client against ISE when the WLC is reachable to the client (connected), and when the WLC is not reachable (standalone) the AP authenticates the client to the local ISE.

So to answer your first question, this is a design decision where you have to consider all the pros and cons and do the design accordingly. As for your second question, yes, creating local users will help you to have a failover mechanism. But if you are worried about security, the recommendation would be to have a local PSN at the site.
