12-06-2011 03:41 AM - edited 07-03-2021 09:11 PM
Hi,
In an H-REAP solution with central authentication and local switching, do we have any fallback method of authentication in case the controller fails or the WAN link to the controller fails? Like WPA/WPA2 PSK authentication for the H-REAP LWAPP in standalone mode.
Thanks,
arun
12-06-2011 05:30 AM
What security do you plan to use?
If you are using PSK, you are fine as the keys live on the AP. So if you lose the controller, clients will still authenticate. If you are using 802.1X, that's a different story.
12-06-2011 05:45 AM
Just to add: when using 802.1x for central authentication, you can't fall back to a PSK. For 802.1x, your best choice is a local RADIUS server and using H-REAP groups. This way you can set the primary to the RADIUS at the local site, and the central site is the backup in case the local RADIUS stops working.
12-13-2011 11:37 PM
Even if we use H-REAP groups, if we lose the connectivity to the WLC, users will not be authenticated, right?
Thanks,
arun
12-14-2011 05:50 AM
If you're using PSK or have a local RADIUS and AD (802.1x), your clients can still function.
Sent from my iPhone
12-14-2011 09:04 PM
Think of it like this. If you use RADIUS (EAP) and it's at the central office and you lose the link, you also lose the ability to authenticate, right?
If you use local RADIUS (as Scott mentioned) or PSK, these reside locally and your clients will still authenticate.
12-14-2011 11:07 PM
Thanks for the info, George and Scott. So if we have the H-REAP groups configured on the WLC and point the authentication to an onsite/local RADIUS for the remote site, then even if we lose the connectivity to the WLC over the WAN, new clients can authenticate via the local RADIUS server which is configured in the H-REAP group. Am I right?
Also, can we have the H-REAP group point the authentication to a RADIUS server in a different site which is reachable from both the WLC site and the H-REAP AP site?
12-14-2011 11:10 PM
You can... Just remember you are limited to 25 APs per H-REAP group. But you can have more than one H-REAP group per site.
Sent from my iPhone
12-14-2011 11:15 PM
Scott, if you have more than 1 H-REAP group at a site, don't you break roaming? I thought I remember seeing that when you are roaming between two H-REAP groups it won't be a seamless roam; you actually have to deauth and come back in, which would cause voice delays, for example.
12-14-2011 11:22 PM
Correct... But that is why you group your APs correctly. At least you have seamless roaming between APs in the same group. The issue I see is large H-REAP deployments. Your choice is to either not use H-REAP groups and do PSK or, if you are doing 802.1x, at least use H-REAP groups.
Sent from my iPhone