cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
997
Views
15
Helpful
3
Replies

Local Radius as Backup in Flexconnect 9800-CL

Nydo89
Beginner
Beginner

Hi all,

 

I have a hard time understanding and configuring the following:

 

- we have a 9800-CL WLC in the headquarter where we also have a central Radius Server

- SSID is configured for Flexconnect and working with Central Auth and Local Switching in the remote sites

 

We want to achieve the following:

- When WAN is down we want to use a local available Radius Server at the remote Sites as backup

- When WAN is back up the clients shall use the headquarters Radius again

 

How to configure this on the 9800? 

WLC Version is 17.3

 

Thanks for your help!

1 Accepted Solution

Accepted Solutions

Arshad Safrulla
VIP Alumni
VIP Alumni

1. You need to create local Radius servers and put them under the group called local and create central radius servers and put them under the group "central".

2. Under the policy profile select "Central Auth" if you need WLC to be handling the Authentication as primary.

3. Add the Central Radius server group under the policy profile.

4. Go to Flex profile>>Local Authentication>>Radius Server Group and select the local radius server group.

 

This way in the connected mode AP will authenticate clients using the central Radius server and in standalone mode AP will use it's locally configured radius servers. Remember you need to add each AP or complete AP management subnet in the local radius server as NAD's.

View solution in original post

3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

If you configure both the Radius Server (Primary HQ , Secondary as Local ) , if the Primary one not reachable it has only Option to reach Local one right ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thx for your reply:

- So I do configure both Radius Servers and put them in one Radius Group

- Then put this Server Group in the Method List

- Assign this Method List in the WLAN Profile under Security - AAA - Authentication List

 

What do I have to check in the Policy Profile then?

- Central Authentication and Central Association or not? Because it is kind of both then.

Arshad Safrulla
VIP Alumni
VIP Alumni

1. You need to create local Radius servers and put them under the group called local and create central radius servers and put them under the group "central".

2. Under the policy profile select "Central Auth" if you need WLC to be handling the Authentication as primary.

3. Add the Central Radius server group under the policy profile.

4. Go to Flex profile>>Local Authentication>>Radius Server Group and select the local radius server group.

 

This way in the connected mode AP will authenticate clients using the central Radius server and in standalone mode AP will use it's locally configured radius servers. Remember you need to add each AP or complete AP management subnet in the local radius server as NAD's.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: