10-04-2021 02:41 AM
Hi all,
I have a hard time understanding and configuring the following:
- we have a 9800-CL WLC at the headquarters where we also have a central RADIUS server
- SSID is configured for FlexConnect and working with Central Auth and Local Switching in the remote sites
We want to achieve the following:
- When WAN is down we want to use a locally available RADIUS server at the remote sites as backup
- When WAN is back up the clients shall use the headquarters RADIUS again
How to configure this on the 9800?
WLC Version is 17.3
Thanks for your help!
10-04-2021 02:49 AM
If you configure both RADIUS servers (primary HQ, secondary as local), then if the primary one is not reachable it has only the option to reach the local one, right?
10-04-2021 02:59 AM
Thx for your reply:
- So I do configure both RADIUS servers and put them in one RADIUS group
- Then put this Server Group in the Method List
- Assign this Method List in the WLAN Profile under Security - AAA - Authentication List
What do I have to check in the Policy Profile then?
- Central Authentication and Central Association or not? Because it is kind of both then.
10-04-2021 04:04 AM
1. You need to create local RADIUS servers and put them under the group called local and create central RADIUS servers and put them under the group "central".
2. Under the policy profile select "Central Auth" if you need the WLC to be handling the authentication as primary.
3. Add the central RADIUS server group under the policy profile.
4. Go to Flex profile >> Local Authentication >> Radius Server Group and select the local RADIUS server group.
This way in connected mode the AP will authenticate clients using the central RADIUS server and in standalone mode the AP will use its locally configured RADIUS servers. Remember you need to add each AP or the complete AP management subnet in the local RADIUS server as NADs.
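The four steps in the answer above, sketched as 9800 IOS-XE CLI. This is an added example, not part of the original posts or Cisco's own configuration. All profile, group and list names, addresses and keys are placeholders, and the central method list is attached on the WLAN as described in the 02:59 reply.

```cisco
! Constructed example: every name, IP address and key below is a placeholder.
aaa new-model
!
! Step 1: HQ and remote-site RADIUS servers, each in its own server group
radius server HQ-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <hq-shared-secret>
radius server SITE-RADIUS
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key <site-shared-secret>
!
aaa group server radius central-radius
 server name HQ-RADIUS
aaa group server radius site-radius
 server name SITE-RADIUS
!
! Step 3: method list that references only the central group
aaa authentication dot1x central-dot1x group central-radius
!
! WLAN profile > Security > AAA > Authentication List
wlan corp-wlan 1 corp-ssid
 security dot1x authentication-list central-dot1x
 no shutdown
!
! Step 2: policy profile with central authentication and local switching
wireless profile policy corp-policy
 central authentication
 no central switching
 no shutdown
!
! Step 4: flex profile points standalone-mode APs at the site group.
! The site RADIUS server must list each AP (or the AP management
! subnet) as a NAD, because in standalone mode the AP sends the
! requests itself.
wireless profile flex site-flex
 local-auth radius-server-group site-radius
```

Keeping the site server out of the central method list is what separates the two modes: the WLC only ever uses the HQ group, and the AP falls back to the flex profile's group when it loses the WLC.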