PEAP caching

wooiboontan
Level 1

Hi,

We would like to deploy the LAP at a remote site with IAS RADIUS authentication from the main office, but we are facing the problem that if the connection to the main office fails, the authentication will fail. Is there a way to cache the credentials for authenticated accounts?

The following is the connection of the WLAN:

IAS --- Router (main office) --- WAN --- Router (remote site) --- WLC --- AP1131

Appreciate your comments and suggestions.

mark.cronin
Level 2

You may want to speak to Infoblox

I believe they were working on something that can help you

Mark

Leo Laohoo
Hall of Fame

Move your WLC to your main office and configure H-REAP.

H-Reap Design and Deployment Guide

http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

H-REAP Modes of Operation Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

Hybrid Remote Edge Access Point (H-REAP) Basic Troubleshooting

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml

Johannes Luther
Level 4

First of all:

Do you have redundant authentication servers? So, is there one in the headquarters and one in the remote site?

No, we only have a RADIUS at HQ. Seems like HREAP is the only solution which can keep established WLAN connections alive even if the MPLS/WAN connection to HQ goes down.

Appreciate everyone's comments.

Sorry, I don't get it :-)

If your WAN connection is going down, the authentication server won't be available. It doesn't matter if you are using HREAP or not. The HREAP AP would have to contact the central authentication server as well.

Sorry for bugging you - perhaps someone could enlighten me and solve the mystery of what HREAP could do here.

You are right. When the WAN connection is down, no wireless client can get authenticated by the RADIUS, but the existing authenticated wireless clients can still access local network resources when using HREAP with central authentication and local switching (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml). So far this is the only workaround I have found.

You just have to make sure that you don't use a session-timeout. This is very common in 802.1x installations. The client has to re-authenticate every "xx" minutes.

Leo Laohoo
Hall of Fame

Thanks for the rating.

One of the benefits (and I'm sure there are a lot) of H-REAP is that you don't need to deploy your WLCs off site. And when your sole WLC goes down for maintenance or faults, and as long as your LAP doesn't reboot, you still have wireless service.
