Solved: Re: Preparing for conversion from PSK to 802.1x

inlandprinting · ‎09-24-2019

I've been tasked with setting up Certificate based authentication on our wireless network. i'm close but am looking for advise from anyone who might have done this or something similar. we have a semi-complex architecture. One primary facility and three satellite facilities that are geographically diverse. Currently i'm running Local mode AP's at the primary facility where the WLC is, and Flexconnect at all the satellite facilities.

I've got the certificate auto-enrollment policies in place and they work fine, and i've got a test SSID setup which works fine for the primary site. is there a way to do a gradual transition at the Flex connect sites by using two different SSID's on the same vlan? what i'm running up against is the inability to map the test SSID to flexconnect AP's because they already have the Vlan mapped on a different SSID.

error is "nWlan-Vlan mapping only allowed for locally switched Wlan"

.

inlandprinting · ‎09-26-2019

figured it out. the new network was not setup for Flexconnect local switching. enabled that option and it let me add it.

View solution in original post

Flavio Miranda · ‎09-24-2019

Hi

I have different SSID mapped to the same vlan. Are you doing it on AP level or flexconnect group level?

-If I helped you somehow, please, rate it as useful.-

inlandprinting · ‎09-25-2019

I'm not real sure how to answer that. for now lets disregard my primary facility because it works fine there but the AP's are in local mode.

the satellite facilities are in flexconnect mode. I handle SSID assignments via Ap Groups, and Vlan mappings via Flexconnect groups. I add the SSID to the AP group (whish should make the SSID broadcast on all AP's in the group). then i go to flex connect group and add a vlan mapping for Wlan ID 19 to Vlan 10. this is where i get my error. because Vlan 10 is already mapped on Wlan ID 3.

If I go to the flex connect tab on one of the group AP's once the SSID has been added to the group and click on Vlan mappings it shows the two SSID's I expect and then the new one with no Vlan assignment is listed under centrally switched Wlans.

Flavio Miranda · ‎09-25-2019

If you take a look on the attached pic, we´re going to see different wlan ids mapped to the same vlan. I took this form my wlc.

Do you have on the satellite site the vlan you are trying to map, right ?

inlandprinting · ‎09-25-2019

only difference is I don't have the override Vlan option checked. not sure what that does.

inlandprinting · ‎09-25-2019

I checked the override Vlan option and tried again, but got the same results.

Flavio Miranda · ‎09-25-2019

Which WLC model and version do you have?

Do you have the vlan locally created on the satellite site?

-If I helped you somehow, please, rate it as useful.-

inlandprinting · ‎09-25-2019

i'm running 8.2.166.0 on a 5508. The vlans are all created at all sites, but I can't imagine the WLC would be aware or care about that.

Flavio Miranda · ‎09-25-2019

The WLC does not, but the AP yes. After all, you are telling him to drop client´s traffic on the local network, right? You need to have AP port as trunk with the switch and native vlan in order to the AP talk with WLC and local network.

-If I helped you somehow, please, rate it as useful.-

inlandprinting · ‎09-26-2019

I see what you're saying. although this would have nothing to do with setting up the configuration on the WLC you are correct. my APs are on ports configured as trunk ports with the desired Vlans set as allowed.

inlandprinting · ‎09-26-2019

figured it out. the new network was not setup for Flexconnect local switching. enabled that option and it let me add it.