Roaming between flexconnect APs when WAN link down

alaugros2
Level 1

Hello,

My customer would like to migrate all APs in all sites to flexconnect. All APs on remote sites will join a central controller located in datacenter.

Users will connect to a locally switched WLAN. 802.1X authentication with EAP-TLS will be used to authenticate these users on this WLAN. The Radius server used for authentication is located in Datacenter. There is no backup authentication server on remote site.

My question is: in case of a WAN failure, will users already fully authenticated before the failure be able to roam from one flexconnect AP to another one in the same remote site? Are there any limitations?

Thank you for your help!

Arthur

Accepted Solution

Freerk Terpstra
Level 7

Be aware that with FlexConnect the point-of-presence (PoP) of the client will move with every roam. This basically means that the used VLAN(s) should be available for every access-point and that the client's MAC address will move with every roam. This can lead to MAC flaps, which is normal in this scenario but be aware of it.

By default clients cannot roam anymore when there is no active connection back to the controller because you use a central method for the authentication. Clients which stay associated with the same AP will be able to continue to work for as long as the session timeout is configured. There are two ways to make this more redundant which both require the use of FlexConnect groups.

The first scenario is that you use "external authentication", which means that the access-points will reach out to the external RADIUS server themselves when they are in standalone mode (not connected to the controller anymore). In your scenario the WAN link is down and I don't expect a local RADIUS server to be available, so this is probably not a solution for you. The second scenario is "local authentication", which will turn your access-point into a local RADIUS server. By uploading the CA and the device certificate your access-points will be able to authenticate the client themselves.

Local authentication in standalone mode
1. Upload the certificates as PEM files (Commands -> Download file to Controller)
2. Reload the controller
3. Verify the certificates (Security -> Advanced -> Vendor Certs)
4. Go to Wireless -> FlexConnect Groups
4.1 General -> Make sure the access-points are added (or primed in case of back-up controller)
4.2 General -> Check the "Enable AP Local Authentication" checkbox
4.3 Local Authentication -> Protocols -> Check the "Enable EAP TLS Authentication"
4.4 Local Authentication -> Protocols -> Check or click "EAP TLS Certificate download"
5. Click Apply in the right upper corner of the screen

Please rate useful posts... :-)

Thank you very much for your help.

This helps.

Arthur

Hello, could you please share the configuration steps for the external authentication method. I have 1 WLC and 3 sites. I have a radius server set up at each site. When the access point is in connected mode it should use the WLC to help authenticate. But in standalone mode I need it to contact a different server.

Thank you

mohanak
Cisco Employee

When a FlexConnect access point can reach the controller (referred to as the connected mode), the controller assists in client authentication. When a FlexConnect access point cannot access the controller, the access point enters the standalone mode and authenticates clients by itself.

When a FlexConnect access point enters standalone mode, it disassociates all clients that are on centrally switched WLANs. For web-authentication WLANs, existing clients are not disassociated, but the FlexConnect access point stops sending beacons when the number of associated clients reaches zero (0). It also sends disassociation messages to new clients associating to web-authentication WLANs. Controller-dependent activities, such as network access control (NAC) and web authentication (guest access), are disabled, and the access point does not send any intrusion detection system (IDS) reports to the controller. Most radio resource management (RRM) features (such as neighbor discovery; noise, interference, load, and coverage measurements; use of the neighbor list; and rogue containment and detection) are disabled. However, a FlexConnect access point supports dynamic frequency selection in standalone mode.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#wp1224777
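To make the WAN-outage behaviour from the accepted solution and from the standalone-mode description above concrete, here is a small Python model added to this thread (it is not Cisco code and not from any of the posters): it encodes the rules as stated in both posts, namely that centrally switched WLANs drop in standalone mode, that a roam is a new 802.1X exchange which only succeeds if the AP can still reach an authenticator (local or external), and that clients staying on their AP survive until the session timeout. The WLAN names, MAC addresses, the 1800 s session timeout and the timestamps are constructed sample data.

```python
from collections import namedtuple
CONNECTED, STANDALONE = "connected", "standalone"
# local_switching: True = FlexConnect locally switched WLAN, False = centrally switched
# auth: "central" (via the WLC), "local" (AP local RADIUS), "external" (site RADIUS server)
# session_timeout: seconds an 802.1X session stays valid; 0 = no timeout
Wlan = namedtuple("Wlan", "local_switching auth session_timeout")
Client = namedtuple("Client", "mac wlan ap authenticated_at")  # authenticated_at: epoch seconds

def can_authenticate(wlan, mode, site_radius_reachable=False):
    """Can a (re)authentication complete on the AP in this mode?"""
    if mode == CONNECTED:
        return True                    # WLC relays to the datacenter RADIUS server
    if wlan.auth == "local":
        return True                    # AP is its own RADIUS server (uploaded CA + device cert)
    if wlan.auth == "external":
        return site_radius_reachable   # AP contacts a RADIUS server on its own
    return False                       # central auth needs the WLC, which is unreachable

def client_state(client, wlan, mode, now, site_radius_reachable=False):
    """'ok', 'disassociated' (centrally switched WLAN in standalone) or 'session_expired'."""
    if mode == STANDALONE and not wlan.local_switching:
        return "disassociated"
    expired = wlan.session_timeout > 0 and now - client.authenticated_at >= wlan.session_timeout
    if expired and not can_authenticate(wlan, mode, site_radius_reachable):
        return "session_expired"
    return "ok"

def roam(client, wlan, new_ap, mode, site_radius_reachable=False):
    """A roam is a fresh association on new_ap, so it needs a new 802.1X exchange."""
    if mode == STANDALONE and not wlan.local_switching:
        return False, "centrally switched WLAN is unavailable in standalone mode"
    if can_authenticate(wlan, mode, site_radius_reachable):
        return True, f"re-authenticated on {new_ap} using {wlan.auth} authentication"
    return False, f"{wlan.auth} authentication is unreachable in {mode} mode"

# Constructed sample site: two locally switched EAP-TLS WLANs and a centrally switched guest WLAN
WLANS = {"corp-central": Wlan(True, "central", 1800),
         "corp-local": Wlan(True, "local", 1800),
         "guest": Wlan(False, "central", 0)}
CLIENTS = [Client("00:11:22:33:44:01", "corp-central", "ap1", 1000),   # all on ap1, auth at t=1000
           Client("00:11:22:33:44:02", "corp-local", "ap1", 1000),
           Client("00:11:22:33:44:03", "guest", "ap1", 1000)]

def outage_report(mode, now, site_radius_reachable=False):
    """Per-client (state, can_roam_to_ap2) for an outage observed at time `now`, keyed by MAC."""
    return {c.mac: (client_state(c, WLANS[c.wlan], mode, now, site_radius_reachable),
                    roam(c, WLANS[c.wlan], "ap2", mode, site_radius_reachable)[0])
            for c in CLIENTS}
```

Running `outage_report(STANDALONE, 1100)` shows the corp-central client still connected but unable to roam, the corp-local client able to roam, and the guest client dropped; moving `now` past the session timeout turns the corp-central client into `session_expired`.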

Thank you Mohanak! This helps.

Arthur
