11-01-2012 02:38 PM - edited 07-03-2021 10:58 PM
What do they buy me?
I have lots of HREAP APs at the far end of WAN links. Most are single AP installations. I want the enterprise traffic switched to a local vlan to access local resources, and guest traffic sent back to the WLCs. If the WAN link drops, no endpoint traffic leaves the site. Currently associated/authenticated clients should maintain their connections, right?
Local authentication in the event of a WAN outage is not a feasible option.
Any other features or capabilities I'm missing out on?
Just curious.
Thanks!
11-01-2012 02:42 PM
Should you use HREAP Groups... well unless you are putting a RADIUS at each location, then no. It will not buy you anything. The one thing you must note is that if the client session times out and/or if the device has to reauth, then the 802.1x client will not be able to join the wireless. PSK acts differently than 802.1x, so you will just have to weigh the options and understand the risk.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
11-01-2012 02:50 PM
Thanks, just wanted to make sure I wasn't missing out on any cool features.
Local RADIUS and/or PSK are not options. If the WAN link is down long enough for the .1x sessions to time out, I've got bigger fish to fry.
11-01-2012 04:38 PM
FlexConnect APs do support local auth for LEAP and EAP-FAST only, if you worry about WAN connection failure and are OK with this available security.
11-02-2012 03:54 PM
Won't HREAP groups improve roaming?
Sent from Cisco Technical Support iPhone App
11-02-2012 04:41 PM
Benefit for clients that support CCKM/OKC
Controller software releases 7.0.116.0 and later contain these new H REAP group features:
Local authentication—This feature is now supported even when H REAP access points are in Connected Mode.
OKC Fast Roaming—H REAP Groups are required for CCKM/OKC fast roaming to work with H REAP access points. Fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The H REAP access points need to obtain the CCKM/OKC cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM/OKC cache for all 100 clients is not practical. If you create an H REAP Group comprising a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM/OKC cache is distributed among those four access points only when the clients associate to one of them. This feature, along with Backup Radius and Local Authentication (Local-EAP), ensures no operational downtime for your branch sites.
Sent from Cisco Technical Support iPhone App
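The OKC behaviour described in the post above, as an added example that is not part of the thread or Cisco's code: a simplified model in which the APs of one group share a client's cached master key, so a roam inside the group is accepted from the PMKID alone while an AP outside the group falls back to full EAP. The class names, AP names, MAC addresses and key are constructed for illustration; the PMKID formula is the standard IEEE 802.11i one, and CCKM is not modelled.

```python
import hashlib
import hmac

def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    msg = b"PMK Name" + ap_mac + client_mac
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

class AccessPoint:
    def __init__(self, name: str, bssid: bytes):
        self.name, self.bssid = name, bssid
        self.pmk_cache = {}  # client MAC -> PMK learned via the group

class ApGroup:
    """Hypothetical stand-in for an H REAP group: members share the key cache."""
    def __init__(self, aps):
        self.aps = list(aps)

    def distribute(self, client_mac: bytes, pmk: bytes) -> None:
        # After one full EAP authentication, only group members get the key.
        for ap in self.aps:
            ap.pmk_cache[client_mac] = pmk

def handle_reassociation(ap: AccessPoint, client_mac: bytes, offered: bytes) -> str:
    """AP side of a roam: accept a cached key, otherwise require full EAP."""
    pmk = ap.pmk_cache.get(client_mac)
    if pmk is None:
        return "full-eap"  # no cache entry: RADIUS must be reachable
    expected = pmkid(pmk, ap.bssid, client_mac)
    # Constant-time comparison of the PMKID the client offered.
    return "fast-roam" if hmac.compare_digest(expected, offered) else "full-eap"

def demo() -> dict:
    client = bytes.fromhex("020000000001")                # constructed MAC
    pmk = hashlib.sha256(b"constructed sample PMK").digest()
    ap1 = AccessPoint("branch-ap1", bytes.fromhex("02aa00000001"))
    ap2 = AccessPoint("branch-ap2", bytes.fromhex("02aa00000002"))
    ap9 = AccessPoint("hq-ap9", bytes.fromhex("02bb00000009"))  # not in the group
    ApGroup([ap1, ap2]).distribute(client, pmk)  # client did full EAP on ap1
    # OKC client derives a PMKID for each target BSSID from the same PMK.
    return {ap.name: handle_reassociation(ap, client, pmkid(pmk, ap.bssid, client))
            for ap in (ap2, ap9)}

if __name__ == "__main__":
    print(demo())
```

The "full-eap" result is the case the earlier replies warn about: with the WAN down and no cached key on the target AP, the 802.1x client cannot complete the roam.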