
WLC Flexconnect vs 802.1x Local authentication

m.chartier
Level 1

Hi, 

Can someone clarify this point:

We have some AP groups and FlexConnect groups, and some are used in our branch offices. We want to use the feature of local authentication with a RADIUS server on some branches to be able to have Wi-Fi in case of a WAN failure.

When the AAA is configured in the FlexConnect groups, if I put the server on the branch as primary and another server as secondary, will all the 802.1x queries go to the branch server, even when the WAN is available? In the SSID config, the main 802.1x server is in our primary datacenter... but we want to keep 802.1x traffic local even if the WAN is available.

Thanks,


3 Replies

"When the AAA is configured in the FlexConnect groups, if I put the server on the branch as primary and another server as secondary, will all the 802.1x queries go to the branch server, even when the WAN is available?"

For the APs that belong to a given FlexConnect AP group, authentication requests should go to the server configured under the FlexConnect group.

Refer to the link below for details on FlexConnect design:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html

HTH

Rasika

*** Pls rate all useful responses ***

It is unnatural to doubt you, but are you sure? :-)

When the WAN is available the access-point is no longer in standalone mode and the WLC should be used again. If you always want to use the settings configured within the FlexConnect group you also need to enable the "FlexConnect local authentication" option within the WLAN I thought?

mohanak
Cisco Employee

If a FlexConnect is configured with both a backup RADIUS server and local authentication, the FlexConnect access point always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect access point itself (if the primary and secondary are not reachable).

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#15636
