
ISE with FlexConnect AP

fatalXerror
Level 5

Hi Guys,

Good Day!

Just want to ask if you already have a deployment like this.

We have a local standalone ISE and a wireless LAN in which the WLC resides in another country. The AP is configured as FlexConnect (locally switched, local authentication) and the users need to authenticate to the standalone ISE via the FlexConnect AP.

Does the FlexConnect AP support the RADIUS protocol for the authentication of users to the ISE? And does the AP support CoA so that ISE can return VLAN, DACLs, etc.? Because I believed if your AP is configured as FlexConnect (local switch, local authentication), your AP will not communicate with the WLC as far as the authentication is concerned?

Thanks.

1 Reply

Gagandeep Singh
Cisco Employee

FlexConnect, previously known as Hybrid Remote Edge Access Point (HREAP) mode, is supported with central authentication configuration deployment starting from WLC 7.2.110.0. For additional details regarding FlexConnect support, refer to the release notes for the applicable wireless controller platform.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html#79546

Cisco ISE Central Web Authentication (CWA)

Customers may choose to use Cisco ISE as their guest management solution. Using Mac Based Authentication (MBA) on an open network, Cisco ISE can instruct the AP to redirect the client to the guest portal hosted on the Cisco ISE server. After the client satisfies the guest portal requirements, Cisco ISE will instruct the AP using CoA to grant elevated network access.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Change_of_Authorization_with_RADIUS_(CoA)

Regards

Gagan

PS: rate helpful posts!!!!!
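
The CoA step mentioned in the reply above, shown at the wire level as an added example (not from either poster or from Cisco or Meraki documentation): a device receiving a RADIUS CoA-Request (RFC 5176) should accept it only if the Request Authenticator matches the shared secret. The function names, shared secret and MAC address are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43          # RFC 5176 packet code for CoA-Request
CALLING_STATION_ID = 31   # RFC 2865 attribute, commonly the client MAC

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(header: bytes, attributes: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()

def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """What the RADIUS server side sends to the AP or controller."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    return header + _authenticator(header, attributes, secret) + attributes

def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: drop any CoA-Request whose authenticator does not match."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding (RFC 2865)
    expected = _authenticator(packet[:4], packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes of an already verified packet."""
    out, pos = {}, 20
    end = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > end:
            raise ValueError("malformed attribute")
        out[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return out

# Constructed sample values, not taken from the thread
SECRET = b"example-shared-secret"
SAMPLE = build_coa_request(7, attr(CALLING_STATION_ID, b"00-11-22-33-44-55"), SECRET)
```
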