
AP's in flex connect - authentication etc

carl_townshend
Spotlight

Hi All

Can someone please answer me the following

 

We have 3 large sites, there will be a WLC located on 2 of the sites, then AP's dotted around all of the sites.

 

My questions are

 

1. In this scenario would you use flex connect mode?

2. Can you use 802.1X PEAP, if both controllers are lost will only local auth work like WPA etc?

3. Will roaming work in flex connect mode?

 

Is there anything else I need to know? And is this an OK design?

 

cheers

 

Carl

 

4 Replies

Sandeep Choudhary
VIP Alumni

Hi Carl,

Suggestion:

If you have WLCs in 2 locations out of 3, then I will suggest that you buy one for the 3rd also.

So that each location will have its own WLC to handle AP traffic.

Then you can have a RADIUS server at the central location and can configure 802.1X PEAP.

1. In this scenario would you use flex connect mode?

I will not use it, but if you don't have enough budget then you can use FlexConnect.

2. Can you use 802.1X PEAP, if both controllers are lost will only local auth work like WPA etc?

Yes, it will work.

3. Will roaming work in flex connect mode?

Yes, it will work.

HREAP Mode of Operation:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81680-hreap-modes.html

Regards

Don't forget to rate helpful posts

abwahid
Level 4

Hi,

1. I will not use flex connect if I have budget to purchase 3 WLCs for 3 sites; anyhow, in your case flex-connect will work fine if your 3rd site internet link / bandwidth is OK.

2. It will work

3. It will work

This design is OK, it will work.

jordanburnett
Level 4

1. In this scenario would you use flex connect mode?

If you cannot afford another WLC, flexconnect mode should work fine. Flexconnect local switching could save you some bandwidth on the WAN or site-to-site links--you may want to look into that. 

2. Can you use 802.1X PEAP, if both controllers are lost will only local auth work like WPA etc?

You can use PEAP, and even if both controllers are lost, you can still configure the AP or FlexConnect group with AAA/RADIUS servers directly. In the case of both controllers failing, the AP will act as the authenticator and will send authentication requests directly to the RADIUS server (instead of the WLC). 

The other option is to use local RADIUS users. The flexconnect APs will store a copy of the local user DB and can authenticate clients locally. Obviously this is not ideal as you will probably need to have the users change the username/password they are using in their supplicant. 

Note that in this case you will need to add the APs to the list of allowed authenticators in your RADIUS server (add them as Network Access Devices (NADs) in ISE, for example). 

3. Will roaming work in flex connect mode?

Yes, assuming that you have configured the AAA servers for the failover scenario in the FlexConnect group as stated above OR you have clients re-authenticate using local RADIUS user accounts (each FlexConnect AP will have a local copy of the local RADIUS user database to re-authenticate clients upon roaming).
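
The point in the reply above about adding the APs as allowed authenticators can be verified before an outage exposes a gap. The following is an added example, not part of any reply in this thread: it assumes a FreeRADIUS `clients.conf` rather than ISE, and the client entries, AP names and addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed sample of a FreeRADIUS clients.conf (assumption: FreeRADIUS is
# the RADIUS server; the thread itself only names ISE as an example).
SAMPLE_CLIENTS_CONF = """
client wlc-site1 {
    ipaddr = 10.1.0.10
    secret = placeholder-secret
}
# FlexConnect APs at the third site, allowed as a subnet
client flex-aps-site3 {
    ipaddr = 10.3.20.0/24
    secret = placeholder-secret
}
"""

# Constructed AP inventory: AP name -> management IP
SAMPLE_APS = {
    "ap-site3-01": "10.3.20.11",
    "ap-site3-02": "10.3.20.12",
    "ap-site3-wh-01": "10.3.21.5",    # outside the allowed subnet
    "ap-site3-yard-02": "10.3.30.7",  # outside the allowed subnet
}

def parse_clients(conf_text):
    """Return {client_name: ip_network} for each client block with an ipaddr."""
    clients = {}
    text = re.sub(r"#.*", "", conf_text)  # drop comments
    for name, body in re.findall(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        m = re.search(r"^\s*ipaddr\s*=\s*(\S+)", body, re.MULTILINE)
        if m:
            clients[name] = ipaddress.ip_network(m.group(1), strict=False)
    return clients

def uncovered_aps(aps, clients):
    """Return sorted names of APs whose IP matches no RADIUS client entry.

    These APs would have their requests dropped by the RADIUS server when
    they authenticate clients directly after losing both controllers.
    """
    missing = []
    for ap, ip in aps.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in clients.values()):
            missing.append(ap)
    return sorted(missing)

if __name__ == "__main__":
    for ap in uncovered_aps(SAMPLE_APS, parse_clients(SAMPLE_CLIENTS_CONF)):
        print(f"not an allowed RADIUS client: {ap} ({SAMPLE_APS[ap]})")
```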

tomathur
Level 1

Hi Carl,

I would beg to differ from others here. I would actually recommend using APs in FlexConnect mode to save money and bandwidth. The whole purpose behind developing the Flex mode was to save money and bandwidth across the WAN links.

++ You can deploy all the APs in the 3rd site as flexconnect APs with local switching. This way all the data traffic for the clients would directly be switched to the distribution system from the local AP and would not traverse back to the WLC.

++ You need to have all the Flex APs at same site to be in same Flexconnect group to enable seamless roaming of clients on that site.

++ In case of a link failure between the WLC and the remote site, the AP will automatically start working as a standalone AP.

++ Rest all the queries have been brilliantly answered by other friends of ours.

 

Cheers,

Tony

 

 
