Could you please clarify the below scenario for a FlexConnect deployment. We have an MDF location in HQ, in which the controller and ISE are placed. We have remote locations with local DHCP servers in each site.
The objective is for users to access wireless in the remote sites, while the controller and ISE are located in HQ. Wireless users will get DHCP from the local server and 802.1X authentication from ISE, which is in HQ.
A couple of points to get clarified:
1. In HQ it is pretty straightforward, as the VLANs related to the setup need to be added and through LOCAL mode it works fine. Let's say, for example, the AP management VLAN is VLAN 50 and the employee VLAN is 51. In this case, for 802.1X, the particular SSID will be mapped to the authentication server IP, which is ISE, and its shared key. Is this correct based on best practices?
2. In Remote Site 1, if I have VLAN 20 for staff and DHCP assigned locally, how can I have wireless connected to the controller in HQ?
Let's say the port to which the AP is connected needs to be configured as a trunk port with native VLAN 50 (which is the AP-Manager IP). Is that right?
In the controller, what we need to do is provision the remote site AP in HQ, change its IP to static as per the Remote Site 1 IP schema, and then in the controller change the AP-to-VLAN mapping so that the EMP SSID is tagged to the remote site VLAN. It is not necessary to add the remote site VLANs to the main controller interfaces as well. Is this correct based on best practices?
3. How will the remote site AP users authenticate through 802.1X using ISE? I know it is possible locally (i.e. in HQ, as the APs there are connected in local mode); is there any configuration to do for FlexConnect?
Well, just to ensure that what I understood related to the FlexConnect scenario and deployment steps is correct. Please advise and help if I am wrong in the concept or if anything needs to be added.
If you configure a WLAN only for FlexConnect local switching, authentication still occurs "centrally" through the controller, just like a centrally switched WLAN (as would be the case with local mode APs).
There is the option of having your flex APs perform the authentication themselves (FlexConnect local authentication). In this scenario, the flex APs would need to be configured as AAA NAS devices on the RADIUS server.
The controller does not need to have dynamic interfaces that correlate to the remote site flex locally switched VLANs.
Not sure if this answers all of your questions. Please advise if not.
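To make the three rules in the answer above concrete, here is an added planning helper (example code, not from the original thread or from any Cisco product) that, given a list of APs and WLANs, works out which devices ISE must know as RADIUS NAS clients, which VLANs the controller actually needs a dynamic interface for, and which per-AP VLAN mappings the flex APs need. The IP addresses, site names and VLAN numbers are constructed to match the scenario in the question; the `AccessPoint`/`Wlan` data model and the `plan()` function are assumptions for illustration, not a controller API.

```python
"""FlexConnect planning helper (illustrative, not a controller or ISE API)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

CONTROLLER_IP = "10.50.0.10"   # constructed: HQ controller management address


@dataclass
class AccessPoint:
    name: str
    ip: str
    site: str
    mode: str                 # "local" (HQ, centrally switched) or "flex" (remote)
    local_auth: bool = False  # FlexConnect local authentication enabled on the AP


@dataclass
class Wlan:
    ssid: str
    hq_vlan: int                   # VLAN used when traffic is centrally switched
    local_switching: bool          # True = FlexConnect locally switched at the site
    site_vlans: Dict[str, int] = field(default_factory=dict)  # site -> local VLAN


def radius_nas_clients(aps: List[AccessPoint]) -> Set[str]:
    """Addresses ISE must have as network devices (NAS).

    Central authentication (the default, even for locally switched WLANs)
    terminates on the controller; only flex APs doing local authentication
    send RADIUS themselves and therefore need their own NAS entry.
    """
    nas: Set[str] = set()
    for ap in aps:
        if ap.mode == "flex" and ap.local_auth:
            nas.add(ap.ip)
        else:
            nas.add(CONTROLLER_IP)
    return nas


def controller_dynamic_vlans(aps: List[AccessPoint], wlans: List[Wlan]) -> Set[int]:
    """VLANs that need a dynamic interface on the controller.

    A VLAN is needed only if some AP will centrally switch that WLAN:
    every local-mode AP does, and a flex AP does when the WLAN is not
    configured for local switching. Remote-site flex VLANs never appear.
    """
    vlans: Set[int] = set()
    for w in wlans:
        if any(ap.mode == "local" or not w.local_switching for ap in aps):
            vlans.add(w.hq_vlan)
    return vlans


def ap_vlan_mappings(aps: List[AccessPoint], wlans: List[Wlan]) -> Dict[str, Dict[str, int]]:
    """Per-flex-AP SSID -> VLAN mapping for locally switched WLANs.

    Raises ValueError when a site has no VLAN defined for a locally
    switched WLAN, because clients there would otherwise land in the
    AP's native VLAN instead of the intended user VLAN.
    """
    mappings: Dict[str, Dict[str, int]] = {}
    for ap in aps:
        if ap.mode != "flex":
            continue
        for w in wlans:
            if not w.local_switching:
                continue
            if ap.site not in w.site_vlans:
                raise ValueError(f"no VLAN for SSID {w.ssid} at site {ap.site} ({ap.name})")
            mappings.setdefault(ap.name, {})[w.ssid] = w.site_vlans[ap.site]
    return mappings


def plan(aps: List[AccessPoint], wlans: List[Wlan]) -> dict:
    return {
        "radius_nas": radius_nas_clients(aps),
        "controller_vlans": controller_dynamic_vlans(aps, wlans),
        "ap_vlan_mappings": ap_vlan_mappings(aps, wlans),
    }


# Constructed sample matching the question: HQ local-mode AP, one remote flex AP,
# EMP SSID centrally switched on VLAN 51 in HQ and locally switched to VLAN 20 remotely.
SAMPLE_APS = [
    AccessPoint("HQ-AP1", "10.50.0.21", "HQ", "local"),
    AccessPoint("R1-AP1", "10.20.0.21", "Remote1", "flex"),
]
SAMPLE_WLANS = [Wlan("EMP", hq_vlan=51, local_switching=True, site_vlans={"Remote1": 20})]

if __name__ == "__main__":
    print(plan(SAMPLE_APS, SAMPLE_WLANS))
```

Running the sample shows the controller as the only NAS, VLAN 51 as the only dynamic interface the controller needs, and `R1-AP1` mapping EMP to VLAN 20; flipping `local_auth=True` on the remote AP adds its own IP to the NAS set without changing the VLAN results.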
I have kind of resolved it now: since I can push per-user ACLs on both flex and local mode APs on the same SSID, I can use the same set of AuthZ rules, as I no longer need to push VLANs any more.