
New Member

Flexconnect Clarifications

Dear Folks, 


Could you please clarify the below scenario for FlexConnect? We have an MDF location in HQ, where we placed the controller and ISE. We have remote locations and local DHCP servers in each site.

The objective is for the users to access wireless in remote sites, while the controller is located in HQ, and ISE too. Wireless users will get DHCP locally and 802.1X authentication from ISE, which is in HQ.

A couple of points to get clarified:

1. In HQ, it is pretty straightforward, as the VLANs related to the setup need to be added, and through LOCAL mode it works fine. Let's say, e.g., the AP management VLAN is VLAN 50 and the Emp VLAN is 51. In this case, for 802.1X, the particular SSID will be mapped to the authentication server IP, which is ISE, and its shared key. Is this correct based on best practices?

2. In Remote Site 1, if I have VLAN 20 for Staff and DHCP assigned locally, how can I have wireless connected to the controller in HQ?

Let's say, for the port to which the AP is connected, I need to configure it as a trunk port with the native VLAN as VLAN 50 (which is the AP-Manager IP). Is that right?

In the controller, what we need to do is provision the remote site AP in HQ, change the IP to static as per the Remote Site 1 IP schema, and then in the controller change the AP-to-VLAN mapping, which specifies that the EMP SSID will tag to the remote site VLAN IP. It is not necessary to add the remote site VLANs in the main controller interfaces too. Is this correct based on best practices?

3. How will the remote site AP users authenticate through 802.1X using ISE? I know it's possible locally (i.e. in HQ, as the APs there are connected in local mode). Is there any configuration to do for FlexConnect?

I just want to ensure that what I understood about the FlexConnect scenario and deployment steps is correct. Please advise and help if I am wrong in the concept or if anything needs to be added.

Appreciate your kind help and support 


Regards ,


New Member

Hi Sid, how did you get on?

I want to achieve the same thing with a single SSID, local and Flex APs, and 802.1X auth with ISE.

With ISE I have to create two sets of authz policies, one for local mode APs and one for Flex APs, because the data VLAN at the branch is different from the data VLAN at HQ.

I can't figure out how to set the conditions in ISE as the controller only sends its name in RADIUS attribute I need to distinguish between Flex and local mode APs.



Cisco Employee

Hi,

If you configure a WLAN only for FlexConnect local switching, authentication still occurs 'centrally' through the controller, just like a centrally switched WLAN (as would be the case with local mode APs).

There is the option of having your Flex APs perform the authentication themselves (FlexConnect local authentication). In this scenario, the Flex APs would need to be configured as AAA NASes on the RADIUS server.

The controller does not need to have dynamic interfaces that correlate to the remote site Flex locally switched VLANs.

Not sure if this answers all of your questions. Please advise if not.




New Member

Just to update you on my issue.

I have kind of resolved it now. That I can push per-user ACLs on both Flex and local mode APs on the same SSID means that I can use the same set of AuthZ rules, as I no longer need to push VLANs any more.



Hello Sid,

Please go through the following links to clarify your understanding with FlexConnect.

Hope that helps.