New Member

Flexconnect configuration

Hello Support Community,

I'm facing some issues in the implementation of FlexConnect, which is why I have some questions:

1- With FlexConnect (local authentication/local switching) we can only use WPA for the authentication and web authentication doesn't work, is that correct?

2- By using WPA in the case (local authentication/local switching) I cannot get a history of the users who connected and left. How can I capture their MAC address or any other information to identify each user?

3- Now in the (central authentication/local switching) case, how can I keep the user connected for 20 days, for example, without re-authentication?

Normally on release 7.5.102.0 a user authenticated via web auth can be allowed to sleep for 1h – 720h (with 12h as default) without having to re-auth.

4- What is the risk of disabling "Session Timeout"?

5- With FlexConnect, does the mode (central authentication/central switching) exist? If yes, how can I configure it, and what is its advantage compared to an AP which is in local mode, not in flex mode?

Could you kindly answer and help me out with this mode?

Regards

9 REPLIES
VIP Purple

Flexconnect configuration

Hi,

As per my knowledge:

1- With FlexConnect (local authentication/local switching) we can only use WPA for the authentication and web authentication doesn't work, is that correct?

local authentication, local switching

In this state, the H REAP access point handles client authentications and switches client data packets locally. This state is valid only in Standalone mode and only for authentication types that can be handled locally at the access point. When a hybrid-REAP access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the local authentication, local switching state and continue new client authentications.

*** Webauth is not supported while the AP is in Standalone mode.

2- By using WPA in the case (local authentication/local switching) I cannot get a history of the users who connected and left. How can I capture their MAC address or any other information to identify each user?

I never tested this, but I think you cannot find the MAC addresses which are connected...

3- Now in the (central authentication/local switching) case, how can I keep the user connected for 20 days, for example, without re-authentication?

Check the links below.

4- What is the risk of disabling "Session Timeout"?

If you configure session timeout as 0, it means disabling session-timeout, in case of open system, and 86400 seconds for all other system types.

Session timeout means that your authenticated user session expires in 1800 seconds; it is not an activity or idle timeout. So depending on your authentication method, this could cause your client to disconnect.

5- With FlexConnect, does the mode (central authentication/central switching) exist? If yes, how can I configure it, and what is its advantage compared to an AP which is in local mode, not in flex mode?

Could you kindly answer and help me out with this mode?

Yes, it exists.

central authentication, central switching—In this state, for the given WLAN, the access point forwards all client authentication requests to the controller and tunnels all client data back to the controller, as well. This state is valid only when the access point's CAPWAP control path is up. This means the H REAP is in Connected mode. Any WLAN that is tunneled back to the controller is lost during WAN outage, no matter the authentication method.

A local mode AP needs a WLC at the respective location, but in flex mode the AP can be managed from a central WLC.

Here are the design and deployment guides:

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/71250-h-reap-design-deploy.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81680-hreap-modes.html#cl

Regards

Don't forget to rate helpful posts

New Member

Flexconnect configuration

Thank you for your explanation, but it's not yet clear for the third question, regarding finding a way to keep the client connected: "Normally on release 7.5.102.0 a user authenticated via web auth can be allowed to sleep for 1h – 720h (with 12h as default) without having to re-auth".

Hall of Fame Super Silver

Re: Flexconnect configuration

Sleeping client is a feature that works when layer 2 encryption is open and when using WebAuth. This allows the WLC to cache the MAC for 0-30 days and allows users not to have to log in to a WebAuth page for the set duration configured for sleeping clients. Without sleeping client enabled, the idle timer or session timer dictates how long a user will be in before they have to log in to the WebAuth page again.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Flexconnect configuration

In the last release, 7.6, is the controller caching the MAC for 0-30 days?

Hall of Fame Super Silver

Flexconnect configuration

v7.5 and v7.6 are the same as far as sleeping clients... If you configure it, it will be used; if you don't, then it will not be. You set the time frame for the sleeping client; by default it is not enabled.

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

Flexconnect configuration

Then disabling "timeout session" is not something to avoid? (security side)

Hall of Fame Super Silver

Flexconnect configuration

What do you mean? Session timeout is a hard timeout when the client is in the RUN state. Clients will move from the RUN state to the Sleeping Client when the idle timer expires and if the Sleeping Client is configured.

Thanks,

Scott

New Member

Flexconnect configuration

In other words: what are the drawbacks of disabling the "session timeout"?

Hall of Fame Super Silver

Re: Flexconnect configuration

Some devices actually work better with it disabled. With WebAuth you need to increase the session timer or disable it, which makes it 24 hours. If using anything other than WebAuth, then leave it at the default 1800. That's what I typically do. No security risk.... There were some bugs and the workaround was to disable this also.
