Cisco Support Community
Community Member

Flexconnect dynamic VLAN assignment doubt

Hi, all,

I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID). I can understand that in traditional CAPWAP mode, the AP just tunnels all traffic to the WLC; the WLC is the authenticator, it knows what users' identities are, and it can encapsulate user traffic into different VLANs before sending the traffic to the switch it connects to. Here is the part I don't understand:

1) If APs are operating in FlexConnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user's traffic on? The AP is not the authenticator; it knows nothing about the associated client's AD identity. How does the WLC convey the dynamic VLAN information to the APs?

2) I want to eliminate WLCs in remote offices by letting all remote office APs join the HQ WLC in FlexConnect mode. I can keep the same VLAN mapping scheme in the remote office switching environment. In some offices I want to do local authentication (domain controller + RADIUS server); it looks like I can specify a RADIUS server in the FlexConnect group. In this case, will the APs become the authenticator? Since RADIUS clients have to be explicitly configured on the NPS/RADIUS server side, does this mean I have to statically configure each AP's IP?

3) I have over a dozen APs in HQ which are operating in FlexConnect mode, but the SSID's "local/central authentication" checkbox is not checked. If I want to have local authentication in a remote office, it seems that I have to turn on "local authentication" on this SSID. Does that mean I have to add each and every one of those HQ APs to the RADIUS/NPS server client list?



Cisco Employee


Hi,


1) APs know about VLANs, as we can define them inside the FlexConnect groups. This is the same way we define FlexConnect ACLs, which are pushed to the Flex APs and are returned by the RADIUS server later on.

2) If you are going for central authentication + local switching, the WLCs will always act as the central authenticator and would talk to the RADIUS server. If you have some RADIUS servers at the local site and you want to use them without going through the central one, you can do that using (local authentication + local switching). Yes, in this case the AP will be the authenticator and would be the AAA client to be added in the RADIUS server.

3) Yes, you are correct. If you want your AP to do the authentication and talk to the local RADIUS server at the site, it has to be added in the RADIUS server.




**Please rate helpful posts**
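As an added worked example (not code from the thread, nor Cisco's implementation), the following shows the mechanism the question in 1) and the answer above are circling: the identity-to-VLAN decision is made by the RADIUS server, which returns it in the Access-Accept using the standard RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The authenticator only has to parse those attributes and check the returned VLAN against the VLANs it has locally mapped. The attribute names and values come from the RFCs; the sample Access-Accept bytes, the FlexConnect-group VLAN set and the fallback-to-WLAN-default behaviour are constructed assumptions for illustration.

```python
"""
Dynamic VLAN assignment over RADIUS: parse the RFC 2868 tunnel attributes from
an Access-Accept and validate the returned VLAN against a locally-mapped VLAN
set (modelled on a FlexConnect-group VLAN mapping; this is an illustrative
model, not Cisco's code).
"""
from __future__ import annotations

# RFC 2868 attribute types and the values that mean "this is an 802.1Q VLAN".
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6        # Tunnel-Medium-Type = IEEE-802 (RFC 3580)


def parse_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute section into (type, value) pairs.

    Each attribute is Type(1) Length(1) Value(Length-2); Length counts the
    header, so anything shorter than 2 or overrunning the buffer is malformed.
    """
    attrs: list[tuple[int, bytes]] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def tunnel_int(value: bytes) -> int:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")


def tunnel_string(value: bytes) -> bytes:
    """Tunnel-Private-Group-ID: a leading octet in 0x00-0x1F is a tag, not data."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def extract_vlan(payload: bytes) -> int | None:
    """Return the VLAN ID granted by an Access-Accept, or None if no valid VLAN grant."""
    tunnel_type = medium = None
    group_id: bytes | None = None
    for atype, value in parse_attributes(payload):
        if atype == TUNNEL_TYPE:
            tunnel_type = tunnel_int(value)
        elif atype == TUNNEL_MEDIUM_TYPE:
            medium = tunnel_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group_id = tunnel_string(value)
    # All three must agree before the string is treated as a VLAN ID.
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802 or not group_id:
        return None
    if not group_id.isdigit():
        return None  # VLAN names are not handled by this model
    vlan = int(group_id)
    return vlan if 1 <= vlan <= 4094 else None


def place_client(radius_vlan: int | None, mapped_vlans: set[int],
                 wlan_default_vlan: int) -> tuple[int, str]:
    """Decide the locally-switched VLAN for a client (modelled behaviour).

    An AAA-returned VLAN is honoured only when the AP has it in its own
    VLAN mapping; otherwise the client lands on the WLAN's default mapping.
    """
    if radius_vlan is None:
        return wlan_default_vlan, "no VLAN override; WLAN-to-VLAN mapping used"
    if radius_vlan in mapped_vlans:
        return radius_vlan, "AAA override applied"
    return wlan_default_vlan, f"VLAN {radius_vlan} not mapped on AP; WLAN default used"


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV (used only to construct sample input)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample Access-Accept attribute section: VLAN 120 for this user.
SAMPLE_ACCEPT = (
    build_attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + build_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + build_attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00120")
)
# Constructed FlexConnect-group style mapping: VLANs this AP trunks locally.
MAPPED_VLANS = {10, 120, 130}
WLAN_DEFAULT_VLAN = 10

if __name__ == "__main__":
    vlan = extract_vlan(SAMPLE_ACCEPT)
    print(place_client(vlan, MAPPED_VLANS, WLAN_DEFAULT_VLAN))
```

The point for the thread: the AP (or WLC, in central authentication) never needs the AD group itself; it only needs the VLAN the RADIUS server derived from that group, and a VLAN the AP has no local mapping for cannot be applied, which is why the VLANs must be defined in the FlexConnect group as the answer says.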

Community Member


Thanks for your answers,

1) I understand that; my question was how the AP knows the VLAN-to-user-identity mapping... In the FlexConnect group VLAN mapping, the FlexConnect ACLs are null in my case.

Regarding 2) and 3), it seems that "local authentication" is not practical in deployment. For one, each AP being an authenticator will add too much configuration overhead on the RADIUS servers (imagine hundreds of APs in FlexConnect mode doing local authentication); for two, an SSID has to be either locally authenticated or centrally authenticated, not mixed and matched. How are we going to deal with smaller remote sites that do not have local RADIUS servers?

We have remote sites that are going to be over 200 ms RTT away; would that pose a problem for central authentication?
