Cisco Support Community

Flexconnect EAP issues

Hi guys,

I connected one AIR-LAP1141N to an existing WLC deployment using FlexConnect Local Switching. The AP registered and tests went well using WPA2 and PSK.

Next, I want to keep the same Local Switching and Central Authentication, and still use 802.1x. There are two Radius servers configured on that site, as the existing local APs use Win 2008 Active Directory.

I tried to follow http://mrncciew.com/2013/03/12/h-reap-with-radius/ but, after creating the FlexConnect Group, I still got stuck (I followed the GUI config section). First of all, is creating this group mandatory? What about the FlexConnect ACL used in VLAN-ACL Mapping, WLAN-ACL Mapping and WebPolicies: are these tabs mandatory to configure, or can I use the defaults?

The log I see in the WLC CLI is:

*dot1xMsgTask: Nov 06 13:29:21.763: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 70:18:8b:c6:8a:b8
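
An added example, not part of the original post: a small parser for the %DOT1X-3-MAX_EAP_RETRIES line quoted above that counts hits per client MAC, which helps tell a single misbehaving supplicant apart from a problem affecting every client. Only the first sample line comes from the post; the remaining sample lines and all function names are constructed for illustration.

```python
import re

# Field layout is taken from the one log line quoted in the post.
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%DOT1X-3-MAX_EAP_RETRIES: (?P<src>\S+) "
    r"Max EAP identity request retries \((?P<limit>\d+)\) exceeded for client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of a MAX_EAP_RETRIES line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"task": m["task"], "timestamp": m["ts"], "source": m["src"],
            "limit": int(m["limit"]), "client": m["mac"].lower()}

def summarize(lines):
    """Map client MAC -> hit count plus first/last timestamp, in file order."""
    clients = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = clients.setdefault(
            ev["client"], {"count": 0, "first": ev["timestamp"], "last": None})
        entry["count"] += 1
        entry["last"] = ev["timestamp"]
    return clients

def repeat_offenders(lines, min_hits=2):
    """Clients that never answered the identity request at least min_hits times."""
    return sorted(mac for mac, e in summarize(lines).items() if e["count"] >= min_hits)

# Line 1 is the line from the post; every other line is constructed sample data.
SAMPLE_LOG = [
    "*dot1xMsgTask: Nov 06 13:29:21.763: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 70:18:8b:c6:8a:b8",
    "*dot1xMsgTask: Nov 06 13:29:52.101: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 70:18:8b:c6:8a:b8",
    "constructed unrelated line that the parser must skip",
    "*dot1xMsgTask: Nov 06 13:30:23.440: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 70:18:8B:C6:8A:B8",
    "*dot1xMsgTask: Nov 06 13:31:02.018: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3136 Max EAP identity request retries (3) exceeded for client 02:00:00:00:00:01",
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info["count"], info["first"], "->", info["last"])
```
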

13 REPLIES
Hall of Fame Super Silver

Re: Flexconnect EAP issues

FlexConnect Groups help when using 802.1x for fast roaming. I have used it and also have not used it without any issues. I think the 802.1x setup might be wrong either on the client side or possibly the radius server. The easy test for this is not to use the FlexConnect Group and test authentication. I would also test 802.1x with a local mode AP if you can. You want to get 802.1x working first before creating FlexConnect Groups and adding APs to that group. Take a look at the logs on the radius server also.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Flexconnect EAP issues

Hi Scott,

Thanks for answering.

So I can pull out the AP from FlexConnectGroup for now. Basically FlexConnectGroups are just for an easier "global policy push"?

Next, is there a document where I can see the required config for Windows Clients when using Win 2008 as Radius server?

I went to the computer wireless EAP settings and changed from User or computer authentication to User authentication and now it works. This should be Radius_Win2008_server related, right?

Next step would be to try local authentication. On this task is it possible to set up a fallback from Central Authentication to Local Authentication when Central_Radius_Servers are not available?

Hall of Fame Super Silver

Re: Flexconnect EAP issues

You need to know what type of 802.1x you want to use. User only allows for PEAP with AD credentials. Computer allows only for domain computers. These are set up on your radius policies and the WLC really only needs to be configured for WPA2/AES and 802.1x. Your client configuration has to match the policy you create on the radius server.

As far as redundancy, you are better off with another radius server as AD credentials and/or computer accounts can't be stored locally on the WLC.

-Scott

Flexconnect EAP issues

I totally agree, Scott!

As said, there are two Radius Servers defined under Security --> AAA --> Radius, which are used by all the local-mode APs configured.

For all FlexConnect APs I want to use one of these two and if WAN link fails then use the on-site AD_Radius2008_server. Is this possible and how can I achieve this?

Hall of Fame Super Silver

Re: Flexconnect EAP issues

If you have redundant radius, you can either set up the priority on the WLAN or by using FlexConnect Groups. All it is, is adding the radius servers.

-Scott

Flexconnect EAP issues

So this is that simple, nice!

How should I do this: I saw Rasika left blank Primary Radius Server and added the AP_local_server as the Secondary one.

Is this the right way?

Also, for the WLAN used by Local-mode APs, do you recommend configuring the Primary Radius Server and Secondary, or using the WLC defaults?

Hall of Fame Super Silver

Flexconnect EAP issues

It depends on what you want as primary or backup and depends on what code version. You can leave that to None as it will use the primary that is configured on the WLC and the local radius server as the backup.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
VIP Purple

Re: Flexconnect EAP issues

Just to clarify, in my post I have used WLC 7.0.116.0 code. Since then Cisco added lots of improvements to this FlexConnect feature.

So if you are working with a later code (7.2.x to 7.6.x), please do not rely too much on my post as that is only applicable to 7.0.116.0 code configuration & may not have all the features available in later releases.

HTH

Rasika

Flexconnect EAP issues

Thank you guys! We are fortunate to have you here!

Rasika, is there a plan to update that article to a newer 7.5-.6 version?

From a configuration point of view, why is there such a difference between AP Groups configuration options and FlexConnect Groups? Is there a logic behind this?

Also, does 7.2 or above permit you to delete an object although this is used/referred in another config/tab/object?

Hall of Fame Super Silver

Re: Flexconnect EAP issues

From a configuration point of view, why is there such a difference between AP Groups configuration options and FlexConnect Groups? Is there a logic behind this?

> These are two separate features. In short, AP Groups allow you to choose what APs will have what ssid and what interface to use for that WLAN. FlexConnect Group only applies to APs in FlexConnect and is used to provide fast roaming for a group of 25 or less APs.

Also, does 7.2 or above permit you to delete an object although this is used/referred in another config/tab/object?

> Many times you have to disable a WLAN or radio prior to removing a feature that was enabled.

-Scott

Re: Flexconnect EAP issues

Thanks Scott! I really appreciate it.

Hall of Fame Super Silver

Re: Flexconnect EAP issues

No problem.

-Scott
VIP Purple

Re: Flexconnect EAP issues

Hi Florin,

I wish I get time to do a post on this feature with recent releases. I had to learn all features of 7.0.116 as it was in CCIE v2.0 lab exam. That's the reason for all my posts on that code.

If I get a chance I will do this and let you know.

Rasika
