I am testing a scenario where an H-REAP AP loses connection to the WLC, and the behavior does not seem to be correct.
Basically, I have two APs configured in H-REAP mode and joined to a WLC; the APs and WLC are connected to the same switch. I have an ACS server doing the authentication. I have configured an H-REAP group, with the two H-REAP APs added in, and I have the ACS server configured in this H-REAP group.
I then created an SSID with local-switching enabled and vlan-mapping configured. Everything works fine when the H-REAP APs are connected to the WLC. I then shut down the port connecting to the WLC from the switch, and I could authenticate in the first few seconds (I have added both H-REAP APs in the ACS as AAA clients, and from the logs I can confirm that the auth request was sent from the H-REAP APs, not the WLC anymore, once I shut down the WLC port).
The problem is that after a few minutes, authentication starts to fail, and I noticed that the auth request was sent via a different IP address from the H-REAP AP. I then connected to the console of the AP and noticed that the H-REAP AP was trying to discover the WLC, and since the WLC port was down, it reverts back to WLC discovery through DHCP, which causes the address change and auth failure.
My understanding is that H-REAP APs should go to standalone mode once connectivity to the WLC is lost, and keep serving clients, and in this case, authenticate new clients via ACS as well, until the connectivity to the WLC is restored and they go back to central-auth, local switching mode.
Can anyone please confirm if what I have observed here is an expected behavior, or have I missed anything? To me this does not seem to be correct, as if we lost WAN connectivity in a real network, then H-REAP APs will start to reboot until connection to the WLC is restored.
I have the AP DHCP server configured on the local switch; the topology looks like below:
WLC2504 <---> 3560 SW <---> H-REAP AP x2
central site switch <---> ACS
So the DHCP server is configured on the 3560 switch, both APs joined the 2504 and are in H-REAP mode, and authentication will be through the ACS server on the other side over the WAN link (I just used a layer 3 interface to simulate the WAN).
APs are placed on vlan 15 and users are mapped to vlan 20 on the local switch, so not on the same subnet, and two DHCP pools are configured for APs and clients.
Under the SSID configuration, I do not have "H-REAP local auth" checked under the advanced tab; only local switching is enabled.
WLC running code version 22.214.171.124.
Regarding the debugs, do I collect from the AP side, as the WLC is offline now? The console logs from the AP just show the AP going through the normal joining process, like a local mode AP. I think even when the AP is assigned a static IP, it will be the same behavior, as it will revert back to DHCP if no WLC is found, as in the normal local mode AP join process.
So basically the behavior of the H-REAP AP seems to be the same as the local mode AP, which does not seem to be correct. I thought for H-REAP mode, the AP should not reload or revert back to DHCP for WLC discovery; it should stay in standalone mode when connectivity to the WLC is lost.
I disconnect the WLC from the network by shutting down the switchport connecting to the WLC.
I have done another test with a different platform, a 5508 running 126.96.36.199 and 3500 series APs in H-REAP mode, with the H-REAP APs assigned static IP addresses. This works as expected when I shut down the port connecting to the 5508; from the AP console log, it went into standalone mode and keeps searching for the WLC, but no reload: