Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

flex connect with a per user ACL with APs locally switched

Hi all,
Does flex connect allow a per user ACL to be downloaded to the session with local switched, central authentication? We are using ISE for the central policy engine and have setup dACL for wired but am about to embark on WLAN. The controller is a 5508 and the. APs are 3700's.

Second question- if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with the size WAN links and latency?
Thanks

Sent from Cisco Technical Support iPad App

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: flex connect with a per user ACL with APs locally switched

Well you are running v7.6 so FlexConnect per user radius ACL's are supported per this doc since v7.5.

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9

As far as WAN latency, 200ms is good, but it depends in your WAN utilization now and how many AP's you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the capwap traffic to ensure the APs don't bounce from connected to stand alone.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
5 REPLIES
Hall of Fame Super Silver

Re: flex connect with a per user ACL with APs locally switched

Well you are running v7.6 so FlexConnect per user radius ACL's are supported per this doc since v7.5.

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9

As far as WAN latency, 200ms is good, but it depends in your WAN utilization now and how many AP's you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the capwap traffic to ensure the APs don't bounce from connected to stand alone.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: flex connect with a per user ACL with APs locally switched

Thanks Scott for that. I looked in the 7.6 manual and couldn't find any reference to per user ACL in flex connect mode. Does anyone know if we just use the airspace ACL in ISE and reference the flex connect ACL setup on the WLC?

Also my next question about IP addresses for both the WLC and the APs.. I have a management vlan setup that only IT admins have access to. Is it ok to put the APs and WLC on this management vlan knowing that regular users won't be able to access the subnet?

Sent from Cisco Technical Support iPad App

Hall of Fame Super Silver

Re: flex connect with a per user ACL with APs locally switched

It is still supported in v7.6 since it was introduced I'm v7.5. Yes you can put the WLC and AP's on that subnet if you want. I prefer to keep then in their own subnet though.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: flex connect with a per user ACL with APs locally switched

Many thanks Scott. I'll put the APs on this management subnets to secure unauthorized users from accessing the devices.
Does anyone know if I use the airspace ACL in ISE for the per user ACL, and the call the flex connect ACL on the WLC, or do I configure just a regular ACL on the WLC?

Sent from Cisco Technical Support iPad App

Hall of Fame Super Silver

Re: flex connect with a per user ACL with APs locally switched

I believe you need to call a WLC acl.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
326
Views
0
Helpful
5
Replies
CreatePlease login to create content