Community Member

Flexconnect authentication with radius server in remote site


Hi guys, I will give a description of the current FlexConnect setup. We have APs both in FlexConnect mode in remote offices and in Local mode in the head office. The WLAN SSID is the same in both the remote offices and the head office (the SSIDs are enabled with FlexConnect). The SSID authentication for head office users is configured with a Windows 2008 RADIUS server added in the WLC, and the IP address of the RADIUS server is given under WLAN -> Security -> AAA server.

The remote office APs are added in FlexConnect groups and the primary and backup RADIUS servers are given in them. The primary and backup RADIUS servers given inside the FlexConnect group are locally available servers in the remote office.

Now the problem. Currently all the remote office users are also getting authenticated from the head office RADIUS server. While the head office is unavailable they use the FlexConnect group RADIUS server. I want the remote office users to authenticate from the RADIUS servers defined in the FlexConnect groups as primary, and fall back to local authentication in the AP if the remote office RADIUS server becomes unavailable. How do I achieve this?

Cisco Employee



That should happen perfectly. What is your WLC version? In earlier versions of FlexConnect like 7.2, you would define the RADIUS servers on the AAA page and then select them inside the flex groups.


In later versions like 7.4, you can define new local site RADIUS servers in the FlexConnect group, primary and secondary with shared keys. Go to the flex AP console to see if those are pushed. Now you have added the AAA RADIUS server in the AAA client, but have you also configured the AAA client, i.e. the flex APs, in the local RADIUS server?

> Is the SSID configured for Flex local auth and Flex local switching under the Advanced tab?




Please rate helpful posts

Community Member


Hi Dhiresh,

The WLC is of version 7.4 and the primary/secondary RADIUS servers are configured in the FlexConnect APs.

The FlexConnect APs are also defined in the local RADIUS servers with the shared keys.

The SSIDs are configured for flex local switching.

With FlexConnect local auth turned on the clients get connected, but the auth does not happen from the RADIUS server, as the RADIUS server logs do not show any connection.

I need to get the APs to auth from the local RADIUS server in the remote office.


Thank you for the reply


Cisco Employee



I have checked it long back multiple times and it should work... let me do a fresh check.





Community Member


Hi Dhiresh, I tried the same again today. The remote APs are using the remote RADIUS server for auth when the controller becomes unreachable for them. And once the controller connectivity is back for the APs they switch back to central authentication. But this has not solved my problem of primary auth from the remote RADIUS server. Still checking for some way to prioritize the RADIUS server from the FlexConnect groups.

Thank you, Arjun
