
FlexConnect Group with CCKM-Fast Roaming

awatson20
Level 4

I have a location with 17 access points we will be configuring for FlexConnect mode. We plan on doing local switching, but central authentication for this WLAN. I understand that a FlexConnect Group is required for CCKM fast roaming on FlexConnect mode access points.

My question is: do you also have to perform local authentication for CCKM to work, or do you simply have to create a Flex Group and add the Flex APs to it?


Scott Fella
Hall of Fame

A FlexConnect group requires you to put in a primary and backup RADIUS server. The design for this is usually one in the remote site and one in the central site. If you're not using 802.1x, then you don't need to worry about FlexConnect Groups. If you require them, then you assign APs to the FlexConnect Group.


-Scott
*** Please rate helpful posts ***

awatson20
Level 4

We are doing 802.1x with central RADIUS servers. I can specify them in the group configuration. If you do not specify, will it just use the RADIUS config that's defined in the WLAN?


Yes that is correct. Client devices have to support CCKM also.


-Scott
*** Please rate helpful posts ***

junajunction
Level 1

Hi, I have a similar problem. I have configured RADIUS in the WLAN already, and so even if I give the backup RADIUS server details in FlexConnect groups they do not fall back to these. How does the RADIUS priority go: does it choose the RADIUS server defined in the WLAN first or the ones defined in FlexConnect groups?

Hi

How did you configure your WLAN (FlexConnect Central Authentication/Local Authentication?) and your FlexConnect AP Groups? The FlexConnect group defines the AAA servers used when the AP is in standalone mode (when the AP has lost communication with the central WLC). I hope you are testing this by simulating a WAN link failure.

"In order to increase the resiliency of the branch, administrators can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers are used only when the FlexConnect AP is not connected to the controller."

If you have enabled both "AP Local Authentication" and defined "Primary & Backup RADIUS Server" under the FlexConnect Group configuration, then this is how it works.

"This feature can be used in conjunction with the FlexConnect backup RADIUS server feature. If a FlexConnect Group is configured with both backup RADIUS server and local authentication, the FlexConnect AP always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally, the Local EAP Server on FlexConnect AP itself (if the primary and secondary are not reachable)."

The above information is from the Mobility Design Guide 7.3.

Also refer to this Cisco Live presentation about Branch Wireless to learn more about these configs (slides 32-42 discuss FlexConnect AP groups and backup scenarios):

BRKEWN-2016 - Branch Office Wireless LAN Design (2014 San Francisco)

Please do not forget to rate our responses if they are useful.

HTH

Rasika

Thank you, Manannalage. This means that the remote APs will always use the WLC as their primary authentication, and then if the WLC is not available due to WAN issues, they would fall back to the primary backup RADIUS server in the remote office, then to the secondary, and at the end to local authentication. Am I correct?

Also, can I make the local RADIUS server in the remote office authenticate first, even before the WLC, as we have latency problems in some of the remote offices? This way the users don't have to rely on the WAN link. Is this possible?

Thank you for the support, Arjun
