I have a location with 17 access points we will be configuring for FlexConnect mode. We plan on doing local switching, but central authentication for this wlan. I understand that a FlexConnect Group is required for CCKM fast roaming on flexconnect mode access points.
My question is do you also have to perform local authentication for CCKM to work, or do you simply just have to create a Flex Group and add the flex ap's to it?
FlexConnect group requires you to put in a primary and backup radius server. The design for this is usually one in the remote site and one in the central site. If your not using 802.1x, then you don't need to worry about FlexConnect Groups. If your require them, then you assign AP's to the FlexConnect Group.
Hi I have a similar problem. i have confiured radius in WLAN already and so even if i give the backup radius server details in flexconnect grous they do not fallback to these. how does the radius priority go, does it choose the radius server defined in wlan first or the ones defined in flexconnect groups.
How did you configure your WLAN (FlexConnect Central Authentication/Local Authentication ?) & your FlexConnect AP Groups. Flexconnect group defind AAA servers used, when AP is standalone mode (when AP lost communication to central WLC). I hope you are testing this simulating WAN link failure.
"In order to increase the resiliency of the branch, administrators can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers are used only when the FlexConnect AP is not connected to the controller."
If you have enabled both "APLocal Authentication" & defined "Primary & Backup RADIUS Server" Under FlexConnect Group configuration then this is how it works.
"This feature can be used in conjunction with the FlexConnect backup RADIUS server feature. If a FlexConnect Group is configured with both backup RADIUS server and local authentication, the FlexConnect AP always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally, the Local EAP Server on FlexConnect AP itself (if the primary and secondary are not reachable)."
Thank you Manannalage. This means that the remote AP's will always use WLC as its primary authentication and then if the WLC is not available due to WAN issues , it would fall back to the Primary backup radius server in the remote office and then to secondary and at the end to Local authentication. am i correct?
Also can i make the local radius server in remote office to authenticate first even before the wlc as we have latency problems in some of the remote offices.This way the users don't have to rely on the wan link. is this possible?
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...