I am in the process of implementing a Virtual WLC and just want to find out about the FlexConnect Local authentication process. My question is: am I able to configure FlexConnect groups to send client authentication (PEAP authentication) requests to a local RADIUS (MS NPS) server when LWAPs lose connectivity to the vWLC?
FlexConnect Groups allow you to define the primary and/or secondary RADIUS server in case the AP goes into standalone mode.
FlexConnect Groups and Backup RADIUS Servers
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in either of these two modes: standalone or connected.
Thanks for the quick response, Scott. I've already configured Primary and Secondary RADIUS servers in my FlexConnect group. Is that all I have to do to allow APs to forward 802.1X requests when the WLC is unavailable? Also, I'm using MS NPS as my RADIUS server. Do I have to create RADIUS client entries for all APs in the FlexConnect group?
You do not have to create a AAA client for each FlexConnect access point. Using FlexConnect Groups will define the RADIUS server when in standalone mode. FlexConnect groups take care of that. In the old autonomous way, you need to have each AP defined as a AAA client in RADIUS.
Here is a good read
I enabled Local Authentication (PEAP) in a FlexConnect scenario and it is obviously not working. After just reading your post, I got the reason: requests are sourced by the AP and this AP is not registered with the RADIUS server. Thank you!
About using FlexConnect Groups not requiring the previous AP & RADIUS server registration: how’s this possible?
Supposing the AP transitions into standalone mode and Local Authentication is enabled, BUT there is no registration on the RADIUS server for the authenticating AP, is this AP going to use the WLC IP from its configuration?