Cisco Support Community

FlexConnect Local Authentication

Hi Guys,

I'm in the process of implementing a Virtual WLC and just want to find out about the FlexConnect Local Authentication process. My question is: am I able to configure FlexConnect groups to send client authentication (PEAP authentication) requests to a local RADIUS (MS NPS) server when LWAPs lose connectivity to the vWLC?

Thanks in Advance

Hall of Fame Super Silver

FlexConnect Groups allow you to define the primary and/or secondary RADIUS in case the AP goes into standalone mode.

FlexConnect Groups and Backup RADIUS Servers

You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in either of these two modes: standalone or connected.

*** Please rate helpful posts ***

Thanks for the quick response, Scott. I've already configured Primary and Secondary RADIUS servers in my FlexConnect group. Is that all I have to do to allow APs to forward 802.1X requests when the WLC is unavailable? Also, I'm using MS NPS as my RADIUS. Do I have to create RADIUS client entries for all APs in the FlexConnect group?

Thanks in Advance

Hall of Fame Super Silver

You do not have to create an AAA client for each FlexConnect access point. Using FlexConnect Groups will define the RADIUS when in standalone. FlexConnect groups take care of that. In the old autonomous way, you need to have each AP defined as an AAA client in RADIUS. Here is a good read

*** Please rate helpful posts ***

Hi Scott,

I enabled Local Authentication (PEAP) in a FlexConnect scenario and obviously it is not working. After just reading your post, I got the reason: requests are sourced by the AP and this AP is not registered with the RADIUS server. Thank you!

About using FlexConnect Groups not requiring the previous AP & RADIUS server registration: how's this possible?

Supposing the AP transitions to standalone mode and Local Authentication is enabled, BUT there is no registration on the RADIUS server for the authenticating AP, is this AP going to use the WLC IP from its configuration?