Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

FlexConnect local/central switched and Access-Accept Packets

For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
•  Full network access, local switched.
•  Limited network access, central switched:
◦       To isolate traffic from the branch’s LAN.
◦       To force traffic through a firewall at the central site.
▪       To ease access rules management.
◦       Internet access only by default.
▪       Internet access is located at the central site.
▪       We expect to manage some exceptions to the rule.

We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.

However, we found an interesting bit in the documentation pages regarding RADIUS attributes:

Authentication Attributes Honored in Access-Accept Packets (Airespace)



This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]


We then made an assumption that the following was possible:
•  Create a second SSID

◦       Broadcast not enabled

◦       Central Switched
•  Users would authenticate using the first SSID
•  In it’s access-accept packet, the RADIUS server would return an
Airespace-WLAN-Id attribute with the value of the second SSID.

•      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.

So far, our tests showed no results.

•  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
•  If not, what would you recommend?

For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.


Thank you very much,

Hall of Fame Super Silver

Your WLAN is defined with as

Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:

Is the user part of this AD group and is this user on WLAN ID=1.

You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

*** Please rate helpful posts ***
CreatePlease to create content