Cisco Support Community
New Member

H-REAP in central auth and Local switching has any fallback auth method?

Hi,

In an H-REAP solution with central authentication and local switching, do we have any fallback method of authentication in case the controller fails or the WAN link to the controller fails? Like WPA/WPA2 PSK authentication for the H-REAP LWAPP in standalone mode.

merci,

arun

9 REPLIES

H-REAP in central auth and Local switching has any fallback auth

What security do you plan to use?

If you are using PSK, you are fine as the keys live on the AP. So if you lose the controller, clients will still authenticate. If you are using 802.1X, that's a different story.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
Hall of Fame Super Silver

H-REAP in central auth and Local switching has any fallback auth

Just to add: when using 802.1x for central authentication, you can't fall back to a PSK. For 802.1x, your best choice is a local radius server and using h-reap groups. This way you can set the primary to the radius at the local site and the central site is backup in case the local radius stops working.

-Scott
New Member

H-REAP in central auth and Local switching has any fallback auth

Even if we use H-REAP groups, if we lose the connectivity to the WLC, users will not be authenticated, right?

merci,

arun

Hall of Fame Super Silver

Re: H-REAP in central auth and Local switching has any fallback

If you're using PSK or have a local radius and AD (802.1x), your clients can still function.

-Scott

Re: H-REAP in central auth and Local switching has any fallback

Think of it like this. If you use radius (EAP) and it's at the central office and you lose the link, you also lose the ability to authenticate, right?

If you use local radius (as Scott mentioned) or PSK, these reside locally and your clients will still authenticate.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Re: H-REAP in central auth and Local switching has any fallback

Thanks for the info, George and Scott. So if we have the H-REAP groups configured on the WLC and point the authentication to an onsite/local Radius for the remote site, then even if we lose the connectivity to the WLC over WAN, new clients can authenticate via the local Radius server which is configured in the H-REAP group. Am I right?

Also, can we have the H-REAP group point the authentication to a Radius server in a different site which is reachable from both the WLC located site and H-REAP AP located site?

Hall of Fame Super Silver

Re: H-REAP in central auth and Local switching has any fallback

You can... Just remember you are limited to 25 APs per hreap group. But you can have more than one hreap group per site.

-Scott
Silver

Re: H-REAP in central auth and Local switching has any fallback

Scott, if you have more than 1 HREAP group at a site, don't you break roaming? I thought I remember seeing that when you are roaming between two HREAP groups it won't be a seamless roam; you actually have to deauth and come back in, which would cause voice delays, for example.

Hall of Fame Super Silver

Re: H-REAP in central auth and Local switching has any fallback

Correct... But that is why you group your APs correctly. At least you have seamless roaming between APs in the same group. The issue I see is large hreap deployments. Your choice is to either not use hreap groups and do PSK or, if you are doing 802.1x, at least use hreap groups.

-Scott