Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Question about H-REAP

Afternoon,

I am thinking of pushing out the H-REAP configuration to all my AP's on my local site for redundancy. I have read reems and reems of documentation on the matter but just want to throw a couple of ideas and questions around.

Using PSK (WAP) If I set my HREAP AP's to Locally Authenticated/Locally Switched - Whilst the AP is in connected mode, is roaming maintained by the controller as if the AP was in normal LWAP mode? In other words - whilst the HREAP AP is in connected state, it doesn't actually function any differently than if it was in normal "Local" mode until it's CAPWAP control plane connection drops?

Many Thanks

Tim

5 REPLIES
Hall of Fame Super Silver

Question about H-REAP

Tim,

When using a layer 2 encryption method (wpa/tkip psk or wpa2/aes psk), the encryption and ecryption is handled by the AP.  802.1x, however has to have authentication method come back to the wlc if the ap's are in local mode.  If using 802.1x and ap's are in h-reap mode, then it is suggested you use h-reap groups. These group of ap's will share the same cckm, radius and ssid's.

-Scott
*** Please rate helpful posts ***
New Member

Question about H-REAP

Scott,

Thanks for your reply but you misunderstood my question.

The operation during "local authentication, local switching" (authentication and switching handled by AP) is only valid when in Standalone mode (or when the AP cannot see the controller).

My question is, when the AP CAN see the controller (therefore is in Connected mode), does its operation differ at all (in regards to fast roaming when using WAP2-PSK) from the an AP that isn't in H-REAP mode.

Hall of Fame Super Silver

Question about H-REAP

No it doesn't differ, because the ap does all the layer 2 encryption/decryption.  I just wanted to show you a difference when using pre-shared key vs. 802.1x.

-Scott
*** Please rate helpful posts ***
New Member

Question about H-REAP

So, to summarise. If the AP is in H-REAP mode and the SSID is Local Auth/Local Switch - when the AP is in connected mode and can see the controller, it's operation does not differ at all from a non-HREAP AP - and fast roaming and other features etc... WILL work with PSK-WAPv2 as normal. This is until the AP goes into Standalone state.

Hall of Fame Super Silver

Question about H-REAP

When an h-reap ap is in local auth/local switching, the operation for wpa(2)tkip/aes does not differ, only on 802.1x.  Fast roaming is really meant for 802.1x and key caching on the AP so that the device doesn't have to perform a full auth.  Pre-shared key is fast enough roaming because it doesn't have to perform all the steps an 802.1x client has to do.

-Scott
*** Please rate helpful posts ***
427
Views
0
Helpful
5
Replies