Community Member

FlexConnect Local Auth. Usernames not showing in WLC/NCS

Hi,

I am working on a new install where the customer is using local RADIUS servers at each of their many campuses (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network.

For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.

Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.

Maybe I am going about this wrong. I am very open to alternative solutions.

Thanks.

Accepted Solution
Hall of Fame Super Silver

I believe this is normal, since the ap is the authenticator and traffic does not pass back to the WLC, so the WLC does not have that information unlike if the WLAN was centrally switched and the WLC was the authenticator.

-Scott
*** Please rate helpful posts ***
Replies
Community Member

Thanks for the reply, Scott. My thinking is that so much other 'telemetry' about the connection is sent to the controller that it only seems natural that the username would be part of that info... For example, the WLC reports the IP address, SNR, and RSSI of the client.

Hello Jon, Scott:

My flexconnect practical experience is shallow, but just something came to my mind: why don't we use central switching, local authentication? This way the traffic goes back to the WLC (and NCS is able to collect information) while authentication still works locally?

Does that work for your scenario, Jon?

Rating useful replies is more useful than saying "Thank you"
Community Member

Hi Amjad,

Central switching is definitely not an option here, as client traffic would make unnecessary trips across WAN links to be switched (and routed back to the campus for local traffic).

-Jon

Community Member

After discussing this issue with local Cisco folks, TAC and colleagues, it seems that locally authenticated user names are not passed to the controller (or NCS). It's not a bug, it's just the way it is.

If you want the AP to authenticate and locally switch users while communication to the controller is down (i.e. loss of WAN link), no usernames are sent to the controller for logging or troubleshooting... even when AP to WLC communication is working fine. It's a trade-off of information (usernames) for uptime.

If any Cisco wireless development folks are browsing, consider this a 'feature' I would like to see. Thanks.

Cisco Employee

Your observation is right: if "learn client IP" is enabled under the FlexConnect section, then we can see the client's IP when the AP is in connected mode, and it also grabs other info like SNR and RSSI using the CAPWAP control channel. However, the username info is part of the RADIUS transaction, which goes outside the CAPWAP control channel and doesn't hit the controller when local auth is enabled on the WLAN's Advanced tab or local authentication is enabled on the AP itself. That said, it is always possible to send the username to the WLC from the AP once the AP has the info, when the AP is in connected mode. It is a valid ask; work with your AM to get this addressed.
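The thread's conclusion is that with FlexConnect local authentication the WLC/NCS side sees the client MAC, IP, SNR and RSSI but never the username, because the RADIUS exchange runs between the AP and the campus RADIUS server. The practical workaround for tracking and troubleshooting is to join the two data sources on the client MAC, which appears in both: as the WLC client entry and as Calling-Station-Id in the local RADIUS server's records. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes a FreeRADIUS-style "detail" accounting log (one attribute per line, blank line between records) and a whitespace-separated client summary in the shape of the WLC output; both inputs are constructed and labelled as such, the MAC formats differ on purpose (RADIUS uses dashes, the WLC uses colons), and the column layout of the real WLC table may differ from this sample. It also assumes the campus RADIUS server receives accounting Start/Stop records; if it only logs authentications, the same join works against Access-Accept entries that carry Calling-Station-Id.

```python
"""Join WLC client telemetry with usernames from a campus RADIUS log.

Added example, not from the original thread. All inputs below are constructed.
The WLC has MAC/IP/SNR/RSSI but no username under FlexConnect local auth;
the local RADIUS server has username + Calling-Station-Id (client MAC).
"""
import re

# Constructed FreeRADIUS-style accounting "detail" records (RFC 2866 attributes).
RADIUS_DETAIL = """\
Fri Jun  8 09:12:01 2012
    Acct-Status-Type = Start
    User-Name = "jsmith"
    Calling-Station-Id = "00-1A-2B-3C-4D-5E"
    Called-Station-Id = "F0-29-29-AA-BB-C0:Campus-Staff"
    NAS-IP-Address = 10.20.30.5
    Acct-Session-Id = "00000012"

Fri Jun  8 09:15:44 2012
    Acct-Status-Type = Start
    User-Name = "mgarcia"
    Calling-Station-Id = "00-1A-2B-3C-4D-5F"
    Called-Station-Id = "F0-29-29-AA-BB-C0:Campus-Staff"
    NAS-IP-Address = 10.20.30.5
    Acct-Session-Id = "00000013"

Fri Jun  8 09:20:02 2012
    Acct-Status-Type = Start
    User-Name = "tchen"
    Calling-Station-Id = "00-1A-2B-3C-4D-61"
    Acct-Session-Id = "00000014"

Fri Jun  8 09:40:10 2012
    Acct-Status-Type = Stop
    User-Name = "tchen"
    Calling-Station-Id = "00-1A-2B-3C-4D-61"
    Acct-Session-Id = "00000014"
    Acct-Terminate-Cause = User-Request
"""

# Constructed client summary in the shape of a WLC table; real column
# layout may differ. 4d:60 has no RADIUS record (e.g. logged elsewhere).
WLC_CLIENTS = """\
MAC Address       AP Name      Status      WLAN  Protocol  IP Address    SNR  RSSI
00:1a:2b:3c:4d:5e AP-Campus-01 Associated  2     802.11n   10.20.31.101  38   -52
00:1a:2b:3c:4d:5f AP-Campus-01 Associated  2     802.11n   10.20.31.102  41   -49
00:1a:2b:3c:4d:60 AP-Campus-02 Associated  2     802.11a   10.20.31.103  22   -71
"""

# One "Name = value" attribute line; quotes around the value are optional.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def norm_mac(s):
    """Canonical lowercase hex with no separators, so 00-1A-.. == 00:1a:.."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def parse_detail(text):
    """Return {normalized MAC: username} for sessions with a Start and no Stop."""
    active = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(ATTR_RE.findall(record))
        mac = attrs.get("Calling-Station-Id")
        if not mac:
            continue
        mac = norm_mac(mac)
        status = attrs.get("Acct-Status-Type")
        if status == "Start":
            active[mac] = attrs.get("User-Name", "")
        elif status == "Stop":
            active.pop(mac, None)
    return active


def parse_wlc(text):
    """Parse the client table into dicts keyed by normalized MAC."""
    clients = []
    for line in text.splitlines()[1:]:  # skip header row
        f = line.split()
        if len(f) < 8:
            continue
        clients.append({"mac": norm_mac(f[0]), "ap": f[1], "ip": f[5],
                        "snr": int(f[6]), "rssi": int(f[7])})
    return clients


def correlate(wlc_text, detail_text):
    """Attach the RADIUS username (or None) to every WLC client row."""
    users = parse_detail(detail_text)
    return [dict(c, user=users.get(c["mac"])) for c in parse_wlc(wlc_text)]


if __name__ == "__main__":
    for row in correlate(WLC_CLIENTS, RADIUS_DETAIL):
        print(f'{row["mac"]}  {row["ip"]:<14} {row["ap"]:<13} '
              f'SNR {row["snr"]:>3} RSSI {row["rssi"]:>4}  user={row["user"]}')
```

A client that is associated on the WLC but has no active RADIUS session (the third row) comes back with `user=None`; that is exactly the gap the thread describes, and also what you see for clients the AP authenticated while its CAPWAP link to the controller was down, since they never appear on the WLC at all. Running this per campus against that campus's own RADIUS log keeps the join local, which matches the design goal of not hauling traffic or logs across the WAN.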
