Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Issue with Flexconnect Central-auth, Locally-switched, client not getting DHCP address



I’m facing the following scenario (refer to diagram.jpg):

  • Cisco WLC5508 with 7.6.110 in Datacenter
  • Cisco 1142 flexconnect AP in remote branch
  • External web authentication portal in another Datacenter (Apache based)
  • External RADIUS in the same machine as External Webauth


I want to deploy Flexconnect scenario, with Central Auth (External WebAuth) and Locally switched.

My main concern is about wireless clients not getting DHCP IP address. AP is successfully registered in WLC, and I have a SSID (SSID_1) with locally-switched,locally-authenticated with WPA-PSK, which is working fine. But another SSID (SSID_2) with locally-switched, central-auth is not working at all.

I’ve configured so far:

  • Flexconnect group with flexconnect ACL
  • WLAN with Layer 3 security with external web authentication
  • AP group to restrict SSID test to only two APs in selected branch
  • AP working in Flexconnect Mode and registered in WLC
  • External webauth with Apache/Tomcat
  • External RADIUS with FreeRADIUS + PostgreSQL user management (in the same machine with external webauth)

What I’ve got: SSID_1 is working, in the wireless client I select SSID_2 and it can’t connect. No DHCP, no wireless client found in Monitor->Client->Filter list by SSID_2 in WLC.  If I try with my iPad, I always get “Can’t connect to wireless network”.

One thing I missed in my config is WLAN-VLAN mapping, because in my branches I don’t have VLAN in order to separate guest traffic from management traffic. I’ll plan to do it, but now I don’t have any VLAN deployed in remote branch.

I will configure it like this:





Note: SSID_2 is “invalid_wlan_web”

If I don’t have VLAN deployment in remote branch, do I still need to configure VLAN Support and WLAN-VLAN mapping?

Two other questions I face:

  • Once deployed this scenario, I want to configure WPA-PSK in layer 2 security, and simultaneously in the same SSID, layer 3 webauth authentication. Is that possible? Mixing WPA-PSK with layer 3 webauth?
  • Is there any kind of traffic from WLC to External Webauth/RADIUS machine, other than UDP 1812/1813 RADIUS authentication traffic? I presume web access to external captive portal is made from wireless client, not by Cisco WLC. Is that correct?

Thank you very much.


Kind regards,

Libera TAC-Team.

New Member

Hi, Did your second scenario



Did your second scenario worked? I am looking for similar setup where I want to control guest user in remote branch.


Thank You, 

CreatePlease to create content