Issue with Flexconnect Central-auth, Locally-switched, client not getting DHCP address
I’m facing the following scenario (refer to diagram.jpg):
Cisco WLC5508 with 7.6.110 in Datacenter
Cisco 1142 flexconnect AP in remote branch
External web authentication portal in another Datacenter (Apache based)
External RADIUS in the same machine as External Webauth
I want to deploy Flexconnect scenario, with Central Auth (External WebAuth) and Locally switched.
My main concern is about wireless clients not getting a DHCP IP address. The AP is successfully registered in the WLC, and I have an SSID (SSID_1) with locally-switched, locally-authenticated WPA-PSK, which is working fine. But another SSID (SSID_2) with locally-switched, central-auth is not working at all.
I’ve configured so far:
Flexconnect group with flexconnect ACL
WLAN with Layer 3 security with external web authentication
AP group to restrict SSID test to only two APs in selected branch
AP working in Flexconnect Mode and registered in WLC
External webauth with Apache/Tomcat
External RADIUS with FreeRADIUS + PostgreSQL user management (in the same machine with external webauth)
What I’ve got: SSID_1 is working, in the wireless client I select SSID_2 and it can’t connect. No DHCP, no wireless client found in Monitor->Client->Filter list by SSID_2 in WLC. If I try with my iPad, I always get “Can’t connect to wireless network”.
One thing I missed in my config is WLAN-VLAN mapping, because in my branches I don’t have VLAN in order to separate guest traffic from management traffic. I’ll plan to do it, but now I don’t have any VLAN deployed in remote branch.
I will configure it like this:
Note: SSID_2 is “invalid_wlan_web”
If I don’t have VLAN deployment in remote branch, do I still need to configure VLAN Support and WLAN-VLAN mapping?
Two other questions I face:
Once this scenario is deployed, I want to configure WPA-PSK in layer 2 security and, simultaneously in the same SSID, layer 3 webauth authentication. Is that possible? Mixing WPA-PSK with layer 3 webauth?
Is there any kind of traffic from WLC to External Webauth/RADIUS machine, other than UDP 1812/1813 RADIUS authentication traffic? I presume web access to external captive portal is made from wireless client, not by Cisco WLC. Is that correct?
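As an added check (example code, not from the original post or from Cisco): a small evaluator for a FlexConnect-style ordered permit/deny ACL, run against the flows a client needs before central web authentication completes. The portal and DNS addresses are constructed placeholders, and the check assumes the pre-auth ACL on the AP must explicitly permit DHCP, DNS and the external portal; an ACL that forgets DHCP would present as the "no DHCP address" symptom.

```python
"""Pre-auth reachability check for a FlexConnect central-web-auth WLAN.

Added example, not the poster's configuration. Models an ordered
permit/deny ACL with an implicit deny at the end (first match wins)
and reports which pre-authentication flows it blocks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    dst: str              # destination CIDR, or "any"
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    dst_ip: str
    dport: int


def _matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto not in ("any", flow.proto):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.dst != "any" and ipaddress.ip_address(flow.dst_ip) \
            not in ipaddress.ip_network(rule.dst):
        return False
    return True


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule; no match = implicit deny."""
    for rule in acl:
        if _matches(rule, flow):
            return rule.action
    return "deny"


PORTAL = "203.0.113.10"  # constructed: external web-auth/RADIUS host
PREAUTH_FLOWS = [        # what a client needs before it can authenticate
    Flow("dhcp", "udp", "255.255.255.255", 67),
    Flow("dns", "udp", "203.0.113.53", 53),   # constructed resolver
    Flow("portal-http", "tcp", PORTAL, 80),
    Flow("portal-https", "tcp", PORTAL, 443),
]


def blocked_preauth_flows(acl: List[Rule], flows=PREAUTH_FLOWS) -> List[str]:
    """Names of the required pre-auth flows the ACL does not permit."""
    return [f.name for f in flows if evaluate(acl, f) != "permit"]


# Constructed ACL that permits the portal and DNS but forgets DHCP.
ACL_MISSING_DHCP = [
    Rule("permit", "tcp", PORTAL + "/32", 80),
    Rule("permit", "tcp", PORTAL + "/32", 443),
    Rule("permit", "udp", "any", 53),
]
# Same ACL with the DHCP server/client ports permitted first.
ACL_OK = [Rule("permit", "udp", "any", 67),
          Rule("permit", "udp", "any", 68)] + ACL_MISSING_DHCP

if __name__ == "__main__":
    print("blocked (missing dhcp):", blocked_preauth_flows(ACL_MISSING_DHCP))
    print("blocked (ok):", blocked_preauth_flows(ACL_OK))
```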