Cisco Support Community
Community Member

PEAP caching

Hi,

We would like to deploy the LAP at a remote site with IAS RADIUS authentication from the main office, but we are facing the problem that if the connection to the main office fails, authentication will fail. Is there a way to cache the credentials for an authenticated account?

The following is the connection of the WLAN:

IAS --- Router (main office) --- WAN --- Router (remote site) --- WLC --- AP1131

Appreciate your comments and suggestions.

9 REPLIES
Community Member

Re: PEAP caching

You may want to speak to Infoblox

I believe they were working on something that can help you

Mark

Hall of Fame Super Gold

Re: PEAP caching

Move your WLC to your main office and configure H-REAP.

H-Reap Design and Deployment Guide

http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml

H-REAP Modes of Operation Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

Hybrid Remote Edge Access Point (H-REAP) Basic Troubleshooting

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml

Re: PEAP caching

First of all:

Do you have redundant authentication servers? So, is there one at the headquarters and one at the remote site?

Community Member

Re: PEAP caching

No, we only have a RADIUS server at HQ. It seems like HREAP is the only solution which can keep established WLAN connections alive even if the MPLS/WAN connection to HQ goes down.

Appreciate everyone's comments.

Re: PEAP caching

Sorry, I don't get it :-)

If your WAN connection is going down, the authentication server won't be available. It doesn't matter if you are using HREAP or not. The HREAP AP would have to contact the central authentication server as well.

Sorry for bugging you - perhaps someone could enlighten me and solve the mystery of what HREAP could do here.

Community Member

Re: PEAP caching

You are right. When the WAN connection is down, no wireless client can be authenticated by the RADIUS server, but the existing authenticated wireless clients can still access local network resources when using HREAP with central authentication and local switching (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml). So far this is the only workaround I have found.

Re: PEAP caching

You just have to make sure that you won't use a session-timeout. This is very common in 802.1x installations. The client has to re-authenticate every "xx" minutes.

Hall of Fame Super Gold

Re: PEAP caching

Thanks for the rating.

One of the benefits (and I'm sure there are a lot) of H-REAP is that you don't need to deploy your WLCs off site. And when your sole WLC goes down for maintenance or faults, as long as your LAP doesn't reboot, you still have wireless service.
