Cisco Support Community

WLC N+1 HA Behaviour for Roaming and Re-authentication with FlexConnect

I am going to setup N+1 HA between a 7510 Flex WLC and 5508 WLC (HA-SKU). Currently the APs are in FlexConnect mode with all SSIDs locally switching.

Some SSIDs are PSK which I understand will be fine during failover and clients will not lose connectivity, and new clients can still connect while the AP associates to the backup controller.

The other SSIDs are 802.1X with central RADIUS authentication. Upon failover I understand these clients continue to work, but no new authentications can occur. Will existing clients need to reassociate or reauthenticate to the backup controller once joined? And once they do, will there be any connectivity loss from their perspective? From what I see, they remain authenticated until session expiry, when they must reauthenticate, and shouldn't lose connectivity, like a normal reauthentication (if the AP can now reach the central auth server).

Also, I am not sure how to go about roaming; do I just make sure the primary and backup WLCs are in the same mobility group?




Yeap, since you deployed it via FlexConnect, there should be no issue with client connectivity with regard to standard PSK-type access. Though it could take a minute or so for the APs to fail over to the secondary WLC, i.e. for them to become manageable. PS: Don't forget to configure the APs' "HA" tab setting :) :) :)

For your concerns, below are the answers:

1. Upon failover, do my users need to re-authenticate?
-Depends: where did you configure RADIUS authentication? If you configured it via the WLANs page, then expect that your users will need to re-authenticate. But if you configured it on the AP itself, your users should not be required to re-authenticate. In technical terms, that's Central Authentication and Local Authentication respectively.

-The second option (Local Authentication) is quite some work though, since you need to add/allow each AP to communicate with your RADIUS server, and add to that the additional config on the WLC and APs. This can be a hassle on the admin side.

2. Assuming you are using a centralized authentication setup: the users may re-authenticate, but if your setup is transparent to the user, they do not need to do anything in case of failover. They will just feel a slight downtime while their device is currently re-authenticating.
-EX1: Let's assume the following SSID, assuming SSID-X is broadcasting WPA2-EAP auth with its user database in your RADIUS server. The EAP profile/config has already been set up, and you as the admin let them hard-code their username/password during your configuration with them. In case of failover, the user will not need to do anything. This example is TRANSPARENT to the user.

-EX2: Let's assume the same SSID; HOWEVER, you as the admin set the wireless profile in their computers so that the users need to enter their username and password every time. Well, this is the non-transparent method, and in case of failover your users will need to authenticate.

1. As for me, what I'd recommend with your current setup is to just accept the re-authentication process for your RADIUS users. If you still want no downtime, then I'd propose purchasing a fully licensed 5508 and running AP-SSO with your existing one XD

2. I'd advise you to split the load, for example 50 APs on WLC1 and 50 APs on WLC2. However, since your 5508 is an HA-SKU, it looks like we cannot do this.

-FlexConnect Design Guide

-I would highly recommend that you read this one! :D

Hope this helps!
Don't forget to rate if you found this helpful :)
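The pieces the reply refers to (same mobility group on both controllers, the per-AP "HA" tab, i.e. primary/secondary controller, fallback to the primary, and the more admin-heavy FlexConnect local-authentication option) as an added WLC CLI example. This is not from the thread or from Cisco documentation; the controller names, IP and MAC addresses, AP name, WLAN ID, FlexConnect group name and RADIUS server are made up for illustration, lines starting with `!` are annotations rather than commands, and the `config flexconnect group ... radius server add` syntax in particular should be checked against the command reference for your WLC release.

```text
! Assumed for this example: WLC-7510 at 10.0.0.10 (MAC 66:77:88:99:aa:bb) is the primary,
! WLC-5508 HA-SKU at 10.0.0.20 (MAC 00:11:22:33:44:55) is the backup, AP is AP-Floor1-01.

! --- Roaming: both controllers in the same mobility group (run the member add on each WLC,
! --- pointing at the other one). Form: config mobility group member add <ip> <mac> [group]
config mobility group domain CAMPUS
config mobility group member add 10.0.0.20 00:11:22:33:44:55 CAMPUS    ! on the 7510
config mobility group member add 10.0.0.10 66:77:88:99:aa:bb CAMPUS    ! on the 5508
show mobility summary                                                   ! expect both as "Up"

! --- Per AP: the "HA" tab settings (primary/secondary controller), so the AP knows
! --- where to join when the 7510 disappears instead of relying on discovery alone.
config ap primary-base WLC-7510 AP-Floor1-01 10.0.0.10
config ap secondary-base WLC-5508 AP-Floor1-01 10.0.0.20
show ap config general AP-Floor1-01                                     ! verify Primary/Secondary Cisco Switch

! --- Let APs return to the primary once it comes back.
config network ap-fallback enable

! --- Optional: FlexConnect local authentication on WLAN 2 (802.1X terminated at the AP),
! --- the option described above that needs each AP allowed as a RADIUS client.
config wlan disable 2
config wlan flexconnect local-switching enable 2
config wlan flexconnect ap-auth enable 2
config wlan enable 2

! RADIUS server the APs in group FLOOR1 talk to directly (assumed server 10.0.0.50);
! each AP's IP must also be added as a NAS/client on that RADIUS server.
config flexconnect group FLOOR1 add
config flexconnect group FLOOR1 radius server add primary 10.0.0.50 1812 <shared-secret>
config flexconnect group FLOOR1 ap add <ap-mac-address>
```

After applying this on both controllers, the check that matters is `show ap config general <ap>` for the configured primary and secondary, and `show mobility summary` showing the peer as up; without the mobility peering, a client that roams between an AP still on the 7510 and one that has already joined the 5508 is treated as a new client rather than a roamed one.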
