Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

Hello Experts
We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
Questions:
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Thanks.

Hi
The LAN subnet is same for both Buildings connected via a dark fiber.
If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
Anyway if you want to do this & here is the answer for your specific queries.
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
HTH
Rasika
**** Pls rate all useful responses ****

Similar Messages

  • FlexConnect local/central switched and Access-Accept Packets

    For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
    •  Full network access, local switched.
    •  Limited network access, central switched:
    ◦       To isolate traffic from the branch’s LAN.
    ◦       To force traffic through a firewall at the central site.
    ▪       To ease access rules management.
    ◦       Internet access only by default.
    ▪       Internet access is located at the central site.
    ▪       We expect to manage some exceptions to the rule.
    We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
    However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
    Authentication Attributes Honored in Access-Accept Packets (Airespace)
    VAP ID
    This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
    Source:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
    We then made an assumption that the following was possible:
    •  Create a second SSID
    ◦       Broadcast not enabled
    ◦       Central Switched
    •  Users would authenticate using the first SSID
    •  In it’s access-accept packet, the RADIUS server would return an
    Airespace-WLAN-Id attribute with the value of the second SSID.
    •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
    So far, our tests showed no results.
    •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
    •  If not, what would you recommend?
    For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
    Thank you very much,

    Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
    Is the user part of this AD group and is this user on WLAN ID=1.
    You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
    My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if AP in Flexconnnect mode. So as long as your HQ APs are in Local mode then all those users traffic will be central switch for the given SSID. At branch those AP are in Flex mode, they will locally switched.
    Pls do not forget to rate our responses if that is useful to you
    HTH
    Rasika

  • FlexConnect VLAN Central Switching and guest WEB Auth

    Hi,
    I have a senario where all my AP's are flexconnect AP's, that is because og WVoIP.
    In most loacation I have a local intenet connection for guests, and beacuse of that the Guest SSID is locally sitched.
    I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest trafic.
    I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
    Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
    Hope some one can answer me.
    Thanks
    Aksel

    So create a new WLAN, the WLAN profile will be different that the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
    You now need to create AP Groups so you can specify site with local guest vlan's will use the original SSID and the sites with no guest local clan will use the new SSID you created.
    Here is a doc regarding AP Groups
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    Sent from Cisco Technical Support iPhone App

  • Prime 1.3 can't updates switches and wlc

    Hello.
    I have Prime 1.3, two WLC 5508 and 8 switches 2960s
    I try update my devices through Prime, but I can't.
    When I start "Upgrade Analysis" and select switche (Catalyst WS-C2960S-24PS-L) and image (c2960s-universalk9-mz.150-2.SE2.bin) then click to "Run report"
    Prime shows me that "Image not Applicable for this Device"
    I try different images, but it does not help.
    And with WLC 5508 the same trouble.
    Maybee anybody know why Prime can't do right analysis and updates devices?

    I am having this same issue with Prime 1.3.  I can't deploy software to my 2504 or 5508 controllers.  I get the "Image not Applicable for this Device" message and it tells me there is "No Flash" when I try to deploy to individual devices.  I can manually load the exact same file to those controllers via a TFTP server and they upgrade just fine.  Help from cisco would be great on this.

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    is it possible to tell a flexconnect ap if the client at a single ssid should get local switched or central switched and if central switched, which vlan it should use?
    All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
    To be more detailed:
    At the central location all APs are running in local-mode, radius assigns different vlans to the clients (different departments), lets say client a = vlan 100, client b = vlan 200 and this works fine. At the remote locations the APs are running in flexconnect-mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At this locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap so the default static configuration with vlan 10 is used), while client b should stay at vlan 200 and should be central switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
    •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Flexconnect Local Switching Hosts Do Not Receive IP Addresses

    Hello,
    My WLC software version is 7.4.110.0. I have a branch office in my lab. The AP in my branch is configured as flexconnect with native VLAN of 700. The SSID that I have in the branch office is configured to do local switching. The show wlan is added below.
    My tunneled SSID still working and I can still receive IP addresses from it. My issue is last week I have the Flexconnect working with no problem, then this morning I can connect to the SSID, but I'm not receiving IP addresses for my test wireless clients.
    Thanks
    [code]
    WLAN Identifier.................................. 2
    Profile Name..................................... ACS Guest
    Network Name (SSID).............................. RMTGuest
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    User Idle Timeout................................ 300 seconds
    --More-- or (q)uit
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... RK2WLC5508-01
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Disabled
    mDNS Profile Name................................ unconfigured
    DHCP Server...................................... 172.28.27.130
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Per-Client Rate Limits........................... Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    --More-- or (q)uit
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    --More-- or (q)uit
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
             PMF-1X(802.11w)......................... Disabled
             PMF-PSK(802.11w)........................ Disabled
          FT Reassociation Timeout................... 20
          FT Over-The-DS mode........................ Enabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
    --More-- or (q)uit
          CCKM TSF Tolerance......................... 1000
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Enabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    --More-- or (q)uit
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled
    [/code]

    is the VLAN still mapped on the AP, and allowed across the trunk?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Configuration of Cisco WLC 2504 with Local LAN static IP and DHCP

    I want to configure Cisco WLC 2504 with Local LAN static IP and WLC 2504 with DHCP so that APs can be connect with controller.
    Currently i am using WLC 2504 with DHCP so can anyone suggest how to do that..

    Hi Sandeep
    The info is correct, if we're using code below 7.3.101.0.
    This issue is fixed via the below bug id.
    CSCto01390 Unable to ping AP's directly connected to a 2500 controller
    check the fix that is updated on 7.4, 7.5 RNE.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn75.html
    Note
    Directly connected APs are supported only in Local mode.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    For quick and easy deployment Access Points can be connected directly to 2504 Wireless LAN Controller via two PoE (Power over Ethernet) ports
    Thanks
    Saravanan

  • Override centrally switched WLAN

    Hello.
    I need some advice on configuring a guest access for several remote sites on a 5508 WLC.
    I set up a guest WLAN which is centrally switched and authenticated. That works fine for the main location and most of the remote sites. My problem is now, that for some ( but not all ) remote sites, this WLAN has to be locally switched because of a different law situation. The access points in the remote sites are already configured as FlexConnect access points.
    Is there a way to override the central switching for some remote sites?
    Thanks in advance!
    Sven

    Sven,
    you can do this by configuring additional WLAN Profiles which contain the same SSIDs like your existing ones, but use local switching instead of central switching. You should use WLAN numbers > 16 so that the new profiles are not in the default group, then create a new ap group, configure your new profiles and add your APs.
    Let us know if you need a more detailed how-to.
    Regards
    Stefan

  • Iphones and WLC - WPA

    Hello All,
    Having a nightmare with iphones connecting to 2504 WLC.  I have WPA setup with PSK and laptops non apple connect ok.  My iphone is saying unable to join.  I roll back to No Security and iphone connects ok. 
    Seams to connect ok on native Vlan with WPA enabled but on tagged Vlans unable to join with Security.  Strange.
    Running 6.1.2 on iphone
    WLC
    Software Version
    7.4.100.0
    Field Recovery Image Version
    Any ideas?  I've turned off Aironet on the interface with tagged vlan but no change.
    Kindest Regards
    David

    Thanks for responding Scott
    Tried WEP and no joy either.    Just resetup WPA and not connecting see below settings
    Thanks
    Dave
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... Client
    Network Name (SSID).............................. Home
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    User Idle Timeout................................ 300 seconds
    --More-- or (q)uit
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... BKWWLC01
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ client
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Enabled
    mDNS Profile Name................................ default-mdns-profile
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    Burst Realtime Data Rate.........................   0             0
    Per-Client Rate Limits........................... Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    --More-- or (q)uit
    Burst Realtime Data Rate.........................   0             0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Disabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
          Interim Update............................. Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    --More-- or (q)uit
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
          WPA2 (RSN IE).............................. Disabled
          Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
             PMF-1X(802.11w)......................... Disabled
             PMF-PSK(802.11w)........................ Disabled
          FT Reassociation Timeout................... 20
          FT Over-The-DS mode........................ Disabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
    --More-- or (q)uit
          CCKM TSF Tolerance......................... 1000
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    --More-- or (q)uit
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled

  • Same wlan both locally switched and centrally switched

    Scenario:
    1 virtual wireless controller
    50 access points, some of them some local to the controller (same site), other on remote sites, all in flexconnect mode.
    Is there a way for a wlan to be locally switched for a group of ap's, essentialy those local to the controller, and centrally switched for other groups of ap's, in fact those placed on remote sites?
    I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "flexconnec local switching".
    I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same ssid of the first one.
    Regards,
    Massimo. 

    Since you have vWLC all AP needs to be in FlexConnect mode (If you got a normal WLC you can keep HQ AP in local mode & Remote AP in Flex mode to achieve this)
    I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
    Regards
    Rasika
    **** Pls rate all useful responses ****

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

    Hi All,
    I am currently using as 4402 with 6.0.196 image. The APs that i am using is the 1130.
    I have configure HREAP for Local switching, it works very well. I am even able to do 802.1x
    Authentication after registering with ACS. Currently I am usng only 1 SSID. That SSID is mapped
    to vlan 10 and my AP is on native Vlan 1.All the proper trunks and routing has been enabled.
    The issue i have is that when I am trying to create a central switched WLAN that fallbacks to local
    switching once the controller is down. The only diffrerence I made was to remove the "tick"/checkbox option
    for "local Switching" on the WLAN page.
    It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
    i tested by disconnecting the controller, The client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
    and also WPA-PEAP-MSChapv2. Both fails miserably.
    Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
    APs.Cant i do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For h-reap, if your doing centrally switch due to using EAP for authentication and the ap looses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the ap looses connectivity to the WLC since the h-reap ap will do the authentication.  Here is a link you probobly already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • Flexconnect - Local Switching and DHCP Server Location

    Hello Friends, It is again a conceptual question.
    In Flex-connect Local Switching mode if the Client has to be get the IP address using DHCP, the DHCP server has to be local to the remote site and not centralized location. Though i know, Local switching means that the client traffic is bridged to the local network directly by the AP on the locally connected switch and does not pass through the controller, what does it mean to DHCP server location.
    For example, If I have 2 different WLANs (VLAN 2 and VLAN 3) configured Local Switching and its corresponding VLAN SVIs are configured in the Local L3 Switch and if the DHCP server is centrally located with the scopes for VLAN 2 and VLAN 3, will it have troubles?
    I see in my infrastructure we are working in that way [Local switching with centralized server]
    Thanks in advance
    SAIRAM

    It would be good to have DHCP server at local site.

  • Confused: Central Switching/Local Switching

    Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP AP's. 
    So in our environment, we're running 7.5.102.0 code on all of our WLC's.  We have a central WLC in two of our regions(US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services; just as a site in italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have AP's that are in FlexConnect mode back to the central WLC's. 
    My question......I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local server can be accessed, over wireles, since we are in local switching mode?  Same question for authentciation;  Our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user, if the MPLS link is down?  Does it download some sort of cached directory for authentication? 
    Thanks for your help!

    Yes, in local switching mode, wireless client traffic locally switched at the branch (you have to defined their SVI on branch switch) and they can access any branch resources whiel WAN link is down. If internet servie is provided by your central office, then they won't get internet services while your WAN link is down.
    If you configured local authentication, yes WLC will pass credential (if WLC has user credential like WAP2-PSK or WEP) to AP where it can use for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy  of these services in order to Branch AP to use these in a situation controller is unavailable.
    Following design guide should help you to understand this
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
    Here is some of my notes related to different modes of operation of H-REAP/FlexConnect, that should help you as well
    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • FlexConnect Local Auth. Usernames not showing in WLC/NCS

    Hi,
    I am working on a new install where the customer is using local RADIUS servers at each of their many campuses
    (for local dynamic VLAN assignment), while using a single set of controllers at the core of their network.
    For the record, we have set up a pair of 5508s (v 7.2.103.0) in their central data center with 3602i APs around the various campuses. We are using FlexConnect groups to locally authenticate and switch the users.
    Right now, the config is working great as far as authentication and local switching goes. The problem we are experiencing is that none of the authenticated usernames are being passed back to the controller (and ultimately NCS). This makes the tracking and troubleshooting of users difficult. Is there something I am missing here? I can't seem to find any fixes relevant to this issue in the 7.2.110.0 release notes.
    Maybe I am going about this wrong. I am very open to alternative solutions.
    Thanks.

    After discussing this issue with local Cisco folks, TAC and colleagues, it seems that locally authenticated user names are not passed to the controller (or NCS). It's not a bug, it's just the way it is.
    If you want the AP to authenticate and locally switch users while communication to the controller is down (i.e. loss of WAN link), no usernames are sent to the controller for logging or troubleshooting... even when AP to WLC communication is working fine. It's a trade-off of information (usernames) for uptime.
    If any Cisco wireless development folks are browsing, consider this a 'feature' I would like to see. Thanks.

Maybe you are looking for

  • In-box shows downloaded mail but I can't see it or reply to it

    Looking at the inbox I can see 4 lines of the received message; when I try to reply or just read it, I can't. Nothing is displayed and the cursor does not show for typing a reply.

  • How to store custom data in standard tables?

    How can I to store data in standard tables without creating a Z table? I want to store the next rows: SRD 100 R3D 100 SRD 110 R3D 110 SRD 120 R3D 120 SRD 130 R3D 130 But I prefer to avoid to use a Z table because the maintenance in a upgrade system.

  • Account documents for movement types..?

    hi all Can anybody explain me , what are the movement type will generate the accounting documents and for which are  all the movement types acounting document is must. Thanka sap-mm

  • Envt Parameters for Report Shipping

    Dear Experts, can any body tell me the significance of the following envt paramters. also can you suggest me standard Parameter Value for each 1) SRE_DS_CHECK_VALID - i have set to CUSTOMER . My customer is from USA. I am suppose to set or what shoul

  • IMovie can't see my Aperture videos.

    I imported a bunch of Canon 5D Mark II videos into aperture, launched iMovie and clicked on the 'Aperture library' entry. It only sees a few iPhone videos from last year, nothing new. I am forced to 'import' moving into iMovie by copying or moving th