Central Authentication / Local Switching for Mesh?

Hi all,
I'm afraid I know the answer but maybe I'm just missing something. Anyway, here's the situation: I have a multi-site installation with a centralized WLC (currently 2504). Each wireless VLAN at each site uses the same ID but has a local network (e.g. site 2 is 192.168.2.0/24, site 3 is 192.168.3.0/24 but both are VLAN 100).
When I configure APs for H-REAP/FlexConnect, there's no problem. Users are authenticated via a centralized RADIUS server (Cisco SecureACS 5.x) and I have local switching enabled so clients pick up an address from a localized DHCP server (ASA firewall in most cases).
However, the impetus for installing the WLC requires a mesh network, consisting of 2 RAPs and 2 MAPs. My catch 22 is now this: if a RAP is in FlexConnect mode, the MAP won't associate, but if the RAP is in RAP mode, the MAP associates, but clients don't appear to get IP addresses (on an iPhone for example, the wheel just keeps spinning until it gives up).
It's my understanding that since the APs are no longer in FlexConnect mode, all the wireless traffic is now being tunneled back through the centralized WLC which associates the VLANs with networks that don't exist on site.
Is my understanding correct? If so, is there any way I can go about achieving what I want to do, which is get the FlexConnect effect but still have Mesh capabilities? Right now it seems the obvious (albeit very expensive) answer is to decentralize the WLC and have an HA WLC configured on a per-site basis.
Any input/advice greatly appreciated. Thank you.

I second your thought about mesh and as for what to do - I don't think you can do anything. Perhaps a cheap way to solve this problem can be installing a local 2504 at sites that require mesh links. This will allow you to terminate all VLAN/SSID mappings locally. Sorry :-(

Similar Messages

  • High CAPWAP traffic when locally switched

    Hello all,
    We're seeing an ongoing issue where several APs across multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociate from the controller and reassociate almost immediately.  The issue is that the users get disassociated from the AP and call the helpdesk.
    A countermeasure at one site was to add the CAPWAP traffic (UDP ports 5246 & 5247) to the controller in our QoS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
    We're using FlexConnect with central authentication, local switching.
    A couple of questions:
    1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
    2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
    Below are some config and outputs:
    AP-1242#show capwap reap status
    AP Mode:         REAP, Connected
    Radar detected on:
    AP-1242#show capwap reap association
    REAP Data Switching: Local
    2960#show int fa0/22
      Hardware is Fast Ethernet
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      Last input 00:00:22, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 23000 bits/sec, 13 packets/sec
      5 minute output rate 208000 bits/sec, 48 packets/sec
         37478173 packets input, 13839718021 bytes, 0 no buffer
         Received 2818773 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 502342 multicast, 0 pause input
         0 input packets with dribble condition detected
         118634332 packets output, 36491262361 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    2811#show policy-map interface multilink 1
    Service-policy output: MPLS-QOS
        queue stats for all priority classes:
           queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 300637/46124112
        Class-map: PLATINUM (match-any)
          300637 packets, 46124112 bytes
          30 second offered rate 28000 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            300637 packets, 46124112 bytes
            30 second rate 28000 bps
          Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
    Any help is appreciated.

    Hi Jeff,
    I think you are hitting a bug (CSCse92856) specific to the 1242 AP. The solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
    Even I cannot view the details of this bug because of insufficient access permission. Therefore I do not know more details about this bug fix, which software versions are affected, etc. Better you contact Cisco TAC & get more information.
    I found this information here
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
    One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
    *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
    Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
    This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
    This problem occurs when these conditions are met:
    HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
    The APs have to be on a different IP subnet than the AP Manager of the WLCs.
    Proxy ARP is disabled on the default gateway for the AP.
    The H-REAP AP gets the default gateway from a DHCP server.
    In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Same wlan both locally switched and centrally switched

    Scenario:
    1 virtual wireless controller
    50 access points, some of them local to the controller (same site), others on remote sites, all in FlexConnect mode.
    Is there a way for a WLAN to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
    I've tried configuring FlexConnect groups and AP groups, but no luck; I've found no way to override the globally configured flag "FlexConnect local switching".
    I've also tried to create two identical WLANs, one locally switched and the second centrally switched, but the WLC refuses to activate the second one since it has the same SSID as the first one.
    Regards,
    Massimo. 

    Since you have a vWLC, all APs need to be in FlexConnect mode (if you had a normal WLC you could keep HQ APs in local mode & remote APs in Flex mode to achieve this).
    I think in your case you have to choose either "Central Switching" or "Local Switching" for your APs.
    Regards
    Rasika
    **** Pls rate all useful responses ****

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
    My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in Local mode, all those users' traffic will be centrally switched for the given SSID. At the branches, those APs are in Flex mode, so they will be locally switched.
    Pls do not forget to rate our responses if that is useful to you
    HTH
    Rasika

  • Centralized Auth. / Local Switching - Common SSID

    Hi All,
    I'm looking at a design where I would have a few remote sites and a centralized WLC.  My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switch, so as not to tunnel all the traffic across the WAN back to the central site.
    I know the feature I'm looking for is H-REAP with Centralized Authentication and Local switching...but I'm unsure of the second part...which is to have a common SSID across the remote sites.  How do I accomplish the second part?  I heard mention of using AP Groups in another post.  Just looking for more direction.

    You're all correct except on the last part.
    What you want to do is configure your SSID in the advanced options to enable HREAP Local Switching.
    Then, only the APs at the remote site do you move to HREAP mode, one by one.
    From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
    I hope this clarifies?
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesn't fall back to local switching.

    Hi All,
    I am currently using a 4402 with the 6.0.196 image. The APs that I am using are the 1130.
    I have configured HREAP for local switching, and it works very well. I am even able to do 802.1x authentication after registering with ACS. Currently I am using only 1 SSID. That SSID is mapped to VLAN 10 and my AP is on native VLAN 1. All the proper trunks and routing have been enabled.
    The issue I have is when I try to create a centrally switched WLAN that falls back to local switching once the controller is down. The only difference I made was to remove the "tick"/checkbox option for "Local Switching" on the WLAN page.
    It is able to work if the controller is up; I am even able to get an IP on the network where the controller resides. However, when I tested by disconnecting the controller, the client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK and also WPA-PEAP-MSChapv2. Both fail miserably.
    Does this mean that I need to create 2 WLANs? One for local switching and the other for central switching on the HREAP mode APs. Can't I do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For H-REAP, if you're doing central switching because you use EAP for authentication and the AP loses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-PSK local switching should work even if the AP loses connectivity to the WLC, since the H-REAP AP will do the authentication.  Here is a link you have probably already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • Confused: Central Switching/Local Switching

    Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP APs.
    So in our environment, we're running 7.5.102.0 code on all of our WLCs.  We have a central WLC in two of our regions (US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services, just as a site in Italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have APs that are in FlexConnect mode back to the central WLCs.
    My question... I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local servers can be accessed, over wireless, since we are in local switching mode?  Same question for authentication: our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user if the MPLS link is down?  Does it download some sort of cached directory for authentication?
    Thanks for your help!

    Yes, in local switching mode, wireless client traffic is locally switched at the branch (you have to define their SVIs on the branch switch) and they can access any branch resources while the WAN link is down. If internet service is provided by your central office, then they won't get internet service while your WAN link is down.
    If you configured local authentication, yes, the WLC will pass credentials (if the WLC has the user credentials, like WPA2-PSK or WEP) to the AP, where it can use them for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy of these services in order for the branch AP to use them in a situation where the controller is unavailable.
    The following design guide should help you understand this
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
    Here are some of my notes related to the different modes of operation of H-REAP/FlexConnect, which should help you as well
    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Locally Switched / Centrally Switched on Flex Connect AP

    Hi All,
    Scenario (is this possible)
    I have HQ Site (Site A) -with the WLC
    I have a remote site (Site B) with one AP.
    Site A has Internet Breakout. Site B doesn't
    Is it possible with this one AP to have Multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
    E.g. I want to have an SSID for the data VLAN at Site B. Any laptop connecting to this is dropped onto the Data VLAN.
    I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use Internet Breakout there.
    Is this possible?
    Thanks

    On the advanced tab of the WLAN you can enable that SSID for FC Local Switching.  The AP then needs to be in Flexconnect mode.  You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs.  There will be 2 lists of SSIDs, locally switched and centrally switched.  Obviously you don't define VLANs for the centrally switched WLANs.
    Whatever you define on the AP will overwrite the interface on the WLC.
    AP Groups and FC Groups are not needed.

  • Cisco ISE Local Web Authentication via Switch

    Hello,
    I have Cisco ISE 1.2 and I need local web authentication for clients.
    I want to send the web authentication link via the switch.
    I did some research on it but I only found ACS documents:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/WebAuth/WebAuth_Dep_Guide.html#wp393321
    and ISE central web authentication documents for it.
    Is there local web auth in ISE via the switch?
    Thanks,
    Alparslan

    Hello Alparslan,
    Please check the following link,
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/113362-config-web-auth-ise-00.html

  • FlexConnect Central Switching for GuestWLAN

    Hi All,
    I plan on setting up a new WLAN network.
    5 office locations, a single WLC in the primary DC at the moment. Each of the 5 office locations is routed over an L3 link.
    If I have a guest WLAN (VLAN 30) that is available at each site and want to centrally switch it, do I set the WLC DHCP server on the WLC 'vlan30 interface' to that of the 'management' interface if I have the DHCP set up locally on the WLC? I assume that because this guest network is centrally switched, the actual assigned IP of the guest network does not matter if it is not in the same supernet as the remote site?
    For regular business WLANs (data/voice) that are set for local switching, are there any DHCP settings that need to be set up on the WLC, or does the client automatically get an IP based on the local subnet (using the ip-helper on that L3 interface?), assuming the AP is set up as a trunk at the remote site (with the native VLAN set as the management VLAN)?

    do I set the WLC DHCP server on the WLC 'vlan30 interface' to that of the 'management' interface if I have the DHCP set up locally on the WLC?
    Yes, if you use the WLC as your DHCP server for guest users, you have to use the WLC management IP as the DHCP server address on VLAN 30 (assuming it is for guest).
    For regular business WLANs (data/voice) that are set for local switching, are there any DHCP settings that need to be set up on the WLC, or does the client automatically get an IP based on the local subnet (using the ip-helper on that L3 interface?), assuming the AP is set up as a trunk at the remote site (with the native VLAN set as the management VLAN)?
    As long as you do FlexConnect local switching with the required VLAN mapping in each WLAN, you do not require a DHCP server setting on the WLC interface that the WLAN is assigned to. All traffic is locally switched & uses the helper address configured under the SVI of that locally switched VLAN.
    Refer to this configuration guide for more details
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001000.html
    HTH
    Rasika
    **** Pls rate all useful responses ****
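    As an added example (not taken from the thread or from Cisco's documentation), this is the branch-switch side of the local switching setup described in the reply above: a trunk to the AP with the AP management VLAN as native, and an SVI for the locally switched WLAN carrying the ip helper-address that relays the clients' DHCP. The VLAN numbers, addresses, DHCP server address and interface name are assumptions; the centrally switched guest VLAN gets no SVI or helper at the branch, because its DHCP is handled at the WLC end of the CAPWAP tunnel, as the reply says.

```ios
! Added example: branch access switch (Cisco IOS) serving a FlexConnect AP that locally switches one WLAN.
! Assumptions (not from the thread): VLAN 10 = AP management (native on the AP trunk),
! VLAN 20 = locally switched data WLAN, 10.0.0.50 = DHCP server reachable over the WAN/LAN,
! GigabitEthernet1/0/5 = the AP port. Guest (VLAN 30) is centrally switched and needs nothing here.
vlan 10
 name AP-MGMT
vlan 20
 name DATA-LOCAL
!
! AP port: trunk, native VLAN = AP management VLAN (untagged CAPWAP to the WLC),
! and only the VLANs this AP actually maps, so a mis-mapped WLAN cannot reach other segments.
interface GigabitEthernet1/0/5
 description FlexConnect AP - local switching
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
!
! AP management SVI (or the AP can take this from a router upstream)
interface Vlan10
 description AP management
 ip address 192.168.10.1 255.255.255.0
!
! Gateway for the locally switched WLAN; the helper relays clients' DHCP broadcasts
! to the DHCP server. Without this SVI and helper the clients never get an address,
! which is the symptom described in the first post of this thread.
interface Vlan20
 description Data WLAN - locally switched at branch
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.50
```

    The matching WLC-side settings are the ones the thread already names: "FlexConnect Local Switching" enabled on the WLAN's Advanced tab, the AP in FlexConnect mode, and the WLAN-to-VLAN mapping (here WLAN to VLAN 20, native VLAN 10) on the AP's FlexConnect tab. To verify, `show interfaces trunk` on the switch should list VLAN 10 as native and 10,20 as allowed on the AP port, and `show capwap reap association` on the AP (as in the first "Similar Messages" post) should report "REAP Data Switching: Local".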

  • TACACS login 1st attempt fails and prompts for local switch password

    Hi,
    The switch prompts us for the local switch password after we key in a wrong username and password when prompted by the switch. We are wondering whether this behaviour is correct or normal?
    This is because any hacker can just try the first login, which is prompted by TACACS, and then they can try hacking into the switch using the switch local password.
    Is there any workaround so that each attempt prompts for the TACACS login? Only when the TACACS server is down should it prompt for the switch local login?

    Hi Farrukh,
    Here is the tacacs-server setting:
    tacacs-server host 10.130.209.23
    tacacs-server host 10.130.209.24
    tacacs-server directed-request
    tacacs-server key xxx
    The result is the same even after I removed those two commands.
    I have attached the debug result obtained from the switch without those two commands.
    And below is the scenario of the login when the debug is turned on:
    Username: ivan
    Password:
    Password:
    % Authentication failed
    User Access Verification
    Username: TanCH
    Password:
    Password:
    % Authentication failed
    User Access Verification
    Username: siah
    Password:
    Password:
    % Authentication failed
    =---------------------------------------------------------------=
    All Access to this system will be LOGGED.
    All UNAUTHORISED access is PROHIBITED and will be dealt with seriously.
    =---------------------------------------------------------------=
    User Access Verification
    Username: ivancheng
    Password:
    SWB1111>exit
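    The behaviour the post asks about, a local password prompt after the TACACS+ login is refused, is what a defender wants to avoid: the local account should only come into play when no TACACS+ server can be reached. The Cisco IOS AAA configuration below is an added example, not taken from the post; the two server addresses are the ones shown above, while the shared key, the local username, the secrets and the VTY range are placeholders or assumptions. With the login method list `group tacacs+ local`, IOS treats a reject (FAIL) from a TACACS+ server as final and consults the local user database only when every server in the group fails to respond (ERROR).

```ios
! Added example (Cisco IOS), not from the post: TACACS+ first, local database only as an outage fallback.
! Server addresses are from the post; <...> values are placeholders to be replaced.
aaa new-model
!
tacacs-server host 10.130.209.23
tacacs-server host 10.130.209.24
tacacs-server key <tacacs-shared-key>
!
! Method list order matters: "local" is consulted only when the whole tacacs+ group returns ERROR
! (no server answered), never when a server answers with FAIL (wrong username/password).
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! Break-glass local account used only during a TACACS+ outage; "secret" stores a hash, "password" does not.
username <breakglass-user> privilege 15 secret <strong-local-secret>
enable secret <strong-enable-secret>
!
! Throttle password guessing at the login prompt and send every attempt to syslog.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
line vty 0 4
 login authentication default
 transport input ssh
```

    If the switch still falls through to a local prompt with this method list, `debug aaa authentication` and `debug tacacs` show whether the servers are answering FAIL or whether the group is returning ERROR; a timeout or a shared-key mismatch is reported as an error, not a reject, and so legitimately triggers the fallback. The `login block-for` quiet period and the failure logging do not change which method is used, but they make the guessing the post worries about slow and visible in the syslog.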

  • Locally switched Guest WLAN with Web Authentication

    I have a remote location that has its own internet pipe.  I have set up a new guest SSID, set it to switch locally and changed the AP mode to FlexConnect. When I connect to the new SSID, I get an IP address from the local LAN, but the web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interface of 1.1.1.1? Is there a way to tunnel just the web authentication portion of the traffic and locally switch everything else?

    You are close in your understanding.
    If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Setting Locally Switched VLAN Id for HREAP'd ap's?

    I am using HREAP on a number of APs to fulfil a need of my end-users to have wireless devices connect to a locally hosted resource on a site's network.  Getting the APs to operate correctly has not been an issue (for the most part), and getting the "Locally Switched VLANs" functional was not a problem.  However, when I routinely go back through my APs to check on them or to troubleshoot an unrelated issue, I have noticed that some of the APs have retained the Locally Switched VLAN mapping (i.e.: WLAN Id=5, Profile Name = test ssid, VLAN Id = 123) and some of them resolve the VLAN Id to 1 (for example).
    Is there anyone who may have experienced this and can offer or point me towards a resolution?
    I am also curious if I can configure the locally switched VLANs directly on my WiSMs instead of on each individual HREAP'd AP?
    BTW: I have a wireless environment of 1242, 1252, and 1142 APs with WiSMs on a 65xx w/ Sup720.
    Thanks for the help.

    I saw similar behavior at a client site running 6.0.181.0 & 6.0.196.0 code. What I found the issue to be was that when you set the native VLAN and hit apply, the AP took a minute to initiate a reboot (or so it appeared), and when I set the VLAN mappings they weren't actually being applied.
    I found that if I set the AP to H-REAP and applied that, then waited about 3-4 minutes, then enabled VLAN Support and set the Native VLAN, applied that, waited 3-4 minutes, then set my VLAN Mappings, the issue went away.
    Not sure if that's the same issue you're running into, but it's worth a shot.. I tried tons of things before discovering that pattern.. Incidentally, it didn't seem to behave that way in 4.0 code nor does it seem to behave that way in 7.0 code.
    Hope this helps...
    Please rate useful posts.
    Thanks,
    Kayle

  • L2vpn interworking options for Local Switching

    Hi All
    There's not much offered by Cisco for interworking local attachment circuits for AToM L2VPN. I've looked it up, but I'm specifically wondering about FR-Ethernet/VLAN or PPP-Ethernet/VLAN; I couldn't find any references for those. Are these possible locally on the same router? What are the supported platforms?
    Thank you
    -Glen

    Hello Glen,
    here's some documentation about local switching:
    http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/28sblcl.html
    http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html
    Hope that helps.
    Antonio

  • I've just downloaded the add-on - Quick Locale Switcher but don't know how to access it because there doesn't appear to be a button for it on the Firefox toolbar?

    I've just downloaded the add-on - Quick Locale Switcher but don't know how to access it because there doesn't appear to be a button for it on the Firefox toolbar?

    With any extension, look at the add-on page for that item in Mozilla Add-ons: https://addons.mozilla.org/en-US/firefox/
    Answers can usually be found there: https://addons.mozilla.org/en-US/firefox/addon/1333/
    Also the developer's home page for the extension (the link is on the above page): http://www.captaincaveman.nl/firefox-extensions-quick-locale-switcher.aspx
    Also see if there is a forum on the developer's home page (there is for this one): http://forum.captaincaveman.nl/default.aspx?g=topics&f=12
