Dynamic Channel Assignment Question

Similar Messages

• WLC5500 :: disable Dynamic Channel Assignment (DCA) for a group of APs

  Hi,
  Is it possible to disable DCA for a couple of APs and manually force the channels assignment ?
  Thks
  DV

  Yes it's possible.
  Go to Wireless >  All APs > Choose the protocol > Choose the WAP.  Change the channel and power settings.

• Switching Dynamic Channels after HSDIO settings have been committed

  Hello.  I'm trying to find a way to switch between two dynamic channels in a waveform after the HSDIO waveform is initated. 
  Would someone point me to an example or reference where I could learn how this is done?
  For example: 
  I have a PXI-6561 in a 1062Q chasssis.  I am assigning channels 0-3 as dynamic and using HSDIO write to populate the 4 channels from a waveform.  
  I need channels 0 and 1 to be un-disrupted and repeating (all channels are the same lenght).  Channel 2 is data sent to an IC and channel 3 is used for queing updated data.   I'd like to HSDIO write to channel 3 and then, when the write process has completed, I would like to swap channels 3 and 2 before the waveform begins another cycle.  
  I have tried this by re-calling the Assign Dynamic Channels node.  This did not work because Assign Dynamic Channels does not work after the waveform has been initiated.  
  A very similar question was addressed on this forum at the below link.  This did not work for me because the waveform is already commited when I want to make the switch. 
  http://forums.ni.com/t5/Digital-I-O/HSDIO-Dynamic-​Generation-of-Digital-Signals-on-Separate-Non/td-p​...
  Also, I'm open to suggestions about a better way to accomplish this.
  Thank You,
  Sean

  Hi Sean,
  I have been looking in to your question and I have not been able to find a way to do this without a brief stop to reload the waveform. 
  The way data is encoded for HSDIO makes switching channels after the data has been committed  not possible unfortunately. You could try to use scripting and trigger the waveform to swap the location of the data, but this would have to be done in Windows and the waveform must be reloaded into onboard memory. The script would be small so reloading that is not a huge time sink. The worst of it is having to reload the entire waveform, but this cannot be worked around.
  Recommendations to improve performance would be to have a large onboard memory and load as much as you can into it initially to prevent reloading several times. If the first pattern takes 1Mbit of data per channel on one channel, you can load around 60 patterns with the data on different channels, for instance. Then you can create the script to address each pattern by its waveform name.
  It is unfortunately the way we have to work with the board at this time. However, this actually would be a great application for an FPGA on one of our FlexRIO modules. You could use this in order to do this task specifically. 
  Please let me know if you have any questions!
  Stephanie S.
  Application Engineer
  National Instruments

• Dynamic VLAN Assignment + NPS

  Hello,
  I'm planning a deployment with the following:
  5508 WLC running 7.0.222.0
  NCS 1.0.2.29
  50+ 3502i AP's
  Windows 2008 R2 running NPS
  EAP-TLS for authentication
  The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
  I've read several documents that use ACS to complete the dynamic VLAN assignment (inclduing http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
  My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
  [64] Tunnel-Type
  [65] Tunnel-Medium-Type
  [81] Tunnel-Pvt-Group-ID
  Any advice would be greatly appreicated!
  Thanks

  Thanks Steve for your quick response.
  I did everything as per your recommendation and it still doesnt work.
  Do you mind providing me a remote assistance, do you have Skype?
  Or your prefer that I provide you a set of logs, tell me which one and I will do so.
  SSID:TT
  @IP WLC: 172.20.252.70
  NPS: 172.20.1.16
  config rule NPS: service-Type: NAS Prompt
                           Tunnel-Type: VLAN
                           Tunnel-pvt-group-ID:10
                           Tunnel-Meduim-Type:802
  log WLC:
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
  *radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 4, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
  source: 256, valid bits: 0x200
  qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
  vlanIfName: 'dy-data-ksb1', aclName: ''
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
  *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844:      [0000] 80 36

• Dynamic vlan assignment with 1242AG and IAS not working

                     I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
  IAS and AD is running on Windows Server 2003
  Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
  PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
  Tunnel-Medium-Type > 802
  Tunnel-Pvt-Group-ID > vlanid
  Tunnel-Type > VLAN
  On the AP:
  Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
  I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
  Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

  Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
  I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
  I see I don't have that line "aaa authorization network default group rad_eap",
  So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
  Thanks,
  Jason

• Cisco av-pairs SSID vs Dynamic Vlan Assignment

  Hello,
  Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
  If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
  Dynamic vlan assignment is an alternative way to control user acces to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it, since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
  So the question is if a working alternative to SSID av-pairs exists.
  Thanks.     

  To be honest, I have never heard of this SSID av-pair ever working in wireless:)
  You would need at least two ssids and the radius server would need to ability to send a CoA to dissassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.  
  You can still use aaa overuse to place devices on specific vlans and use the WLC to allow bonjour or  ACLs to filter what you don't want going out of the vlan.  WLC has bonjour capabilities and thus you can specify that on the interface and not on the WLAN.  If course their are limitations, but with newer requirements means that there is no one answer.  You might be able to meet certain requirements, but other you will have to sort of figure out.  
  -Scott

• Dynamic VLAN assignment and Layer 3 switching on 300 series

  I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
  So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
  I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
  I may well be confused and missing something regarding how this is typically used..

  Hello Glenn,
  Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
  The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
  Additionally, if you're router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
  The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

• Persistent Channel 13 Dynamic Channel Assigment (DCA)

  Dear WiFi Experts,
  Why is AP still choosing channel 13 when Dynamic Channel Assigment is enabled and channels 1,6,11 are the only channels selected/checked in the DCA list?
  Can't the AP choose only 1, 6, and 11 and nothing more?
  WLC country code is set to SA (Saudi Arabia).
  WLC code 7.0.98

  HI ,
  It chooes the best channel.
  Just info:
  Here is the list of channels (and frequencies) of the ISM (industrial, scientific and medical band) (2.4 GHz) used in the WiFi technology:
  Channel 1: 2.412 MHz        
  Channel 2: 2.417 MHz        
  Channel 3: 2.422 Mhz        
  Channel 4: 2.427 Mhz        
  Channel 5: 2.432 Mhz        
  Channel 6: 2.437 Mhz        
  Channel 7: 2.442 Mhz        
  Channel 8: 2.447 Mhz        
  Channel 9: 2.452 Mhz        
  Channel 10: 2.457 MHz        
  Channel 11: 2.462 MHz        
  Channel 12: 2.467 MHz        
  Channel 13: 2.472 MHz        
  Channel 14: 2.484 MHz
  If you want then you can manually change Channle per AP:
  Here is the process:
  1. Login WLC GUI
  2. Go to Wireless > Access Points > 802.11a/802.11b then on far right side of AP from drop dpwn menu click on configure.
  Under RF channel assignment you can change the channle manually.
  Regards
  Dont forget to rate helpful posts

• Dynamic value assignment to a particular column in a vertical ALV

  Hi Friends,
  In the present program ALV has 44 fields and output row is only one(with some field editable).
  My requirement is to change present output to vertical ALV and editable field should be available
  as editable.
  Now I have changed this to transposed ALV manually(not dynamically) with required fields editable.
  Now there is 44 rows and two column "FIELD and "VALUE'.Some values in the second column is editable.
  Previously output was like this:
  field1   field2  field3 ...
  val1     val2    val3   ...
  Now output is like:
  FIELD   VALUE
  field1  value1(type INT)
  field2  value2(type char5) Editable(need F4 help)
  field3  value3(type date)
  My present structure declaration is:
  types: begin of ty_itab,
          field type char 50,
          value type char70,
          celltab type lvc_t_styl,(for editing some values in VALUE column).
         end of ty_itab.
  data: itab type standard table of ty_itab.
  Now the second column i have declared as CHAR70 which contains only char
  values because to put all differt types of values to one single column named
  'VALUE'.
  But as field1 field2 field3... had differnt type of value like integer char date...I need to validate some values
  (specially those which are editable) before saving to custom DB table.
  So I need dynamic value assignment to VALUE column when preparing internal table for display.
  What I want to say is that VALUE column should be able to contain different type of values like INT, DATE, CHAR...etc
  Is the requirement is feasible?
  If yes then How should I declare the structure and populate different type of values within single column 'VALUE'.
  Also is it possible to have F4 helps in the second column (VALUE)???

  Hi Manab,
  I did something comparable: We have a very complex transaction with several subscreens with multiple fields to be filled with complex logic to create a very special contract. The requirement was to create a method to create a copy of this contract being able to apply some changes.
  I created a wizard (transaction SBPT_WIZARD_BUILDER - Wizard-Builder) to accomplish that. I grouped all the fields to just 3 logical groups and thius created 3 stesp where the user gets an ALV as you describe, but we have the rows like FIELD  with the new value editable. Additionally I have hidden fields with table name and field name so that I can determine the characteristics (datatype) at run time.
  The value fields are just strings (every ALV field is a text field on the surface).
  For editable fields, you have an event DATA_CHANGED. I used this method as a handler for the event:
  (I will leave out the wizard part here - maybe a good idea for a blog to explain that)
  METHOD handle_data_changed.
      CALL FUNCTION 'RS_CONV_EX_2_IN'
        EXPORTING
           input_external                     = <mod>-value
           table_field                        = ls_tabfield
  I also created handlers for F1 and F4
  Handler for CL_GUI_ALV_GRID->ONF1
  METHOD handle_f1.
      CALL FUNCTION 'HELP_OBJECT_SHOW_FOR_FIELD'
        EXPORTING
          called_for_tab   = lv_tabname
          called_for_field = lv_fieldname
        EXCEPTIONS
          object_not_found = 1
          sapscript_error  = 2
          OTHERS           = 3.
  Handler for CL_GUI_ALV_GRID->HANDLE_F4
  METHOD handle_f4.
    CALL FUNCTION 'F4IF_FIELD_VALUE_REQUEST'
      EXPORTING
        tabname    = lv_tabname
        fieldname  = lv_fieldname
      TABLES
        return_tab = lt_return_tab
      EXCEPTIONS
        OTHERS     = 5.
      er_event_data->m_event_handled = abap_true.
  * if er_event_data->m_event_handled is not set to abap_true, system will handle it.
  * In this context the message 'Keine Eingabehilfe verfügbar' will be displayed
  ENDMETHOD.
  This is just an excerpt from my project. It shows that you can do more in ALV as you knew.
  I tried to post a little more but the formatting break down, possibly a result of the character limit
  Regards,
  Clemens

• Dynamic Component Creation Question

  I have a process that looks up fields names from a database. I then loop through and create HtmlInputText components dynamically. The question I have is how do I create a value binding to these components? I have been trying to think of a way to create a separate class that can be applied to each field name I retrieve from the database. But I just can't think of a good solution for this. I assume people have had to do this before.
  Thanks

  Let it bind to a List<String> or Map<String, String>. To get/set elements in a List you can use the brace notation, e.g. #{list[0]} for the 1st element (list.get(0)). For map you can use the key name as propertyname, e.g. #{map.key} for the entry associated with key "key" (map.get("key")).

• Dynamic VLAN assignment on SG300

  Cisco documentation states that dynamic vlan assignment via RADIUS should provide the following IETF values:
  The RADIUS user attributes used for the VLAN ID assignment are:
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID
  I have done so with an Aruba Clearpass RADIUS server - but the Access-Accept message being sent below:
  Radius:IETF:Tunnel-Medium-Type     6
  Radius:IETF:Tunnel-Private-Group-Id     4
  Radius:IETF:Tunnel-Type     13
  is being received by the SG300 in some way that's not being interpreted correctly. Log files indicate that the IETF values are not what is expected:
  07-Aug-2014 18:58:41 :%SEC-W-SUPPLICANTUNAUTHORIZED: username teststudent with MAC 00:11:25:d8:42:83 was rejected on port gi2 because Radius accept message does not contain VLAN ID
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored - tag should be 0
  07-Aug-2014 18:58:41 :%AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored - tag should be 0
  Is there something I'm missing here? These same values sent by the Clearpass RADIUS server are working for other switches such as Extreme and Brocade.
  Thanks,
  Aaron

  Hi Aleksandra,
  Here are the values from a packet capture of the Access-Accept message:

• Dynamic vlan assignment does not work

  Hello,
  I have been trying to configure dynamic vlan assignment for the employee wlan. Trying to put the employee on vlan 20
  Here are the components used
  WLC: 2100 Software version: 7.0.240.0
  AP: 3502I    IOS version: 12.4  Mini IOS version: 7.0
  Radius server: tried mutiple radius servers (rsa radius , free radius)
  On the WLC:
  1. Created a AAA server.
  2. Along with management interface(vlan 10), configured dynamic interfaces (vlan 20, vlan 30)
  3. AP manager interface is on vlan 40
  4. Created WLAN assigned to management interface-- WPA2 (AES) , 802.1x
  5. on AAA servers tab - checked authentication servers and assigned the AAA server. authentication priority order is set to only radius
  Here, I have 2 options for radius overwrite.
  one on the AAA servers tab
  second on the Advanced tab
  I have selected both. or one at a time
  Ports between WLC and switch is a trunk
  On the AP:
  1. Local mode
  2. Port between AP and switch switchport access  - vlan 40
  On radius server:
  configured WLC's management interface as client
  and assigned the following attributes
  tunnel-type := vlan
  tunnel-medium-type = ieee-802
  tunnel-private-group-id = 20
  When i try to authenticate with an iphone it is successful. But it puts me on the same interface as management interface (vlan10). When i do the packet capture i do see the access-accept but i dont see the attributes.
  when i use a radius test utility against the radius server I do receive all the attributes.
  Im a newbie on this. Iam i missing something here? any help will be much appreciated.

  Kindly check the following link for reference.
  sample configuration link
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70intf.html
  Trouble shooting link
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• WLC- dynamic Vlan assignment with Radius

  Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
  I created one testing SSID and two Vlans on WLC. On ACS I use an IETF atributes (064,065,081) for my account and I am changing Vlan ID (081) during testing.
  It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
  Could you please help me?

  There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

• Flexconnect dynamic VLAN assignment doubt

  Hi, all,
  I am trying to understand how FlexConnect with dynamic VLAN assignment works. We have the need to dynamically put people in different VLANs based on their AD groups (all employees use the same SSID), I can understand that in traditional CAPWAP mode, AP just tunnels all traffic to WLC, WLC is the authenticator and it knows  what users' identities are and can encapsulate user traffic to different VLANs before send the traffic to the switch it connects. Here is the part I don't understand:
  1) If APs are operating in Flexconnect mode (APs are trunking to switches), how does each AP know what VLAN tag to put a specific user traffic on? AP is not authenticator, it knows nothing about associated client's AD identify. How does WLC convey the dynamical VLAN information to APs?
  2) I want to eliminate WLCs in remote offices by letting all remote office APs join HQ WLC with FlexConnect mode, I can keep the same VLAN mapping scheme in remote office switching environment, in some offices I want to do local authentication (Domain controller + Radius Server), looks like I can specify Radius server in FlexConnect group, in this case will APs become authenticator? Since Radius clients have to be explicitly configured on NPS/Radius server side, does this means I have to statically configure each AP's IP?
  3) I have over a dozen APs in HQ which are operating at FlexConnect mode, but the SSID's "local central authentication" checkbox is not checked, if I want to have local authentication in remote office,  seems that I have to turn on "local authentication" on this SSID, does that mean I have to add each and everyone of those HQ APs to Radius/NPS server client list?
  Thanks,

  Hi ,
  1) Aps knows about Vlans as we can define them inside the Flex connect groups. This is the same way we define flex connect ACLs which are pushed to the Flex APs and are returned by the Radius server later on.
  2) If you are going for Central authentication + local switching ....WLCs will always act like central authenticator and would talk to the radius server. If you have some radius servers at the local site and you want them to use without going through the central authentication..you can do that using (local authentication + local switching). Yes, In this case AP will be authenticator and would be AAA client to be added in the Radius server.
  3)yes ,,you are correct. If you want that your AP should do authentication and talk to the local radius server at the site , it has to be added in the Radius server.
  Regards
  Dhiresh
  **Please rate helpful posts**