Chapter 7 FlexConnect

FlexConnect Groups

Because all of the FlexConnect APs at each branch site are part of a single FlexConnect Group, FlexConnect Groups ease the organization of each branch site.


FlexConnect Groups are not analogous to AP Groups.

The FlexConnect Group is primarily designed to solve the following challenges:

How can wireless clients perform 802.1X authentication and access Data Center services if the controller fails?

How can wireless clients perform 802.1X authentication if the WAN link between the Branch and Data Center fails?

Is there any impact on branch mobility during WAN failures?

Does the FlexConnect Solution provide no operational branch downtime?

You can configure the controller to allow a FlexConnect AP, in standalone mode, to perform full 802.1X authentication to a backup RADIUS server.


Backup RADIUS accounting is not supported.

In order to increase the resiliency of the branch, administrators can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers are used only when the FlexConnect AP is not connected to the controller.

Configuring FlexConnect Groups

Complete the following procedure to configure FlexConnect groups to support Local Authentication using Local Extensible Authentication Protocol (LEAP), when FlexConnect is either in connected or standalone mode.

Step 1  Click New under Wireless > FlexConnect Groups.

Step 2  Assign Group Name Store 1 (similar to the configuration in Figure 7-8).

Step 3  Click Apply when the Group Name is set.

Step 4  Click the newly created Group Name Store 1.

Step 5  Click Add AP.

Step 6  Check the Enable AP Local Authentication box in order to enable Local Authentication when the AP is in standalone mode.

Step 7  Check the Select APs from current controller box in order to enable the AP Name drop-down menu.

Step 8  Choose the AP from the drop-down that needs to be part of this FlexConnect Group.


Step 9  Click Add after the AP is chosen from the drop-down.

Step 10  Repeat steps 7 and 8 to add all of the APs to this FlexConnect group Store 1.


Maintaining 1:1 ratio between the AP-Group and FlexConnect group simplifies network management.

Step 11  Click the Local Authentication tab, then the Protocols tab, and check the Enable LEAP Authentication box.

Step 12  Click Apply after the check box is set.


If you have a backup controller, make sure the FlexConnect groups are identical and AP MAC address entries are included per FlexConnect group.

Step 13  Under Local Authentication, click Local Users.

Step 14  Set the Username, Password and Confirm Password fields, then click Add to create a user entry in the LEAP server residing on the AP.

Step 15  Repeat step 13 until your local username list is exhausted. You cannot configure or add more than 100 users.

Step 16  Click Apply after entering all local user information. The user count is verified.


Step 17  From the top pane, click WLANs.

Step 18  Click the WLAN ID number that was created during the AP Group creation. In this example, WLAN 17.

Step 19  Under WLAN > Edit for WLAN ID 17, click Advanced.

Step 20  Check the FlexConnect Local Auth box in order to enable Local Authentication in connected mode.



Local Authentication is supported only for FlexConnect with Local Switching. Always make sure to create the FlexConnect Group before enabling Local Authentication under the WLAN.

CLI Verification

Client authentication state and switching mode can quickly be verified using this CLI command on the


(Cisco Controller) >show client detail 00:24:d7:2b:7c:0c
Client MAC Address............................... 00:24:d7:2b:7c:0c
Client Username.................................. N/A
AP MAC Address................................... d0:57:4c:08:e6:70
Client State..................................... Associated
FlexConnect Data Switching............................ Local
FlexConnect Authentication............................ Local
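As an added example (not part of the design guide), the following Python parses the dotted "Field...... Value" records that show client detail prints and flags any client whose FlexConnect Authentication is Local while its Data Switching is not, since the guide states that Local Authentication is supported only with Local Switching. The sample text embeds the record shown above plus a second, constructed record (MAC 00:24:d7:2b:7c:0d, username bob) to exercise the check.

```python
import re

# Constructed sample: the record shown in the guide plus a second, invented
# client that is locally authenticated but centrally switched.
SAMPLE_OUTPUT = """\
(Cisco Controller) >show client detail 00:24:d7:2b:7c:0c
Client MAC Address............................... 00:24:d7:2b:7c:0c
Client Username.................................. N/A
AP MAC Address................................... d0:57:4c:08:e6:70
Client State..................................... Associated
FlexConnect Data Switching............................ Local
FlexConnect Authentication............................ Local
(Cisco Controller) >show client detail 00:24:d7:2b:7c:0d
Client MAC Address............................... 00:24:d7:2b:7c:0d
Client Username.................................. bob
AP MAC Address................................... d0:57:4c:08:e6:70
Client State..................................... Associated
FlexConnect Data Switching............................ Central
FlexConnect Authentication............................ Local
"""

# A field line is a name, a run of two or more dots, then the value.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z /]*?)\.{2,}\s*(?P<value>.*)$")


def parse_client_detail(text):
    """Split raw CLI text into one {field: value} dict per client record."""
    clients, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # prompt lines and blanks carry no field
        name, value = m.group("name").strip(), m.group("value").strip()
        if name == "Client MAC Address":  # first field of every record
            current = {}
            clients.append(current)
        if current is not None:
            current[name] = value
    return clients


def check_flexconnect(client):
    """Return findings for one client record; an empty list means as expected."""
    findings = []
    auth = client.get("FlexConnect Authentication")
    switching = client.get("FlexConnect Data Switching")
    if auth == "Local" and switching != "Local":
        findings.append("local authentication without local switching")
    if client.get("Client State") != "Associated":
        findings.append("client not associated")
    return findings


def audit(text):
    """Map each client MAC in the CLI output to its list of findings."""
    return {c["Client MAC Address"]: check_flexconnect(c) for c in parse_client_detail(text)}
```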

Local Authentication

Figure 7-9 illustrates clients continuing to perform 802.1X authentication even after the FlexConnect Branch APs lose connectivity with the controller. As long as the RADIUS/ACS server is reachable from the Branch site, wireless clients will continue to authenticate and access wireless services.



In other words, if the RADIUS/ACS is located inside the Branch, then clients will authenticate and access wireless services even during a WAN outage.

Figure 7-9 Local Authentication—AP Authenticator


This feature can be used in conjunction with the FlexConnect backup RADIUS server feature. If a FlexConnect Group is configured with both backup RADIUS server and local authentication, the FlexConnect AP always attempts to authenticate clients using the primary backup RADIUS server first, followed by the secondary backup RADIUS server (if the primary is not reachable), and finally, the Local EAP Server on the FlexConnect AP itself (if the primary and secondary are not reachable).

Local EAP

You can configure the controller to allow a FlexConnect AP in standalone or connected mode to perform LEAP or EAP-FAST authentication for up to 100 statically configured users. The controller sends the static list of user names and passwords to each FlexConnect AP of that particular FlexConnect Group when it joins the controller. Each AP in the group authenticates its own associated clients.

This feature is ideal for customers who are migrating from a standalone AP network to a lightweight FlexConnect AP network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the standalone AP.

CCKM/OKC Fast Roaming

FlexConnect Groups are required for Cisco's Centralized Key Management (CCKM) and Opportunistic Key Caching (OKC) fast roaming to work with FlexConnect APs. Fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different AP.

This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one AP to another. The FlexConnect APs need to obtain the CCKM/OKC cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller.

