
CAPWAP APs States Authentication - Switching

4/15/2018 Cisco Wireless LAN Controller Configuration Guide, Release 7.2 - Chapter 15 - Configuring FlexConnect [Cisco Wireless LAN Contr…

FlexConnect Authentication Process


When an access point boots up, it looks for a controller. If it finds one, it joins the controller, downloads the latest
software image and configuration from the controller, and initializes the radio. It saves the downloaded
configuration in nonvolatile memory for use in standalone mode.

Note Once the access point is rebooted after downloading the latest controller software, it must be converted to
the FlexConnect mode. This can be done using the GUI or CLI.

A FlexConnect access point can learn the controller IP address in one of these ways:

• If the access point has been assigned an IP address from a DHCP server, it can discover a controller through the regular CAPWAP or LWAPP discovery process.

Note OTAP is no longer supported on the controllers with 6.0.196 code and above.

• If the access point has been assigned a static IP address, it can discover a controller through any of the discovery process methods except DHCP option 43. If the access point cannot discover a controller through Layer 3 broadcast, we recommend DNS resolution. With DNS, any access point with a static IP address that knows of a DNS server can find at least one controller.

• If you want the access point to discover a controller from a remote network where CAPWAP or LWAPP discovery mechanisms are not available, you can use priming. This method enables you to specify (through the access point CLI) the controller to which the access point is to connect.

Note For more information about how access points find controllers, see “Controlling Lightweight Access
Points,” or the controller deployment guide
at: http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html

When a FlexConnect access point can reach the controller (referred to as the connected mode), the controller
assists in client authentication. When a FlexConnect access point cannot access the controller, the access point
enters the standalone mode and authenticates clients by itself.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#pgfId-1224777 1/5

Note The LEDs on the access point change as the device enters different FlexConnect modes. See the
hardware installation guide for your access point for information on LED patterns.

When a client associates to a FlexConnect access point, the access point sends all authentication messages to
the controller and either switches the client data packets locally (locally switched) or sends them to the controller
(centrally switched), depending on the WLAN configuration. With respect to client authentication (open, shared,
EAP, web authentication, and NAC) and data packets, the WLAN can be in any one of the following states
depending on the configuration and state of controller connectivity:

• central authentication, central switching—In this state, the controller handles client authentication, and all client data is tunneled back to the controller. This state is valid only in connected mode.

• central authentication, local switching—In this state, the controller handles client authentication, and the FlexConnect access point switches data packets locally. After the client authenticates successfully, the controller sends a configuration command with a new payload to instruct the FlexConnect access point to start switching data packets locally. This message is sent per client. This state is applicable only in connected mode.

• local authentication, local switching—In this state, the FlexConnect access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

In connected mode, the access point provides minimal information about the locally authenticated client to the controller. The following information is not available to the controller:

– Policy type

– Access VLAN

– VLAN name

– Supported rates

– Encryption cipher

Local authentication is useful where you cannot maintain a remote office setup with a minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a maximum transmission unit (MTU) no smaller than 500 bytes. In local authentication, the authentication capabilities are present in the access point itself. Local authentication reduces the latency requirements of the branch office.

Note Local authentication can only be enabled on the WLAN of a FlexConnect access point that is in local
switching mode.

Notes about local authentication are as follows:


– Guest authentication cannot be done on a FlexConnect local authentication-enabled WLAN.

– Local RADIUS on the controller is not supported.

– Once the client has been authenticated, roaming is only supported after the controller and the other
FlexConnect access points in the group are updated with the client information.

– Local authentication in connected mode requires a WLAN configuration.

Note When locally switched clients connected to a FlexConnect access point renew their IP addresses, the clients remain in the run state on joining back. These clients are not reauthenticated by the controller.

• authentication down, switch down—In this state, the WLAN disassociates existing clients and stops sending beacon and probe requests. This state is valid in both standalone mode and connected mode.

• authentication down, local switching—In this state, the WLAN rejects any new clients trying to authenticate, but it continues sending beacon and probe responses to keep existing clients alive. This state is valid only in standalone mode.

When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared, WPA-
PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue new client
authentications. In controller software release 4.2 or later releases, this configuration is also correct for WLANs
that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require
that an external RADIUS server be configured. You can also configure a local RADIUS server on a FlexConnect
access point to support 802.1X in a standalone mode or with local authentication.

Other WLANs enter either the “authentication down, switching down” state (if the WLAN was configured for
central switching) or the “authentication down, local switching” state (if the WLAN was configured for local
switching).
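The state rules above (the three connected-mode states, the two "authentication down" states, and which WLANs keep authenticating when the access point goes standalone) can be written down as a small decision function. The block below is an added example, not code from Cisco or from this guide; the `Switching`/`Mode` enums, the security-type strings, and the `backup_radius` flag are assumptions chosen to model the text. It treats a centrally switched WLAN as "authentication down, switching down" in standalone mode, following the guide's statement that the access point disassociates clients on centrally switched WLANs, and it rejects the combinations the guide says are not allowed (local authentication on a centrally switched WLAN, guest/web authentication on a local-auth WLAN).

```python
from enum import Enum


class Switching(Enum):
    CENTRAL = "central"
    LOCAL = "local"


class Mode(Enum):
    CONNECTED = "connected"
    STANDALONE = "standalone"


# Security types the AP can authenticate by itself in standalone mode.
AP_AUTHENTICABLE = {"open", "shared", "wpa-psk", "wpa2-psk"}
# 802.1X-family types: authenticated on the AP in standalone mode only when a
# backup RADIUS server (external, or local to the AP) is configured.
DOT1X_FAMILY = {"802.1x", "wpa-802.1x", "wpa2-802.1x", "cckm"}
# Controller-dependent types that the AP never authenticates on its own.
CONTROLLER_ONLY = {"web-auth", "nac"}


def validate_wlan(security, switching, local_auth):
    """Reject WLAN settings that the guide says are not allowed."""
    if security not in AP_AUTHENTICABLE | DOT1X_FAMILY | CONTROLLER_ONLY:
        raise ValueError(f"unknown security type {security!r}")
    if local_auth and switching is not Switching.LOCAL:
        raise ValueError("local authentication requires a locally switched WLAN")
    if local_auth and security in CONTROLLER_ONLY:
        raise ValueError("guest/web authentication cannot run on a local-auth WLAN")


def wlan_state(security, switching, mode, local_auth=False, backup_radius=False):
    """Return the '<authentication>, <switching>' state name for one WLAN.

    security:      one of the strings in the three sets above (case-insensitive)
    switching:     Switching.CENTRAL or Switching.LOCAL (per-WLAN setting)
    mode:          Mode.CONNECTED or Mode.STANDALONE (AP's controller connectivity)
    local_auth:    FlexConnect local authentication enabled on the WLAN
    backup_radius: a backup RADIUS server is configured for the AP or its group
    """
    security = security.lower()
    validate_wlan(security, switching, local_auth)

    if mode is Mode.CONNECTED:
        if local_auth:
            return "local authentication, local switching"
        if switching is Switching.CENTRAL:
            return "central authentication, central switching"
        return "central authentication, local switching"

    # Standalone mode. A centrally switched WLAN has no tunnel to send data
    # through, so it goes down; the guide says the AP disassociates its clients.
    if switching is Switching.CENTRAL:
        return "authentication down, switching down"
    if security in AP_AUTHENTICABLE:
        return "local authentication, local switching"
    if security in DOT1X_FAMILY and backup_radius:
        return "local authentication, local switching"
    # Web auth, NAC, and 802.1X without a backup RADIUS server: existing
    # clients are kept alive but no new client can authenticate.
    return "authentication down, local switching"


def standalone_report(wlans, backup_radius=False):
    """For a list of (ssid, security, switching, local_auth) tuples, return
    {ssid: (connected_state, standalone_state)} so an operator can see which
    WLANs keep serving new clients during a controller outage."""
    report = {}
    for ssid, security, switching, local_auth in wlans:
        report[ssid] = (
            wlan_state(security, switching, Mode.CONNECTED, local_auth, backup_radius),
            wlan_state(security, switching, Mode.STANDALONE, local_auth, backup_radius),
        )
    return report


if __name__ == "__main__":
    # Constructed branch-office WLAN set (not from the guide).
    branch = [
        ("corp-dot1x", "wpa2-802.1x", Switching.LOCAL, False),
        ("iot-psk", "wpa2-psk", Switching.LOCAL, False),
        ("guest-web", "web-auth", Switching.CENTRAL, False),
    ]
    for ssid, states in standalone_report(branch).items():
        print(f"{ssid:12} connected: {states[0]:40} standalone: {states[1]}")
```

Running `standalone_report` over a site's WLAN list before a WAN outage shows the practical consequence of the rules: the 802.1X WLAN only survives standalone mode when `backup_radius=True`, while the PSK WLAN survives regardless and the centrally switched guest WLAN goes down.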

When FlexConnect access points are connected to the controller (rather than in standalone mode), the controller
uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication
Servers page or in the config radius auth add CLI command (unless the server order is overridden for a
particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone
mode need to have their own backup RADIUS server to authenticate clients.

Note A controller does not itself use a backup RADIUS server; the backup RADIUS server is used only in local authentication mode.

You can configure a backup RADIUS server for individual FlexConnect access points in standalone mode by using the controller CLI, or for groups of FlexConnect access points in standalone mode by using either the GUI or CLI. A backup server configured for an individual access point overrides the backup RADIUS server configuration for the FlexConnect group.


When a FlexConnect access point enters standalone mode, it disassociates all clients that are on centrally
switched WLANs. For web-authentication WLANs, existing clients are not disassociated, but the FlexConnect
access point stops sending beacons when the number of associated clients reaches zero (0). It also sends
disassociation messages to new clients associating to web-authentication WLANs. Controller-dependent
activities, such as network access control (NAC) and web authentication (guest access), are disabled, and the
access point does not send any intrusion detection system (IDS) reports to the controller. Most radio resource
management (RRM) features (such as neighbor discovery; noise, interference, load, and coverage
measurements; use of the neighbor list; and rogue containment and detection) are disabled. However, a
FlexConnect access point supports dynamic frequency selection in standalone mode.

Note • For Wi-Fi Protected Access version 2 (WPA2) in FlexConnect standalone mode, local-auth in connected mode, or CCKM fast-roaming in connected mode, only Advanced Encryption Standard (AES) is supported.

• For Wi-Fi Protected Access (WPA) in FlexConnect standalone mode, local-auth in connected mode, or CCKM fast-roaming in connected mode, only Temporal Key Integrity Protocol (TKIP) is supported.

• WPA2 with TKIP and WPA with AES are not supported in standalone mode, local-auth in connected mode, and CCKM fast-roaming in connected mode.

Note If your controller is configured for NAC, clients can associate only when the access point is in connected
mode. When NAC is enabled, you need to create an unhealthy (or quarantined) VLAN so that the data
traffic of any client that is assigned to this VLAN passes through the controller, even if the WLAN is
configured for local switching. After a client is assigned to a quarantined VLAN, all of its data packets are
centrally switched. See the “Configuring Dynamic Interfaces” section for information on creating
quarantined VLANs and the “Configuring NAC Out-of-Band Integration” section for information on
configuring NAC out-of-band support.

Note Even after configuring WLAN Override to stop transmitting locally switched WLAN on both radios, the
WLAN still appears in the H-REAP VLAN mapping configuration on the AP.

When a FlexConnect access point enters standalone mode, the following occurs:

• The access point checks whether it is able to reach the default gateway via ARP. If so, it continues to try to reach the controller.

• If the access point fails to establish the ARP, the following occurs:

– The access point attempts discovery five times, and if it still cannot find the controller, it tries to renew the DHCP lease on the Ethernet interface to get a new DHCP IP address.

– The access point retries five times, and if that fails, it renews the IP address of the interface again; this happens for three attempts.

– If the three attempts fail, the access point falls back to the static IP and reboots (only if the access point is configured with a static IP).

– The reboot is done to remove the possibility of any unknown error in the access point configuration.
Once the access point reestablishes a connection with the controller, it disassociates all clients, applies new
configuration information from the controller, and reallows client connectivity.
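The recovery sequence described above (ARP check, five discovery attempts per DHCP lease, three lease renewals, then static-IP fallback and reboot) is a retry loop with fixed counters, and it is easy to get the counting wrong when reasoning about how long a branch stays in standalone mode. The block below is an added example that models that loop; it is not Cisco code. It reads the guide's "three attempts" as three cycles of five discoveries each followed by a DHCP renewal, and `ScriptedNetwork`, the outcome strings, and the behaviour without a static IP (the guide describes only the static-IP case; the model assumes the AP simply remains in standalone mode) are assumptions.

```python
DISCOVERY_ATTEMPTS = 5  # discovery attempts per DHCP lease (from the guide)
DHCP_RENEWALS = 3       # DHCP renewals before falling back (from the guide)


class ScriptedNetwork:
    """Constructed stand-in for the AP's network so the loop runs offline.

    controller_found_after: number of failed discovery attempts before one
    succeeds; None means the controller is never found.
    """

    def __init__(self, gateway_reachable, controller_found_after=None):
        self.gateway_reachable = gateway_reachable
        self.controller_found_after = controller_found_after
        self.discoveries = 0
        self.renewals = 0

    def arp_default_gateway(self):
        return self.gateway_reachable

    def discover_controller(self):
        self.discoveries += 1
        return (self.controller_found_after is not None
                and self.discoveries > self.controller_found_after)

    def renew_dhcp(self):
        self.renewals += 1


def standalone_recovery(net, has_static_ip):
    """Run the standalone recovery loop; return (event log, outcome).

    Outcomes: "keep-trying" (gateway reachable, AP keeps looking for the
    controller), "joined", "reboot-static", or "standalone" (assumed outcome
    when every renewal fails and no static IP is configured).
    """
    log = []
    if net.arp_default_gateway():
        log.append("default gateway answers ARP: keep trying to reach the controller")
        return log, "keep-trying"
    log.append("default gateway does not answer ARP")

    for renewal in range(1, DHCP_RENEWALS + 1):
        for attempt in range(1, DISCOVERY_ATTEMPTS + 1):
            if net.discover_controller():
                log.append(f"controller discovered (attempt {attempt}, lease {renewal})")
                return log, "joined"
        log.append(f"{DISCOVERY_ATTEMPTS} discovery attempts failed; "
                   f"renewing DHCP lease ({renewal}/{DHCP_RENEWALS})")
        net.renew_dhcp()

    if has_static_ip:
        log.append("all DHCP renewals failed: falling back to static IP and rebooting")
        return log, "reboot-static"
    # Assumption: the guide only describes the static-IP case.
    log.append("all DHCP renewals failed: no static IP configured, staying in standalone mode")
    return log, "standalone"


if __name__ == "__main__":
    # Constructed scenario: gateway down, controller never reachable, static IP set.
    net = ScriptedNetwork(gateway_reachable=False)
    for line in standalone_recovery(net, has_static_ip=True)[0]:
        print(line)
    print(f"discoveries={net.discoveries} renewals={net.renewals}")
```

With the controller permanently unreachable the model performs 15 discovery attempts and 3 renewals before the static-IP reboot, which is the figure an operator would compare against CAPWAP join logs when checking whether a branch access point is cycling as the guide describes.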
