When an access point boots up,
it looks for a controller. If it finds one, it joins the controller, downloads
the latest software image and configuration from the controller, and
initializes the radio. It saves the downloaded configuration in nonvolatile
memory for use in standalone mode.
Once the access point is
rebooted after downloading the latest controller software, it must be converted
to the FlexConnect mode. This can be done using the GUI or CLI.
A FlexConnect access point can
learn the controller IP address in one of these ways:
If the access point has been
assigned an IP address from a DHCP server, it can discover a controller through
the regular CAPWAP or LWAPP discovery process.
OTAP is no longer supported on
the controllers with 18.104.22.168 and later releases.
If the access point has been
assigned a static IP address, it can discover a controller through any of the
discovery process methods except DHCP option 43. If the access point cannot
discover a controller through Layer 3 broadcast, we recommend DNS resolution.
With DNS, any access point with a static IP address that knows of a DNS server
can find at least one controller.
If you want the access point to
discover a controller from a remote network where CAPWAP or LWAPP discovery
mechanisms are not available, you can use priming. This method enables you to
specify (through the access point CLI) the controller to which the access point
is to connect.
When a FlexConnect access point
can reach the controller (referred to as the connected mode), the controller
assists in client authentication. When a FlexConnect access point cannot access
the controller, the access point enters the standalone mode and authenticates
clients by itself.
The LEDs on the access point
change as the device enters different FlexConnect modes. See the hardware
installation guide for your access point for information on LED patterns.
When a client associates to a
FlexConnect access point, the access point sends all authentication messages to
the controller and either switches the client data packets locally (locally
switched) or sends them to the controller (centrally switched), depending on
the WLAN configuration. With respect to client authentication (open, shared,
EAP, web authentication, and NAC) and data packets, the WLAN can be in any one
of the following states depending on the configuration and state of controller
central authentication, central
switching—In this state, the controller handles client authentication, and all
client data is tunneled back to the controller. This state is valid only in
central authentication, local
switching—In this state, the controller handles client authentication, and the
FlexConnect access point switches data packets locally. After the client
authenticates successfully, the controller sends a configuration command with a
new payload to instruct the FlexConnect access point to start switching data
packets locally. This message is sent per client. This state is applicable only
in connected mode.
FlexConnect local switching, central authentication deployments, if there is a
passive client with a static IP address, it is recommended to disable the Learn
Client IP Address feature under the
local authentication, local switching—In this state, the
FlexConnect access point handles client authentication and switches client data
packets locally. This state is valid in standalone mode and connected mode.
In connected mode, the access
point provides minimal information about the locally authenticated client to
the controller. The following information is not available to the controller:
Local authentication is useful where you
cannot maintain a remote office setup of a minimum bandwidth of 128 kbps with
the round-trip latency no greater than 100 ms and the maximum transmission unit
(MTU) no smaller than 576 bytes. In local authentication, the authentication
capabilities are present in the access point itself. Local authentication
reduces the latency requirements of the branch office.
Local authentication can only
be enabled on the WLAN of a FlexConnect access point that is in local switching
Notes about local
authentication are as follows:
Guest authentication cannot be
done on a FlexConnect local authentication-enabled WLAN.
Local RADIUS on the controller
is not supported.
Once the client has been
authenticated, roaming is only supported after the controller and the other
FlexConnect access points in the group are updated with the client information.
Local authentication in
connected mode requires a WLAN configuration.
When locally switched clients
that are connected to a FlexConnect access point renew the IP addresses, on
joining back, the client continues to stay in the run state. These clients are
not reauthenticated by the controller.
authentication down, switch
down—In this state, the WLAN disassociates existing clients and stops sending
beacon and probe requests. This state is valid in both standalone mode and
authentication down, local
switching—In this state, the WLAN rejects any new clients trying to
authenticate, but it continues sending beacon and probe responses to keep
existing clients alive. This state is valid only in standalone mode.
When a FlexConnect access point
enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or
WPA2-PSK authentication enter the “local authentication, local switching” state
and continue new client authentications. In controller software release 4.2 or
later releases, this configuration is also correct for WLANs that are
configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these
authentication types require that an external RADIUS server be configured. You
can also configure a local RADIUS server on a FlexConnect
access point to support 802.1X
in a standalone mode or with local authentication.
Other WLANs enter either the
“authentication down, switching down” state (if the WLAN was configured for
central switching) or the “authentication down, local switching” state (if the
WLAN was configured for local switching).
When FlexConnect access points
are connected to the controller (rather than in standalone mode), the
controller uses its primary RADIUS servers and accesses them in the order
specified on the RADIUS Authentication Servers page or in the
config radius auth add
CLI command (unless the server order is overridden for a
particular WLAN). However, to support 802.1X EAP authentication, FlexConnect
access points in standalone mode need to have their own backup RADIUS server to
A controller does not use a
backup RADIUS server. The controller uses the backup RADIUS server in local
You can configure a backup
RADIUS server for individual FlexConnect access points in standalone mode by
using the controller CLI or for groups of FlexConnect access points in
standalone mode by using either the GUI or CLI. A backup server configured for
an individual access point overrides the backup RADIUS server configuration for
When a FlexConnect access point
enters standalone mode, it disassociates all clients that are on centrally
switched WLANs. For web-authentication WLANs, existing clients are not
disassociated, but the FlexConnect access point stops sending beacons when the
number of associated clients reaches zero (0). It also sends disassociation
messages to new clients associating to web-authentication WLANs.
Controller-dependent activities, such as network access control (NAC) and web
authentication (guest access), are disabled, and the access point does not send
any intrusion detection system (IDS) reports to the controller. Most radio
resource management (RRM) features (such as neighbor discovery; noise,
interference, load, and coverage measurements; use of the neighbor list; and
rogue containment and detection) are disabled. However, a FlexConnect access
point supports dynamic frequency selection in standalone mode.
is used on FlexConnect access points at a remote site, the clients get the IP
address from the remote local subnet. To resolve the initial URL request, the
DNS is accessible through the subnet's default gateway. In order for the
controller to intercept and redirect the DNS query return packets, these
packets must reach the controller at the data center through a CAPWAP
connection. During the web-authentication process, the FlexConnect access
points allows only DNS and DHCP messages; the access points forward the DNS
reply messages to the controller before web-authentication for the client is
complete. After web-authentication for the client is complete, all the traffic
is switched locally.
If your controller is configured for NAC,
clients can associate only when the access point is in connected mode. When NAC
is enabled, you need to create an unhealthy (or quarantined) VLAN so that the
data traffic of any client that is assigned to this VLAN passes through the
controller, even if the WLAN is configured for local switching. After a client
is assigned to a quarantined VLAN, all of its data packets are centrally
switched. See the Configuring Dynamic Interfaces section for information about
creating quarantined VLANs and the Configuring NAC Out-of-Band section for
information about configuring NAC out-of-band support.
When a FlexConnect access point enters into a standalone mode,
the following occurs:
If the access point fails to
establish the ARP, the following occurs:
The access point attempts to
discover for five times and if it still cannot find the controller, it tries to
renew the DHCP on the ethernet interface to get a new DHCP IP.
The access point will retry for
five times, and if that fails, the access point will renew the IP address of
the interface again, this will happen for three attempts.
If the three attempts fail, the
access point will fall back to the static IP and will reboot (only if the
access point is configured with a static IP).
Reboot is done to remove the
possibility of any unknown error the access point configuration.
Once the access point reestablishes a connection
with the controller, it disassociates all clients, applies new configuration
information from the controller, and allows client connectivity again.