To organize and manage your FlexConnect access points, you can create FlexConnect Groups and assign specific access points to them.
All of the FlexConnect access points in a group share the same backup RADIUS server, CCKM, and local authentication configuration information. This feature is helpful if you have multiple FlexConnect access points in a remote office or on the floor of a building and you want to configure them all at once. For example, you can configure a backup RADIUS server for a FlexConnect group rather than having to configure the same server on each access point.
For more information about FlexConnect deployment considerations, see the FlexConnect chapter of the Enterprise Mobility Design Guide.
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in either of these two modes: standalone or connected.
FlexConnect Groups are required for CCKM fast roaming to work with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM cache for all 100 clients is not practical. If you create a FlexConnect group that includes a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM cache is distributed among those four access points only when the clients associate to one of them.
Note | CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported. |
Note | FlexConnect Groups are needed for CCKM to work. A FlexConnect group must be created for CCKM, 802.11r, and OKC; only then can the caching happen on an AP. The group name must be the same between APs for fast roaming to happen for 802.11r/CCKM. The group can be different for OKC, as the final check is done at the Cisco WLC. |
Starting with the Cisco Wireless LAN Controller Release 7.0.116.0, FlexConnect groups accelerate Opportunistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using PMK caching in access points that are in the same FlexConnect group.
OKC prevents the need to perform a full authentication as the client roams from one access point to another. FlexConnect groups store the cached key on the APs of the same group, accelerating the process. However, they are not required, as OKC will still happen between access points belonging to different FlexConnect groups and will use the cached key present on the Cisco WLC, provided that Cisco WLC is reachable and APs are in connected mode.
To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command. This feature is supported on Cisco FlexConnect access points only. The PMK cache entries cannot be viewed on Non-FlexConnect access points.
Note | The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x authentication. |
When using FlexConnect groups for OKC or CCKM, the PMK-cache is shared only across the access points that are part of the same FlexConnect group and are associated to the same controller. If the access points are in the same FlexConnect group but are associated to different controllers that are part of the same mobility group, the PMK cache is not updated and CCKM roaming will fail but OKC roaming will still work.
Note | For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group. |
You can configure the controller to allow a FlexConnect access point in standalone mode to perform LEAP, EAP-FAST, PEAP, or EAP-TLS authentication for up to 100 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in the group authenticates only its own associated clients.
This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight FlexConnect access point network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the autonomous access point.
Note | You have to provision a certificate to the AP because the AP has to send the certificate to the client. You must download the Vendor Device Certificate and the Vendor Certification Authority Certificate to the controller. The controller then pushes these certificates to the AP. If you do not configure a Vendor Device Certificate and the Vendor CA Certificate on the controller, the APs associating with the FlexConnect group download the self-signed certificate of the controller, which may not be recognized by many wireless clients. |
With EAP-TLS, the AP does not recognize or accept the client certificate if the client root CA is different from the AP root CA. When you use an enterprise public key infrastructure (PKI), you must download a Vendor Device Certificate and a Vendor CA Certificate to the controller so that the controller can push the certificates to the APs in the FlexConnect group. Without a common client and AP root CA, EAP-TLS fails on the local AP. The AP cannot check an external CA and relies on its own CA chain for client certificate validation.
The space on the AP for the local certificate and the CA certificate is around 7 Kb, which means that only short chains fit. Longer chains or multiple chains are not supported.
For information about the number of FlexConnect groups and access point support for a Cisco WLC model, see the data sheet of the respective Cisco WLC model.
You can configure VLAN Support and VLAN ID on a per FlexConnect group basis. This allows all APs in a FlexConnect group to inherit the VLAN configuration from the FlexConnect group including VLAN support, Native VLAN, and WLAN-VLAN mappings.
When the override flag is set at the FlexConnect Group, modification of VLAN Support, Native VLAN ID, WLAN-VLAN mappings, and Inheritance-Level at the AP is not allowed.
An Inheritance-Level configuration is available at the FlexConnect AP. You have to set this to “Make VLAN AP Specific” to configure any AP-Specific VLAN Support, Native VLAN ID and VLAN-WLAN mappings on the AP. Note that you can modify this only when the override flag at the group is disabled.
To achieve this on the WLC GUI, click on the AP name. In the FlexConnect tab, select Make VLAN AP Specific from the drop-down list.
When you upgrade to Release 8.1, if the FlexConnect group has WLAN-VLAN mappings, then after the upgrade, VLAN support is enabled and the native VLAN is set to 1. Otherwise, VLAN support remains disabled on the FlexConnect group. The override flag on the FlexConnect Group is disabled.
When you downgrade from Release 8.1, the VLAN Support and Native VLAN ID is on a per AP basis, and the WLAN-VLAN mappings follow the previous inheritance model.
Default FlexGroup is a container to which FlexConnect access points (APs) that are not part of an administrator-configured FlexConnect group are added automatically when they join the Cisco Wireless Controller. The Default FlexGroup is created and stored when the controller comes up after upgrading from an earlier release. A reload of Release 8.3 does not create the group again; it only restores the existing Default FlexGroup configuration. This group cannot be deleted or added manually. Also, you cannot manually add or delete APs to the Default FlexGroup. The APs in the Default FlexGroup inherit the common configuration of the group. Any change in the group configuration is propagated to all the APs in the group.
When a group created by an admin is deleted, all the APs from that group are moved to the Default FlexGroup and inherit the configuration of this group. Similarly, APs that are removed manually from other groups are also added to the Default FlexGroup.
When an AP from the Default FlexGroup is added to a customized group, the existing configuration (from the Default FlexGroup) is deleted and the configuration from the customized group is pushed to the AP. If there is a standby controller, the Default FlexGroup and its configuration are also synchronized to it.
The AP provides the FlexConnect group name during the join process. The AP could have received this group name either through cloud provisioning or through Cisco WLC configuration. There are various scenarios involved in deciding the final FlexConnect group when an AP joins; they are listed in the table below:
FlexConnect Group Received from AP | Status in Cisco WLC | Final Group Information/Configuration Sent to AP | Type of Entry (Based on Priority) |
---|---|---|---|
Group1 | Group1 not present; AP entry not present in any group | Default FlexGroup | Admin |
Group1 | Group1 present but maximum entries reached; AP entry not present in any group | Default FlexGroup | Admin |
Group1 | Group1 present, but AP entry not present in any group | Group1 | Cloud |
Group1 | Group1 present, but AP entry present as part of a different group, Group2 (added by admin) | Group2 | Admin |
Group1 | Group1 present, but AP entry exists in a different group, Group2 learnt earlier through cloud | Group1 | Cloud |
No Group/Default Group | AP entry exists as part of Group2 (either through admin configuration or learnt via cloud) | Group2 | Admin/Cloud |
Whenever the final type of entry is cloud, the AP entry gets added to the corresponding FlexConnect group. Also, when the FlexConnect group received from AP is different from the resultant group, a trap is raised to inform the admin about the conflict. The show flexconnect group detail group-name aps command displays the conflict value.
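As an added illustration (not Cisco code), the following Python models the priority rules in the table above for one joining AP; the `Wlc` class, `resolve_join` and the "admin"/"cloud" entry-source bookkeeping are assumptions made for the example, as is the choice to raise no conflict when the AP reported no group at all.

```python
from dataclasses import dataclass, field

DEFAULT_GROUP = "Default FlexGroup"


@dataclass
class Wlc:
    """Constructed model of the WLC's FlexConnect group state (assumed names)."""
    max_aps_per_group: int
    groups: dict = field(default_factory=dict)        # group name -> set of AP MACs
    entry_source: dict = field(default_factory=dict)  # (group, mac) -> "admin" | "cloud"

    def group_of(self, mac):
        """Admin-configured or cloud-learnt group the AP already belongs to, if any."""
        for name, aps in self.groups.items():
            if name != DEFAULT_GROUP and mac in aps:
                return name
        return None

    def has_room(self, name):
        """True when the received group exists and has not reached its maximum entries."""
        return (name in self.groups and name != DEFAULT_GROUP
                and len(self.groups[name]) < self.max_aps_per_group)

    def move(self, mac, old, new, source):
        """Record the AP under `new` (and drop it from its previous container)."""
        if old is not None:
            self.groups[old].discard(mac)
            self.entry_source.pop((old, mac), None)
        self.groups.get(DEFAULT_GROUP, set()).discard(mac)
        self.groups.setdefault(new, set()).add(mac)
        self.entry_source[(new, mac)] = source


def resolve_join(wlc, mac, received):
    """Apply the table's priority rules for one joining AP.

    received: group name reported by the AP, or None for "No Group/Default Group".
    Returns (final_group, entry_type, conflict); conflict mirrors the trap the WLC
    raises when the received group differs from the resulting one.
    """
    if received == DEFAULT_GROUP:
        received = None
    existing = wlc.group_of(mac)
    if existing is not None:
        source = wlc.entry_source[(existing, mac)]
        if source == "admin" or not wlc.has_room(received):
            # An admin entry always wins; a cloud entry stays unless a usable group arrives.
            final, kind = existing, source
        else:
            # A group learnt earlier through cloud is superseded by the newly received one.
            final, kind = received, "cloud"
    elif wlc.has_room(received):
        final, kind = received, "cloud"        # group present with free entries
    else:
        final, kind = DEFAULT_GROUP, "admin"   # group absent or full: default container
    if kind == "cloud":
        wlc.move(mac, existing, final, "cloud")   # cloud entries are added to the group
    elif final == DEFAULT_GROUP:
        wlc.groups.setdefault(DEFAULT_GROUP, set()).add(mac)
    return final, kind, received is not None and received != final
```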
The following features are not supported:
The following features are supported:
VLAN support (native VLAN, WLAN-VLAN mapping)
VLAN ACL mapping
WebAuth, web policy, local split mapping
Local authentication users
RADIUS authentication
Central DHCP or NAT-PAT
Flex AVC
VLAN name ID mapping
Multicast override
The Default FlexGroup configuration is retained after downgrading from 8.3 to an earlier release (8.2 and earlier). It will be treated as a configurable group, where you can add or delete APs. However, the FlexConnect APs will not be able to join this group by default.
A FlexConnect AP that is not part of any FlexConnect group joins the Default FlexGroup and inherits configuration from the group. If a Default FlexGroup already exists in the system, it is renamed during the upgrade, and a message is logged with the name of the renamed group.
You cannot use the following CLIs to add or delete a Default FlexGroup, or to add or delete an AP to the group:
config flexconnect group default-flexgroup {add | delete}
config flexconnect group default-flexgroup ap {add | delete}
Note | The Default FlexGroup does not have a default configuration. |
When you delete an AP from the customized flex group, the VLAN support is also deleted from that AP.
Configuring FlexConnect Groups
Step 1 | Add or delete a FlexConnect Group by entering this command: |
Step 2 | Configure a primary or secondary RADIUS server for the FlexConnect group by entering this command: config flexconnect group group_name radius server auth {add | delete} {primary | secondary} server_index |
Step 3 | Configure a primary or secondary RADIUS server for the FlexConnect group by entering this command: config flexconnect group group-name radius server auth {{add {primary | secondary} ip-addr auth-port secret} | {delete {primary | secondary}}} |
Step 4 | Add an access point to the FlexConnect Group by entering this command: |
Step 5 | Configure local authentication for a FlexConnect group as follows: |
Step 6 | Configure a Web Policy ACL on a FlexConnect group by entering this command: config flexconnect group group-name web-policy policy acl {add | delete} acl-name |
Step 7 | Configure local split tunneling on a per-FlexConnect group basis by entering this command: config flexconnect group group_name local-split wlan wlan-id acl acl-name flexconnect-group-name {enable | disable} |
Step 8 | To set multicast/broadcast across the L2 broadcast domain on the overridden interface for locally switched clients, enter this command: config flexconnect group group_name multicast overridden-interface {enable | disable} |
Step 9 | Configure central DHCP per WLAN by entering this command: config flexconnect group group-name central-dhcp wlan-id {enable override dns | disable | delete} |
Step 10 | Configure the DHCP overridden interface for the FlexConnect group by entering this command: config flexconnect group flexgroup dhcp overridden-interface enable |
Step 11 | Configure a policy ACL on the FlexConnect group by entering this command: config flexconnect group group_name policy acl {add | delete} acl-name |
Step 12 | Configure a web-auth ACL on the FlexConnect group by entering this command: config flexconnect group group_name web-auth wlan wlan-id acl acl-name {enable | disable} |
Step 13 | Configure WLAN-VLAN mapping on the FlexConnect group by entering this command: config flexconnect group group_name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id |
Step 14 | To set efficient upgrade for the group, enter this command: config flexconnect group group_name predownload {enable | disable | master | slave} ap-name retry-count maximum retry count ap-name ap-name |
Step 15 | Save your changes by entering this command: save config |
Step 16 | See the current list of FlexConnect groups by entering this command: |
Step 17 | See the details for a specific FlexConnect Group by entering this command: |
Step 1 | Choose Wireless > FlexConnect Groups. The FlexConnect Groups window is displayed. |
Step 2 | Click the Group Name link of a FlexConnect Group. The FlexConnect Groups > Edit window is displayed. |
Step 3 | Click the FlexConnect AP link. The FlexConnect Group AP List window is displayed. |
Step 4 | To move an AP that is currently in Default FlexGroup, select the corresponding Group Name from the New Group Name drop-down list, after selecting the APs from the FlexConnect APs list. |
Step 5 | To add an AP to the new group, click Move. |
Step 6 | Click Apply. |
Step 7 | Click Save Configuration. |
Step 1 | show flexconnect group detail default-flexgroup
Displays the configuration of the Default FlexGroup and the APs that are a part of it. Example:
(Cisco Controller) >show flexconnect group detail default-flex-group
Number of APs in Group: 1
AP Ethernet MAC      Name                 Status          Mode
-------------------- -------------------- --------------- ----------------
a8:9d:21:b2:26:88    APa89d.21b2.2688     Joined          Flexconnect
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac        Master-AP-Name       Model           Manual
Group Radius Servers Settings:
Type             Server Address   Port
------------- ---------------- -------
Primary          Unconfigured     Unconfigured
Secondary        Unconfigured     Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
--More-- or (q)uit
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
HTTP-Proxy Ip Address....... 0.0.0.0
HTTP-Proxy Port............. 0
Multicast on Overridden interface config: Disabled
DHCP Broadcast Overridden interface config: Disabled
Number of User's in Group: 0
FlexConnect Vlan-name to Id Template name: none
Group-Specific Vlan Config:
Vlan Mode.................... Disabled
Override AP Config........... Disabled
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID  Vlan ID
-------- --------------------
WLAN ID  SSID  Central-Dhcp  Dns-Override  Nat-Pat
|
Step 2 | show ap config general ap-name
Displays the AP-specific syslog server settings for an AP. Example:
(Cisco Controller) >show ap config general APa89d.21b2.2688
Cisco AP Identifier.............................. 0
Cisco AP Name.................................... APa89d.21b2.2688
Universal AP..................................... Yes
Universal AP Prime Status........................ NDP
Country code..................................... US - United States
Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-AB
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 2
MAC Address...................................... a8:9d:21:b2:26:88
IP Address Configuration......................... DHCP
IP Address....................................... 8.1.2.186
IP NetMask....................................... 255.255.255.0
Gateway IP Addr.................................. 8.1.2.1
NAT External IP Address.......................... None
CAPWAP Path MTU.................................. 1485
DHCP Release Override............................ Disabled
Telnet State..................................... Globally Disabled
Ssh State........................................ Globally Disabled
Cisco AP Location................................ default location
Cisco AP Floor Label............................. 0
Cisco AP Group Name.............................. default-group
Primary Cisco Switch Name........................
Primary Cisco Switch IP Address.................. 8.1.2.2
Secondary Cisco Switch Name......................
Secondary Cisco Switch IP Address................ Not Configured
Tertiary Cisco Switch Name.......................
Tertiary Cisco Switch IP Address................. Not Configured
Administrative State ............................ ADMIN_ENABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... FlexConnect
Public Safety ................................... Disabled
ATF Mode ........................................ Disable
AP SubMode ...................................... Not Configured
Rogue Detection ................................. Enabled
AP Vlan Trunking ................................ Disabled
Remote AP Debug ................................. Disabled
Logging trap severity level ..................... informational
Logging syslog facility ......................... kern
S/W Version .................................... 8.3.15.64
Boot Version ................................... 15.2.4.0
Mini IOS Version ................................ 8.0.115.0
Stats Reporting Period .......................... 180
Stats Collection Mode ........................... normal
LED State........................................ Enabled
PoE Pre-Standard Switch.......................... Disabled
PoE Power Injector MAC Addr...................... Disabled
Power Type/Mode.................................. PoE/Full Power
Number Of Slots.................................. 2
AP Model......................................... AIR-AP3702E-UXK9
AP Image......................................... C3700-K9W8-M
IOS Version...................................... 15.3(20160217:163330)$
Reset Button..................................... Enabled
AP Serial Number................................. FCW1905N1CX
AP Certificate Type.............................. Manufacture Installed
AP LAG Configuration Status ..................... Disabled
LAG Support for AP .............................. No
Native Vlan Inheritance: ........................ AP
FlexConnect Vlan mode :.......................... Disabled
FlexConnect Group................................ default-flex-group
Group VLAN ACL Mappings
Group VLAN Name to Id Mappings
AP-Specific FlexConnect Policy ACLs :
L2Acl Configuration ............................. Not Available
FlexConnect Local-Split ACLs :
WLAN ID  PROFILE NAME                      ACL                                TYPE
-------  --------------------------------  ---------------------------------  -------
Flexconnect Central-Dhcp Values :
WLAN ID  PROFILE NAME                       Central-Dhcp    DNS Override    Nat-Pat    Type
-------  ---------------------------------  --------------  --------------  ---------  ------
FlexConnect Backup Auth Radius Servers :
Primary Radius Server........................... Disabled
Secondary Radius Server......................... Disabled
AP User Mode..................................... AUTOMATIC
AP User Name..................................... Cisco
AP Dot1x User Mode............................... Not Configured
AP Dot1x User Name............................... Not Configured
Cisco AP system logging host..................... 255.255.255.255
AP Up Time....................................... 0 days, 19 h 26 m 09 s
AP LWAPP Up Time................................. 0 days, 15 h 28 m 46 s
Join Date and Time............................... Thu Feb 18 18:58:54 2016
Join Taken Time.................................. 0 days, 00 h 07 m 02 s
GPS Present...................................... NO
Ethernet Vlan Tag................................ Disabled
Ethernet Port Duplex............................. Auto
Ethernet Port Speed.............................. Auto
AP Link Latency.................................. Disabled
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Disabled
Hotspot Venue Group.............................. Unspecified
Hotspot Venue Type............................... Unspecified
DNS server IP ............................. 255.255.255.255
|
Step 3 | show flexconnect group detail groupname aps
Displays the APs that are part of a specific group. Example:
(Cisco Controller) >show flexconnect group detail default-flex-group aps
Number of APs in Group: 1
AP Ethernet MAC      Name                 Status          Mode
-------------------- -------------------- --------------- ----------------
a8:9d:21:b2:26:88    APa89d.21b2.2688     Joined          Flexconnect
|
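The following added Python example (not Cisco's code) parses output in the show flexconnect group detail format shown above and flags two conditions the text calls out: EAP-TLS local authentication enabled while the certificate download is disabled, and a group with neither a backup RADIUS server nor AP local authentication, which leaves a standalone AP with no 802.1X path. The sample output is constructed, and the finding codes are names chosen for the example.

```python
import re

# Constructed sample modeled on the "show flexconnect group detail" output above;
# not a live capture. MACs and the group name are made up.
SAMPLE = """\
(Cisco Controller) >show flexconnect group detail branch-group
Number of APs in Group: 2
AP Ethernet MAC      Name                 Status          Mode
-------------------- -------------------- --------------- ----------------
a8:9d:21:b2:26:88    APa89d.21b2.2688     Joined          Flexconnect
00:11:22:33:44:55    AP0011.2233.4455     Joined          Flexconnect
Group Radius Servers Settings:
Type             Server Address   Port
------------- ---------------- -------
Primary          Unconfigured     Unconfigured
Secondary        Unconfigured     Unconfigured
Group Radius AP Settings:
AP RADIUS server............ Enabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Enabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Group-Specific Vlan Config:
Vlan Mode.................... Enabled
Override AP Config........... Disabled
"""

# "Key........ Value" lines and the per-AP rows of the AP table
DOTTED = re.compile(r"^(\S.*?)\s*\.{3,}\s*(.*)$")
AP_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_flex_group(text):
    """Turn the CLI output into {'aps': [...], 'radius': {...}, 'settings': {...}}."""
    info = {"aps": [], "radius": {}, "settings": {}}
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            mac, name, status, mode = m.groups()
            info["aps"].append({"mac": mac, "name": name, "status": status, "mode": mode})
            continue
        m = DOTTED.match(line)
        if m:
            info["settings"][m.group(1)] = m.group(2).strip()
            continue
        parts = line.split()
        # Rows of the "Group Radius Servers Settings" table: Type, Address, Port
        if len(parts) == 3 and parts[0] in ("Primary", "Secondary"):
            info["radius"][parts[0]] = {"address": parts[1], "port": parts[2]}
    return info


def audit_flex_group(info):
    """Return finding codes (assumed names) for the conditions the text warns about."""
    s = info["settings"]
    findings = []
    # EAP-TLS on the AP needs the vendor certificates pushed from the controller
    if s.get("EAP-TLS Auth") == "Enabled" and s.get("EAP-TLS CERT Download") != "Enabled":
        findings.append("EAP_TLS_WITHOUT_CERT_DOWNLOAD")
    # Standalone 802.1X needs either a backup RADIUS server or AP local authentication
    backup = any(r["address"] != "Unconfigured" for r in info["radius"].values())
    if not backup and s.get("AP RADIUS server") != "Enabled":
        findings.append("NO_STANDALONE_8021X_PATH")
    return findings
```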
Configuring VLAN-ACL Mapping on FlexConnect Groups
Step 1 | Choose . The FlexConnect Groups page appears. This page lists the access points associated with the controller. |
Step 2 | Click the Group Name link of the FlexConnect Group for which you want to configure VLAN-ACL mapping. |
Step 3 | Click the VLAN-ACL Mapping tab. The VLAN-ACL Mapping page for that FlexConnect group appears. |
Step 4 | Enter the Native VLAN ID in the VLAN ID text box. |
Step 5 | From the Ingress ACL drop-down list, choose the Ingress ACL. |
Step 6 | From the Egress ACL drop-down list, choose the Egress ACL. |
Step 7 | Click Add to add this mapping to the FlexConnect Group. The VLAN ID is mapped with the required ACLs. To remove the mapping, hover your mouse over the blue drop-down arrow and choose Remove. |
Add a VLAN to a FlexConnect group and map the ingress and egress ACLs by entering this command: config flexconnect group group-name vlan add vlan-id acl ingress-acl egress-acl
Configuring WLAN-VLAN Mappings on FlexConnect Groups
The individual AP settings have precedence over FlexConnect group and global WLAN settings. The FlexConnect group settings have precedence over global WLAN settings.
The AP level configuration is stored in flash; WLAN and FlexConnect group configuration is stored in RAM.
When an AP moves from one controller to another, the AP can keep its individual VLAN mappings. However, the FlexConnect group and global mappings will be from the new controller. If the WLAN SSID differs between the two controllers, then the WLAN-VLAN mapping is not applied.
In a downstream traffic, VLAN ACL is applied first and then the client ACL is applied. In an upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
The ACL must be present on the AP at the time of 802.1X authentication. If the ACL is not present on the AP, a client might be denied authentication by the AP even if the client successfully passes 802.1X authentication.
ACL Present on AP | ACL Name sent from AAA | Result of 802.1X Authentication |
---|---|---|
No | No | Authenticated, no ACL applied |
No | Yes | Authentication Denied |
Yes | No | Authenticated, no ACL applied |
Yes | Yes | Authenticated, client ACL applied |
After client authentication, if the ACL name is changed in the RADIUS server, the client must go through a full authentication again to get the correct client ACL.
The WLAN-VLAN mapping on FlexConnect groups is not supported on Cisco APs 1131 and 1242.
Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
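As an added example (not part of the Cisco documentation), this Python resolves the effective VLAN for a WLAN using the precedence, override-flag and inheritance-level rules described above; the class and function names are assumptions, and so is the rule that a group mapping applies only while VLAN support is enabled on the group.

```python
from dataclasses import dataclass, field


@dataclass
class VlanSettings:
    """VLAN configuration carried at one level (assumed structure)."""
    vlan_support: bool = False
    native_vlan: int = 1
    wlan_vlan: dict = field(default_factory=dict)   # wlan_id -> vlan_id


@dataclass
class FlexGroupVlan(VlanSettings):
    override_ap_config: bool = False   # the override flag at the FlexConnect group


@dataclass
class FlexApVlan(VlanSettings):
    inheritance: str = "group"         # "group" or "ap-specific" (Make VLAN AP Specific)


def set_ap_wlan_vlan(ap, group, wlan_id, vlan_id):
    """AP-specific mapping is allowed only when the group override flag is off
    and the AP's inheritance level is Make VLAN AP Specific."""
    if group.override_ap_config:
        raise PermissionError("override flag is set on the FlexConnect group")
    if ap.inheritance != "ap-specific":
        raise PermissionError("set the inheritance level to Make VLAN AP Specific first")
    ap.wlan_vlan[wlan_id] = vlan_id


def effective_vlan(wlan_id, ap, group, global_wlan_vlan,
                   locally_switched=True, broadcast_on_ap=True):
    """Return (vlan_id, source) with source in {"ap", "group", "global"}, or None
    when the mapping is not applied (WLAN not locally switched or not on the AP)."""
    if not (locally_switched and broadcast_on_ap):
        return None
    # Individual AP settings win, unless the group override flag forces group config
    if (not group.override_ap_config and ap.inheritance == "ap-specific"
            and wlan_id in ap.wlan_vlan):
        return ap.wlan_vlan[wlan_id], "ap"
    # FlexConnect group settings win over the global WLAN mapping
    # (assumption: only while VLAN support is enabled on the group)
    if group.vlan_support and wlan_id in group.wlan_vlan:
        return group.wlan_vlan[wlan_id], "group"
    if wlan_id in global_wlan_vlan:
        return global_wlan_vlan[wlan_id], "global"
    return None
```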
Step 1 | Choose . |
Step 2 | Click the group name. The FlexConnect Groups > Edit page is displayed. |
Step 3 | Click the WLAN VLAN Mapping tab. |
Step 4 | Enter the WLAN ID and the VLAN ID and click Add. The mapping is displayed in the same tab. |
Step 5 | Select the VLAN Support check box and specify the Native VLAN ID. |
Step 6 | Select the Override Native VLAN on AP check box. |
Step 7 | To verify that the inheritance level is Group Specific: |
Step 8 | Click Apply. |
Step 9 | Click Save Configuration. |
Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
Configure WLAN-VLAN mapping on a FlexConnect group by entering this command: config flexconnect group group-name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id