To organize and manage your FlexConnect access points, you can create FlexConnect Groups and assign specific access points to them.
All of the FlexConnect access points in a group share the same backup RADIUS server, CCKM, and local authentication configuration information. This feature is helpful if you have multiple FlexConnect access points in a remote office or on the floor of a building and you want to configure them all at once. For example, you can configure a backup RADIUS server for a FlexConnect Group rather than having to configure the same server on each access point.
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full 802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect access point is in either of these two modes: standalone or connected.
FlexConnect Groups are required for CCKM fast roaming to work with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM cache for all 100 clients to every access point is not practical. If you create a FlexConnect Group that includes a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM cache is distributed among those four access points only when the clients associate to one of them.
Note | CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported. |
Note | A FlexConnect Group is needed for CCKM to work. A FlexConnect group must be created for CCKM, 802.11r, and OKC; only then can the key caching happen on an AP. The group name must be the same across APs for 802.11r/CCKM fast roaming to happen. The group can be different for OKC because the final check is done at the Cisco WLC. |
Starting with the Cisco Wireless LAN Controller Release 7.0.116.0, FlexConnect groups accelerate Opportunistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using PMK caching in access points that are in the same FlexConnect group.
OKC prevents the need to perform a full authentication as the client roams from one access point to another. FlexConnect groups store the cached key on the APs of the same group, accelerating the process. However, they are not required, as OKC will still happen between access points belonging to different FlexConnect groups and will use the cached key present on the Cisco WLC, provided that Cisco WLC is reachable and APs are in connected mode.
To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command. This feature is supported on Cisco FlexConnect access points only. The PMK cache entries cannot be viewed on non-FlexConnect access points.
Note | The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x authentication. |
When using FlexConnect groups for OKC or CCKM, the PMK-cache is shared only across the access points that are part of the same FlexConnect group and are associated to the same controller. If the access points are in the same FlexConnect group but are associated to different controllers that are part of the same mobility group, the PMK cache is not updated and CCKM roaming will fail but OKC roaming will still work.
Note | For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group. |
You can configure the controller to allow a FlexConnect access point in standalone mode to perform LEAP, EAP-FAST, PEAP, or EAP-TLS authentication for up to 100 statically configured users. The controller sends the static list of usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in the group authenticates only its own associated clients.
This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight FlexConnect access point network and are not interested in maintaining a large user database or adding another hardware device to replace the RADIUS server functionality available in the autonomous access point.
Note | You have to provision a certificate to the AP because the AP has to send the certificate to the client. You must download the Vendor Device Certificate and the Vendor Certification Authority Certificate to the controller. The controller then pushes these certificates to the AP. If you do not configure a Vendor Device Certificate and the Vendor CA Certificate on the controller, the APs associating with the FlexConnect group download the self-signed certificate of the controller, which may not be recognized by many wireless clients.
With EAP-TLS, the AP does not recognize or accept the client certificate if the client root CA is different from the AP root CA. When you use an enterprise public key infrastructure (PKI), you must download a Vendor Device Certificate and Vendor CA Certificate to the controller so that the controller can push the certificates to the APs in the FlexConnect group. Without a common client and AP root CA, EAP-TLS fails on the local AP. The AP cannot check an external CA and relies on its own CA chain for client certificate validation.
The space on the AP for the local certificate and the CA certificate is around 7 KB, which means that only short chains fit. Longer chains or multiple chains are not supported. |
For information about the number of FlexConnect groups and access point support for a Cisco WLC model, see the data sheet of the respective Cisco WLC model.
You can configure VLAN Support and VLAN ID on a per FlexConnect group basis. This allows all APs in a FlexConnect group to inherit the VLAN configuration from the FlexConnect group including VLAN support, Native VLAN, and WLAN-VLAN mappings.
When Local Mode APs are added to a FlexConnect Group with VLAN Support enabled, APs are converted to FlexConnect APs and inherit the WLAN-VLAN mapping in the FlexConnect Group.
This feature is supported on all WLC models that support FlexConnect and all APs that support FlexConnect mode.
When the override flag is set at the FlexConnect Group, modification of VLAN Support, Native VLAN ID, WLAN-VLAN mappings, and Inheritance-Level at the AP is not allowed.
An Inheritance-Level configuration is available at the FlexConnect AP. You have to set this to “Make VLAN AP Specific” to configure any AP-Specific VLAN Support, Native VLAN ID and VLAN-WLAN mappings on the AP. Note that you can modify this only when the override flag at the group is disabled.
To achieve this on the WLC GUI, click the AP name and, in the FlexConnect tab, choose Make VLAN AP Specific from the drop-down list.
When you upgrade to Release 8.1, if the FlexConnect group has WLAN-VLAN mappings, then after the upgrade VLAN support is enabled and the native VLAN is set to 1. Otherwise, VLAN support remains disabled on the FlexConnect group. The override flag on the FlexConnect Group is disabled.
When you downgrade from Release 8.1, VLAN Support and the Native VLAN ID are configured on a per-AP basis, and the WLAN-VLAN mappings follow the previous inheritance model.
Configuring FlexConnect Groups
Step 1 | Add or delete a FlexConnect Group by entering this command: |
Step 2 | Configure a primary or secondary RADIUS server for the FlexConnect group by referencing a configured server index: config flexconnect group group_name radius server auth {add | delete} {primary | secondary} server_index |
Step 3 | Configure a primary or secondary RADIUS server for the FlexConnect group by specifying the server address, authentication port, and shared secret directly: config flexconnect group group-name radius server auth {{add {primary | secondary} ip-addr auth-port secret} | {delete {primary | secondary}}} |
Step 4 | Add an access point to the FlexConnect Group by entering this command: |
Step 5 | Configure local authentication for a FlexConnect group as follows: |
Step 6 | Configure a Policy ACL on a FlexConnect group by entering this command: config flexconnect group group-name policy acl {add | delete} acl-name |
Step 7 | Configure local split tunneling on a per-FlexConnect group basis by entering this command: config flexconnect group group_name local-split wlan wlan-id acl acl-name flexconnect-group-name {enable | disable} |
Step 8 | Set multicast/broadcast across the L2 broadcast domain on the overridden interface for locally switched clients by entering this command: config flexconnect group group_name multicast overridden-interface {enable | disable} |
Step 9 | Configure central DHCP per WLAN by entering this command: config flexconnect group group-name central-dhcp wlan-id {enable override dns | disable | delete} |
Step 10 | Configure the DHCP overridden interface for the FlexConnect group by entering this command: config flexconnect group flexgroup dhcp overridden-interface enable |
Step 11 | Configure a policy ACL on the FlexConnect group by entering this command: config flexconnect group group_name policy acl {add | delete} acl-name |
Step 12 | Configure a web-auth ACL on the FlexConnect group by entering this command: config flexconnect group group_name web-auth wlan wlan-id acl acl-name {enable | disable} |
Step 13 | Configure WLAN-VLAN mapping on the FlexConnect group by entering this command: config flexconnect group group_name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id |
Step 14 | Set efficient upgrade (image predownload) for the group by entering this command: config flexconnect group group_name predownload {enable | disable | master ap-name | slave {ap-name ap-name | retry-count maximum-retry-count}} |
Step 15 | Save your changes by entering this command: save config |
Step 16 | See the current list of FlexConnect groups by entering this command: |
Step 17 | See the details for a specific FlexConnect group by entering this command: |
Configuring VLAN-ACL Mapping on FlexConnect Groups
Step 1 | Open the FlexConnect Groups page. This page lists the access points associated with the controller. |
Step 2 | Click the Group Name link of the FlexConnect Group for which you want to configure VLAN-ACL mapping. |
Step 3 | Click the VLAN-ACL Mapping tab. The VLAN-ACL Mapping page for that FlexConnect group appears. |
Step 4 | Enter the Native VLAN ID in the VLAN ID text box. |
Step 5 | From the Ingress ACL drop-down list, choose the Ingress ACL. |
Step 6 | From the Egress ACL drop-down list, choose the Egress ACL. |
Step 7 | Click Add to add this mapping to the FlexConnect Group. The VLAN ID is mapped with the required ACLs. To remove the mapping, hover your mouse over the blue drop-down arrow and choose Remove. |
Add a VLAN to a FlexConnect group and map the ingress and egress ACLs by entering this command: config flexconnect group group-name vlan add vlan-id acl ingress-acl egress-acl
Configuring WLAN-VLAN Mappings on FlexConnect Groups
The individual AP settings have precedence over FlexConnect group and global WLAN settings. The FlexConnect group settings have precedence over global WLAN settings.
The AP level configuration is stored in flash; WLAN and FlexConnect group configuration is stored in RAM.
When an AP moves from one controller to another, the AP can keep its individual VLAN mappings. However, the FlexConnect group and global mappings will be from the new controller. If the WLAN SSID differs between the two controllers, then the WLAN-VLAN mapping is not applied.
For downstream traffic, the VLAN ACL is applied first and then the client ACL is applied. For upstream traffic, the client ACL is applied first and then the VLAN ACL is applied.
The ACL must be present on the AP at the time of 802.1X authentication. If the ACL is not present on the AP, a client might be denied authentication by the AP even if the client successfully passes 802.1X authentication.
ACL Present on AP | ACL Name sent from AAA | Result of 802.1X Authentication |
---|---|---|
No | No | Authenticated, no ACL applied |
No | Yes | Authentication Denied |
Yes | No | Authenticated, no ACL applied |
Yes | Yes | Authenticated, client ACL applied |
After client authentication, if the ACL name is changed in the RADIUS server, the client must go through a full authentication again to get the correct client ACL.
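The outcome table and the ACL ordering rules above, modelled as an added example (constructed here, not Cisco code): it shows why a client that passes 802.1X is still denied when AAA returns an ACL name that was never pushed to the AP, gives a pre-change check for that condition, and evaluates a destination against the VLAN ACL and client ACL in the documented per-direction order. ACL names, address prefixes, and the simple prefix-match rule format are assumptions.

```python
# Constructed model of the FlexConnect ACL behaviour described on this page.
# Not Cisco code: ACL names, prefixes and the prefix-match rule format are assumptions.
from dataclasses import dataclass, field


@dataclass
class Acl:
    name: str
    permit_prefixes: list = field(default_factory=list)  # constructed: permit if dst starts with one

    def permits(self, dst):
        # Every ACL ends with an implicit deny.
        return any(dst.startswith(p) for p in self.permit_prefixes)


# Constructed sample: client ACLs pushed to the AP through the FlexConnect group,
# plus the ingress/egress ACL pair mapped to a VLAN on the group.
AP_ACLS = {
    "acl-guest": Acl("acl-guest", ["203.0.113."]),
    "acl-staff": Acl("acl-staff", ["10.", "203.0.113."]),
}
VLAN_INGRESS = Acl("vlan20-in", ["10.", "203.0.113."])
VLAN_EGRESS = Acl("vlan20-out", ["10."])


def dot1x_result(ap_acls, aaa_acl_name):
    """Outcome table: AAA naming an ACL that is absent from the AP denies the
    client even though 802.1X itself succeeded."""
    if aaa_acl_name is None:
        return "authenticated, no ACL applied"
    if aaa_acl_name not in ap_acls:
        return "authentication denied"
    return "authenticated, client ACL applied"


def missing_client_acls(ap_acls, aaa_acl_names):
    """Pre-change check: ACL names AAA may return that are not present on the AP."""
    return sorted(set(aaa_acl_names) - set(ap_acls))


def forward(direction, dst, vlan_acl, client_acl):
    """Downstream: VLAN ACL first, then client ACL. Upstream: client ACL first,
    then VLAN ACL. Returns ("deny", name-of-first-denying-ACL) or ("permit", None)."""
    order = [vlan_acl, client_acl] if direction == "downstream" else [client_acl, vlan_acl]
    for acl in order:
        if acl is not None and not acl.permits(dst):
            return ("deny", acl.name)
    return ("permit", None)
```

Running missing_client_acls against the set of ACL names a RADIUS policy can return is the check to make before changing the AAA side, since a newly referenced ACL name that is not yet on the AP turns every affected 802.1X success into a denial.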
The WLAN-VLAN mapping on FlexConnect groups is not supported on Cisco APs 1131 and 1242.
Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
Step 1 | Open the FlexConnect Groups page. |
Step 2 | Click the group name. The FlexConnect Groups > Edit page is displayed. |
Step 3 | Click the WLAN VLAN Mapping tab. |
Step 4 | Enter the WLAN ID and the VLAN ID and click Add. The mapping is displayed in the same tab. |
Step 5 | Select the VLAN Support check box and specify the Native VLAN ID. |
Step 6 | Select the Override Native VLAN on AP check box. |
Step 7 | Verify that the inheritance level is Group Specific. |
Step 8 | Click Apply. |
Step 9 | Click Save Configuration. |
Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
Configure WLAN-VLAN mapping on a FlexConnect group by entering this command: config flexconnect group group-name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id