The Allow Authentication, Authorization, Accounting (AAA) Override option of a WLAN enables you to configure the WLAN for authentication. It enables you to apply VLAN tagging, QoS, and ACLs to individual clients based on the RADIUS attributes returned by the AAA server.
AAA overrides for FlexConnect access points introduce a dynamic VLAN assignment for locally switched clients. AAA overrides for FlexConnect also support fast roaming (Opportunistic Key Caching [OKC] / Cisco Centralized Key Management [CCKM]) of overridden clients.
VLAN overrides for FlexConnect are applicable for both centrally and locally authenticated clients. VLANs can be configured on FlexConnect groups.
If a VLAN on the AP is configured using the WLAN-VLAN, the AP configuration of the corresponding ACL is applied. If the VLAN is configured using the FlexConnect group, the corresponding ACL configured on the FlexConnect group is applied. If the same VLAN is configured on the FlexConnect group and also on the AP, the AP configuration, with its ACL, takes precedence. If there is no slot for a new VLAN from the WLAN-VLAN mapping, the latest configured FlexConnect group VLAN
If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the default VLAN configured for the WLAN.
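
The precedence and fallback rules above, modeled as an added Python example (not Cisco code; the AP names, VLAN IDs and ACL names are constructed). It also lists which AAA-returned VLANs would silently fall back to the WLAN default VLAN on each AP, which is worth checking before relying on the override for segmentation.

```python
from dataclasses import dataclass, field


@dataclass
class FlexAP:
    name: str
    # VLAN ID -> ACL name, from the AP's own WLAN-VLAN mappings
    wlan_vlan: dict = field(default_factory=dict)
    # VLAN ID -> ACL name, inherited from the FlexConnect group
    group_vlan: dict = field(default_factory=dict)


def resolve(ap, aaa_vlan, wlan_default_vlan):
    """Return (vlan, acl, source) for a client whose AAA reply named aaa_vlan."""
    if aaa_vlan in ap.wlan_vlan:
        # Present on the AP (even if also on the group): AP config and ACL win.
        return aaa_vlan, ap.wlan_vlan[aaa_vlan], "ap"
    if aaa_vlan in ap.group_vlan:
        return aaa_vlan, ap.group_vlan[aaa_vlan], "group"
    # VLAN not present on the AP: client lands on the WLAN's default VLAN.
    # The page does not say which ACL applies then, so none is reported.
    return wlan_default_vlan, None, "fallback"


def audit_fallbacks(aps, policy_vlans, wlan_default_vlan):
    """List (AP name, VLAN) pairs where an override would silently fall back."""
    return [
        (ap.name, vlan)
        for ap in aps
        for vlan in sorted(policy_vlans)
        if resolve(ap, vlan, wlan_default_vlan)[2] == "fallback"
    ]


# Constructed sample inventory; names, VLAN IDs and ACL names are illustrative.
SAMPLE_APS = [
    FlexAP("ap-branch-01", {10: "acl-staff-ap"}, {10: "acl-staff-grp", 20: "acl-guest"}),
    FlexAP("ap-branch-02", {}, {20: "acl-guest"}),
]
POLICY_VLANS = {10, 20, 30}   # VLANs the AAA server's policies can return
WLAN_DEFAULT_VLAN = 1

if __name__ == "__main__":
    for ap_name, vlan in audit_fallbacks(SAMPLE_APS, POLICY_VLANS, WLAN_DEFAULT_VLAN):
        print(f"{ap_name}: AAA VLAN {vlan} missing, client falls back to "
              f"VLAN {WLAN_DEFAULT_VLAN}")
```
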
Before configuring an AAA override, the VLAN must be created on the access points. These VLANs can be created by using the existing WLAN-VLAN mappings on the access points, or by using the FlexConnect group
AAA Override for IPv6 ACLs
To support centralized access control through a centralized AAA server such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. To use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the attribute used for provisioning an IPv4-based ACL. The contents returned in the AAA attribute should be a string that is equal to the name of the IPv6 ACL as configured on the controller.
AAA Overrides of Bidirectional Rate Limiting on an AP and
You can have AAA overrides for FlexConnect APs to dynamically assign QoS levels and/or bandwidth contracts for both locally switched traffic on web-authenticated WLANs and 802.1X-authenticated WLANs. Both upstream and downstream parameters are sent to the corresponding AP.
This table shows the bidirectional rate limiting implementation:
Table 1 Bidirectional Rate-Limiting Implementation
||FlexConnect Central Switching
||FlexConnect Local Switching
This table shows the order of preference for local and FlexConnect central switching:
Table 2 Rate-Limiting Parameters
||QoS Profile of AAA
||QoS Profile of WLAN
||Applied to Client