FlexConnect

FlexConnect Authentication

A FlexConnect authentication mode is a WLAN operating state that

  • defines how a FlexConnect AP handles client authentication and data switching

  • changes its behavior based on connection status to the controller, and

  • enables resilient client connectivity during both connected and standalone operation.

Connected mode: When a FlexConnect AP can reach the controller, the controller assists in client authentication.

Standalone mode: When a FlexConnect AP cannot access the controller, the AP authenticates the clients instead.

Locally switched: The AP forwards a client’s data traffic directly onto the local LAN or VLAN at the site, instead of tunneling that traffic through the controller.

Centrally switched: The AP tunnels the client’s data traffic to the controller, which switches it onto the corporate network. Which of the two applies is set per WLAN in its policy profile.

FlexConnect is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points (AP) in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The FlexConnect access points can also switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect access points support multiple SSIDs. In the connected mode, the FlexConnect access point can also perform local authentication.

Figure 1. FlexConnect Deployment

The controller software provides fault tolerance for FlexConnect access points. Whenever a FlexConnect AP disassociates from the controller, it moves to standalone mode. Centrally switched clients are disassociated, but the FlexConnect AP continues to serve locally switched clients. When a FlexConnect AP loses and rejoins its primary controller, or a secondary controller with a configuration identical to the primary, existing locally switched client sessions are maintained and clients experience seamless connectivity.

After the client connection is established, the controller does not restore the original attributes of the client. The client username, current rate and supported rates, and listen interval values are reset to the default or new configured values only after the session timer expires.

The controller can send multicast packets in the form of unicast or multicast packets to an access point. In FlexConnect mode, an access point can receive only multicast packets.

In Cisco Catalyst 9800 Series Wireless Controller, you can define a FlexConnect site. A FlexConnect site can have a flex profile associated with it. You can have a maximum of 100 access points for each FlexConnect site.

FlexConnect access points support a 1-1 network address translation (NAT) configuration. They also support port address translation (PAT) for all features except true multicast. Multicast is supported across NAT boundaries when configured using the Unicast option. FlexConnect access points also support a many-to-one NAT or PAT boundary, except when you want true multicast to operate for all centrally switched WLANs.

Workgroup bridges and Universal Workgroup bridges are supported on FlexConnect access points for locally switched clients.

FlexConnect supports IPv6 clients by bridging their traffic to the local VLAN, in the same way as IPv4 traffic. FlexConnect supports client mobility within a group of up to 100 access points.

An access point does not have to reboot when moving from local mode to FlexConnect mode and vice-versa.

Typical deployment scenarios:

  • An office with intermittent WAN connectivity keeps wireless clients connected using local authentication, with data switched locally until the central controller is available again.

  • A FlexConnect AP at a remote branch uses a backup RADIUS server for 802.1X authentication during WAN outages.

Analogy: retail chain

Imagine a retail chain with a central headquarters (controller) and a branch store (the FlexConnect AP).

Normal day: Every time a customer wants to make a purchase, the cashier phones headquarters for approval and processing. This is like central authentication and switching.

Local authentication (policy choice): Even on a normal day, the branch can be configured to keep a small credit-card terminal in the store. If management decides to use it, the cashier can approve transactions locally without phoning headquarters. The headquarters link is still up, but the store chooses to handle the verification itself. That terminal is “local authentication”.

Stand-alone mode (connectivity condition): One day the phone lines to headquarters go down. The branch is forced to rely on its credit-card terminal, whether it originally planned to or not, if it wants to keep making sales. The store switches on its emergency lights, keeps serving customers, and records the day’s sales to upload later. That forced independence is “standalone mode”.

Key Takeaway

Standalone mode is the situation (phone lines down).

Local authentication is the tool (the in-store terminal) that lets the store keep serving customers—even when the phone lines are fine and especially when they are not.

How FlexConnect authentication works

Summary

FlexConnect authentication enables wireless APs to maintain client connectivity and authentication in various network scenarios, either by connecting to a central controller or operating autonomously. This process is essential for branch offices or remote sites with unreliable WAN links.

The key components involved in the process are:
  • FlexConnect AP: Discovers controllers, downloads configuration, and performs client authentication and data switching either locally or through the controller.

  • The controller: Centralizes configuration management and client authentication when available.

  • Client devices: Attempt to authenticate and connect to the network through FlexConnect APs.

  • RADIUS server: Provides authentication services, either centrally through the controller or, in standalone mode, through a backup RADIUS server reachable from the AP.

Workflow

The process involves the following stages:

  1. Controller discovery and join
    • When a FlexConnect AP boots up, it searches for and joins a wireless LAN controller, downloading the latest configuration and software image.
    • If the controller is reachable, the AP enters connected mode. The controller performs central authentication and, based on the WLAN configuration, client data is switched either through the controller (central switching) or locally at the AP (local switching).
    • If the controller is not reachable, the AP enters standalone mode. The AP performs local authentication using its stored configuration and, for 802.1X WLANs, a backup RADIUS server; client data is switched locally. Special states (such as “authentication down, local switching”) manage client behavior when authentication cannot occur.
    • When operating locally, guest authentication and local RADIUS on the controller are not supported.
  2. Failover and recovery
    • If controller connectivity is lost, the AP checks whether it can reach its default gateway through ARP and retries controller discovery.
    • If discovery fails, it attempts DHCP renewal and, if still unsuccessful after multiple attempts, falls back to its static IP address (if one is configured) and reboots to recover.
  3. Return to connected mode
    • Upon reconnecting to the controller, the AP applies the controller’s configuration and resumes normal connectivity with central authentication and state management. Locally switched sessions survive the rejoin only if that configuration is unchanged since the AP entered standalone mode; otherwise clients are disassociated and must reassociate.

Result

FlexConnect authentication ensures clients can maintain connectivity and authentication even during network disruptions, supports flexible deployment models, and reduces branch office WAN dependency.

Controller discovery methods

When a FlexConnect AP boots up, it searches for a controller. If it finds one, it joins the controller, downloads the latest software and configuration, and initializes the radio. The configuration is saved in nonvolatile memory to support standalone mode if the controller becomes unreachable.

A FlexConnect AP can discover the controller’s IP address through multiple methods:

  • DHCP-based discovery: If the access point receives its IP address from a DHCP server, it can discover a controller through the regular CAPWAP or LWAPP discovery process, which includes DHCP option 43. OTAP is not supported.

  • Static IP discovery: If configured with a static IP, the access point can use all discovery methods except DHCP option 43. DNS resolution is recommended if Layer 3 broadcast fails. With DNS, any AP with a static IP address that knows of a DNS server can find at least one controller.

  • Priming: For remote networks without CAPWAP or LWAPP, priming allows manual configuration through the CLI to specify the controller.
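The following branch-side DHCP scope is an added example, not configuration from the original page. It hands the AP its address on the native VLAN and carries the controller address in DHCP option 43, which is the DHCP-based discovery method described above. The controller address 192.168.100.10 and the domain branch.example.com are assumptions; the subnet and DNS server match the remote-site switch example later on this page. Option 43 for Cisco APs is a vendor-specific TLV: type 0xf1, a length equal to 4 times the number of controller addresses, then each IPv4 address as hex (192.168.100.10 is c0.a8.64.0a).

```ios
! Added example, not from the original page. The controller address 192.168.100.10
! and the domain branch.example.com are assumptions.
ip dhcp pool NATIVE
   network 209.165.200.224 255.255.255.224
   default-router 209.165.200.225
   dns-server 192.168.100.167
   domain-name branch.example.com
   ! Option 43 TLV for Cisco APs: type f1, length 04 (4 bytes per controller),
   ! value c0a8640a (= 192.168.100.10). For two controllers the length becomes 08
   ! and the second address is appended after the first.
   option 43 hex f104c0a8640a
```

If option 43 is absent, the AP falls back to DNS: an A record for cisco-capwap-controller.branch.example.com that resolves to the controller gives the same result, which is the DNS resolution recommended above for APs with static addresses. Neither method is authenticated; what stops an AP from joining a rogue controller is the certificate check in the CAPWAP DTLS join, so protect the branch DHCP and DNS servers (for example with DHCP snooping on the access switch) rather than treating discovery itself as tamper-proof.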

FlexConnect authentication and switching modes


Note

The LEDs on the AP change as the device enters different FlexConnect modes. See the hardware installation guide for your AP for information on LED patterns.

When a client associates with a FlexConnect AP on a centrally authenticated WLAN, the AP relays all authentication messages to the controller and, based on the WLAN configuration, either switches the client’s data packets locally (locally switched) or tunnels them to the controller (centrally switched).

For client authentication (open, shared, EAP, web authentication, and NAC) and data packets, the WLAN operates in one of the following states, determined by its configuration and the controller connectivity status:

  • Central authentication, central switching: The controller handles both client authentication and data switching. All client data is tunneled to the controller. This state is valid only in connected mode.

  • Central authentication, local switching: The controller handles client authentication, and the FlexConnect AP switches data packets locally. After the client authenticates successfully, the controller sends a configuration command with a new payload instructing the FlexConnect AP to start switching that client’s data packets locally. This message is sent per client. This state is valid only in connected mode.

  • Local authentication, local switching: The AP both authenticates clients and switches data locally. This state is valid in both connected and standalone mode.

  • Authentication down, switching down: The WLAN disassociates existing clients and stops sending beacons and probe responses. Valid in both connected and standalone mode.

  • Authentication down, local switching: New client authentication is rejected, but existing client sessions are kept alive and continue to be switched locally. Valid in standalone mode.

In connected mode, the controller receives only minimal information about locally authenticated clients. Information not available to the controller includes:

  • Policy type

  • Access VLAN

  • VLAN name

  • Supported rates

  • Encryption cipher

When a FlexConnect AP is unable to reach the controller, WLANs configured with open, shared, WPA-PSK, or WPA2-PSK authentication continue to authenticate new clients locally with no RADIUS server involved; WLANs configured for 802.1X-based authentication continue to authenticate new clients only if the AP can reach a configured backup RADIUS server. When the controller becomes reachable again, the AP rejoins it and applies the controller’s configuration; if that configuration changed while the AP was in standalone mode, all clients are disassociated before connectivity resumes.

In web-authentication mode, client DNS replies must pass through the controller during authentication. After successful web authentication, all traffic switches locally.

Standalone Mode

When a FlexConnect AP cannot reach the controller, it automatically enters standalone mode and begins authenticating clients on its own.

Behavior in standalone mode

  • WLANs configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the local authentication, local switching state and continue to authenticate new clients.

  • WLANs configured for 802.1X, WPA-802.1X, WPA2-802.1X, or Cisco Centralized Key Management continue to authenticate new clients only if an external or AP-local RADIUS server remains reachable from the AP.

  • WLANs configured for central switching move to the authentication down, switching down state; WLANs configured for local switching move to the authentication down, local switching state.

  • The AP forwards data frames locally for the clients it authenticates.

When a FlexConnect AP enters standalone mode, it first checks whether it can reach its default gateway through ARP. If it can, it keeps trying to reach the controller.

If the AP cannot resolve the gateway through ARP:

  • The AP attempts controller discovery five times. If it still cannot find the controller, it renews DHCP on the Ethernet interface to obtain a new IP address.

  • With the new address, the AP retries discovery five more times. If that also fails, it renews the interface IP address again; this renewal cycle is attempted three times in total.

  • If all three cycles fail and the AP is configured with a static IP address, it falls back to that static address and reboots.

  • The reboot clears any unknown error state in the AP configuration.

Local authentication in a FlexConnect AP

Local authentication in a FlexConnect AP is an authentication method in which

  • the FlexConnect AP authenticates clients itself, without forwarding authentication requests to the controller,

  • client data packets are switched locally by the AP, reducing round-trip latency and dependence on WAN bandwidth, and

  • the authentication capabilities for protocols such as 802.1X, WPA-PSK, and WPA2-PSK are built into the AP, which relaxes the latency requirements of the branch office.

Local authentication is useful where you cannot maintain a remote office WAN link with a minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a maximum transmission unit (MTU) no smaller than 576 bytes.

Additional information

  • Do not enable guest authentication on WLANs with FlexConnect local authentication; guest authentication is unsupported in this configuration.

  • Do not use local RADIUS authentication on the controller for FlexConnect local authentication-enabled WLANs; it is not supported.

  • Once the client has been authenticated, roaming is only supported after the controller and the other FlexConnect access points in the group are updated with the client information.

Local and backup RADIUS server configuration

  • You can configure a local RADIUS server on a FlexConnect AP to support 802.1X in standalone mode or with local authentication.

  • When connected to a central controller, FlexConnect APs use the controller’s primary RADIUS servers in the specified order unless overridden for a particular WLAN. The order is specified on the RADIUS Authentication Servers window or using the config radius auth add command.

  • In standalone mode, each FlexConnect AP must have its own backup RADIUS server to perform 802.1X EAP authentication for clients. The controller itself does not use a backup RADIUS server in this mode.

  • You can configure a backup RADIUS server for individual FlexConnect APs in standalone mode by using the controller CLI or for groups of FlexConnect APs in standalone mode by using either the GUI or CLI. An AP-specific backup RADIUS configuration overrides any group configuration.


Note

The controller itself does not use the backup RADIUS server. The backup RADIUS server is used by the FlexConnect AP when a WLAN is in the local authentication state, including standalone mode.

WLAN authentication and switching states

When the primary RADIUS server becomes unavailable, a WLAN enters one of these states:

  • Authentication down, switching down, if the WLAN was configured for central switching

  • Authentication down, local switching, if the WLAN was configured for local switching

Web authentication and DNS handling

When web-authentication is used on FlexConnect APs at a remote site, the clients get the IP address from the remote local subnet.

To resolve the initial URL request, the DNS server is reachable through the subnet’s default gateway. For the controller to intercept and redirect the DNS replies, those packets must reach the controller at the data center over the CAPWAP connection. During the web-authentication process, the FlexConnect APs allow only DNS and DHCP messages and forward DNS replies to the controller until web authentication for the client is complete. After web authentication completes, all of the client’s traffic is switched locally.

Restrictions

  • OTAP is not supported.

  • Once the AP is rebooted after downloading the latest controller software, it must be converted to the FlexConnect mode.

  • 802.1X authentication on the AUX port is unsupported for Cisco Aironet 2700 series FlexConnect APs.

  • FlexConnect passive client mode disables IP Learn timeout by default in local switching, central authentication deployments.

  • When a FlexConnect AP enters standalone mode, only WLANs configured for open, shared, WPA-PSK, or WPA2-PSK authentication support local authentication for new clients; 802.1X types require an external or local RADIUS server.

  • When FlexConnect APs are connected to the controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, to support 802.1X EAP authentication, FlexConnect APs in standalone mode need to have their own backup RADIUS server to authenticate clients.




Guidelines and restrictions for FlexConnect

Configuration Changes

  • When you apply a configuration change to a locally switched WLAN, the access point resets its radio, which disassociates all associated clients, including those on WLANs other than the one you modified. This also happens when a centrally switched WLAN is changed to a locally switched WLAN. Make such changes only during a maintenance window. This guideline is specific to Wave 1 APs; it does not apply to Wave 2 or 802.11ax APs.

VLAN and Switched WLANs

  • FlexConnect mode can support only 16 VLANs per AP.

  • NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching, not for local switching.

  • FlexConnect access points with locally switched WLANs cannot perform IP source guard or prevent ARP spoofing. Enforce those controls on the wired access switch port that faces the AP instead (DHCP snooping with dynamic ARP inspection and IP source guard), since locally switched client traffic enters the wired network there.

Network and Client Requirements

  • You can deploy a FlexConnect access point with either a static IP address or a DHCP address. Ensure a DHCP server is available locally and able to provide the IP address for the access point at bootup.

  • FlexConnect supports up to 4 fragmented packets or a 576-byte MTU WAN link.

  • Round-trip latency must not exceed 300 milliseconds (ms) between the access point and the controller, and CAPWAP control packets must be prioritized over all other traffic.

Roaming and Associations

When a client roams from one AP to another and the roam succeeds, the following happens:

  • The client does not send any traffic to the new AP.

  • The client’s state is IP LEARN pending.

  • The client is deauthenticated after 180 seconds, if there is no traffic for the entire duration. In case the DHCP Required flag is set, the deauthentication occurs after 60 seconds.

Authentication and Support

  • FlexConnect APs do not forward the DHCP packets after Change of Authorization (CoA) and change of VLANs using 802.1X encryption. You must disconnect the client from the WLAN and reconnect the client to enable the client to get an IP address in the second VLAN.

  • The configuration on the controller must be the same between the time the access point went into standalone mode and the time the access point came back to connected mode.

  • Local authentication fallback is not supported when a user is not available in the external RADIUS server.

Configuration Practices

  • In the FlexConnect mode, use a named site tag instead of default-site-tag. If you use default-site-tag, the client Pairwise Master Key (PMK) is not sent to APs. This results in client roam and reassociation issues.

Configure a site tag (CLI)

Configure a site tag using CLI to centrally manage configurations for APs within a network. By completing this task, you streamline the management of configuration profiles and associated devices on the network.

Use these steps to configure a site tag using CLI:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a site tag and enter site tag configuration mode. Use a named site tag rather than default-site-tag: with default-site-tag the client PMK is not sent to the APs, which breaks roaming and reassociation.

Example:

Device(config)# wireless tag site rr-xyz-site

Step 3

Configure the site tag as a FlexConnect (non-local) site, so that APs assigned to it operate in FlexConnect mode.

Example:

Device(config-site-tag)# no local-site

Note

Configure no local-site before flex-profile. Otherwise the flex profile is not applied to the site tag.

Step 4

Map a flex profile to a site tag.

Example:

Device(config-site-tag)# flex-profile rr-xyz-flex-profile

Step 5

Assign an AP profile to the wireless site.

Example:

Device(config-site-tag)# ap-profile xyz-ap-profile

Step 6

Add a description for the site tag.

Example:

Device(config-site-tag)# description "branch site tag"

Step 7

Save the configuration, exit the configuration mode, and return to privileged EXEC mode.

Example:

Device(config-site-tag)# end

Step 8

Display the summary of site tags.

Example:

Device# show wireless tag site summary

You configured the new site tag for the network. Now visible in the system, the site tag allows you to efficiently manage AP profiles and flex profiles associated with specific network sites.

Configure a policy tag (CLI)

Create and apply a policy tag to group wireless local area network (WLAN) and policy profiles for your network configuration.

Use this task when you need to define or update policy tags for your wireless network devices using the CLI.

Before you begin

  • Prepare unique names for policy tags using ASCII characters (32 to 126, no leading or trailing spaces).

  • Identify the WLAN and policy profiles you plan to map.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure policy tag and enter policy tag configuration mode.

Example:

Device(config)# wireless tag policy default-policy-tag

Note

When performing local web authentication, the clients connected to a controller get disconnected intermittently before session timeout.

Step 3

Add a description to a policy tag.

Example:

Device(config-policy-tag)# description "default-policy-tag"

Step 4

Map a remote-LAN profile to a policy profile.

Example:

Device(config-policy-tag)# remote-lan rr-xyz-rlan-aa policy rr-xyz-rlan-policy1 port-id 2

Step 5

Map a policy profile to a WLAN profile.

Example:

Device(config-policy-tag)# wlan rr-xyz-wlan-aa policy rr-xyz-policy-1

Step 6

Exit policy tag configuration mode, and return to privileged EXEC mode.

Example:

Device(config-policy-tag)# end

Step 7

(Optional) Display the configured policy tags.

Example:

Device# show wireless tag policy summary

Note

To view detailed information about a policy tag, use the show wireless tag policy detailed policy-tag-name command.


Your device has the new policy tag applied. The mapped WLAN and policy profiles are now active based on your configuration.

What to do next

Verify that connected devices use the updated policy tag and the expected network policies are applied.

Attach policy and site tags to an access point (GUI)

This task allows you to efficiently organize and manage access points by assigning specific policy and site tags through GUI.

Use these steps to assign policy and site tags to an AP using GUI:

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Click the Access Point name.

Step 3

Go to the Tags section.

Step 4

Choose the Policy Tag from the Policy drop-down list.

Step 5

Choose the Site Tag from the Site drop-down list.

Step 6

Click Update and Apply to Device.


The AP has the designated policy and site tags, ensuring it operates under defined network conditions and policy settings.

Attach policy tag and site tag to an AP (CLI)

Assign a policy tag and site tag to an AP using the CLI.

Use this procedure to associate specific network policies and locations with an AP in your Cisco wireless deployment.

Before you begin

Make sure you have the wired MAC address of the AP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the AP by its wired MAC address and enter AP tag configuration mode.

Example:

Device(config)# ap F866.F267.7DFB

Note

The MAC address must be the AP’s wired (Ethernet) MAC address, not a radio MAC address.

Step 3

Map a policy tag to the AP.

Example:

Device(config-ap-tag)# policy-tag rr-xyz-policy-tag

Step 4

Map a site tag to the AP.

Example:

Device(config-ap-tag)# site-tag rr-xyz-site

Step 5

Associate the RF tag.

Example:

Device(config-ap-tag)# rf-tag rf-tag1

Step 6

Save the configuration, exit configuration mode, and return to privileged EXEC mode.

Example:

Device(config-ap-tag)# end

Step 7

(Optional) Display AP details and the tags associated to it.

Example:

Device# show ap tag summary

Step 8

Display the AP name with tag information.

Example:

Device# show ap name ap-name tag info

Step 9

(Optional) Display the AP name with tag details.

Example:

Device# show ap name ap-name tag detail

The AP is now associated with the specified policy, site, and optionally RF tags.

Apply access control lists on FlexConnect

Apply Access Control Lists (ACLs) on a FlexConnect wireless profile to filter packet movement through a network.

Use these steps to apply ACLs on FlexConnect.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless flex profile and enter wireless flex profile configuration mode.

Example:

Device(config)# wireless profile flex Flex-profile-1

Step 3

Configure an ACL policy. Access control lists (ACLs) perform packet filtering to control the movement of packets through a network; the ACL named here must already be defined on the controller.

Example:

Device(config-wireless-flex-profile)# acl-policy ACL1

Step 4

Return to wireless flex profile configuration mode.

Example:

Device(config-wireless-flex-profile-acl)# exit

Step 5

Configure the native VLAN ID for the flex profile. It must match the native VLAN of the switch trunk port the AP connects to.

Example:

Device(config-wireless-flex-profile)# native-vlan-id 25

Step 6

Configure a VLAN.

Example:

Device(config-wireless-flex-profile)# vlan-name VLAN0169

Step 7

Configure an ACL for the interface.

Example:

Device(config-wireless-flex-profile-vlan)# acl ACL1

Step 8

Configure VLAN information.

Example:

Device(config-wireless-flex-profile-vlan)# vlan-id 169

The ACLs are applied to the FlexConnect wireless profile, ensuring controlled packet filtering through configured VLAN settings.

Configure FlexConnect

Configure the switch at a remote site

Configure a switch to support a FlexConnect access point at a remote site by ensuring proper VLAN and IP address settings.

Use the steps to configure the switch at a remote site

Procedure


Step 1

Attach the AP by connecting the FlexConnect access point to either a trunk or an access port on the switch.

Note

The sample configuration in this procedure shows the FlexConnect access point connected to a trunk port on the switch.

Step 2

This example configuration guides you on configuring a switch to support a FlexConnect AP.

In this sample configuration, the FlexConnect access point is connected to the trunk interface GigabitEthernet 1/0/2 with native VLAN 100. The access point needs IP connectivity on the native VLAN. The remote site has local servers or resources on VLAN 101. A DHCP pool is created on the local switch for each of the two VLANs. The first DHCP pool (NATIVE) is used by the FlexConnect access point, and the second DHCP pool (LOCAL-SWITCH) is used by clients when they associate to a WLAN that is locally switched.


.
.
.
! Keep the SVI addresses (the default gateways) out of the DHCP ranges;
! the IOS DHCP server does not exclude them on its own.
ip dhcp excluded-address 209.165.200.225
ip dhcp excluded-address 209.165.201.225
!
! Pool for the AP itself, on the native VLAN 100.
ip dhcp pool NATIVE
   network 209.165.200.224 255.255.255.224
   default-router 209.165.200.225
   dns-server 192.168.100.167
!
! Pool for locally switched wireless clients, on VLAN 101.
ip dhcp pool LOCAL-SWITCH
   network 209.165.201.224 255.255.255.224
   default-router 209.165.201.225
   dns-server 192.168.100.167
!
interface Gig1/0/1
 description Uplink port
 no switchport
 ip address 209.165.202.225 255.255.255.224
!
interface Gig1/0/2
 description the Access Point port
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 ! The native VLAN must be in the allowed list, or the AP's untagged
 ! CAPWAP traffic on VLAN 100 is dropped at this port.
 switchport trunk allowed vlan 100,101
 switchport mode trunk
 ! Static trunk: do not negotiate trunking with whatever is plugged in.
 switchport nonegotiate
!
interface Vlan100
 ip address 209.165.200.225 255.255.255.224
!
interface Vlan101
 ip address 209.165.201.225 255.255.255.224
end
.
.
.

The switch is configured to support the FlexConnect access point, enabling network connectivity for the access point and local servers or resources in the VLANs specified.

Configure the controller for FlexConnect

You can configure the controller for FlexConnect in either centrally switched WLAN or locally switched WLAN environments.

The controller configuration for FlexConnect consists of creating centrally switched and locally switched WLANs. This table shows four WLAN scenarios.

Table 1. WLAN scenarios

WLAN                  Security            Authentication   Switching   Interface mapping (GUEST VLAN)
Employee              WPA1+WPA2           Central          Central     Management (centrally switched GUEST VLAN)
Employee-local        WPA1+WPA2 (PSK)     Local            Local       101 (locally switched GUEST VLAN)
Guest-central         Web authentication  Central          Central     Management (centrally switched GUEST VLAN)
Employee-local-auth   WPA1+WPA2           Local            Local       101 (locally switched VLAN)
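The following Catalyst 9800 configuration is an added example, not configuration from the original page. It implements two rows of the table above, Employee (central authentication, central switching) and Employee-local-auth (local authentication, local switching on VLAN 101), and ties together the site tag, policy tag, AP tag, flex profile and ACL procedures given earlier on this page, so it goes beyond any single procedure. The profile and tag names, the WLAN IDs, the PSK, the ACL contents, the AAA method list EMPLOYEE-DOT1X and the AP MAC address are assumptions; the VLAN numbers and subnets match the remote-site switch example (native VLAN 100, client VLAN 101, AP subnet 209.165.200.224/27).

```ios
! Added example, not from the original page. All names, the PSK, the ACL policy and
! the AP MAC address are assumptions; VLANs 100/101 match the remote-site switch example.
!
! --- ACL pushed to the AP for locally switched traffic ---
! Locally switched clients on VLAN 101 must not reach the AP/management subnet on the
! native VLAN 100 (IP source guard and ARP inspection are not available on the AP, so
! this is plain L3 filtering). Entries are evaluated top-down.
ip access-list extended BRANCH-CLIENT-ACL
 deny   ip any 209.165.200.224 0.0.0.31
 permit ip any any
!
! --- WLANs ---
! Employee: WPA2 with 802.1X (the default AKM for a new WLAN). EMPLOYEE-DOT1X is an
! assumed aaa authentication dot1x method list that points at the corporate RADIUS group.
wlan Employee 1 Employee
 security dot1x authentication-list EMPLOYEE-DOT1X
 no shutdown
!
! Employee-local-auth: WPA2-PSK, so the AP keeps admitting new clients in standalone
! mode with no RADIUS reachability at all. The key is a placeholder; replace it.
wlan Employee-local-auth 2 Employee-local-auth
 no security wpa akm dot1x
 security wpa akm psk
 security wpa psk set-key ascii 0 ChangeMe-Branch-PSK
 no shutdown
!
! --- Policy profiles ---
! Central authentication and central switching: client data is tunneled to the
! controller. These three settings are the defaults, listed here to make the contrast clear.
wireless profile policy POL-EMPLOYEE-CENTRAL
 central association
 central authentication
 central switching
 no shutdown
!
! Local authentication and local switching: the AP handles both, and client data is
! bridged onto VLAN 101 at the branch (the VLAN must be mapped in the flex profile).
wireless profile policy POL-EMPLOYEE-LOCAL
 no central association
 no central authentication
 no central switching
 vlan 101
 no shutdown
!
! --- Flex profile: native VLAN, VLAN mapping and the ACL for the branch ---
! native-vlan-id must match the switch trunk's native VLAN (100 in the switch example).
wireless profile flex FLEX-BRANCH
 acl-policy BRANCH-CLIENT-ACL
  exit
 native-vlan-id 100
 vlan-name VLAN0101
  acl BRANCH-CLIENT-ACL
  vlan-id 101
!
! --- Tags: a named site tag, never default-site-tag (PMK is not pushed with the default) ---
! no local-site must precede flex-profile or the flex profile is not applied.
wireless tag site SITE-BRANCH
 no local-site
 flex-profile FLEX-BRANCH
 ap-profile default-ap-profile
!
wireless tag policy POLTAG-BRANCH
 wlan Employee policy POL-EMPLOYEE-CENTRAL
 wlan Employee-local-auth policy POL-EMPLOYEE-LOCAL
!
! --- Bind the tags to the AP by its wired MAC address (assumed value) ---
ap F866.F267.7DFB
 policy-tag POLTAG-BRANCH
 site-tag SITE-BRANCH
```

After the AP rejoins, confirm the binding with show ap tag summary and show ap name ap-name tag detail as in the AP tag procedure above. Note that with local authentication the PSK and the locally switched VLAN mapping are stored in the AP’s nonvolatile memory so that standalone mode works, which is one more reason to keep the branch AP physically secured and on a hardened switch port.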

Configure local switching in FlexConnect mode (GUI)

Enable local switching for a device operating in FlexConnect mode using the GUI.

Use these steps to configure local switching.

Procedure

Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

On the Policy Profile page, click the name of a policy profile to edit it or click Add to create a new one.

Step 3

In the Add/Edit Policy Profile window that is displayed, uncheck the Central Switching and the Central Association check boxes.

Step 4

Click Update & Apply to Device.


The device is now configured to use local switching in FlexConnect mode.

Configure local switching in FlexConnect mode (CLI)

Configure a WLAN for local switching when operating in FlexConnect mode, enabling WLANs to be locally switched at the AP.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure the WLAN policy profile and enter wireless policy configuration mode.

Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Step 3

Configure the WLAN for local switching.

Example:
Device(config-wireless-policy)# no central switching

Step 4

Return to privileged EXEC mode.

Example:
Device(config-wireless-policy)# end

The WLAN operates with local switching at the AP, allowing the WLAN data traffic to be processed locally rather than routed through a central controller.

Configure central switching in FlexConnect mode (GUI)

Enable or disable central switch mode in FlexConnect to manage traffic more effectively based on your network setup.

Procedure

Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

On the Policy Profile page, select a policy.

Step 3

In the Edit Policy Profile window, on the General tab, use the slider to enable or disable Central Switching.

Step 4

Click Update & Apply to Device.


Central switch mode has been configured as specified, and the network policy is updated according to your current setup needs.

Configure central switching in FlexConnect mode (CLI)

Establish central switching in FlexConnect mode on your device using the CLI.

Use these steps to configure central switching in FlexConnect mode.

Procedure

Step 1

Enter global configuration mode.

Example:
Device# configure terminal

Step 2

Configure WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device
config)# wireless profile policy rr-xyz-policy-1
					

Step 3

Configure the WLAN for central switching.

Example:

Device(config-wireless-policy)# central switching

Step 4

Return to privileged EXEC mode.

Example:
Device(config-wireless-policy)# end

Central switching configuration is applied, and data from devices is centrally processed in FlexConnect mode.

Configure an access point for FlexConnect

For more information, see the Configuring a Site Tag (CLI) topic in the New Configuration Model chapter.

Configure an access point for local authentication on a WLAN (GUI)

Configure an AP so that it uses local authentication for wireless LANs, enhancing the security and autonomy of network access control processes.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

On the Policy Profile page, select a policy profile name. The Edit Policy Profile window is displayed.

Step 3

In the General tab, uncheck the Central Authentication check box.

Step 4

Click Update & Apply to Device.


The AP is set up to authenticate users locally without relying on central authentication systems, providing secure and efficient network access verification.

Configure an access point for local authentication on a WLAN (CLI)

Configure an AP to use local authentication on a WLAN to enhance security control at the network edge.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device(config)# wireless profile policy rr-xyz-policy-1

Step 3

Configure the WLAN for local authentication.

Example:

Device(config-wireless-policy)# no central authentication

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

The AP is configured to authenticate WLAN users locally, bypassing central authentication mechanisms.

Connect client devices to WLANs

A client device connection to a WLAN is a profile creation process that

  • allows client devices to connect to wireless networks

  • requires specific authentication methods, and

  • assigns IP addresses upon successful authentication.

Additional Reference Information

Refer to the instructions for your client device to create profiles to connect to the WLANs you created. These instructions are specified in the Configuring the vEWLC for FlexConnect document.

Example Scenarios:

  1. Employee WLAN: Create a client profile that uses WPA or WPA2 with PEAP-MSCHAPV2 authentication. After the client is authenticated, the management VLAN of the embedded controller assigns an IP address to the client.

  2. Local-Employee WLAN: Create a client profile that uses WPA or WPA2 authentication. After the client is authenticated, the client is allotted an IP address by VLAN 101 on the local switch.

  3. Guest-Central WLAN: Create a client profile that uses open authentication. After the client is authenticated, the client is allocated an IP address by VLAN 101 on the network local to the access point. After the client connects, a local user can enter any HTTP address in the web browser. The user is automatically directed to the controller to complete the web authentication process. When the web login window appears, the user should enter the username and password.


Note


Ensure that the authentication settings are configured correctly for each client profile.


Configuring FlexConnect Ethernet Fallback

FlexConnect ethernet fallback

A FlexConnect Ethernet Fallback is a configuration feature that

  • allows the AP to shut down its radio when the Ethernet link is non-operational

  • enables the AP to set its radio back to operational state when the Ethernet link is restored, and

  • operates independently of the AP being in connected or standalone mode.

To prevent radios from flapping when there is Ethernet interface instability, a configurable delay timer is provided.

Configure FlexConnect ethernet fallback (CLI)

Use CLI to configure the FlexConnect Ethernet fallback on specific APs to ensure network reliability in case of port failover.

Before you begin

This feature is not applicable to APs with multiple ports.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless flex profile and enter wireless flex profile configuration mode.

Example:

Device(config)# wireless profile flex test

Step 3

Enable radio interface shutdown.

Example:

Device(config-wireless-flex-profile)# fallback-radio-shut

Step 4

Exit configuration mode and return to privileged EXEC mode.

Example:

Device(config-wireless-flex-profile)# end

Step 5

(Optional) Display detailed information about the selected profile.

Example:

Device# show wireless profile flex detailed test

The FlexConnect Ethernet fallback is configured: the AP shuts down its radio interface when the Ethernet link fails and brings it back up when the link is restored.

Configure FlexConnect AP local authentication (GUI)

Configure the local authentication settings on a FlexConnect AP using the GUI to enable authentication and client handling directly on the AP.

Use these steps to configure FlexConnect AP local authentication:

Procedure


Step 1

Choose Configuration > Tags & Profiles > Flex.

Step 2

On the Flex page, click the name of the Flex Profile or click Add to create a new one.

Step 3

In the Add/Edit Flex Profile window, click the Local Authentication tab.

When you enable local authentication and association on the Access Point with Flex mode, these outcomes occur:

  • AP handles the authentication.

  • AP handles the rejection of client joins (in Mobility).

    Note

    You will not receive updated statistics from the controller when the AP rejects client associations.

Step 4

Choose the server group from the RADIUS Server Group drop-down list.

Step 5

Use the Local Accounting Radius Server Group drop-down to select the RADIUS server group.

Step 6

Check the Local Client Roaming check box to enable client roaming.

Step 7

Choose the profile from the EAP Fast Profile drop-down list.

Step 8

Choose to enable or disable the following:

  • LEAP: Lightweight Extensible Authentication Protocol (LEAP) is an 802.1X authentication type for wireless LANs and supports strong mutual authentication between the client and a RADIUS server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys.

  • PEAP: Protected Extensible Authentication Protocol (PEAP) is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.

  • TLS: Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a computer network.

  • RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect and use a network service.

Step 9

In the Users section, click Add.

Step 10

Enter username and password details and click Save.

Step 11

Click Save & Apply to Device.


The AP is configured to handle local authentication requests, enabling improved client management.

Configure FlexConnect access point local authentication

Enable local authentication on FlexConnect APs so that users are authenticated directly at the AP, using the configured RADIUS profiles and authentication methods.


Note


FlexConnect local authentication with the AP acting as the RADIUS server is not supported on Cisco COS and IOS APs with the Cisco Catalyst 9800 Series Wireless Controller.


Procedure


Step 1

Create an AAA authentication model.

Example:

Device(config)# aaa new-model

Step 2

Send session ID information from the RADIUS group for a given call.

Example:

Device(config)# aaa session-id common

Step 3

Enable system authorization control for the RADIUS group.

Example:

Device(config)# dot1x system-auth-control

Step 4

Create an EAP profile.

Example:

Device(config)# eap profile aplocal-test

Step 5

Configure the FAST method on the profile.

Example:

Device(config-eap-profile)# method fast

Step 6

Return to configuration mode.

Example:

Device(config-eap-profile)# exit

Step 7

Configure the flex policy.

Example:

Device(config)# wireless profile flex default-flex-profile

Step 8

Configure EAP-FAST profile details.

Example:

Device(config-wireless-flex-profile)# local-auth ap eap-fast aplocal-test

Step 9

Configure LEAP method.

Example:

Device(config-wireless-flex-profile)# local-auth ap leap

Step 10

Configure the PEAP method.

Example:

Device(config-wireless-flex-profile)# local-auth ap peap

Step 11

Configure username and password.

Example:

Device(config-wireless-flex-profile)# local-auth ap username test1 test1

Step 12

Configure another username and password.

Example:

Device(config-wireless-flex-profile)# local-auth ap username test2 test2

Step 13

Return to configuration mode.

Example:

Device(config-wireless-flex-profile)# exit

Step 14

Configure profile policy.

Example:

Device(config)# wireless profile policy default-policy-profile

Step 15

Disable the policy profile.

Example:

Device(config-wireless-policy)# shutdown

Step 16

Disable central authentication.

Example:

Device(config-wireless-policy)# no central authentication

Step 17

Configure VLAN name or VLAN ID.

Example:

Device(config-wireless-policy)# vlan-id 54

Step 18

Enable the configuration.

Example:

Device(config-wireless-policy)# no shutdown

You can now authenticate users locally with FlexConnect APs by using specified EAP methods and profiles, operating under defined policy configurations.

Configure FlexConnect access point local authentication with external RADIUS server

Set up local authentication on a FlexConnect access point using an external RADIUS server.

In this mode, an AP handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

Use these steps to create and configure FlexConnect AP local authentication with a RADIUS server:

Procedure


Step 1

Create an AAA authentication model.

Example:

Device(config)# aaa new-model

Step 2

Send session ID information from the RADIUS group for a given call.

Example:

Device(config)# aaa session-id common

Step 3

Enable the system authorization control for the RADIUS group.

Example:

Device(config)# dot1x system-auth-control

Step 4

Specify the RADIUS server name.

Example:

Device(config)# radius server Test-SERVER1

Note

To authenticate clients with FreeRADIUS over RadSec, generate an RSA key longer than 1024 bits, using the crypto key generate rsa general-keys exportable label name command.

Do not configure the key-wrap option under the radius server or the radius server group, because it can leave clients stuck in the authentication state.

Step 5

Specify the primary RADIUS server parameters.

Example:

Device(config-radius-server)# address ipv4 124.3.50.62 auth-port 1112 acct-port 1113
Device(config-radius-server)# address ipv6 2001:DB8:0:20::15 auth-port 1812 acct-port 1813

Step 6

Specify the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Example:

Device(config-radius-server)# key test123

Note

The maximum number of characters allowed for the shared secret is 63.

Step 7

Specify the RADIUS server name.

Example:

Device(config)# radius server Test-SERVER2

Step 8

Specify the secondary RADIUS server parameters.

Example:

Device(config-radius-server)# address ipv4 124.3.52.62 auth-port 1112 acct-port 1113
Device(config-radius-server)# address ipv6 2001:DB8:0:21::15 auth-port 1812 acct-port 1813

Step 9

Specify the authentication and encryption key used between the device and the RADIUS daemon running on the RADIUS server.

Example:

Device(config-radius-server)# key test113

Step 10

Return to configuration mode.

Example:

Device(config-radius-server)# exit

Step 11

Create a RADIUS server group identification.

Example:

Device(config)# aaa group server radius aaa_group_name

Note

aaa_group_name is the server group name. It can be 1 to 32 alphanumeric characters long.

Step 12

Specify the RADIUS server name to add the first server to the group.

Example:

Device(config-sg-radius)# server name Test-SERVER1

Step 13

Specify the RADIUS server name to add the second server to the group.

Example:

Device(config-sg-radius)# server name Test-SERVER2

Step 14

Exit from RADIUS server group configuration mode.

Example:

Device(config-sg-radius)# exit

Step 15

Create a new flex policy.

Example:

Device(config)# wireless profile flex default-flex-profile

Step 16

Configure the authentication server group name.

Example:

Device(config-wireless-flex-profile)# local-auth radius-server-group aaa_group_name

Step 17

Return to configuration mode.

Example:

Device(config-wireless-flex-profile)# exit

Step 18

Configure a WLAN policy profile.

Example:

Device(config)# wireless profile policy default-policy-profile

Step 19

Disable a policy profile.

Example:

Device(config-wireless-policy)# shutdown

Step 20

Disable central authentication.

Example:

Device(config-wireless-policy)# no central authentication

Step 21

Configure a VLAN name or VLAN ID.

Example:

Device(config-wireless-policy)# vlan-id 54

Step 22

Enable the configuration.

Example:

Device(config-wireless-policy)# no shutdown

The FlexConnect AP is now set up for local authentication using the specified RADIUS server parameters.
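The following Python script is an added example; it is not part of this guide and not Cisco software. It parses the radius server, aaa group server radius and wireless profile flex blocks of a configuration such as the one built in the procedure above and checks that they fit together: every server the group references is defined, each clear-text shared secret stays within the 63-character limit stated in the note above, the key-wrap option the note warns about is absent, and the flex profile's local-auth radius-server-group names an existing group. The "no address configured" check is an added sanity check. The configuration text is constructed for the example, reusing the server names and addresses from the procedure; the over-long secret on Test-SERVER2 and the reference to an undefined Test-SERVER3 are deliberate defects for the checker to find.

```python
# Constructed sample configuration (not from a real device). Test-SERVER2's
# secret is 64 characters and Test-SERVER3 is never defined, on purpose.
SAMPLE_AAA_CONFIG = """\
aaa new-model
aaa session-id common
dot1x system-auth-control
!
radius server Test-SERVER1
 address ipv4 124.3.50.62 auth-port 1112 acct-port 1113
 key test123
!
radius server Test-SERVER2
 address ipv4 124.3.52.62 auth-port 1112 acct-port 1113
 key """ + "a" * 64 + """
!
aaa group server radius aaa_group_name
 server name Test-SERVER1
 server name Test-SERVER2
 server name Test-SERVER3
!
wireless profile flex default-flex-profile
 local-auth radius-server-group aaa_group_name
!
"""

MAX_SECRET_LEN = 63  # limit stated in this guide's note on the RADIUS key


def iter_blocks(config):
    """Yield (header_tokens, [body_line_tokens]) for each top-level block.

    IOS-XE running-config indents a block's sub-commands with one space, so a
    line without leading whitespace starts a new block.
    """
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if header is not None:
                body.append(raw.split())
            continue
        if header is not None:
            yield header, body
        header, body = raw.split(), []
    if header is not None:
        yield header, body


def check_local_auth_aaa(config):
    """Return a list of human-readable problems found in the AAA configuration."""
    servers, groups, flex_refs, issues = set(), {}, {}, []
    for header, body in iter_blocks(config):
        if header[:2] == ["radius", "server"] and len(header) > 2:
            name = header[2]
            servers.add(name)
            has_address = False
            for line in body:
                if line[:2] in (["address", "ipv4"], ["address", "ipv6"]):
                    has_address = True
                elif line[0] == "key":
                    # 'key SECRET' and 'key 0 SECRET' carry the clear-text secret;
                    # 'key 6 ...' / 'key 7 ...' are encrypted forms whose length says nothing.
                    if len(line) == 2 or line[1] == "0":
                        if len(line[-1]) > MAX_SECRET_LEN:
                            issues.append(f"radius server {name}: shared secret is "
                                          f"{len(line[-1])} characters (max {MAX_SECRET_LEN})")
                elif line[0] == "key-wrap":
                    issues.append(f"radius server {name}: key-wrap is configured "
                                  "(can leave clients stuck in authentication)")
            if not has_address:
                issues.append(f"radius server {name}: no address configured")
        elif header[:4] == ["aaa", "group", "server", "radius"]:
            gname = header[4]
            groups[gname] = [line[2] for line in body if line[:2] == ["server", "name"]]
            if any(line[0] == "key-wrap" for line in body):
                issues.append(f"aaa group {gname}: key-wrap is configured")
        elif header[:3] == ["wireless", "profile", "flex"]:
            for line in body:
                if line[:2] == ["local-auth", "radius-server-group"]:
                    flex_refs[header[3]] = line[2]
    for gname, members in groups.items():
        if not members:
            issues.append(f"aaa group {gname}: no servers")
        for member in members:
            if member not in servers:
                issues.append(f"aaa group {gname}: references undefined radius server {member}")
    for fname, gname in flex_refs.items():
        if gname not in groups:
            issues.append(f"flex profile {fname}: local-auth radius-server-group {gname} is not defined")
    return issues


if __name__ == "__main__":
    for issue in check_local_auth_aaa(SAMPLE_AAA_CONFIG):
        print(issue)
```

Run the script against the text of show running-config (for example, saved to a file and read in) before pushing a change; an empty list means the three objects reference each other consistently and no secret exceeds the documented limit.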

NAT-PAT functionalities in FlexConnect

NAT-PAT for FlexConnect is a networking function that:

  • enables the use of a central DHCP server for assigning IP addresses to clients across remote sites

  • involves an AP translating client traffic by replacing the private IP address with its own public IP address, and

  • supports efficient management of IP address allocation.

To implement NAT and PAT on a FlexConnect WLAN, enable local switching and configure central DHCP, and enforce DHCP for clients with the ipv4 dhcp required command.

Configuring NAT-PAT for a WLAN or a Remote LAN

Create a WLAN

Configure and enable a WLAN using command line inputs, ensuring it is active and ready for use.

Use these steps to create a WLAN.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Enter the WLAN configuration sub-mode.

Example:

Device(config)# wlan wlan-demo 1 ssid-demo

  • wlan-name—Enter the profile name. The range is from 1 to 32 alphanumeric characters.

  • wlan-id—Enter the WLAN ID. The range is from 1 to 512.

  • SSID-name—Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Note

If you have already configured a WLAN, use the wlan wlan-name command.

Step 3

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is successfully configured and activated, allowing devices to connect using the specified SSID.

Configure a wireless profile policy and NAT-PAT (GUI)

Define and apply a wireless profile policy and NAT-PAT settings using GUI.

Procedure


Step 1

Navigate to Configuration > Tags & Profiles > Policy.

Step 2

Click Add to create a new policy.

Step 3

In the General tab, enter the Name of the policy.

Step 4

Disable the Central Switching toggle button.

Step 5

Enable the Central DHCP toggle button.

Step 6

Enable the Flex NAT/PAT toggle button.

Step 7

In the Advanced tab, under the DHCP Settings, check the IPv4 DHCP Required check box.

Step 8

Apply the configuration by selecting Apply to Device.


The configuration of the wireless profile policy and NAT-PAT settings is complete.

Configure a wireless profile policy and NAT-PAT (CLI)

Configure a wireless profile policy and enable NAT-PAT settings for a device using CLI.

Use the steps here to configure a wireless profile policy and NAT-PAT.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the policy profile for NAT.

Example:

Device(config)# wireless profile policy nat-enabled-policy

Step 3

Configure the WLAN for local switching.

Example:

Device(config-wireless-policy)# no central switching

Step 4

Configure the DHCP parameters for WLAN.

Example:

Device(config-wireless-policy)# ipv4 dhcp required

Step 5

Configure the central DHCP for locally switched clients.

Example:

Device(config-wireless-policy)# central dhcp

Step 6

Enable NAT-PAT.

Example:

Device(config-wireless-policy)# flex nat-pat

Step 7

Enable policy profile.

Example:

Device(config-wireless-policy)# no shutdown

Step 8

Return to privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Wireless profile policy is configured and NAT-PAT is activated, which facilitates network traffic management and enables efficient packet handling on your device.

Map a WLAN to a policy profile (CLI)

Enable seamless network management by mapping a WLAN to a designated policy profile through CLI.

Use these steps to map a WLAN to a policy profile.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a policy tag and enter policy tag configuration mode.

Example:

Device(config)# wireless tag policy demo-tag

Step 3

Map a policy profile to a WLAN profile.

Example:

Device(config-policy-tag)# wlan wlan-demo policy nat-enabled-policy

Step 4

Return to privileged EXEC mode.

Example:

Device(config-policy-tag)# end

WLAN is mapped to the specified policy profile, ensuring the application of the required network policies.

Configure a site tag

Configure a site tag to enhance management and control of your wireless network.

Use these steps to configure a site tag:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a site tag and enter site tag configuration mode.

Example:

Device(config)# wireless tag site flex-site

Step 3

Move the AP to FlexConnect mode.

Example:

Device(config-site-tag)# no local-site

Step 4

Return to privileged EXEC mode.

Example:

Device(config-site-tag)# end

The FlexConnect mode is configured onto the assigned AP, enhancing network flexibility and management.

Attach policy and site tags to an access point (GUI)

This task allows you to efficiently organize and manage access points by assigning specific policy and site tags through GUI.

Use these steps to assign policy and site tags to an AP using GUI:

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

Step 2

Click the Access Point name.

Step 3

Go to the Tags section.

Step 4

Choose the Policy Tag from the Policy drop-down list.

Step 5

Choose the Site Tag from the Site drop-down list.

Step 6

Click Update & Apply to Device.


The AP has the designated policy and site tags, ensuring it operates under defined network conditions and policy settings.

Attach a policy tag and a site tag to an access point (CLI)

Apply network policy and site tags to an AP using commands.

Use these steps to attach a policy tag and a site tag to an AP:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure an AP, identified by its MAC address, and enter ap-tag configuration mode.

Example:

Device(config)# ap F866.F267.7DFB

Step 3

Map the policy tag to the AP.

Example:

Device(config-ap-tag)# policy-tag demo-tag

Step 4

Map the site tag to the AP.

Example:

Device(config-ap-tag)# site-tag flex-site

Step 5

Return to privileged EXEC mode.

Example:

Device(config-ap-tag)# end

The AP has the specified policy and site tags applied, ready for network reconfiguration.

Split tunneling for FlexConnect

Split tunneling is a network feature that:

  • minimizes unnecessary bandwidth consumption on WAN links

  • allows traffic classification based on packet contents for local switching, and

  • ensures efficient routing of data by distinguishing between local and central switching requirements.

If a client connects over a WAN link associated with a centrally switched WLAN, traffic intended for a device present in the local site is typically sent over CAPWAP to the controller, then back to the local site over CAPWAP or via some off-band connectivity. This consumes WAN link bandwidth unnecessarily. The split tunneling feature mitigates this by classifying client traffic based on packet contents. Matching packets are locally switched, while the rest are centrally switched.

Configuration details

To configure local split tunneling on an AP, ensure that you have enabled DHCP Required on the policy profile using the ipv4 dhcp required command. This ensures the client associating with the split WLAN performs DHCP.

Restriction: split tunneling for FlexConnect

  • Ensure Apple iOS clients receive option 6 (DNS) in the DHCP offer for split tunneling to function correctly.

  • You cannot use split tunneling with RLAN clients. When the split-tunnel option is enabled on an RLAN, traffic denied by the split tunnel ACL is not translated based on the IP address; instead, the traffic is sent back to the controller through CAPWAP.

  • Do not configure URL filters with wildcard URLs such as * and ".".

Configuring Split Tunneling for a WLAN or Remote LAN

Define an access control list for split tunneling (GUI)

Define an ACL for split tunneling.

Use these steps to define an ACL for split tunneling in the GUI.

Procedure


Step 1

Choose Configuration > Security > ACL.

Step 2

Click Add.

Step 3

In the Add ACL Setup dialog box, enter the ACL Name.

Step 4

Choose the ACL type from the ACL Type drop-down list.

Step 5

Under the Rules settings, enter the Sequence number and choose the Action as either permit or deny.

Step 6

Choose the required source type from the Source Type drop-down list.

If...                    Then...
-----------------------  --------------------------------------------------------
Source type is Host      Enter the Host Name/IP
Source type is Network   Specify the Source IP address and Source Wildcard mask

Step 7

Check the Log check box if you want matches against this rule to be logged.

Step 8

Click Add.

Step 9

Add the rest of the rules and click Apply to Device.


The ACL is defined and applied to the specified device for the purpose of split tunneling. You can view the rules in the device's ACL configuration.

Define an access control list for split tunneling (CLI)

Define an ACL for split tunneling to manage traffic effectively between local and remote networks, improving network performance and security.

Use these steps to create an ACL for split tunneling.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Define an extended IPv4 access list using a name, and enter access-list configuration mode.

Example:

Device(config)# ip access-list extended split_mac_acl

Step 3

Send matching traffic to central switching (traffic that matches a deny entry is switched centrally).

Example:

Device(config-ext-nacl)# deny ip any host 9.9.2.21

Step 4

Send matching traffic to local switching (traffic that matches a permit entry is switched locally).

Example:

Device(config-ext-nacl)# permit ip any any

Step 5

Exit configuration mode and return to privileged EXEC mode.

Example:

Device(config-ext-nacl)# end

The ACL selectively allows local or central switching of network traffic, enhancing performance and security management.
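The following Python script is an added example, not code from this guide or from Cisco: it parses a split MAC ACL written in the form the procedure above produces and evaluates which way a given client packet would be switched, with permit meaning local switching and deny meaning central switching, as the steps describe. It handles the any, host and address/wildcard forms of the source and destination (the same forms the GUI offers as Host and Network source types) and applies first-match evaluation. A packet that matches no entry is treated as hitting the implicit deny that ends every IOS access list, and therefore as centrally switched; that fall-through is an assumption modelled on standard IOS ACL behaviour, since the page does not spell it out. PAGE_ACL mirrors the two entries from the procedure; STRICT_ACL is a constructed variant that permits only one local subnet, to show the effect of leaving out permit ip any any.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample ACLs in show-running-config form. PAGE_ACL matches the
# entries configured in the procedure above; STRICT_ACL is an added variant.
PAGE_ACL = """\
ip access-list extended split_mac_acl
 deny ip any host 9.9.2.21
 permit ip any any
"""

STRICT_ACL = """\
ip access-list extended split_local_only
 10 deny ip any host 9.9.2.21
 20 permit ip any 192.168.10.0 0.0.0.255
"""


@dataclass
class Ace:
    action: str   # "permit" -> local switching, "deny" -> central switching
    src: tuple    # (address, wildcard) as 32-bit integers
    dst: tuple
    text: str     # original line, reported back so the operator sees which entry matched


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tok)), int(IPv4Address(tokens[i + 1]))), i + 2


def _matches(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (base & care)


def parse_split_acl(config):
    """Return (acl_name, [Ace, ...]) from one 'ip access-list extended' block."""
    name, aces = None, []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        if tokens[0].isdigit():          # optional sequence number
            tokens = tokens[1:]
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"only 'permit|deny ip <src> <dst>' entries are modelled: {raw.strip()}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst, raw.strip()))
    return name, aces


def switching_for(aces, src_ip, dst_ip):
    """First-match evaluation. Returns ('local' | 'central', matched entry text).

    No match falls through to the implicit deny (assumed, as for any IOS ACL),
    so traffic not explicitly permitted goes back to the controller.
    """
    for ace in aces:
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ("local" if ace.action == "permit" else "central"), ace.text
    return "central", "implicit deny"


if __name__ == "__main__":
    for cfg in (PAGE_ACL, STRICT_ACL):
        name, aces = parse_split_acl(cfg)
        for dst in ("9.9.2.21", "192.168.10.20", "10.1.1.1"):
            print(name, "192.168.10.5 ->", dst, switching_for(aces, "192.168.10.5", dst))
```

The STRICT_ACL run is the one worth looking at: the same packet to 10.1.1.1 that the page's ACL switches locally falls through to the implicit deny and is tunnelled to the controller, which is the behaviour to expect when an ACL is tightened without a closing permit entry.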

Create a WLAN

Configure and enable a WLAN using command line inputs, ensuring it is active and ready for use.

Use these steps to create a WLAN.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Specify the WLAN name and ID.

Example:

Device(config)# wlan wlan-demo 1 ssid-demo

  • wlan-name—Enter the profile name. The range is from 1 to 32 alphanumeric characters.

  • wlan-id—Enter the WLAN ID. The range is from 1 to 512.

  • SSID-name—Enter the Service Set Identifier (SSID) for this WLAN. If the SSID is not specified, the WLAN profile name is set as the SSID.

Step 3

Enable the WLAN.

Example:

Device(config-wlan)# no shutdown

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wlan)# end

The WLAN is successfully configured and activated, allowing devices to connect using the specified SSID.

Configure a wireless profile policy and a split MAC ACL name (GUI)

Configure a wireless profile policy and apply a split MAC ACL name to optimize resource allocation and traffic management.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

Click Add.

Step 3

In the General tab, enter the Name of the policy.

Step 4

Enable the Central Switching toggle button.

Step 5

Enable the Central DHCP toggle button.

Step 6

In the Advanced tab, under the DHCP settings, check the IPv4 DHCP Required check box and enter the DHCP Server IP Address.

Step 7

Under the WLAN Flex Policy settings, choose the split MAC ACL from the Split MAC ACL drop-down list.

Step 8

Click Apply to Device.


The wireless profile policy and split MAC ACL name are configured and applied to the device, ensuring coordinated network resource management.

Configure a wireless profile policy and a split MAC ACL name

Configure a wireless profile policy and a split MAC ACL name using the CLI.

Use these steps to configure a wireless profile policy and a split MAC ACL name:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a WLAN policy profile and enter wireless policy configuration mode.

Example:

Device(config)# wireless profile policy split-tunnel-enabled-policy

Step 3

Configure a split MAC ACL name.

Example:

Device(config-wireless-policy)# flex split-mac-acl split_mac_acl

Note

You must use the same ACL name for linking the flex and the policy profile.

Step 4

Configure WLAN for central switching.

Example:

Device(config-wireless-policy)# central switching

Step 5

Enable central DHCP for centrally switched clients.

Example:

Device(config-wireless-policy)# central dhcp

Step 6

Configure the DHCP parameters for a WLAN.

Example:

Device(config-wireless-policy)# ipv4 dhcp required

Step 7

(Optional) Configure the override IP address of the DHCP server.

Example:

Device(config-wireless-policy)# ipv4 dhcp server 9.1.0.100

Step 8

Enable a policy profile.

Example:

Device(config-wireless-policy)# no shutdown

The wireless profile policy is active with a configured split MAC ACL name, ensuring traffic is managed according to the defined policy guidelines.

Map a WLAN to a policy profile (GUI)

Map a WLAN to its associated policy profile to ensure network policy configurations are enforced.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Tags.

Step 2

Click Add.

Step 3

Enter the Name of the Tag Policy.

Step 4

Under WLAN-POLICY Maps tab, click Add.

Step 5

Choose the WLAN Profile from the WLAN Profile drop-down list.

Step 6

Choose the Policy Profile from the Policy Profile drop-down list.

Step 7

Click the Tick Icon.

Step 8

Click Apply to Device.


The WLAN is mapped to the desired policy profile by the system, and configuration is enforced on the device.

Map WLAN to a policy profile

Map a WLAN to a policy profile to enhance network management by applying specific policies to WLAN configurations.

Use these steps to map WLAN to a policy profile.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a policy tag and enter policy tag configuration mode.

Example:

Device(config)# wireless tag policy split-tunnel-enabled-tag

Step 3

Map a policy profile to a WLAN profile.

Example:

Device(config-policy-tag)# wlan wlan-demo policy split-tunnel-enabled-policy

Step 4

Return to privileged EXEC mode.

Example:

Device(config-policy-tag)# end

The WLAN is associated with the policy profile, ensuring compliance with network policies for connected devices.

Configure a site tag

Configure a site tag for split tunneling, optimizing network performance through selective traffic routing.

Use these steps to configure a site tag:

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a site tag and enter site tag configuration mode.

Example:

Device(config)# wireless tag site flex-site

Step 3

Ensure the local site is not configured on the site tag.

Example:

Device(config-site-tag)# no local-site

Step 4

Map a flex profile to the site tag.

Example:

Device(config-site-tag)# flex-profile flex-profile

Step 5

Return to privileged EXEC mode.

Example:

Device(config-site-tag)# end

The site tag for split tunneling is successfully configured, providing optimized network traffic routing.

Attach policy and site tags to an access point

Use this task to configure policy and site tags on your AP using CLI.

Use these steps to attach a policy tag and site tag to your AP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a Cisco AP, identified by its MAC address, and enter ap-tag configuration mode.

Example:

Device(config)# ap 188b.9dbe.6eac

Step 3

Map a policy tag to the AP.

Example:

Device(config-ap-tag)# policy-tag split-tunnel-enabled-tag

Step 4

Map a site tag to the AP.

Example:

Device(config-ap-tag)# site-tag flex-site

Step 5

Return to privileged EXEC mode.

Example:

Device(config-ap-tag)# end

The policy and site tags configure the AP with the designated network management settings. Verify the mapping by checking the AP's configuration status in the system.

VLAN-based central switching for FlexConnect

VLAN-based central switching for FlexConnect is a network configuration method that

  • enables traffic redirection to the controller when a VLAN is not defined locally

  • supports local switching if the VLAN is present in the AP's database, and

  • requires VLANs to be defined on the controller for proper functionality.

Expanded explanation

  • In FlexConnect local switching, if the VLAN definition is not available in an AP, the corresponding client does not pass traffic. This scenario is applicable when the AAA server returns the VLAN as part of client authentication.

  • When a WLAN is locally switched in FlexConnect and the VLAN is configured on the AP side, the traffic is switched locally. When the VLAN is not defined on the AP, the AP drops the packet.

Special considerations

  • The controller forwards the traffic to its corresponding VLAN.

  • Ensure that VLAN is defined on the controller for VLAN-based central switching.

  • VLAN-based central switching is not supported with MAC filtering.

  • For local switching, ensure that VLAN is defined on both the policy profile and FlexConnect profile.

  • VLAN-based central switching with central web authentication enabled in Flex profile is not supported.

Configure VLAN-based central switching (GUI)

Enable VLAN-based central switching on a policy profile using the GUI to manage network traffic effectively.

Use these steps to configure VLAN-based central switching.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

Click the name of the policy profile.

Step 3

In the Edit Policy Profile window, perform these tasks:

  • Set Central Switching to Disabled state.

  • Set Central DHCP to Disabled state.

  • Set Central Authentication to Enabled state.

Step 4

Click the Advanced tab.

Step 5

Under AAA Policy, check the Allow AAA Override check box to enable AAA override.

Step 6

Under WLAN Flex Policy, check the VLAN Central Switching check box to enable VLAN-based central switching on the policy profile.

Step 7

Click Update & Apply to Device.


VLAN-based central switching is configured in the policy profile, enabling centralized network traffic management.

Configure VLAN-based central switching (CLI)

Configure VLAN-based central switching in a wireless network environment using CLI to enable efficient data forwarding and management.

Use these steps to configure VLAN-based central switching.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless policy profile.

Example:

Device(config)# wireless profile policy default-policy-profile

Step 3

Configure a WLAN for local switching.

Example:

Device(config-wireless-policy)# no central switching

Step 4

Configure local DHCP mode, with DHCP being performed in an AP.

Example:

Device(config-wireless-policy)# no central dhcp

Step 5

Configure a WLAN for central authentication.

Example:

Device(config-wireless-policy)# central authentication

Step 6

Configure AAA policy override.

Example:

Device(config-wireless-policy)# aaa-override

Step 7

Configure VLAN-based central switching.

Example:

Device(config-wireless-policy)# flex vlan-central-switching

Step 8

Return to privileged EXEC mode.

Example:

Device(config-wireless-policy)# end

Step 9

(Optional) Display detailed information of the policy profile.

Example:

Device# show wireless profile policy detailed default-policy-profile

VLAN-based central-switching is established, optimizing network traffic flow and centralizing control.
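An added example, not part of the Cisco documentation, that audits a saved running-config for the policy-profile settings the procedure above requires (Steps 3 to 7); the config excerpt is constructed, and the way the controller renders each line in show running-config is an assumption:

```python
import re
# Constructed running-config excerpt modelled on the commands in the
# procedure above; how the controller renders them is an assumption.
SAMPLE_CONFIG = """\
wireless profile policy default-policy-profile
 no central switching
 no central dhcp
 central authentication
 aaa-override
 flex vlan-central-switching
wireless profile policy guest-policy
 no central switching
 no central dhcp
 no central authentication
 flex vlan-central-switching
"""

# Lines the procedure requires, keyed to the step that sets each one.
REQUIRED = {
    "no central switching": "WLAN must be locally switched (Step 3)",
    "no central dhcp": "DHCP must be handled by the AP (Step 4)",
    "aaa-override": "AAA override must be enabled (Step 6)",
}

def parse_profiles(text):
    """Split the config into {(kind, name): set of indented sub-commands}."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"wireless profile (policy|flex) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            profiles[current] = set()
        elif current and line.startswith(" "):
            profiles[current].add(line.strip())
    return profiles

def audit_policy_profile(lines):
    """Return findings for one policy profile; an empty list is compliant."""
    findings = [why for cmd, why in REQUIRED.items() if cmd not in lines]
    # 'central authentication' is the default and may be omitted from the
    # running-config (assumption), so only its 'no' form counts as a deviation.
    if "no central authentication" in lines:
        findings.append("central authentication must be enabled (Step 5)")
    return findings

def audit_config(text):
    """Audit every policy profile that enables VLAN-based central switching (Step 7)."""
    return {name: audit_policy_profile(lines)
            for (kind, name), lines in parse_profiles(text).items()
            if kind == "policy" and "flex vlan-central-switching" in lines}
```

Feed it the output of show running-config | section wireless profile policy; any profile that returns findings deviates from the procedure.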

OfficeExtend Access Points for FlexConnect

A Cisco OfficeExtend Access Point (OEAP) is a type of wireless access point that

  • extends the corporate WLAN over the Internet to remote locations

  • ensures secure communication between the controller and access point through DTLS encryption, and

  • provides users with a seamless experience comparable to being at a corporate office.

Datagram Transport Layer Security (DTLS) encryption is utilized between the access point and the controller to maintain the highest level of communication security.

Configure OfficeExtend access points

Enable and configure OEAP mode on FlexConnect APs.

Use these steps to configure OEAP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless flex profile and enter wireless flex profile configuration mode.

Example:

Device(config)# wireless profile flex test

Step 3

Enable the OEAP mode for a FlexConnect AP.

Example:

Device(config-wireless-flex-profile)# office-extend

Step 4

Exit configuration mode and return to privileged EXEC mode.

Example:

Device(config-wireless-flex-profile)# end

Note

After creating a flex profile, ensure that the OEAP is in FlexConnect mode and mapped to its corresponding site tag.

OfficeExtend is disabled by default. To clear the access point's configuration and return it to the factory defaults, use the clear ap config cisco-ap command.


The OEAP is configured and enabled in FlexConnect mode, ready for deployment in a remote office setup.

Disable the OfficeExtend Access Point

Disable OEAP mode on a specific FlexConnect AP to optimize wireless network management and security.

Use these steps to disable an OEAP.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless flex profile and enter wireless flex profile configuration mode.

Example:

Device(config)# wireless profile flex test

Step 3

Disable OfficeExtend AP mode for a FlexConnect AP.

Example:

Device(config-wireless-flex-profile)# no office-extend

Step 4

Exit configuration mode and return to privileged EXEC mode.

Example:

Device(config-wireless-flex-profile)# end

The configured FlexConnect AP is no longer operating in OEAP mode.

Best practices: OfficeExtend access points for FlexConnect

  • Preconfigure your controller IP for a zero-touch deployment with OEAP. Configure the local SSID from the AP so other home users can connect using the same AP.

  • In releases prior to Cisco IOS XE 17.3.2, when an AP is converted to OEAP, the local DHCP server on the AP is enabled by default. If the DHCP server on the home router has a similar configuration, a network conflict occurs, preventing the AP from rejoining the controller. Change the default DHCP server to resolve this.

  • In OEAP, if the OEAP local DHCP server is enabled and the user configures DNS IP from OEAP GUI, the wireless and wired clients connected to Cisco OEAP will receive that IP as DNS server IP in DHCP ACK.

Clearing personal SSID from an OfficeExtend access point

To clear the personal SSID from an access point, run this command:

ap name Cisco_AP clear-personal-ssid

Example: viewing OfficeExtend configuration

This example displays an OfficeExtend configuration:

Device# show ap config general

Cisco AP Name   : ap_name
=================================================

Cisco AP Identifier                             : 70db.986d.a860
Country Code                                    : Multiple Countries : US,IN
Regulatory Domain Allowed by Country            : 802.11bg:-A   802.11a:-ABDN
AP Country Code                                 : US  - United States
AP Regulatory Domain
  Slot 0                                        : -A
  Slot 1                                        : -D
MAC Address                                     : 002c.c899.7b84
IP Address Configuration                        : DHCP
IP Address                                      : 192.0.2.0
IP Netmask                                      : 255.255.255.0
Gateway IP Address                              : 198.51.100.0
CAPWAP Path MTU                                 : 1485
Telnet State                                    : Disabled
SSH State                                       : Disabled
Jumbo MTU Status                                : Disabled
Cisco AP Location                               : default location
Site Tag Name                                   : flex-site
RF Tag Name                                     : default-rf-tag
Policy Tag Name                                 : split-tunnel-enabled-tag
AP join Profile                                 : default-ap-profile
Primary Cisco Controller Name                   : uname-controller
Primary Cisco Controller IP Address             : 203.0.113.1
Secondary Cisco Controller Name                 : uname-controller1
Secondary Cisco Controller IP Address           : 0.0.0.0
Tertiary Cisco Controller Name                  : uname-ewlc2
Tertiary Cisco Controller IP Address            : 0.0.0.0
Administrative State                            : Enabled
Operation State                                 : Registered
AP Mode                                         : FlexConnect
AP Submode                                      : Not Configured
Office Extend Mode                              : Enabled
Remote AP Debug                                 : Disabled
Logging Trap Severity Level                     : information
Software Version                                : 16.8.1.1
Boot Version                                    : 1.1.2.4
Mini IOS Version                                : 0.0.0.0
Stats Reporting Period                          : 0
LED State                                       : Enabled
PoE Pre-Standard Switch                         : Disabled
PoE Power Injector MAC Address                  : Disabled
Power Type/Mode                                 : PoE/Full Power (normal mode)
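An added example, not part of the Cisco documentation, that parses the show ap config general output above and checks the conditions stated in the OEAP note (FlexConnect mode, site tag mapping, office-extend enabled) together with the Telnet and SSH state the sample shows as Disabled; the embedded excerpt reuses the page's sample values, and default-site-tag is assumed to be the controller's default site tag name:

```python
# Excerpt of the 'show ap config general' output above, limited to the fields
# this check reads; the values are the page's own sample values.
SAMPLE_OUTPUT = """\
Cisco AP Name   : ap_name
=================================================

Cisco AP Identifier                             : 70db.986d.a860
AP Regulatory Domain
  Slot 0                                        : -A
  Slot 1                                        : -D
Telnet State                                    : Disabled
SSH State                                       : Disabled
Site Tag Name                                   : flex-site
AP Mode                                         : FlexConnect
Office Extend Mode                              : Enabled
"""

def parse_ap_config(text):
    """Map each 'key : value' line to {key: value}; indented lines are keyed
    under the preceding bare header, e.g. 'AP Regulatory Domain/Slot 0'."""
    fields, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue                      # blank line or the ===== rule
        if ":" not in line:               # bare header with nested lines
            section = line.strip()
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if line.startswith(" ") and section:
            key = f"{section}/{key}"
        else:
            section = None
        fields[key] = value
    return fields

def check_oeap_ready(fields):
    """Findings that contradict the OEAP note above or leave remote management
    of the AP open; an empty list means the AP looks ready for deployment."""
    findings = []
    if fields.get("AP Mode") != "FlexConnect":
        findings.append("AP is not in FlexConnect mode")
    if fields.get("Office Extend Mode") != "Enabled":
        findings.append("office-extend is not enabled in the flex profile")
    if fields.get("Site Tag Name") in (None, "", "default-site-tag"):  # assumed default
        findings.append("AP is not mapped to a FlexConnect site tag")
    for svc in ("Telnet State", "SSH State"):   # both Disabled in the sample
        if fields.get(svc) != "Disabled":
            findings.append(f"{svc.split()[0]} is enabled on the AP")
    return findings
```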

Proxy address resolution protocol

A proxy address resolution protocol (Proxy ARP) is a method that

  • enables learning about MAC addresses through a proxy device

  • allows APs to act on behalf of clients by responding to ARP requests, and

  • reduces airtime usage by handling ARP requests via controllers rather than clients.

Additional information

The AP functions as an ARP proxy to respond to ARP requests on behalf of clients, minimizing unnecessary air traffic by preventing requests from reaching clients directly when Proxy ARP is enabled. APs that don't own the destination client drop ARP requests unless ARP caching is disabled, in which case APs bridge requests, potentially increasing wireless broadcasts.

Enable proxy ARP for FlexConnect access points (GUI)

Enable Proxy ARP for FlexConnect APs through the GUI.

Use these steps to enable proxy ARP for FlexConnect APs.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Flex.

Step 2

Click Add.

Step 3

In the General tab, enter the Name of the Flex Profile and check the ARP Caching check box. The name can be ASCII characters from 32 to 126, without leading and trailing spaces.

Step 4

Click Apply to Device.


The AP handles ARP requests efficiently, improving network performance through enabled proxy ARP.

Enable proxy ARP for FlexConnect access points (CLI)

Configure proxy ARP for FlexConnect APs using the CLI.

Use these steps to configure proxy ARP for FlexConnect APs.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a wireless flex profile and enter wireless flex profile configuration mode.

Example:

Device(config)# wireless profile flex flex-test

Step 3

Enable ARP caching.

Example:

Device(config-wireless-flex-profile)# arp-caching

Note

Use the no arp-caching command to disable ARP caching.

Step 4

Return to privileged EXEC mode.

Example:

Device(config-wireless-flex-profile)# end

Step 5

Display ARP configuration information.

Example:

Device# show running-config | section wireless profile flex

Step 6

(Optional) Display detailed information of the flex profile.

Example:

Device# show wireless profile flex detailed flex-test

Step 7

(Optional) Display ARP summary.

Example:

Device# show arp summary

Proxy ARP is enabled for FlexConnect APs, allowing for more effective handling of ARP requests in a network setup.