WLC Failure scenario: Flexconnect in Standalone Mode

-

Flexconnect in Standalone Mode


I recently came with a situation where a site with two old 2504 AireOS WLCs in N+1 redundancy with APs in Local mode lost one of the controllers. They were using both SSIDs with WPA2 Personal, and WPA2 Enterpise. The site was concerned about having a disruption if the remaining controller went down too. 

During the conversation with the site I pointed out that on the Flexconnect mode, when using local authentication, the WPA2 Personal SSID would work, and although I personally never really tested it, I knew you can add the Radius servers to that configuration. 

The site after finding an old 2504 WLC with licenses, finally opted for getting that old WLC and keep the existing configuration. That is probably the best option, since it doesn´t need any change, and moving to Flexconnect required testing and validation. 


In any case, I wanted to test this solution for the WPA2 Enterprise (the WPA2 Personal I´ve tested in the past and I know it works).


Flexconnect in Standalone Mode AireOS

For this test, I deployed a vWLC with version 8.5.182. On that WLC, in addition to the normal Flexconnect configurations, like mapping WLAN IDs to VLAN IDs, you will need to add the Radius servers in the Flexconnect group:

Once done, you have to add the APs to your Radius server (it can be added a whole subnet, but in my case I´m adding device per device):
I also created a different policies for each of my scenarios, being, from top to bottom for my
    9800 WLC (IOS XE)
    AireOS WLC
    Flexconnect APs
    Autonomous APs


As we can see on the below "Live" Logs from Cisco ISE, I turned on and off my devices until no WLC was available, so my Cisco 1702 AP had to be my Authenticator while in Flexconnect Standalone Mode. 


Flexconnect in Standalone Mode IOS XE

The procedure is exactly the same, just "translated" to IOS XE WLC. In this case, is configuring the Radius server in "configuration-->aaa"

And assign the Radius Server Group to the corresponding Flexconnect Group
For testing, this time, instead of powering off my WLC, I created a rule in my Firewall preventing my AP to join the WLC:
And, as expected, it also worked fine:


It probably needs some validation on your environment, but it can be an option if you are concerned of losing your WLCs

I hope this helps








Comentarios

Publicar un comentario

Entradas populares de este blog

Cisco 9800 Roam Type 802.11i Slow vs 802.11i Fast vs 802.11r

-
Imagen
Hello, in this entry I initially though about explaining and comparing 802.11i roaming versus 802.1X with FT roaming, but then I though it may be more interesting to follow the process as seen from the Cisco 9800 WLC and DNAC, that is where I configured the packet captures, so I´ve been re-arranging the post several times. Also, we can check when the cisco 9800 WLC will show the roam type as 802.11i Slow, 802.11i Fast or 802.11r.  Capturing Packets with Cisco DNA Center (Catalyst Center) This are the steps followed to get the captures on this post: 1.- From any tab on DNA Center, click the search button and type the MAC address you want to capture 2, 3.- Click on it and go to Client 360 4.- Once in Client 360, click on "Intelligent Capture" 5.- In the Intelligent Capture page for the selected device, click on "Run Packet Capture"  6.- A new tab will open, and there you can choose to do a Full Packet Capture or an Onboarding Packet Capture, program the capture or run...
Leer más

Captura de paquetes desde el móvil con ANALITI

-
Imagen
  Hola, en el blog de hoy, tan solo una pequeña tontería que espero pueda servir de ayuda. Hace unos días, el compañero Luis Giménez del grupo de Tesos de Ferney Muñoz comentó las virtudes de una APP llamada ANALITI Tiene características muy interesantes, y entre ellas que puedes crear un flujo en "tiempo real" de capturas de paquetes a wireshark o cloudshark, la cual, además puede ser utilizada en programas como WiFiExplorer de Adrián Granados , o, si siguiera activo, en mi añorado WinFi . En cualquier caso, aquí tan solo nos centramos en la recepción remota de paquetes desde el dispositivo que tiene instalado Analiti, que en mi caso, es mi movil. Para ello, solo tienes que ir a la pantalla "Redes" y al seleccionar el simbolo de la aleta de tiburón nos lleva a ajustes y seleccionamos "Enable Real Time PCAPng Streaming" y ahí mismo nos indicará que debemos crear un pipe con el siguiente formato:  TCP@[IP del dispositivo donde tengas Analiti]:19000  Post...
Leer más

Configurar Cisco WLC y Aruba Clearpass para Guest con Mac Caching

-
Imagen
Hola,  Este es mi primer blog, y mi primera entrada. No creo que me hubiera lanzado nunca si no fuera por mis amigos Ferney Muñoz y Ulises Cázares que me animaron.  En cualquier caso, comenzamos:   En este escenario, Clearpass tendrá dos puertos, uno de management, y el Data Port que será por el que exista un direccionamiento accesible para los Guests: En cuanto a la WLC, tendrá su management en la misma VLAN que Clearpass, y tendrá una interface para los guest en el mismo direccionamiento que el Data Port de Clearpass, y por último la IP virtual.  Para que funcione correctamente el portal cautivo necesitamos 3 cosas: Configuración en Clearpass Configuración en la WLC Cisco Correcta resolución de FQDN de los equipos anteriores. Comenzamos precisamente por verificar el último punto   En mi servidor de DNS he configurado una entrada para el Data Port de Clearpass, y otra entrada para la IP Virtual de mi WLC. Tanto en la WLC como en el Clearpass he cargado un ce...
Leer más