In Wi-Fi deployments, an organisation with branch offices in multiple cities often wants the branch access points (APs) to be managed by a centralised Wireless LAN Controller (WLC) at the headquarters (HQ) data centre (DC), and wants to decide where client data traffic is switched: tunnelled back to the DC (central switching) or dropped onto the branch LAN directly at the AP (local switching). A common case is that the WLC sits in the HQ DC, the APs are installed at the branch offices, and all of those APs must register with the centralised WLC in the HQ DC. For this, the branch APs are configured in FlexConnect mode, typically with local switching. FlexConnect was previously called H-REAP (Hybrid Remote Edge Access Point); the H-REAP name has been replaced by FlexConnect.
We will discuss how a FlexConnect Wi-Fi network is designed, how it works and how it is implemented.
FlexConnect, FlexConnect Group, Local Switching, Central Switching in Wi-Fi
AP Grouping
AP grouping is a way of grouping APs by service, area or department, so that the same configuration is applied to every AP in the group. Let's take an example.
Suppose your organisation has multiple sites or departments, say Site-1, Site-2, Site-3 and Site-4, with many access points installed. Each site has its own site-specific services, and some resources (the corporate network, guest access, printers) must be reachable from every site.
So we have created:
SSIDs: Site-1, Site-2, Site-3, Site-4, Corporate, Guest, Printer
APs: AP-1 to AP-50
A Site-1 user does not need the Site-2 to Site-4 SSIDs, but does need the Corporate, Guest and Printer SSIDs; the same applies to Site-2, Site-3 and Site-4.
- First, create and configure all SSIDs (WLANs) on the WLC.
- Then create the AP groups.
- Name the AP groups Site-1, Site-2, Site-3 and Site-4.
- Add the required SSIDs to each AP group: the AP group Site-1 gets the Site-1, Corporate, Guest and Printer SSIDs, and likewise for the other sites.
- Add the APs to their respective AP groups.
An AP then broadcasts only the SSIDs of its own AP group, so users at one site never see (or get access to) the other sites' SSIDs.
Summary
- AP groups simplify network administration.
- Easier troubleshooting, with per-branch granularity.
- Increased flexibility in which SSIDs each site broadcasts.
FlexConnect Groups
Now let's understand the FlexConnect workflow.
Scenario-1
- The branch AP connects and registers with the WLC at the DC over the WAN/VPN tunnel (the CAPWAP control tunnel).
- Branch users authenticate centrally against the AAA/RADIUS server at the DC.
Scenario-2:
But what happens if the WLC becomes unreachable?
- Are users disconnected?
- Can users still be authenticated against the RADIUS server?
Scenario-3:
The WLC is up but the WAN link is down
- Are users disconnected?
- Does the AP also go down?
- How can a user be authenticated against the RADIUS server?
To mitigate these issues we configure FlexConnect and FlexConnect groups. As mentioned earlier, this is not a configuration walkthrough; the aim is to understand the concept based on our experience.
So let's understand how a FlexConnect group mitigates this.
Primary Objectives of FlexConnect Groups
1. Backup RADIUS Server Failover
- You can configure the WLC so that a FlexConnect AP in standalone mode (a member of the group that has lost its connection to the controller) performs full 802.1X authentication directly against a backup RADIUS server, acting as the RADIUS client itself instead of relaying through the controller.
- Primary and secondary RADIUS servers are configured on the FlexConnect group, for example the central RADIUS server at the DC as primary and a RADIUS server at the branch as secondary.
- These servers are used only while the FlexConnect AP is not connected to the controller.
So in Scenario-2, if the WLC is unreachable but the WAN link is up, the AP can still send its authentication requests directly to the central RADIUS server, because that server is still reachable over the WAN.
2. Local Authentication
- You can configure the WLC so that a FlexConnect AP, in standalone or connected mode, performs LEAP or EAP-FAST authentication itself (Local EAP), without any RADIUS server.
- The controller pushes a static list of user names and passwords to every FlexConnect AP of that FlexConnect group when the AP joins the controller. Each AP in the group authenticates only its own associated clients.
- This covers Scenario-3: if the RADIUS/ACS server in the data centre is unreachable because the WAN link is down, the FlexConnect AP automatically acts as a Local EAP server and performs the 802.1X authentication for the branch wireless clients.
- Two caveats for practitioners: the local user list is a static credential store held on every AP of the group, so keep it to the minimum the branch needs and treat it as a fallback rather than a replacement for RADIUS; and LEAP is a legacy method vulnerable to offline dictionary attacks on its MS-CHAP exchange, so prefer EAP-FAST for the local method.
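The three scenarios and the two fallbacks above can be put together as a small decision model. This is an added example, not code from the original post and not Cisco's implementation: the class names, the sample users and the RADIUS addresses are constructed for the illustration, and the standalone-mode order (backup RADIUS first, then Local EAP) is an assumption of this model.

```python
import hmac
from dataclasses import dataclass, field

# Local EAP methods the page lists for a FlexConnect AP: LEAP and EAP-FAST.
LOCAL_EAP_METHODS = {"eap-fast", "leap"}


@dataclass
class FlexGroup:
    """What the WLC pushes to every AP in one FlexConnect group (simplified)."""
    name: str
    backup_radius: list                              # primary first, then secondary
    local_eap_enabled: bool = False
    local_users: dict = field(default_factory=dict)  # static user -> password list


@dataclass
class Network:
    """Reachability as seen from the branch AP; constructed for the demo."""
    wlc_reachable: bool
    reachable_radius: set = field(default_factory=set)


@dataclass
class FlexAP:
    name: str
    group: FlexGroup

    def mode(self, net: Network) -> str:
        """Connected while the CAPWAP tunnel to the WLC is up, otherwise standalone."""
        return "connected" if net.wlc_reachable else "standalone"

    def auth_path(self, net: Network, user: str, password: str, method: str) -> dict:
        """Pick the 802.1X path for a client. Returns the path taken and, when the
        AP decides itself (Local EAP), whether the client was accepted."""
        if self.mode(net) == "connected":
            # Scenario 1: EAP is relayed to the WLC, which queries the central AAA server.
            return {"path": "central-via-wlc", "decided_by": "radius"}

        # Scenario 2: WLC unreachable but WAN up. In standalone mode the AP is its
        # own RADIUS client and tries the group's backup servers in order.
        for server in self.group.backup_radius:
            if server in net.reachable_radius:
                return {"path": f"backup-radius:{server}", "decided_by": "radius"}

        # Scenario 3: WAN down, no RADIUS reachable. Fall back to Local EAP with the
        # static user list the WLC pushed at join time (order assumed for this model).
        if not self.group.local_eap_enabled:
            return {"path": "none", "decided_by": "ap", "accepted": False,
                    "reason": "no reachable RADIUS and Local EAP disabled"}
        if method not in LOCAL_EAP_METHODS:
            return {"path": "local-eap", "decided_by": "ap", "accepted": False,
                    "reason": f"{method} not supported by Local EAP"}
        stored = self.group.local_users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        return {"path": "local-eap", "decided_by": "ap", "accepted": ok,
                "reason": None if ok else "user not in local list or bad password"}


# Constructed sample: one branch group with a central and a branch RADIUS server.
BRANCH = FlexGroup(
    name="Branch-Mumbai",
    backup_radius=["10.1.1.5", "192.168.10.5"],
    local_eap_enabled=True,
    local_users={"alice": "s3cret"},
)
AP1 = FlexAP("AP-1", BRANCH)

SCENARIOS = {
    "1-all-up":   Network(wlc_reachable=True,  reachable_radius={"10.1.1.5", "192.168.10.5"}),
    "2-wlc-down": Network(wlc_reachable=False, reachable_radius={"10.1.1.5", "192.168.10.5"}),
    "3-wan-down": Network(wlc_reachable=False, reachable_radius=set()),
}


def walk_scenarios(ap: FlexAP = AP1) -> dict:
    """Run the same client through all three scenarios; returns {scenario: path}."""
    return {name: ap.auth_path(net, "alice", "s3cret", "eap-fast")["path"]
            for name, net in SCENARIOS.items()}


if __name__ == "__main__":
    for scenario, path in walk_scenarios().items():
        print(f"{scenario:12s} -> {path}")
```

The point the model makes is that the AP's behaviour is determined by its own reachability, not by whether the WLC is healthy: a branch with backup RADIUS but no Local EAP still fails closed when the WAN is down, and a user missing from the static list is rejected rather than silently admitted.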
3. CCKM/OKC Fast Roaming
- FlexConnect groups are required for CCKM (Cisco Centralized Key Management) and OKC (Opportunistic Key Caching), the fast-roaming features for FlexConnect APs.
- Fast roaming works by caching the master key (the PMK) produced by a full EAP authentication, so that only a short, secure key exchange (the 4-way handshake) is needed when a wireless client roams to a different AP.
- This removes the need for a full RADIUS EAP authentication each time the client roams from one AP to another.
- The FlexConnect APs must hold the CCKM/OKC cache entries for every client that might roam to them, so they can complete the roam locally instead of asking the controller every time.
For example, with a controller serving 100 access points and 50 clients, distributing the CCKM/OKC cache of all 50 clients to all 100 APs is not practical. If instead you create a FlexConnect group with a limited number of APs (for example, the 10 APs of a remote office), clients roam only among those 10 APs, and the CCKM/OKC cache is distributed only to those 10 APs, and only once a client associates to one of them.
Together with backup RADIUS and local authentication (Local EAP), this keeps branch clients authenticating and roaming even when the controller or the WAN link is unavailable.
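To make the key-cache idea concrete, here is an added example (not from the original post and not Cisco's implementation) of OKC within one FlexConnect group. The PMKID derivation is the real one from IEEE 802.11i for the WPA2 AKMs that use SHA-1, PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP-MAC || client-MAC); the cache class, the AP and client MAC addresses and the random PMK standing in for the EAP-derived key are constructed for the illustration.

```python
import hashlib
import hmac
import os


def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), IEEE 802.11i.
    The client computes this for the new AP's BSSID and sends it in its
    (re)association request; an AP that holds the same PMK can verify it."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + client_mac, hashlib.sha1).digest()[:16]


class FlexGroupKeyCache:
    """Models the OKC cache the WLC distributes to the APs of one FlexConnect
    group. Constructed for this example; not Cisco's implementation."""

    def __init__(self, name: str, ap_macs) -> None:
        self.name = name
        self.ap_macs = set(ap_macs)
        # Per-AP PMK cache: ap_mac -> {client_mac: pmk}
        self.cache = {mac: {} for mac in self.ap_macs}
        self.full_auths = 0  # full RADIUS EAP exchanges actually performed

    def full_eap_auth(self, ap_mac: bytes, client_mac: bytes) -> bytes:
        """Full 802.1X/EAP against RADIUS. The resulting PMK is pushed to every AP
        in the group only (the page's point), not to every AP on the WLC."""
        if ap_mac not in self.ap_macs:
            raise ValueError("AP is not a member of this FlexConnect group")
        self.full_auths += 1
        pmk = os.urandom(32)  # stands in for the PMK derived from the EAP MSK
        for mac in self.ap_macs:
            self.cache[mac][client_mac] = pmk
        return pmk

    def associate(self, ap_mac: bytes, client_mac: bytes, client_pmk: bytes) -> str:
        """Client (re)associates to ap_mac presenting the OKC PMKID for its cached
        PMK. Returns 'fast-roam' on a verified cache hit, else 'full-auth'."""
        if ap_mac not in self.ap_macs:
            return "full-auth"  # roamed outside the group: this AP never got the PMK
        cached = self.cache[ap_mac].get(client_mac)
        if cached is None:
            return "full-auth"  # client unknown to this group
        presented = pmkid(client_pmk, ap_mac, client_mac)
        expected = pmkid(cached, ap_mac, client_mac)
        # Only the 4-way handshake follows on a hit; no RADIUS round trip.
        return "fast-roam" if hmac.compare_digest(expected, presented) else "full-auth"


# Constructed MACs: ten APs in the remote-office group, one AP elsewhere, one client.
GROUP_APS = [bytes([0x00, 0x11, 0x22, 0x33, 0x44, i]) for i in range(1, 11)]
OTHER_AP = bytes([0x00, 0x11, 0x22, 0x33, 0x55, 0x01])
CLIENT = bytes([0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0x01])


def roam_demo() -> dict:
    """One full EAP on the first AP, then roams across the other nine, one roam
    to an AP outside the group, and one attempt with a stale PMK."""
    group = FlexGroupKeyCache("Branch-A", GROUP_APS)
    pmk = group.full_eap_auth(GROUP_APS[0], CLIENT)
    in_group = [group.associate(ap, CLIENT, pmk) for ap in GROUP_APS[1:]]
    outside = group.associate(OTHER_AP, CLIENT, pmk)
    stale = group.associate(GROUP_APS[1], CLIENT, os.urandom(32))
    return {"roams_in_group": in_group, "roam_outside_group": outside,
            "stale_pmk": stale, "full_auths": group.full_auths}


if __name__ == "__main__":
    print(roam_demo())
```

Two things worth noticing: the PMKID is bound to both the AP's MAC and the client's MAC, so a cache entry cannot be replayed against a different AP, and a client holding a stale or forged PMK simply falls back to a full authentication rather than being admitted.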
4. FlexConnect ACL
- FlexConnect ACLs provide access control at the FlexConnect AP itself, to protect locally switched traffic that never passes through the WLC.
- FlexConnect ACLs are created on the WLC and then mapped to VLANs on the FlexConnect AP or FlexConnect group using VLAN-ACL mapping; the same mapping is used for VLANs assigned dynamically by AAA override.
- When applying an ACL to a VLAN, select the direction in which it applies: ingress, egress, or both ingress and egress.
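The following added example (not from the original post and not the WLC's code) shows how a VLAN-to-ACL mapping with a direction is evaluated against locally switched traffic. The ACL semantics modelled are first-match with an implicit deny at the end, as on the WLC; the guest VLAN number, the rules and the sample packets are constructed, and the example assumes ingress means frames arriving at the AP from the wireless client and egress means frames leaving the AP toward the client. Confirm the direction convention on your controller version before relying on it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A locally switched frame reduced to what an ACL rule looks at (constructed)."""
    proto: str             # "tcp", "udp", "icmp"
    src: str               # source IPv4 address
    dst: str               # destination IPv4 address
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "any" or a protocol name
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class FlexAcl:
    """Ordered rules, first match wins, implicit deny at the end (as on the WLC)."""

    def __init__(self, name: str, rules) -> None:
        self.name = name
        self.rules = list(rules)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class FlexGroupAclMap:
    """VLAN-ACL mapping on a FlexConnect group: vlan -> {"ingress": acl, "egress": acl}."""

    def __init__(self, vlan_map: dict) -> None:
        self.vlan_map = vlan_map

    def apply(self, vlan: int, direction: str, pkt: Packet) -> str:
        if direction not in ("ingress", "egress"):
            raise ValueError("direction must be 'ingress' or 'egress'")
        acl = self.vlan_map.get(vlan, {}).get(direction)
        # A VLAN with no ACL mapped in that direction is not filtered.
        return "permit" if acl is None else acl.evaluate(pkt)


# Constructed guest policy for VLAN 30: the corporate range 10.0.0.0/8 is blocked
# before the web/DNS permits so that HTTPS to an internal host is still denied;
# everything else (e.g. SSH) hits the implicit deny.
GUEST_IN = FlexAcl("guest-in", [
    Rule("deny", "any", "0.0.0.0/0", "10.0.0.0/8"),
    Rule("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", 53),
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 80),
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 443),
])
GUEST_OUT = FlexAcl("guest-out", [
    Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0"),
])
MAPPING = FlexGroupAclMap({30: {"ingress": GUEST_IN, "egress": GUEST_OUT}})


def check_guest_samples() -> list:
    """Evaluate a few constructed guest frames; returns one verdict per sample."""
    samples = [
        ("ingress", Packet("tcp", "172.16.30.10", "8.8.8.8", 443)),   # web out: permit
        ("ingress", Packet("tcp", "172.16.30.10", "10.1.1.5", 443)),  # corporate: deny
        ("ingress", Packet("tcp", "172.16.30.10", "8.8.8.8", 22)),    # SSH: implicit deny
        ("egress", Packet("tcp", "10.1.1.5", "172.16.30.10", 443)),   # from corporate: deny
        ("egress", Packet("udp", "8.8.8.8", "172.16.30.10", 53)),     # DNS reply: permit
    ]
    return [MAPPING.apply(30, direction, pkt) for direction, pkt in samples]


if __name__ == "__main__":
    print(check_guest_samples())
```

Because the filtering happens on the AP for locally switched traffic, nothing at the DC ever sees these frames; the ACL on the AP is the only control between a guest client and the branch LAN, which is why rule order and the implicit deny matter here.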
FlexConnect Configuration Steps and Process
1. Configure the switch port of every AP as a trunk, with the AP management VLAN as the native VLAN.
2. All APs must be able to reach the WLC over the intranet, Internet or WAN link.
3. Complete the basic WLAN configuration according to the branch site's requirements.
4. Create the FlexConnect group on the WLC.
5. Once the FlexConnect group is created, open it to configure it.
6. Add the respective access points to their respective group.
7. Configure the local authentication server details as described above (refer to the Local Authentication section).
8. Set the WLAN/SSID to FlexConnect mode.
9. Configure all 802.1X authentication options.
10. Enable AAA override and FlexConnect Local Switching so that client traffic is switched locally.
11. Map all FlexConnect ACLs.
12. Allow the native VLAN and all WLAN VLAN IDs on the FlexConnect group (and on the switch trunk).
Visit our site: https://www.kbrosistechnologies.com/
Watch more videos: https://www.youtube.com/channel/UCpcd6IshE1caAbf9EdJd3gw
https://www.youtube.com/channel/UCTbOmLTSlHggEBkt5wFGNRA
FAQ
What is FlexConnect?
It is a wireless solution for connecting branch/remote-location access points to a centralised WLC, with client traffic switched either locally at the branch or centrally at the controller.
What is AP grouping?
It is a way of grouping APs by service, area or department; any configuration applied to the group applies to all APs associated with that group.
What is FlexConnect grouping?
It is a grouping of FlexConnect APs that share backup RADIUS, local authentication and fast-roaming key-cache settings; any configuration applied to the group applies to all APs associated with that group, and it lets clients roam quickly between them.
What is CCKM/OKC fast roaming?
It lets a roaming client re-authenticate to the new AP using the cached master key from its earlier full EAP authentication, without a fresh RADIUS authentication.