Configuring FlexConnect Users

Configuring FlexConnect AP Groups Templates

FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office.

There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.

To set up a FlexConnect AP group, follow these steps:

Step 1 Choose Configure > Controller Template Launch Pad.

Step 2 Click FlexConnect AP Groups or choose FlexConnect > FlexConnect AP Groups from the left sidebar menu. The FlexConnect > FlexConnect AP Groups page appears. It displays the primary and secondary RADIUS servers, as well as the number of controllers and virtual domains that the template is applied to; these values populate automatically. The last column indicates when the template was last saved.

The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.

Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go. To modify an existing template, click the template name. The General tab of the FlexConnect AP Groups page appears (see Figure 11-17).

Figure 11-17 AP Groups FlexConnect Template

Step 4 The Template Name field shows the group name assigned to the FlexConnect access point group.

Step 5 Choose the primary RADIUS authentication servers for each group. If a RADIUS authentication server is not present on the controller, the NCS configured RADIUS server does not apply. A value of 10 indicates that the primary RADIUS server is not configured for this group.

Step 6 Choose the secondary RADIUS authentication servers for each group. If a RADIUS authentication server is not present on the controller, the NCS configured RADIUS server does not apply. A value of 0 indicates that the primary RADIUS server is not configured for this group.

Step 7 If you want to add an access point to the group, click the FlexConnect AP tab.

Step 8 An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.

Step 9 Click Add AP. The FlexConnect AP Group page appears.

Step 10 Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group.

Note Make sure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab.

Step 11 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group. The default value is unselected.

Note When you attempt to use this feature, a warning message indicates that it is a licensed feature.

Note You can click the Users configured in the group link that appears at the bottom of the page to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group.

Step 12 To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP check box.

Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST check box.

Step 13 Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be provisioned:

To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. The key must be 32 hexadecimal characters.

To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto key generation check box.

Step 14 In the EAP-FAST Key text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.

Step 15 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.

Step 16 In the EAP-FAST Authority Info text box, enter the authority information of the EAP-FAST server.

Step 17 In the EAP-FAST Pac Timeout text box, specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds.

Note The EAP-FAST options are available only if you select the EAP-FAST check box in Step 12.

Step 18 Click the Image Upgrade tab and configure the following:

FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access points.

Slave Maximum Retry Count—Enter the maximum retries for the slave to undertake to start the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.

Note You are allowed to add an access point as a master access point only if the FlexConnect AP Upgrade check box is enabled on the General tab.

Step 19 Click the VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.

a. Click Add.

b. Enter a VLAN ID. The valid VLAN ID range is 1 to 4094.

c. From the Ingress ACL drop-down list, choose an Ingress ACL.

d. From the Egress ACL drop-down list, choose an Egress ACL.

e. Click Save.

Step 20 Click the WLAN-ACL Mapping tab to view, add, edit, or remove a WLAN ACL mapping.

a. Click Add.

b. From the WLAN Profile Name drop-down list, choose a WLAN profile.

c. From the WebAuth ACL drop-down list, choose a WebAuth ACL.

d. Click Save.

Note You can add up to a maximum of 16 WebAuth ACLs.

Step 21 Click the WebPolicy ACL tab to view, add, edit, or remove a WebPolicy ACL mapping.

a. Click Add.

b. From the Web-Policy ACL drop-down list, choose a WebPolicy ACL.

c. Click Save.

Note You can add up to a maximum of 16 Web-Policy ACLs.

Step 22 Click Save.
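
A pre-deployment check of the limits stated in the steps above: RADIUS servers set to None for local authentication, a 32-hexadecimal-character EAP-FAST key, the PAC timeout and VLAN ID ranges, the 16-ACL maximum, and one FlexConnect group per AP Ethernet MAC on a controller. This is an added example, not NCS code; the dictionary layout and field names are assumptions, and the sample data is constructed.

```python
import re
import secrets

# Hypothetical dict layout for a FlexConnect AP group template; the field
# names are assumptions for this example, not an NCS export format.
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def new_eap_fast_key():
    """Return 32 hexadecimal characters drawn from the OS CSPRNG."""
    return secrets.token_hex(16)

def validate_group(g):
    """Return the list of constraint violations for one group template."""
    errs = []
    radius = (g.get("primary_radius", "None"), g.get("secondary_radius", "None"))
    if g.get("local_auth") and radius != ("None", "None"):
        errs.append("local auth needs Primary and Secondary RADIUS set to None")
    if g.get("eap_fast"):
        if not g.get("auto_key") and not HEX32.fullmatch(g.get("eap_fast_key", "")):
            errs.append("EAP-FAST key must be 32 hexadecimal characters")
        if not 2 <= g.get("pac_timeout", 0) <= 4095:
            errs.append("PAC timeout must be 2 to 4095 seconds")
    if any(not 1 <= v <= 4094 for v in g.get("vlan_acl", {})):
        errs.append("VLAN ID must be 1 to 4094")
    for field in ("webauth_acls", "webpolicy_acls"):
        if len(g.get(field, [])) > 16:
            errs.append(f"{field}: more than 16 entries")
    return errs

def duplicate_aps(groups):
    """Map (controller, MAC) to group names when an AP is in several groups."""
    seen = {}
    for g in groups:
        for ctrl in g.get("controllers", []):
            for mac in g.get("ap_macs", []):
                # Normalise separators and case so 00:11:.. equals 0011.22..
                key = (ctrl, re.sub(r"[^0-9a-f]", "", mac.lower()))
                seen.setdefault(key, []).append(g["name"])
    return {k: names for k, names in seen.items() if len(names) > 1}

# Constructed sample data: branch-b breaks four limits and reuses an AP MAC.
SAMPLE = [
    {"name": "branch-a", "controllers": ["wlc-1"], "ap_macs": ["00:11:22:AA:BB:01"],
     "local_auth": True, "primary_radius": "None", "secondary_radius": "None",
     "eap_fast": True, "eap_fast_key": new_eap_fast_key(), "pac_timeout": 3600,
     "vlan_acl": {10: ("in-acl", "out-acl")}},
    {"name": "branch-b", "controllers": ["wlc-1"], "ap_macs": ["0011.22aa.bb01"],
     "local_auth": True, "primary_radius": "10.0.0.5", "eap_fast": True,
     "eap_fast_key": "1234", "pac_timeout": 1, "vlan_acl": {4095: ("a", "b")}},
]
```

Run `validate_group` on each template and `duplicate_aps` on the full set before saving or applying templates to controllers.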