Configuring Cisco FlexConnect Groups
Information About FlexConnect Groups
FlexConnect Groups allow for the organization and management of FlexConnect access points (APs). By creating groups, specific access points can be assigned to them, enabling them to share common configuration settings such as backup RADIUS server details, CCKM, and local authentication parameters. This feature is particularly beneficial for environments with multiple FlexConnect APs in a single location, such as a remote office, allowing for simultaneous configuration updates and simplifying management. For instance, a backup RADIUS server can be configured once for an entire group rather than individually for each AP.
This document covers the following topics:
- Information About FlexConnect Groups
- Configuring FlexConnect Groups
- Configuring VLAN-ACL Mapping on FlexConnect Groups
- Configuring WLAN-VLAN Mappings on FlexConnect Groups
FlexConnect Groups and Backup RADIUS Servers
The following figure illustrates a typical FlexConnect deployment featuring a backup RADIUS server within a branch office.
Figure 1: FlexConnect Group Deployment illustrates a typical FlexConnect setup in a branch office. It shows a WAN link connecting to a branch network. Within the branch, there's a local switch, a DHCP server, and a backup RADIUS server. Hybrid REAP Access Points are connected to the local switch via a trunk port, which carries a native VLAN 100 and VLAN 101 for local traffic. The diagram also indicates 802.1x connectivity.
For more detailed information on FlexConnect deployment considerations, refer to the FlexConnect chapter in the Enterprise Mobility Design Guide.
You can configure the controller to enable a FlexConnect access point in standalone mode to perform full 802.1X authentication using a backup RADIUS server. This configuration can include a primary backup RADIUS server, or both a primary and secondary backup RADIUS server. These servers are utilized when the FlexConnect access point operates in either standalone or connected mode.
FlexConnect Groups and CCKM
FlexConnect Groups are essential for enabling CCKM (Cisco Centralized Key Management) fast roaming with FlexConnect access points. CCKM fast roaming is achieved by caching a derivative of the master key from a full EAP authentication. This allows for a simple and secure key exchange when a wireless client roams to a different access point, eliminating the need for a full RADIUS EAP re-authentication. FlexConnect APs need to obtain CCKM cache information for all potentially associating clients to process roams quickly without constant communication back to the controller. For example, if a controller has 300 APs and 100 clients, sending CCKM cache for all clients is impractical. Creating a FlexConnect group with a limited number of APs (e.g., four in a remote office) ensures clients roam only among those APs, and CCKM cache is distributed efficiently when clients associate.
Note: CCKM fast roaming between FlexConnect and non-FlexConnect access points is not supported.
FlexConnect Groups and Opportunistic Key Caching (OKC)
Note: FlexConnect Groups are required for CCKM, 11r, and OKC functionality, enabling caching on APs. For 11r/CCKM fast roaming, the group name must be consistent across APs. For OKC, the group name can differ as the final check is performed at the Cisco WLC.
Starting with Cisco Wireless LAN Controller Release 7.0.116.0, FlexConnect groups enhance Opportunistic Key Caching (OKC) to facilitate fast client roaming. OKC uses PMK caching within APs belonging to the same FlexConnect group. This prevents the need for a full authentication process when a client roams between APs. FlexConnect groups store cached keys on the APs, speeding up the process. While not strictly required, OKC will still function between APs in different FlexConnect groups or without groups if the Cisco WLC is reachable and APs are in connected mode.
To view PMK cache entries on a FlexConnect access point, use the command show capwap reap pmk. This feature is supported only on Cisco FlexConnect access points; PMK cache entries are not visible on non-FlexConnect APs.
Note: The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x authentication.
When using FlexConnect groups for OKC or CCKM, the PMK cache is shared only among APs within the same FlexConnect group and associated with the same controller. If APs are in the same FlexConnect group but connected to different controllers within the same mobility group, the PMK cache is not updated, leading to CCKM roaming failure, although OKC roaming will still function.
Note: Fast roaming (802.11r) operates correctly only if APs are in the same FlexConnect group and in FlexConnect mode.
FlexConnect Groups and Local Authentication
The controller can be configured to allow a FlexConnect access point in standalone mode to perform LEAP, EAP-FAST, PEAP, or EAP-TLS authentication for up to 100 statically configured users. The controller distributes the static list of usernames and passwords to each FlexConnect AP upon joining. Each AP in the group then authenticates its own associated clients. This feature is advantageous for organizations transitioning from autonomous AP networks to lightweight FlexConnect AP networks, as it eliminates the need for a large, separate user database or an additional hardware device to replace RADIUS server functionality.
Note: LEAP, EAP-FAST, PEAP, or EAP-TLS authentication can only be configured if AP local authentication is enabled.
Certificate provisioning is required for the AP to send a certificate to the client. This involves downloading the Vendor Device Certificate and the Vendor Certification Authority Certificate to the controller, which then pushes them to the AP. If these certificates are not configured, APs in the FlexConnect group will download the controller's self-signed certificate, which may not be recognized by many wireless clients.
For EAP-TLS, the AP will not recognize or accept a client certificate if its root CA differs from the AP's root CA. When using Enterprise public key infrastructures (PKI), it is necessary to download Vendor Device and CA Certificates to the controller for distribution to APs in the FlexConnect group. Without a common client and AP root CA, EAP-TLS authentication will fail on the local AP. The AP cannot validate external CAs and relies solely on its own CA chain for client certificate validation.
The AP has limited space for local and CA certificates (approximately 7 KB), supporting only short or single certificate chains.
Note: This feature is compatible with the FlexConnect backup RADIUS server feature. If a FlexConnect group is configured with both a backup RADIUS server and local authentication, the AP first attempts authentication with the primary backup RADIUS server, then with the secondary (if the primary is unavailable), and finally falls back to the FlexConnect AP's local authentication if both servers are unreachable.
For information regarding the number of FlexConnect groups and AP support for specific Cisco WLC models, consult the data sheet for the respective Cisco WLC model.
FlexConnect Groups and VLAN Support
VLAN Support and VLAN ID can be configured on a per-FlexConnect group basis. This allows all APs within a FlexConnect group to inherit the VLAN configuration, including VLAN support, Native VLAN, and WLAN-VLAN mappings, from the group settings.
Deployment Considerations
- If the override flag is set at the FlexConnect Group level, modifications to VLAN Support, Native VLAN ID, WLAN-VLAN mappings, and Inheritance Level at the AP are not permitted.
- An Inheritance Level configuration is available at the FlexConnect AP. Setting this to "Make VLAN AP Specific" allows for AP-specific configuration of VLAN Support, Native VLAN ID, and WLAN-VLAN mappings. This modification is only possible when the group's override flag is disabled. To configure this via the WLC GUI, navigate to Wireless > All APs, select the AP name, and choose "Make VLAN AP Specific" from the FlexConnect tab's drop-down list.
Configuring FlexConnect Groups
Upgrade and Downgrade Considerations
- Upon upgrading to Release 8.1, if a FlexConnect group has WLAN-VLAN mappings, VLAN support will be enabled, and the native VLAN will be set to 1. Otherwise, VLAN support remains disabled for the FlexConnect group, and the override flag is also disabled.
- When downgrading from Release 8.1, VLAN Support and Native VLAN ID are managed on a per-AP basis, and WLAN-VLAN mappings follow the previous inheritance model.
Configuring FlexConnect Groups (GUI)
- Navigate to Wireless > FlexConnect Groups to access the FlexConnect Groups page, which lists existing FlexConnect groups.
Note: To delete an existing group, hover over the blue drop-down arrow for that group and select Remove.
- Click New to create a new FlexConnect Group.
- On the FlexConnect Groups > New page, enter the desired group name in the Group Name text box. Names can be up to 32 alphanumeric characters.
- Click Apply. The new group will appear on the FlexConnect Groups page.
- To edit a group's properties, click the group's name. The FlexConnect Groups > Edit page will display.
- To configure a primary RADIUS server for the group (e.g., for 802.1X authentication), select the desired server from the Primary RADIUS Server drop-down list. If no primary server is needed, leave it set to None.
Note: IPv6 RADIUS Server configuration is not supported; only IPv4 is configurable.
- To configure a secondary RADIUS server, select it from the Secondary RADIUS Server drop-down list. Leave it as None if not required.
- Configure the RADIUS server details for the FlexConnect group:
- Enter the RADIUS server IP address.
- Select the server type as either Primary or Secondary.
- Enter a shared secret for logging into the RADIUS server and confirm it.
- Enter the port number.
- Click Add.
- To add an access point to the group, click Add AP. Additional fields will appear under the Add AP section.
- Perform one of the following tasks to select access points:
- To select an access point connected to the current controller, check the Select APs from Current Controller box and choose the access point name from the drop-down list.
Note: When selecting an AP from the current controller, its MAC address is automatically populated in the Ethernet MAC text box to prevent mismatches.
- To select an access point connected to a different controller, leave the Select APs from Current Controller box unchecked and enter its MAC address in the Ethernet MAC text box.
Note: If FlexConnect access points within a group are connected to different controllers, all these controllers must belong to the same mobility group.
- Click Add to associate the access point with the FlexConnect group. The access point's MAC address, name, and status will be displayed at the bottom of the page.
Note: To remove an access point, hover over its blue drop-down arrow and select Remove.
- Click Apply.
- Enable local authentication for a FlexConnect Group as follows:
- Ensure that the Primary RADIUS Server and Secondary RADIUS Server parameters are set to None.
- Select the Enable AP Local Authentication check box. The default is unselected.
- Click Apply.
- Navigate to the Local Authentication tab (FlexConnect > Edit > Local Authentication > Local Users).
- To add clients for authentication using LEAP, EAP-FAST, PEAP, or EAP-TLS, perform one of the following:
- Upload a comma-separated values (CSV) file: Check the Upload CSV File box, click Browse to select a CSV file containing usernames and passwords (one username,password pair per line), and click Add. Client names appear under the "User Name" heading.
- Add clients individually: Enter the client's username in the User Name text box and the password in the Password and Confirm Password text boxes, then click Add. Client names appear under the "User Name" heading.
Note: Up to 100 clients can be added.
- Click Apply.
- Navigate to the Protocols tab (FlexConnect > Edit > Local Authentication > Protocols).
- To allow LEAP authentication, select the Enable LEAP Authentication check box.
- To allow EAP-FAST authentication, select the Enable EAP-FAST Authentication check box (default is unselected).
- To allow PEAP Authentication, select the Enable PEAP Authentication check box. PEAP authentication requires AP local authentication to be configured.
- To allow EAP-TLS authentication, select the Enable EAP TLS Authentication check box. EAP-TLS authentication requires AP local authentication to be configured. Enabling EAP-TLS also enables the download of EAP root and device certificates to the AP. You can uncheck the EAP TLS Certificate download box if certificates should not be downloaded.
- Configure PAC provisioning:
- For manual PAC provisioning, enter the server key for encrypting/decrypting PACs in the Server Key and Confirm Server Key text boxes (must be 32 hexadecimal characters).
- To automatically send PACs to clients lacking them during provisioning, select the Enable Auto Key Generation check box.
- In the Authority ID text box, enter the EAP-FAST server's authority identifier (32 hexadecimal characters).
- In the Authority Info text box, enter the EAP-FAST server's authority identifier in text format (up to 32 hexadecimal characters).
- To set a PAC timeout value, select the PAC Timeout check box and enter the duration in seconds (range: 2-4095, or 0 to disable). The default is unselected (disabled).
- Click Apply.
- In the WLAN-ACL mapping tab, configure mappings:
- Under Web Auth ACL Mapping, enter the WLAN ID, select the WebAuth ACL, and click Add.
- Under Local Split ACL Mapping, enter the WLAN ID, select the Local Split ACL, and click Add.
Note: Up to 16 WLAN-ACL combinations can be configured for local split tunneling. Local split tunneling is not compatible with clients using static IP addresses.
- In the Central DHCP tab, configure DHCP settings:
- Enter the WLAN ID for Central DHCP mapping in the WLAN Id box.
- Select or unselect the Central DHCP check box to enable or disable it.
- Select or unselect the Override DNS check box to enable or disable DNS overriding.
- Select or unselect the NAT-PAT check box to enable or disable network address translation and port address translation.
- Click Add to create the Central DHCP - WLAN mapping.
Note: When the overridden interface is enabled for FlexConnect Group DHCP, DHCP broadcast to unicast is optional for locally switched clients.
- Click Save Configuration.
- Repeat this procedure to add more FlexConnect groups.
Note: To verify if an individual access point belongs to a FlexConnect Group, navigate to Wireless > Access Points > All APs, click the desired AP name, and check the FlexConnect tab. The group name will appear in the FlexConnect Name text box.
Configuring FlexConnect Groups (CLI)
The following commands are used for configuring FlexConnect Groups via the Command Line Interface (CLI):
- Add or delete a FlexConnect Group:
config flexconnect group group_name {add | delete}
- Configure a primary or secondary RADIUS server for the FlexConnect group:
config flexconnect group group_name radius server auth {{add {primary | secondary} ip-addr auth-port secret} | {delete {primary | secondary}}}
- Add an access point to the FlexConnect Group:
config flexconnect group group_name ap {add | delete} ap_mac
- Configure local authentication for a FlexConnect group:
- Ensure primary and secondary RADIUS servers are not configured for the group.
- Enable or disable local authentication:
config flexconnect group group_name radius ap {enable | disable}
- Add a client for authentication (LEAP, EAP-FAST, PEAP, EAP-TLS):
config flexconnect group group_name radius ap user add username password password
Note: Up to 100 clients can be added.
- Enable or disable LEAP authentication:
config flexconnect group group_name radius ap leap {enable | disable}
- Enable or disable EAP-FAST authentication:
config flexconnect group group_name radius ap eap-fast {enable | disable}
- Download EAP Root and Device certificates to AP:
config flexconnect group group_name radius ap eap-cert download
- Enable or disable EAP-TLS authentication:
config flexconnect group group_name radius ap eap-tls {enable | disable}
- Enable or disable PEAP authentication:
config flexconnect group group_name radius ap peap {enable | disable}
- Configure PAC provisioning:
- Specify the server key for PACs (the key must be 32 hexadecimal characters):
config flexconnect group group_name radius ap server-key key
- Allow automatic PAC sending:
config flexconnect group group_name radius ap server-key auto
- Specify the EAP-FAST server authority ID (where id is 32 hexadecimal characters):
config flexconnect group group_name radius ap authority id id
- Specify the EAP-FAST server authority info (where info is up to 32 hexadecimal characters):
config flexconnect group group_name radius ap authority info info
- Specify the PAC timeout (where timeout is 2-4095 seconds, or 0 to disable):
config flexconnect group group_name radius ap pac-timeout timeout
- Configure a Policy ACL on a FlexConnect group:
config flexconnect group group-name policy acl {add | delete} acl-name
- Configure local split tunneling on a per-FlexConnect group basis:
config flexconnect group group_name local-split wlan wlan-id acl acl-name flexconnect-group-name {enable | disable}
- Set multicast/broadcast across L2 broadcast domain on overridden interface for locally switched clients:
config flexconnect group group_name multicast overridden-interface {enable | disable}
- Configure central DHCP per WLAN:
config flexconnect group group-name central-dhcp wlan-id {enable override dns | disable | delete}
- Configure the DHCP overridden interface for FlexConnect group:
config flexconnect group group_name dhcp overridden-interface enable
- Configure web-auth ACL on FlexConnect group:
config flexconnect group group_name web-auth wlan wlan-id acl acl-name {enable | disable}
- Configure WLAN-VLAN mapping on FlexConnect group:
config flexconnect group group_name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id
- Set efficient upgrade for group:
config flexconnect group group_name predownload {enable | disable | master | slave} ap-name retry-count maximum retry count ap-name ap-name
- Save configuration changes:
save config
- View the current list of FlexConnect groups:
show flexconnect group summary
- View details for a specific FlexConnect Group:
show flexconnect group detail group_name
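The script below is an added example, not Cisco's own tooling and not taken from this guide. It renders the CLI commands listed above from a structured group definition and checks the limits this chapter states (32-character alphanumeric group name, 100 local users, 32-hexadecimal-character server key and authority ID, PAC timeout of 0 or 2-4095, no backup RADIUS servers while AP local authentication is on) before anything is typed into the controller. The names FlexGroup, RadiusServer, parse_local_users, validate and render are the example's own, and the sample group, MAC addresses and local users are constructed.

```python
"""Render Cisco WLC FlexConnect group CLI from a structured definition.
Added example, not Cisco tooling: it emits the `config flexconnect group`
commands listed above and rejects what this chapter says the controller
rejects (group name over 32 alphanumeric characters, more than 100 local
users, a server key or authority ID that is not 32 hex characters, a PAC
timeout outside 0 or 2-4095, backup RADIUS servers set while local auth is on).
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
MAC = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

@dataclass
class RadiusServer:
    ip: str            # IPv4 only; the chapter notes IPv6 RADIUS is unsupported
    auth_port: int
    secret: str

@dataclass
class FlexGroup:
    name: str
    ap_macs: List[str] = field(default_factory=list)
    primary: Optional[RadiusServer] = None
    secondary: Optional[RadiusServer] = None
    local_auth: bool = False
    local_users: List[Tuple[str, str]] = field(default_factory=list)
    server_key: Optional[str] = None     # manual PAC provisioning key
    authority_id: Optional[str] = None   # EAP-FAST authority identifier
    pac_timeout: Optional[int] = None    # seconds; 0 disables
    wlan_vlan: List[Tuple[int, int]] = field(default_factory=list)  # (wlan-id, vlan-id)

def parse_local_users(csv_text: str) -> List[Tuple[str, str]]:
    """Parse the one-'username,password'-per-line CSV the GUI upload accepts."""
    users = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not any(row):
            continue  # blank line
        if len(row) != 2 or not row[0].strip() or not row[1].strip():
            raise ValueError(f"malformed local-user line: {row!r}")
        users.append((row[0].strip(), row[1].strip()))
    return users

def validate(g: FlexGroup) -> None:
    """Raise ValueError for any value outside the limits this chapter states."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", g.name):
        raise ValueError("group name must be 1-32 alphanumeric characters")
    if any(not MAC.fullmatch(m) for m in g.ap_macs):
        raise ValueError("AP Ethernet MACs must be xx:xx:xx:xx:xx:xx")
    if g.local_auth and (g.primary or g.secondary):
        raise ValueError("set primary/secondary RADIUS to None before enabling local auth")
    if len(g.local_users) > 100:
        raise ValueError("at most 100 local users per FlexConnect group")
    for label, val in (("server key", g.server_key), ("authority ID", g.authority_id)):
        if val is not None and not HEX32.fullmatch(val):
            raise ValueError(f"{label} must be exactly 32 hexadecimal characters")
    if g.pac_timeout is not None and not (g.pac_timeout == 0 or 2 <= g.pac_timeout <= 4095):
        raise ValueError("PAC timeout must be 0 (disabled) or 2-4095 seconds")

def is_valid(g: FlexGroup) -> bool:
    try:
        validate(g)
        return True
    except ValueError:
        return False

def render(g: FlexGroup) -> List[str]:
    """Return the CLI lines in the order the chapter's procedure applies them."""
    validate(g)
    p = f"config flexconnect group {g.name}"
    lines = [f"{p} add"]
    for role, srv in (("primary", g.primary), ("secondary", g.secondary)):
        if srv is not None:
            lines.append(f"{p} radius server auth add {role} {srv.ip} {srv.auth_port} {srv.secret}")
    lines += [f"{p} ap add {mac}" for mac in g.ap_macs]
    if g.local_auth:
        lines.append(f"{p} radius ap enable")
        lines += [f"{p} radius ap user add {u} password {pw}" for u, pw in g.local_users]
        if g.server_key is not None:
            lines.append(f"{p} radius ap server-key {g.server_key}")
        if g.authority_id is not None:
            lines.append(f"{p} radius ap authority id {g.authority_id}")
        if g.pac_timeout is not None:
            lines.append(f"{p} radius ap pac-timeout {g.pac_timeout}")
    lines += [f"{p} wlan-vlan wlan {w} add vlan {v}" for w, v in g.wlan_vlan]
    lines.append("save config")
    return lines

# Constructed sample (not from the page): a two-AP remote office on AP local auth.
SAMPLE_CSV = "alice,Pa55word\nbob,S3cret\n\n"
SAMPLE_GROUP = FlexGroup(
    name="RemoteOffice1", ap_macs=["00:11:22:33:44:55", "00:11:22:33:44:66"],
    local_auth=True, local_users=parse_local_users(SAMPLE_CSV),
    server_key="0123456789abcdef0123456789abcdef", pac_timeout=3600, wlan_vlan=[(1, 101)],
)
```

Calling render(SAMPLE_GROUP) returns ten lines, from `config flexconnect group RemoteOffice1 add` through `save config`, and validate() refuses the group before any command is produced if, for example, the PAC timeout is 1 or a 101st local user is present. Keeping the shared secret and local passwords out of version control is the operator's job; the script only formats them.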
Configuring VLAN-ACL Mapping on FlexConnect Groups
Configuring VLAN-ACL Mapping on FlexConnect Groups (GUI)
- Navigate to Wireless > FlexConnect Groups. The FlexConnect Groups page lists APs associated with the controller.
- Click the Group Name link for the FlexConnect Group you wish to configure.
- Click the VLAN-ACL Mapping tab. The VLAN-ACL Mapping page for that group will appear.
- Enter the Native VLAN ID in the VLAN ID text box.
- From the Ingress ACL drop-down list, select the Ingress ACL.
- From the Egress ACL drop-down list, select the Egress ACL.
- Click Add to apply this mapping to the FlexConnect Group. The VLAN ID will be mapped with the specified ACLs. To remove a mapping, hover over the blue drop-down arrow and select Remove.
Note: Access Points inherit VLAN-ACL mappings from FlexConnect groups if WLAN VLAN mapping is also configured on the groups.
Configuring VLAN-ACL Mapping on FlexConnect Groups (CLI)
Add a VLAN to a FlexConnect group and map ingress and egress ACLs using the following command:
config flexconnect group group-name vlan add vlan-id acl ingress-acl egress-acl
Viewing VLAN-ACL Mappings (CLI)
- View FlexConnect group details:
show flexconnect group detail group-name
- View VLAN-ACL mappings on the AP:
show ap config general ap-name
Configuring WLAN-VLAN Mappings on FlexConnect Groups
Configuring WLAN-VLAN Mapping on FlexConnect Groups (GUI)
Follow these guidelines:
- Individual AP settings take precedence over FlexConnect group and global WLAN settings. FlexConnect group settings take precedence over global WLAN settings.
- AP-level configurations are stored in flash memory, while WLAN and FlexConnect group configurations are stored in RAM.
- When an AP moves between controllers, it retains its individual VLAN mappings. However, FlexConnect group and global mappings will be sourced from the new controller. If the WLAN SSID differs between controllers, the WLAN-VLAN mapping will not be applied.
- In downstream traffic, the VLAN ACL is applied first, followed by the client ACL. In upstream traffic, the client ACL is applied first, followed by the VLAN ACL.
- The ACL must be present on the AP at the time of 802.1X authentication. If the ACL is absent, a client might be denied authentication even if it successfully passes 802.1X.
ACL Present on AP | ACL Name sent from AAA | Result of 802.1X Authentication
---|---|---
No | No | Authenticated, no ACL applied
No | Yes | Authentication denied
Yes | No | Authenticated, no ACL applied
Yes | Yes | Authenticated, client ACL applied
After client authentication, if the ACL name changes in the RADIUS server, the client must undergo a full re-authentication to receive the correct client ACL. WLAN-VLAN mapping on FlexConnect groups is not supported on Cisco APs 1131 and 1242.
Before You Begin
Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
- Navigate to Wireless > FlexConnect Groups. The FlexConnect Groups > Edit page is displayed.
- Click the group name.
- Click the WLAN VLAN Mapping tab.
- Enter the WLAN ID and the VLAN ID, then click Add.
- The mapping is displayed in the same tab.
- Select the VLAN Support check box and specify the Native VLAN ID.
- Select the Override Native VLAN on AP check box. This action:
- Overrides the VLAN Support and Native VLAN ID previously configured on the access points.
- Changes the inheritance level at the AP to "Group Specific".
- Removes AP-specific WLAN-VLAN and VLAN-ACL mappings.
- Pushes the group-specific configuration, including WLAN-VLAN mapping, to all APs in the group.
- To verify that the inheritance level is "Group Specific":
- Navigate to Wireless > Access Points > All APs and click the AP name.
- In the FlexConnect tab, view the Inheritance Level field.
- Click VLAN Mappings to view the details of WLAN-VLAN mappings.
- Click Apply.
- Click Save Configuration.
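The precedence guidelines above (individual AP over group over global, AP mappings kept across a controller move but not applied when the SSID differs, nothing applied for a WLAN the AP does not broadcast) and the effects of the Override Native VLAN on AP step are easier to reason about when written out as a small resolver. The following is an added example, not Cisco code: Controller, FlexGroup, FlexAp, effective_vlan and the rest are an assumed data model for illustrating the rules, not the WLC's internal representation, and the scenario (SSIDs corp and guest, VLANs 10, 20, 101, 150, 201) is constructed. Where the chapter says a stale AP mapping is "not applied", this example falls through to the new controller's group and global mapping; that reading is the example's.

```python
"""Resolve which VLAN a locally switched client is placed in under the precedence
rules of this section. Added example, not Cisco code: Controller, FlexGroup and
FlexAp are an assumed data model for illustrating the rules, not the WLC's own.
Rules encoded: AP-specific > group > global WLAN mapping; an AP keeps its own
mappings (flash) across a controller move but they apply only if the WLAN's SSID
is unchanged; the group override flag refuses AP-level changes, removes
AP-specific mappings and sets the inheritance level to "Group Specific"; nothing
is applied for a WLAN the AP does not broadcast.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class Wlan:
    ssid: str
    vlan_id: int                                   # global WLAN-VLAN mapping

@dataclass
class FlexGroup:
    name: str
    override_native_vlan: bool = False
    wlan_vlan: Dict[int, int] = field(default_factory=dict)   # wlan-id -> vlan

@dataclass
class Controller:
    wlans: Dict[int, Wlan] = field(default_factory=dict)      # wlan-id -> WLAN
    groups: Dict[str, FlexGroup] = field(default_factory=dict)

@dataclass
class FlexAp:
    name: str
    group: Optional[str] = None
    inheritance: str = "Group Specific"
    broadcast: Set[int] = field(default_factory=set)           # wlan-ids on air
    # AP-specific mapping kept in flash: wlan-id -> (SSID when configured, vlan)
    wlan_vlan: Dict[int, Tuple[str, int]] = field(default_factory=dict)

def set_ap_mapping(ap: FlexAp, wlc: Controller, wlan_id: int, vlan_id: int) -> None:
    """'Make VLAN AP Specific' and map one WLAN; refused while the group override is set."""
    group = wlc.groups.get(ap.group or "")
    if group is not None and group.override_native_vlan:
        raise PermissionError("group override flag is set; AP-level VLAN change not permitted")
    ap.inheritance = "AP Specific"
    ap.wlan_vlan[wlan_id] = (wlc.wlans[wlan_id].ssid, vlan_id)

def apply_group_override(wlc: Controller, group_name: str, aps) -> None:
    """'Override Native VLAN on AP' at group level, with the effects the chapter lists."""
    wlc.groups[group_name].override_native_vlan = True
    for ap in aps:
        if ap.group == group_name:
            ap.wlan_vlan.clear()                   # AP-specific WLAN-VLAN mappings removed
            ap.inheritance = "Group Specific"      # group config is pushed to the AP

def effective_vlan(ap: FlexAp, wlc: Controller, wlan_id: int) -> Optional[int]:
    wlan = wlc.wlans.get(wlan_id)
    if wlan is None or wlan_id not in ap.broadcast:
        return None                                # applied only if the WLAN is broadcast on the AP
    if ap.inheritance == "AP Specific" and wlan_id in ap.wlan_vlan:
        ssid_then, vlan = ap.wlan_vlan[wlan_id]
        if ssid_then == wlan.ssid:
            return vlan                            # individual AP setting wins
        # SSID differs on this controller: the stale AP mapping is not applied
        # (this example then falls through to the new controller's group/global mapping)
    group = wlc.groups.get(ap.group or "")
    if group is not None and wlan_id in group.wlan_vlan:
        return group.wlan_vlan[wlan_id]            # group beats global
    return wlan.vlan_id

def scenario() -> Dict[str, object]:
    """Constructed walk-through (not from the page) returning each step's outcome."""
    wlc_a = Controller({1: Wlan("corp", 10)}, {"Branch": FlexGroup("Branch", wlan_vlan={1: 101})})
    ap = FlexAp("ap1", group="Branch", broadcast={1})
    out = {"group_over_global": effective_vlan(ap, wlc_a, 1)}          # 101
    set_ap_mapping(ap, wlc_a, 1, 150)
    out["ap_over_group"] = effective_vlan(ap, wlc_a, 1)                # 150
    # AP moves to a controller where WLAN 1 carries a different SSID
    wlc_b = Controller({1: Wlan("guest", 20)}, {"Branch": FlexGroup("Branch", wlan_vlan={1: 201})})
    out["moved_ssid_differs"] = effective_vlan(ap, wlc_b, 1)           # 201
    out["not_broadcast"] = effective_vlan(ap, wlc_b, 2)                # None
    apply_group_override(wlc_a, "Branch", [ap])
    out["after_override"] = (ap.inheritance, dict(ap.wlan_vlan), effective_vlan(ap, wlc_a, 1))
    try:
        set_ap_mapping(ap, wlc_a, 1, 150)
        out["ap_change_refused"] = False
    except PermissionError:
        out["ap_change_refused"] = True
    return out
```

Running scenario() walks the AP through each rule in turn: the group mapping (101) beats the global one (10), the AP-specific mapping (150) beats the group, the move to a controller whose WLAN 1 is a different SSID drops the AP's stale entry, and the group override clears the AP mapping, resets the inheritance level and refuses further AP-level changes.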
Configuring WLAN-VLAN Mapping on FlexConnect Groups (CLI)
Before You Begin: Ensure that the WLAN is locally switched. The configuration is applied to the AP only if the WLAN is broadcast on the AP.
Configure WLAN-VLAN mapping on a FlexConnect group using the following command:
config flexconnect group group-name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id