In this state, for the given WLAN, the access point forwards all client authentication requests to the controller and tunnels all client data back to the controller as well. This state is valid only when the access point’s CAPWAP control path is up, which means the H REAP is in Connected mode. Any WLAN that is tunneled back to the controller is lost during a WAN outage, no matter the authentication method.
The AP reboots and rejoins the WLC.
If the client tries to access local resources, all traffic is tunneled back to HQ. (10.10.120.129 is a subnet in MO)
In this state, the WLAN on a given H REAP disassociates existing clients and stops sending beacons and probe responses. This state is valid only in Standalone Mode.
To simulate the WAN failure we shut down the interface (CAT2 fa0/22). LWAP-4 loses its connection to WLC2.
The client loses its connection and LWAP-4 switches to Standalone mode.
If we no shut the interface
Central Authentication – Local Switching (valid only in Connected Mode)
In this state, for the given WLAN, the controller handles all client authentication, and the H REAP access point switches data packets locally. We change the SSID to Local Switching.
The port to which LWAP-4 is connected is still on VLAN 121. Now we see that the client receives an address from VLAN 121 and the traffic is locally switched.
Now let's create a new VLAN 21 on MO. The client must now receive an IP address from VLAN 21. In order to pass multiple VLANs we need to change the fa0/4 connection to a trunk.
Vlan Mappings
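The switch side of the trunk change described above, as an added example that is not from the original post. It assumes a Catalyst switch running IOS and that VLAN 121 stays the untagged native VLAN so LWAP-4's own traffic is unchanged; the VLAN name and port description are placeholders.

```cisco
! Added example; interface and VLAN numbers are taken from the text above.
! Assumption: VLAN 121 remains the native (untagged) VLAN for the AP itself.
vlan 21
 name MO-WLAN-CLIENTS
!
interface FastEthernet0/4
 description LWAP-4 (H-REAP)
 ! Only needed on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 121
 ! Carry only the VLANs the AP needs instead of the default "all"
 switchport trunk allowed vlan 21,121
 switchport mode trunk
!
! Verify from exec mode:
! show interfaces FastEthernet0/4 trunk
! show vlan brief
```

Restricting the allowed list keeps the other MO VLANs from being carried on the AP port.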
Authentication Down – Local Switching (valid only in Standalone Mode)
In this state, for the given WLAN, the H REAP rejects any new clients that try to authenticate, but it continues to send beacons and probe responses to keep existing clients properly connected. This is true only for clients that are configured for any EAP method. New WPA/WPA2 PSK clients can connect even though the WAN link or controller is down.
Local Authentication – Local Switching (valid in Connected & Standalone Mode)
In this state, the hybrid-REAP access point handles client authentication and switches client data packets locally. This state is valid in Standalone mode and Connected Mode. For 802.1x/WPA2 in Standalone Mode we need to configure H-REAP Groups.
ACS 5 located in HQ will handle the authentication requests. In case of WAN failure, Local Radius on H-REAP AP will take over. I have created 2 users, one in ACS (user: leap-acs) and one in AP Local Authentication (user: hreap).
Even though the AP is in Connected Mode, the authentication request is sourced from LWAP-4 and not from the WLC.
Let’s shut down the WAN link (CAT-2 fa0/22). Now the AP will use its local database for client authentication.
If we try to associate a client to LWAP-2 (HQ/local mode), we notice that the authentication request is sourced from WLC-4. So H-REAP Local Authentication on a WLAN affects only the H-REAP APs.