Cisco Cisco MGX-FRSM-HS2 B Serial Frame Service Module Manual Técnica
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
These are the restrictions to remember while you use H−REAP.
Hybrid REAP is supported only on the 1130AG, 1140, 1240, 1250, 1260, AP801, AP 802, 1040, and
AP3550 APs and on the Cisco WiSM, Cisco 5500, 4400, 2100, 2500, Flex 7500 Series Controllers,
the Catalyst 3750G Integrated Wireless LAN Controller Switch, and the Controller Network Module
for Integrated Services Routers.
AP3550 APs and on the Cisco WiSM, Cisco 5500, 4400, 2100, 2500, Flex 7500 Series Controllers,
the Catalyst 3750G Integrated Wireless LAN Controller Switch, and the Controller Network Module
for Integrated Services Routers.
•
Any security type that requires control over the data path, such as VPN, does not work with traffic on
locally switched WLANs because the controller cannot exercise control over data that is not tunneled
back to it. Any other security type works on either centrally or locally switched WLANs, provided
that the path between the H−REAP and the controller is up. When this conduit is down, only a subset
of these security options allows new clients to connect to locally switched WLANs.
locally switched WLANs because the controller cannot exercise control over data that is not tunneled
back to it. Any other security type works on either centrally or locally switched WLANs, provided
that the path between the H−REAP and the controller is up. When this conduit is down, only a subset
of these security options allows new clients to connect to locally switched WLANs.
•
When a H−REAP access point enters standalone mode, WLANs that are configured for open, shared,
WPA−PSK, or WPA2−PSK authentication enter the "local authentication, local switching" state and
continue new client authentications.
WPA−PSK, or WPA2−PSK authentication enter the "local authentication, local switching" state and
continue new client authentications.
In controller software release 4.2 or later, this is also true for WLANs that are configured for 802.1X,
WPA−802.1X, WPA2−802.1X, or Cisco Centralized Key Management (CCKM). However, these
authentication types require that an external RADIUS server be configured. Other WLANs enter
either the "authentication down, switching down" state (if the WLAN was configured for central
switching) or the "authentication down, local switching" state (if the WLAN was configured for local
switching).
WPA−802.1X, WPA2−802.1X, or Cisco Centralized Key Management (CCKM). However, these
authentication types require that an external RADIUS server be configured. Other WLANs enter
either the "authentication down, switching down" state (if the WLAN was configured for central
switching) or the "authentication down, local switching" state (if the WLAN was configured for local
switching).
•
With H−REAP in Connected mode, the controller is free to impose client exclusion/blacklisting to
prevent some clients from associating with its APs. This function can occur either in automated or
manual fashion. In regard to global and per−WLAN configurations, clients can be excluded for a host
of reasons, which range from repeated failed authentication attempts to IP theft, as well as for any
given amount of time. Clients can also be entered into this exclusion list manually. The use of this
feature is only possible while the AP is in Connected mode. Clients that have been placed on this
exclusion list remain unable to connect to the AP, even while it is in Standalone mode
prevent some clients from associating with its APs. This function can occur either in automated or
manual fashion. In regard to global and per−WLAN configurations, clients can be excluded for a host
of reasons, which range from repeated failed authentication attempts to IP theft, as well as for any
given amount of time. Clients can also be entered into this exclusion list manually. The use of this
feature is only possible while the AP is in Connected mode. Clients that have been placed on this
exclusion list remain unable to connect to the AP, even while it is in Standalone mode
•
WLANs that use MAC Authentication (local or upstream) no longer allow additional client
authentications when the AP is in Standalone mode, which is identical to the way a similarly
configured WLAN with 802.1X or WebAuth operates in the same mode.
authentications when the AP is in Standalone mode, which is identical to the way a similarly
configured WLAN with 802.1X or WebAuth operates in the same mode.
•
WLC Versions 4.2.61.0 and later support fast secure roaming using CCKM. H−REAP mode supports
Layer 2 fast secure roaming using CCKM. This feature prevents the need for full RADIUS EAP
authentication as the client roams from one AP to another. In order to use CCKM fast roaming with
H−REAP access points, you need to configure H−REAP groups.
Layer 2 fast secure roaming using CCKM. This feature prevents the need for full RADIUS EAP
authentication as the client roams from one AP to another. In order to use CCKM fast roaming with
H−REAP access points, you need to configure H−REAP groups.
•
H−REAP Troubleshooting
There are a few common scenarios and situations that arise and prevent smooth H−REAP configuration and
client connectivity. These are just a few such situations with their suggested troubleshooting steps.
client connectivity. These are just a few such situations with their suggested troubleshooting steps.
H−REAP Does Not Join the WLC
These are the basic reasons for a H−REAP not to join the WLC:
H−REAP is unable to obtain an IP address to itself, or it has been assigned with an incorrect IP
•