13-4
Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 13 Configuring Hybrid REAP
Wireless Device Access
Overview of Hybrid REAP
WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these
authentication types require that an external RADIUS server be configured. Other WLANs enter either
the “authentication down, switching down” state (if the WLAN was configured for central switching) or
the “authentication down, local switching” state (if the WLAN was configured for local switching).
When hybrid-REAP access points are connected to the controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, in order to support 802.1X EAP authentication, hybrid-REAP access points in standalone mode need to have their own backup RADIUS server to authenticate clients. This backup RADIUS server may or may not be the one used by the controller. You can configure a backup RADIUS server for individual hybrid-REAP access points in standalone mode by using the controller CLI, or for groups of hybrid-REAP access points in standalone mode by using either the GUI or the CLI. A backup server configured for an individual access point overrides the backup RADIUS server configuration for a hybrid-REAP group.
When a hybrid-REAP access point enters standalone mode, it disassociates all clients that are on
centrally switched WLANs. For web-authentication WLANs, existing clients are not disassociated, but
the hybrid-REAP access point stops sending beacons when the number of associated clients reaches zero
(0). It also sends disassociation messages to new clients associating to web-authentication WLANs.
Controller-dependent activities such as network access control (NAC) and web authentication (guest
access) are disabled, and the access point does not send any intrusion detection system (IDS) reports to
the controller. Furthermore, most radio resource management (RRM) features (such as neighbor
discovery; noise, interference, load, and coverage measurements; use of the neighbor list; and rogue
containment and detection) are disabled. However, a hybrid-REAP access point supports dynamic
frequency selection in standalone mode.
Note
If your controller is configured for NAC, clients can associate only when the access point is in connected
mode. When NAC is enabled, you need to create an unhealthy (or quarantined) VLAN so that the data
traffic of any client that is assigned to this VLAN passes through the controller, even if the WLAN is
configured for local switching. After a client is assigned to a quarantined VLAN, all of its data packets
are centrally switched. See the “Configuring Dynamic Interfaces” section on page 3-16 for information on creating quarantined VLANs and the “Configuring NAC Out-of-Band Integration” section for information on configuring NAC out-of-band support.
The hybrid-REAP access point maintains client connectivity even after entering standalone mode.
However, once the access point re-establishes a connection with the controller, it disassociates all clients,
applies new configuration information from the controller, and reallows client connectivity.
Hybrid REAP Guidelines
Keep these guidelines in mind when using hybrid REAP:
• A hybrid-REAP access point can be deployed with either a static IP address or a DHCP address. In the case of DHCP, a DHCP server must be available locally and must be able to provide the IP address for the access point at bootup.
• Hybrid REAP supports up to four fragmented packets or a minimum 500-byte maximum transmission unit (MTU) WAN link.
• Roundtrip latency must not exceed 300 milliseconds (ms) between the access point and the controller, and CAPWAP control packets must be prioritized over all other traffic.