We are a Cisco shop using WiSM2 controllers (7.6.130.0) and a variety of AP models from 1131s up to 2702s. We are very interested in using FlexConnect to drop our users into an appropriate VLAN in the building that they are in. This solves several problems for us including huge IP subnets for wireless users and allowing wireless users easy access to assets on their local building subnet (e.g., AppleTV, Chromecast, printers) - basically making a building look like home to them.

All of our users use a WPA2 Enterprise SSID. And, we can easily make RADIUS (FreeRADIUS right now) return an appropriate VLAN upon authentication based on their status (faculty/staff, student, or special case) and their location (the AP name contains a building abbreviation as its first part that is easily parsed).

We are not worried about roaming. Our students are used to re-associating and re-authenticating when they roam around town or through various apartment complexes. We have had roaming disabled for about 6 months now without a single complaint. We do not have any WiFi phones now nor does our campus design really consider this right now (a shortcoming for our next big project, I'm sure).

We would like for normal faculty/staff and student traffic to be dropped in the appropriate VLAN (i.e., locally switched) while special cases which return a VLAN from RADIUS that is not local to their building need to be centrally switched.

Initial testing has had mixed results. Switching a machine from one UserID to another (and thus getting differing VLANs) seems to confuse the controllers. They seem to think the MAC, and thus the user, has already been authenticated and the controller wants to keep the same IP address/net mask/gateway/VLAN as was originally assigned. This makes things easy & quicker for the controller but leaves the user in a state where his device is inoperable. This doesn't bother me too much. But, the same thing happens when a user moves to an adjacent building (if the APs are on the same controller) where the originally assigned address info is not appropriate any longer and the controller really needs to re-authenticate the user to get new address info.

We have looked extensively for documentation on FlexConnect in a campus environment rather than the intended remote office environment but without any luck so far. Our local Cisco tech has been very helpful, but we still haven't gotten past all the hurdles.

Current environment size is slightly over 200 buildings with just under 5,000 APs and just over 33,000 concurrent users at peak times.

Is anyone out there using FlexConnect in a similar manner? Do you have any decent documentation that you can point me to? Or, do you have any advice to offer ("don't even try to do this" is an acceptable response)?

Thanks.

-jcw

John Watters
The University of Alabama
Office of Information Technology
205-348-3992

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
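
The VLAN selection described in the message above, sketched as an added example that is not part of the original post and not the poster's RADIUS configuration. The AP name format (`<BUILDING>-<rest>`), the building abbreviations, role names, user name and VLAN IDs are all constructed assumptions; the reply attributes are the standard RFC 3580 VLAN assignment attributes.

```python
import re

# Constructed sample policy data (placeholders, not values from the post).
BUILDING_VLANS = {
    "GOR": {"facstaff": 110, "student": 120},
    "LIB": {"facstaff": 210, "student": 220},
}
# Special-case users get a fixed VLAN that is not local to any building.
SPECIAL_CASE_VLANS = {"labuser": 900}

# Assumed AP naming convention: building abbreviation, a hyphen, then the rest.
AP_NAME = re.compile(r"^([A-Za-z0-9]+)-")


def building_of(ap_name):
    """Extract the building abbreviation from an AP name, or None."""
    m = AP_NAME.match(ap_name or "")
    return m.group(1).upper() if m else None


def select_vlan(user, role, ap_name):
    """Return (vlan_id, expected_switching), or None to reject the request.

    expected_switching records the placement the post asks for: 'local' when
    the VLAN belongs to the AP's building, 'central' otherwise.
    """
    local = BUILDING_VLANS.get(building_of(ap_name))
    if local is None:
        return None  # unknown building: fail closed instead of guessing a VLAN
    if user in SPECIAL_CASE_VLANS:
        vlan = SPECIAL_CASE_VLANS[user]
    else:
        vlan = local.get(role)
        if vlan is None:
            return None  # unknown role: no default VLAN
    switching = "local" if vlan in local.values() else "central"
    return vlan, switching


def reply_attributes(vlan):
    """RFC 3580 attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }
```

Because the result depends on the AP as well as the user, the same credentials yield a different VLAN in each building, which is why a cached address assignment from the previous building no longer fits.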