We are a Cisco shop using WiSM2 controllers (7.6.130.0) and a variety of AP
models from 1131s up to 2702s. We are very interested in using FlexConnect to
drop our users into an appropriate VLAN in the building that they are in. This
solves several problems for us including huge IP subnets for wireless users and
allowing wireless users easy access to assets on their local building subnet
(e.g., AppleTV, ChromeCast, printers) - basically making a building look like
home to them.

All of our users use a WPA2 Enterprise SSID. And, we can easily make RADIUS
(FreeRADIUS right now) return an appropriate VLAN upon authentication based on
their status (faculty/staff, student, or special case) and their location (the
AP name contains a building abbreviation as its first part that is easily
parsed). We are not worried about roaming. Our students are used to
re-associating and re-authenticating when they roam around town or through
various apartment complexes. We have had roaming disabled for about 6 months
now without a single complaint. We do not have any WiFi phones now nor does our
campus design really consider this right now (a shortcoming for our next big
project, I'm sure). We would like for normal faculty/staff and student traffic
to be dropped in the appropriate VLAN (i.e., locally switched) while special
cases which return a VLAN from RADIUS that is not local to their building need
to be centrally switched. Initial testing has had mixed results. Switching a
machine from one UserID to another (and thus getting differing VLANs) seems to
confuse the controllers. They seem to think the MAC, and thus the user, has
already been authenticated and the controller wants to keep the same IP
address/net mask/gateway/VLAN as was originally assigned. This makes things
easy & quicker for the controller but leaves the user in a state where his
device is inoperable. This doesn't bother me too much. But, the same thing
happens when a user moves to an adjacent building (if the APs are on the same
controller) where the originally assigned address info is not appropriate any
longer and the controller really needs to re-authenticate the user to get new
address info.

We have looked extensively for documentation on FlexConnect in a campus
environment rather than the intended remote office environment but without any
luck so far. Our local Cisco tech has been very helpful, but we still haven't
gotten past all the hurdles.

Current environment size is slightly over 200 buildings with just under 5,000
APs and just over 33,000 concurrent users at peak times.

Is anyone out there using FlexConnect in a similar manner? Do you have any
decent documentation that you can point me to? Or, do you have any advice to
offer ("don't even try to do this" is an acceptable response)?

Thanks.
-jcw
John Watters The University of Alabama
Office of Information Technology
205-348-3992
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.