alessandro.chiorra@nbservice.it wrote:
Thanks Charlie for your quick reply and explanation.
When I read "design for 802.1x" in the UG, I was thinking (and hoping) that a RAP in persistent configuration, in the absence of the controller, performed local authentication acting as a RADIUS client.
A behavior similar to Cisco in FlexConnect configuration.
Please, do you confirm that the scenario described in my first post is the expected behavior?
If YES, the 802.1x client authenticated before the absence of controller will be authenticated until a timeout or until a roaming attempt, right?
Thanks and Best Regards!
Correct, RAP will not attempt local authentication in the absence of controller connectivity. For that type of environment, I would recommend APs running in Instant mode, with Instant-VPN back to the central controller for full local processing with the ability to terminate user traffic back to the controller when needed.
The behavior you're seeing (no new users authenticating when the controller is unreachable) is expected.
That said, yes, as long as the client does not roam, and a reauthentication timer is not hit for the active client, bridge mode clients with a persistent SSID should continue to function.