The main purpose of this document is to discuss posture and the integration of ISE NAC with the WLC. On the WLC there are several EAP timers that can be tuned to help with client authentication:

- EAP-Identity-Request Timeout
- EAP-Identity-Request Max Retries
- EAP-Request Timeout (seconds)
- EAP-Request Max Retries
- EAPOL-Key Timeout
- EAPOL-Key Max Retries

Before changing these values, it is important to understand what each one does and how changing it will affect the network.

EAP-Identity-Request Timeout: this timer controls how long the WLC waits for an EAP-Response/Identity before it resends the EAP-Request/Identity, i.e. the interval between successive EAP Identity Requests.
Flex Connect is a wireless solution for branch office and remote office deployments.
Prior to WLC Release 7.2, Flex Connect was referred to as Hybrid REAP (H-REAP). The Flex Connect feature enables customers to configure and control access points across a wide area network (WAN) link without deploying a controller in each branch office.
With this timer at its maximum value, a client that roams while an Identity Request is outstanding, so that its Response never reaches the WLC, is left with an outage of at least two minutes before the WLC tries again. There is currently no reason to set this timer to its maximum value.
EAP-Identity-Request Max Retries: so, what does the max retries value do?
Devices such as laptops usually do not require these values to be changed. So, what happens with this attribute set to a value of 30?
When the client first connects, it sends an EAPOL-Start to the network; the WLC then sends down an EAP-Request/Identity packet asking for the user's or machine's identity.
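The exchange above, together with the Identity Request timeout and max retries discussed earlier, is easier to reason about as a small model. The block below is an added example written for this page; it is not Cisco or WLC code, and the timer values it is run with (30 s, 2 retries, 120 s) are illustrative inputs, not the controller's defaults. It simulates the WLC side of the identity phase: send EAP-Request/Identity, wait the configured timeout for the Response/Identity, resend up to the retry limit, then give up. The `client_answers_at` parameter is a simulation knob for when (or whether) the client's reply arrives, which is how the roaming case (reply lost) is expressed.

```python
"""Simplified model of the WLC EAP-Identity-Request timeout/retry loop.

Added illustration only, not Cisco code. All timer values are inputs
chosen for the example, not the WLC's shipped defaults.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IdentityRequestPolicy:
    # EAP-Identity-Request Timeout: seconds the WLC waits for an
    # EAP-Response/Identity before it resends the request.
    timeout_s: int
    # EAP-Identity-Request Max Retries: how many times the first request
    # may be resent before the WLC stops trying.
    max_retries: int


@dataclass
class Outcome:
    result: str                      # "identity-received" or "gave-up"
    requests_sent: int               # EAP-Request/Identity frames sent
    elapsed_s: int                   # simulated seconds after EAPOL-Start
    events: List[Tuple[int, str]] = field(default_factory=list)


def run_identity_phase(policy: IdentityRequestPolicy,
                       client_answers_at: Optional[int]) -> Outcome:
    """Simulate the identity phase from the WLC's point of view.

    client_answers_at: simulated time (seconds after the EAPOL-Start) at
    which the client's EAP-Response/Identity reaches the WLC, or None if it
    never arrives (e.g. the client roamed away and the reply was lost).
    """
    events: List[Tuple[int, str]] = [(0, "client -> WLC: EAPOL-Start")]
    now = 0
    sent = 0
    attempts = 1 + policy.max_retries      # initial request plus retries
    while sent < attempts:
        sent += 1
        events.append((now, f"WLC -> client: EAP-Request/Identity (attempt {sent})"))
        deadline = now + policy.timeout_s
        # The reply is accepted if it lands before this attempt's timer expires.
        if client_answers_at is not None and client_answers_at <= deadline:
            events.append((client_answers_at, "client -> WLC: EAP-Response/Identity"))
            return Outcome("identity-received", sent, client_answers_at, events)
        now = deadline
        events.append((now, f"identity-request timer expired ({policy.timeout_s}s), no Response/Identity"))
    events.append((now, "max retries reached, WLC stops requesting the identity"))
    return Outcome("gave-up", sent, now, events)


def time_lost_to_one_missed_response(policy: IdentityRequestPolicy) -> int:
    """Seconds a client waits after a single lost Response/Identity before
    the WLC resends: exactly one timeout interval. This is the 'two minute
    outage' of a 120 s timeout."""
    return policy.timeout_s


def worst_case_identity_phase_s(policy: IdentityRequestPolicy) -> int:
    """Seconds a silent client occupies the identity phase before the WLC
    gives up: (1 + max_retries) timeout intervals."""
    return (1 + policy.max_retries) * policy.timeout_s


if __name__ == "__main__":
    moderate = IdentityRequestPolicy(timeout_s=30, max_retries=2)
    maxed = IdentityRequestPolicy(timeout_s=120, max_retries=2)
    for label, policy in (("30s/2 retries", moderate), ("120s/2 retries", maxed)):
        roamed = run_identity_phase(policy, client_answers_at=None)
        print(f"{label}: one missed reply costs {time_lost_to_one_missed_response(policy)}s, "
              f"silent client held for {worst_case_identity_phase_s(policy)}s "
              f"over {roamed.requests_sent} requests")
    for t, ev in run_identity_phase(moderate, client_answers_at=40).events:
        print(f"t={t:>3}s  {ev}")
```

The model makes the trade-off concrete: a long timeout does not make a well-behaved client authenticate faster (it answers within the first interval either way), but every lost reply costs a full timeout interval, and a silent client holds the identity phase open for `(1 + max_retries) * timeout` seconds. Raising both values at once, as the "value of 30" question above hints, multiplies those two effects.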
In connected mode, the Flex Connect access point can also perform local authentication.
Flex Connect is supported on the Cisco Aironet 1130AG, 1140, 1240, 1250, 1260, AP801, AP802, AP3550 and Cisco Aironet 600 Series OfficeExtend access points, on the Cisco WiSM, Cisco 5500, 4400, 2100, 2500 and Flex 7500 Series Controllers, on the Catalyst 3750G Integrated Wireless LAN Controller Switch, and on the Controller Network Module for Integrated Services Routers.
If the authentication server presents a self-signed certificate (or any certificate issued by a CA the client does not trust), most supplicants that validate the server certificate will reject the connection, because they cannot verify the server's identity and so cannot distinguish it from a rogue server.