H-REAP Modes of Operation (Cisco Wireless LAN Controllers)

A lightweight AP can be in any of several operating modes. By default, the AP is in local mode; this is not to be confused with Local MAC, as discussed earlier. When in local mode, should the AP not be connected to a controller, the AP cannot service wireless clients. When the AP is in H-REAP mode, however, depending on the WLAN and AP configuration (explained in detail next), clients can still use the wireless network.

H-REAP APs have two operating modes:

■ Connected mode: While in connected mode, the AP is registered to the controller across the WAN. The controller handles LWAPP/CAPWAP control traffic, authentication, and associations, and the AP bridges the client traffic to the local network depending on the VLAN mappings and WLAN settings.

■ Standalone mode: In standalone mode, the connection to the controller is down for one reason or another and the AP is operating on its own. While in standalone mode, the AP continues to service any existing clients and can even allow new client authentications and associations depending on the security parameters of the WLAN.

An H-REAP AP in standalone mode supports Open, Shared, static Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA)-PSK, WPA2-PSK, 802.1X, Cisco Centralized Key Management (CCKM), and local EAP authentication methods. Local EAP, CCKM, and 802.1X authentication methods are discussed later, in the "H-REAP Enhancements" section.

After the AP in standalone mode re-establishes a connection with the controller, it disconnects all clients, applies any new configuration information from the controller, and then allows client connectivity once again.

Central Versus Local Switching

When client traffic is centrally switched, the client traffic is passed between the AP and the controller in the LWAPP/CAPWAP tunnel, and the controller bridges the traffic to and from the network. Figure 13-1 illustrates central switching. This is the same process that an AP uses in local mode.

Figure 13-1 Central Switching

Local switching means that the client traffic is bridged to the local network directly by the AP on the locally connected switch and does not pass through the controller. Figure 13-2 shows local switching traffic flow.

It is important to remember that if your clients will be using Dynamic Host Configuration Protocol (DHCP), the DHCP service needs to be provided locally for each VLAN.

Figure 13-3 illustrates a mixed deployment of central and locally switched WLANs on the same H-REAP AP at a remote office.

On WLAN 1, which is centrally switched, Client 1 traffic is tunneled to and from the controller and the controller bridges that traffic. With WLAN 2 configured with local switching, after Client 2 has passed authentication, traffic to and from the client is bridged by the AP to the local network.

Figure 13-2 Local Switching

Figure 13-3 Central and Local Switching Mixed Deployment

H-REAP States of Operation

Along with configuring either central or local switching for a WLAN, H-REAP allows you to configure central or local authentication. Local authentications are handled "locally" by the AP. (Details follow in the "Local Authentication Local Switching" section.) The combination of the AP operating mode, central or local switching, and central or local authentication determines the operating state of the AP. The different combinations result in five operating states for H-REAP APs. Each state is explained in detail in the following sections.

Central Authentication Central Switching

With central authentication and central switching, the controller is responsible for client authentications, associations, and bridging the client traffic to the network. Central authentication with central switching is valid only when the AP is in connected mode.

When the AP changes to standalone mode, all clients are disconnected from the WLAN and no new clients are allowed on that WLAN until LWAPP/CAPWAP communications with the controller are restored and the AP returns to connected mode.

Central Authentication Local Switching

With central authentication local switching, the controller is responsible for the client authentication and associations, but the AP directly bridges client traffic to the local network. Web authentication is a good example of this. The guest users are redirected to the web auth page on the controller, pass authentication, and then the AP bridges the traffic to the local VLAN.

Central authentication local switching is valid only when the AP is in connected mode. Should the AP switch to standalone mode, any existing clients will continue to function until the WLAN session times out or the key session expires.

Local Authentication Local Switching

Local authentication local switching means that the AP can handle authentication configured on the WLAN. An example would be open (no authentication) or preshared key, such as WPA1-PSK and WPA2-PSK. The AP directly bridges client traffic to the local network.

When the AP is in connected mode, the controller still handles the authentications and associations. When the AP switches to standalone mode, the responsibility of authentication and association is transferred to the AP. Local authentication local switching is valid only when the AP is in standalone mode.

Authentication Down Local Switching

In this state, the H-REAP refuses any new client connections but continues to send beacons and probes so existing clients continue to function. You have an authentication down situation when 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM is used on the WLAN, but no backup RADIUS servers are configured. This mode differs from central authentication local switching in that no new clients are allowed. After an existing client reaches the WLAN session timeout value, the AP will not allow that client to reauthenticate. When all existing clients have reached the WLAN session timeout and are disconnected, the AP transitions to the authentication down switching down state (discussed in the section that follows). Authentication down local switching is valid only in standalone mode.

Authentication Down Switching Down

With an authentication down switching down situation, the AP disconnects existing clients and stops sending beacons and probes. As mentioned earlier, the AP enters this state from authentication down local switching and when all clients have disconnected. This state is valid only in standalone mode.
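The five states above, as an added example that is not Cisco's code and not part of the original text: a small Python model that derives the H-REAP operating state from the AP mode, the WLAN's switching type, its authentication type, whether a backup RADIUS server (or local EAP) is configured, and whether clients are still associated. The state strings, the auth-type sets and the Result fields are my own naming, chosen to match the section headings.

```python
# Added example (not Cisco code): model of the five H-REAP operating states
# described above. Names of the state strings and the auth-type sets are my own.
from dataclasses import dataclass
from enum import Enum

class ApMode(Enum):
    CONNECTED = "connected"    # LWAPP/CAPWAP path to the controller is up
    STANDALONE = "standalone"  # controller unreachable, AP on its own

# Methods the AP can complete on its own (the standalone-supported list above)
LOCAL_AUTH = {"open", "shared", "static-wep", "wpa-psk", "wpa2-psk"}
# Methods that need a RADIUS server; in standalone only with a backup/local EAP
RADIUS_AUTH = {"802.1x", "wpa-802.1x", "wpa2-802.1x", "cckm"}

@dataclass(frozen=True)
class Wlan:
    auth: str                    # e.g. "wpa2-psk", "802.1x", "web-auth"
    local_switching: bool        # False = centrally switched via the tunnel
    backup_radius: bool = False  # backup RADIUS or local EAP on the AP

@dataclass(frozen=True)
class Result:
    state: str
    new_clients: bool       # new authentications/associations accepted
    existing_clients: bool  # already-associated clients keep working

def hreap_state(wlan: Wlan, mode: ApMode, existing_clients: int) -> Result:
    auth = wlan.auth.lower()
    if mode is ApMode.CONNECTED:
        # Controller handles auth/association; only the data path differs
        if wlan.local_switching:
            return Result("central-auth/local-switching", True, True)
        return Result("central-auth/central-switching", True, True)
    # Standalone: a centrally switched WLAN has no data path at all
    if not wlan.local_switching:
        return Result("central-auth/central-switching", False, False)
    if auth in LOCAL_AUTH or (auth in RADIUS_AUTH and wlan.backup_radius):
        return Result("local-auth/local-switching", True, True)
    if auth in RADIUS_AUTH:
        # No backup RADIUS: existing clients ride out their session timeout,
        # then the WLAN goes dark (beacons and probes stop)
        if existing_clients > 0:
            return Result("auth-down/local-switching", False, True)
        return Result("auth-down/switching-down", False, False)
    # Controller-dependent auth such as web auth: sessions persist until
    # timeout, but no new clients are admitted
    return Result("central-auth/local-switching", False, True)
```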

H-REAP Wireless Security Support

Security support on the H-REAP locally switched WLANs depends on whether the AP is in connected or standalone mode. Security types, such as AirFortress, that require control over the data path do not work with traffic on locally switched WLANs because the client traffic is not tunneled back to the controller. The controller cannot control traffic that is not tunneled back to it. Any other security type works on either centrally or locally switched WLANs, provided the path between the H-REAP AP and the controller is up.

Table 13-3 outlines WLAN security configurations supported depending on the mode of the AP. Keep in mind that this table lists the configurations supported but not whether the authentication feature actually works in these modes. Table 13-4 under "H-REAP Guidelines and Limitations" outlines which authentication features work in each H-REAP operating mode.
