Which two statements about AP Local Authentication by FlexConnect AP in standalone mode are true? (Choose two)

Which two statements about AP Local Authentication by FlexConnect AP in standalone mode are true? (Choose two)

A. From AireOS release 8.0, Cisco Extended Keying Groups (CEKG) is a supported Local Authentication Protocol when deploying FlexConnect.

B. Only LEAP, EAP-FAST, PEAP, and EAP-TLS authentications are supported.

C. Cisco Wireless LAN Controller must generate a certificate signing request by itself for submitting to a certificate authority for signing.

D. Only the vendor Certificate Authority (CA) certificate has to be downloaded to the Cisco Wireless LAN Controller for EAP-TLS authentication.

E. When using EAP-TLS, a FlexConnect Group must be created so that the Cisco Wireless LAN Controller can push the certificates to the FlexConnect AP in the FlexConnect Group.

View Answer

Answer: BE

Explanation:

From:

When a FlexConnect access pointenters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue new client authentications. In controller software release 4.2 or later releases, this configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a FlexConnectaccesspointto support 802.1X in a standalone mode or with local authentication.

To organize and manage your FlexConnect access points, you can create FlexConnect Groups and assign specific access points to them.

All of the FlexConnect access points in a group share the same backup RADIUS server, CCKM, and local authentication configuration information. This feature is helpful if you have multiple FlexConnect access points in a remote office or on the floor of a building and you want to configure them all at once. For example, you can configure a backup RADIUS server for a FlexConnect rather than having to configure the same server on each access point.

With EAP-TLS, AP does not recognize and accept client certificate if the client root CA is different from the AP root CA. When you use Enterprise public key infrastructures (PKI), you must download a Vendor Device Certificate and Vendor CA Certificate to the controller so that the controller can push the certificates to the AP in the FlexConnect group. Without a common client and AP root CA, EAP-TLS fails on the local AP. The AP cannot check an external CA and relies on its own CA chain for client certificate validation.

The space on the AP for the local certificate and the CA certificate is around 7 Kb, which means that only short chains are adapted. Longer chains or multiple chains are not supported.

You can configure LEAP, EAP-FAST, PEAP, or EAP-TLS authentication only if AP local authentication is enabled.