Wireless Controller Redundancy with No Client Reauthentication Needed

July 12, 2013 - 7 Comments

Last fall, I blogged about No SSID Outage, or Access Point Stateful Switchover, introduced with the AireOS 7.3 release: if your wireless LAN Controller fails due to a hardware failure, thousands of Access Points fail over to the standby controller in under a second. This is possible because CAPWAP states, configuration changes, radio channel and power, roaming keys and Access Point licenses are continuously synchronized between the two Controllers. This means that even if the administrator changes the configuration or channel plans, or clients roam, and the primary controller then fails, the Access Points simply fail over statefully to the secondary. In this blog, I will share details on the upcoming enhancements to High Availability with the 7.5 release.

In the upcoming AireOS 7.5 release, we take High Availability to the next level with two critical enhancements.

1. Today, after Access Points fail over from the primary to the standby controller, each client tries to re-authenticate, and the standby controller then checks its CCKM database to see whether the client has already authenticated. At a rate of several tens of authentications per second, it can take anywhere from zero to a few hundred seconds for the tens of thousands of clients connected to a controller to re-authenticate. Client stateful switchover essentially eliminates this downtime with sub-second failover. Thus the total downtime experienced by a user on a voice call or Citrix session is the 2-3 seconds that the application requires to reconnect.


2. In the AireOS 7.3 release, the two controller appliances need to be co-located and connected with an Ethernet cable. While this is adequate for the majority of deployments, some customers prefer to keep the standby controller in another datacenter or another building within the same campus environment. The AireOS 7.5 release allows you to deploy the standby controller in a separate, L2-adjacent environment from the primary controller, so that they share the management IP address.


For more information about High Availability, here’s a short animated video:

You can also reference the deployment guide and the FAQ:







  1. Thanks for the info Jeevan.

  2. Is L3-adjacent likely to be possible in a future release?

    • Hi Scott,

      One of the design principles is that the AP does not even know that the primary controller has gone down and automatically fails over to the standby controller. Thus we do not have a plan to support L3 adjacent in the near future. A lot more explanation in the deployment guide that we will post shortly.

      Best Regards,

  3. Will this option be available in all WLC models that can support 7.5?

    • Client SSO will be supported on 5508, WiSM2, 8500 and Flex-7500 – the same set of controllers that support AP SSO today.

  4. Sounds great! Hope many of the caveats from 7.4 have been solved.

    • Yes, any caveats from 7.3 and 7.4 associated with High Availability have been addressed in this release. In addition, a patch release based on 7.4 will be released in the next few weeks.