Exam 300-430 topic 1 question 245 discussion

In a Cisco FlexConnect deployment, when a local authenticated AP is configured with a guest LAN, the WLAN authentication method must be set to central authentication to ensure that guest users can authenticate properly. FlexConnect APs can operate in two modes: Central Switching: All traffic is tunneled back to the Wireless LAN Controller (WLC) for processing. Local Switching: Traffic is forwarded locally at the AP, but authentication is still handled centrally by the WLC. For guest access, central authentication is typically required because: Guest authentication often relies on the WLC to handle AAA (Authentication, Authorization, and Accounting) services. Local authentication on the AP may not support the required guest authentication mechanisms (e.g., web authentication, RADIUS, etc.).

When FlexConnect access points are connected to the controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone mode need to have their own backup RADIUS server to authenticate clients.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_0110000.pdf --> B