WLC 2106 Only One user Authentication issue

Unanswered Question
Mar 5th, 2010

hi all,

I have a WLC 2106 and 1242AG.it's a hotspot configuration.

So in WLC, under controller tab, i have set my ap-manager ip, my management ip, my virtual ip ( and my hotspot network range ip.

I set also a DHCP range for the hotspot network.

In Wlans tab, i set my hotspot wlan, with no layer 2 securirty and for layer 3, i set none for layer 3 security and i use web policy authentication.

I use local authentication and i created under security menu, under AAA tab, 3 local net users.

From pc number 1, i get ip from dhcp, and i have authentication web page, authetication is ok and i can surf on web.

From pc number2, when user 1 from pc 1 is connected, i get ip from dhcp but i have not the authentication web page, i have not DNS resolution.

when i try https:, i have no answer.

And when user 1 is deauthenticated, the user 2 can surf on web.

So only one user can surf at the same time. not good for a Hotspot ...

Do you have a idea about this issue ...

thanks a lot.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dennischolmes Fri, 03/05/2010 - 04:41

Is the AP plugged into the 2106 or a switch?

If plugged into the AP you are seeing a routing issue as this is not really best practice. I would run the management and ap manager on port 1 and connect that port to a switch. This is called appliance mode. To do otherwise will give you cpu and memory problems.

Scott Fella Fri, 03/05/2010 - 06:11

Can you post your show run-config so we can see if you have an issue with the configuration?  I have the same setup at home with no issues at all.

netadmin2008 Fri, 03/05/2010 - 06:40

In fact,

i have 3 AP 1242AG , 1 WLC 2106, oand One Catalyst express 520.

I have configure on Catalyst 520 2 vlans ( administration and wifi hopspot)

Port 1/2/3 of catalyst are for AP with poe in vlan Administration, port 5 for WLC administration vlan.

Port 6/7/8 of catalyst are for WLC wifi hotspot network. 8 for WLC, 7 for DMZ interface of my internet firewall.

Port 1 of WLC is administration vlan for AP.

Port 3 of WLC is on Wifi hopspot vlan.

It's clear that I have miss something but i don't know what.

I try with radius server for authentication but it's the same thing.

I had configure the same configuration with AP1130 and the same WLC with radius server and OTP for another client and it's working fine...

I send you the running-config in few minutes ...

Scott Fella Fri, 03/05/2010 - 06:46

If it is an issue with your FW, what you can do is create another SSID and map that to you inside network. Setup the SSID for web-auth and see if both devices work fine.  You sure you have NAT configured for the Internet side?

netadmin2008 Mon, 03/08/2010 - 00:43


Yes i have nat on my external interface.
I have try with other wired clients network and all is ok for internet access.
I saw the address translation on firewall log.

I will try with an other SSID.

I made debug on WLC, and i didn't see aaa trafic from the second user. I saw only DHCP request.

I send the config.

Scott Fella Mon, 03/08/2010 - 06:05

Can you post your show run-config.... I think you posted the show running-config:)

Are you using one username password for each device or are you using different username and passwords.  Try to use one that works and verify under the WLC Security tab | User Login Policy, that you have that set to '0' for now.... '0' allows unlimited number of logins per username.

netadmin2008 Tue, 03/09/2010 - 03:35

hi all,

This morning i changed my catalyst 520 express by a catalyts 2960G. And "OH my god", it's working very well, with many user in same time ...

So I took my catalyst 520 express and I  put it in the trash ..  the right place for this kind of switch ...

Thanks a lot for all.

best regards

netadmin2008 Wed, 03/10/2010 - 02:35

hi all,

just for a more  precise answer.

In fact it's working with the catalyst express 520. Yes i know i am not friendly with this kind of switch ...

On my catalyst express 520, i have 2 vlans. One for the management of the AP, the other for the hotspot.

On the switch 520, the port on hotspot vlan where WLC 2106 is pluged, must be in role "OTHER", "ROUTER" or "ACCESS POINT" for smartport configuration.

If not only one user can connect to hotspot !!!!!! ??????

thanks for all...

vinodjad1234 Wed, 09/08/2010 - 23:23


How many local net users are created in AAA option ?

If you have created more than 1 .. please user another credentilas which you have created in WLC.

Please make sure you have specified time duration for surfing ............

dennischolmes Thu, 09/09/2010 - 03:41

It is a security problem with Cat 520 guys. I use the same switch here and access is controlled by use of smart port configurations. Unless you have the port configured to one of the multiuser roles you can not pass traffic back on the switch to more than one source address. Cat 520s are crap but they will work if you allow yourself the time to read the documentation on them.  Mine were part of a test and evaluation program we did for a school system years ago. They blow. I did find a way however to get to the cli on mine (yes they do have a cli) but I will have to look up the command for it from the web page to open up the web based dialogue box. Stay away from these things like the plague guys. They are a WLAN killer.

Vinay Sharma Sun, 09/25/2011 - 11:02


Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.


Vinay Sharma

Community Manager – Wireless


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode