We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller. The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage. These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402. On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest". This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.
Functionally there is no issue. Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser. The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.
For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated. In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients. For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed. The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.
Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed accross both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes". We have proven over and over that this is not accurate. This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers. The WSC reports will show all 15 as Authenticated and they are not. We have proven many times that the anchor WLC is the only controller accuratly conveying this info.
Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected. They suggested it may be a code bug with the 4400 series WLC. We are running controller Software Version 188.8.131.52 on all 3 controllers.
Please let me know what you think may be causing this issue. Any help or advice is greatly appreciated!