Cisco Support Community

New Member

Anchored guest clients - web auth and roaming

Good morning!  We have an issue with a guest SSID that is anchored to a WLC in the DMZ.  We have this SSID configured for web-auth with passthrough - clients connect, click 'accept' on our splashpage which then permits internet access.  This process works great. 

Where we've run into an issue is with clients roaming.  It appears that the client roams to the next AP (controlled by the foreign WLC) and its session is maintained as expected on the WLC, however the client session is immediately purged from the anchor WLC.   The only way we've found to restore connectivity for these clients is to either manually remove the entry from the foreign WLC or configure the foreign WLAN idle timeout to the lowest possible value (15 seconds). 

The anchor WLC's WLAN idle timeout is set to 4 hours, which appears to have no bearing on maintaining the client session state once a roam event occurs on the foreign.

All WLCs are v.7.4.100

Any thoughts or suggestions are appreciated.  WLAN cfgs below - foreign first, then anchor.

Anthony

(MM-WiSM2-01) >show wlan 2

WLAN Identifier.................................. 2

Profile Name..................................... MissionHealthGuest-WLAN

Network Name (SSID).............................. MissionHealthGuest

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 277

Exclusionlist Timeout............................ 300 seconds

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ 15 seconds

--More-- or (q)uit

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... MM-WiSM2-01

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ patient-ig

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Bronze

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Disabled

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... 802.11g only

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Global Servers

   Accounting.................................... Global Servers

      Interim Update............................. Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

--More-- or (q)uit

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Enabled

        IPv4 ACL........................................ Unconfigured

        IPv6 ACL........................................ Unconfigured

        Email Input..................................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Enabled

   FlexConnect Local Switching................... Disabled

   flexconnect Central Dhcp Flag................. Disabled

--More-- or (q)uit

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Disabled

   Client MFP.................................... Optional but inactive (WPA2 not configured)

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Disabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

--More-- or (q)uit

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

2           172...(omitted )          Up

802.11u........................................ Disabled

MSAP Services.................................. Disabled

(DC-5508-Anchor-01) >show wlan 2

WLAN Identifier.................................. 2

Profile Name..................................... MissionHealthGuest-WLAN

Network Name (SSID).............................. MissionHealthGuest

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

   DHCP ......................................... Disabled

   HTTP ......................................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 492

Exclusionlist Timeout............................ 300 seconds

Session Timeout.................................. 86400 seconds

User Idle Timeout................................ 14400 seconds

--More-- or (q)uit

User Idle Threshold.............................. 0 Bytes

NAS-identifier................................... DC-5508-Anchor-01

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ patient-ig

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

mDNS Status...................................... Enabled

mDNS Profile Name................................ default-mdns-profile

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

PMIPv6 Mobility Type............................. none

Quality of Service............................... Bronze

Per-SSID Rate Limits............................. Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Per-Client Rate Limits........................... Upstream      Downstream

Average Data Rate................................   0             0

Average Realtime Data Rate.......................   0             0

--More-- or (q)uit

Burst Data Rate..................................   0             0

Burst Realtime Data Rate.........................   0             0

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Disabled

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... 802.11g only

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

   Authentication................................ Global Servers

   Accounting.................................... Global Servers

      Interim Update............................. Disabled

   Dynamic Interface............................. Disabled

   Dynamic Interface Priority.................... wlan

--More-- or (q)uit

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   WAPI.......................................... Disabled

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Enabled

        IPv4 ACL........................................ Unconfigured

        IPv6 ACL........................................ Unconfigured

        Email Input..................................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Enabled

   FlexConnect Local Switching................... Disabled

   flexconnect Central Dhcp Flag................. Disabled

--More-- or (q)uit

   flexconnect nat-pat Flag...................... Disabled

   flexconnect Dns Override Flag................. Disabled

   FlexConnect Vlan based Central Switching ..... Disabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Disabled

   Client MFP.................................... Optional but inactive (WPA2 not configured)

   PMF........................................... Disabled

   PMF Association Comeback Time................. 1

   PMF SA Query RetryTimeout..................... 200

   Tkip MIC Countermeasure Hold-down Timer....... 60

AVC Visibilty.................................... Disabled

AVC Profile Name................................. None

Flow Monitor Name................................ None

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Disabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

Assisted Roaming Prediction Optimization......... Disabled

802.11k Neighbor List............................ Disabled

802.11k Neighbor List Dual Band.................. Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

--More-- or (q)uit

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

2           172.....(omitted )          Up

802.11u........................................ Disabled

MSAP Services.................................. Disabled
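
A way to compare the two `show wlan 2` dumps above setting by setting, as an added example (not part of the original post and not Cisco tooling). The function names, the ignore list and the abridged sample text are assumptions made here; on the sample it reports User Idle Timeout as the one setting that differs between the foreign and the anchor.

```python
import re

# "Key........ value": key text, a run of two or more dots, then the value.
SETTING = re.compile(r"^(\s*)(.+?)\s*\.{2,}\s*(.*)$")
# Assumption: these legitimately differ between controllers.
EXPECTED_TO_DIFFER = {"NAS-identifier", "Number of Active Clients"}

def parse_show_wlan(text):
    """Parse `show wlan <id>` output into {key: [values in order seen]}."""
    settings, section = {}, None
    for line in text.splitlines():
        # Skip blanks, pager prompts and the "(hostname) >" prompt line.
        if not line.strip() or line.startswith(("--More--", "(")):
            continue
        m = SETTING.match(line)
        if not m:
            # Undotted, unindented lines ("Security") open a section.
            if not line[0].isspace():
                section = line.strip()
            continue
        indent, key, value = m.groups()
        if "  " in key:  # multi-column table row (Mobility Anchor List)
            continue
        if indent and section:
            key = f"{section}/{key}"  # qualify nested keys such as DHCP
        # Repeated keys (per-SSID vs per-client rates) keep every value.
        settings.setdefault(key, []).append(" ".join(value.split()))
    return settings

def drift(foreign, anchor, ignore=EXPECTED_TO_DIFFER):
    """Return {key: (foreign_values, anchor_values)} where the two differ."""
    keys = sorted((set(foreign) | set(anchor)) - set(ignore))
    return {k: (foreign.get(k), anchor.get(k))
            for k in keys if foreign.get(k) != anchor.get(k)}

# Sample input: abridged from the two dumps in the post above.
FOREIGN = """\
(MM-WiSM2-01) >show wlan 2
WLAN Identifier.................................. 2
Network Admission Control
   DHCP ......................................... Disabled
Number of Active Clients......................... 277
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 15 seconds
--More-- or (q)uit
NAS-identifier................................... MM-WiSM2-01
DHCP Server...................................... Default
Security
   Web-Passthrough............................... Enabled
   Auto Anchor................................... Enabled
"""
ANCHOR = (FOREIGN.replace("MM-WiSM2-01", "DC-5508-Anchor-01")
          .replace("277", "492").replace(" 15 seconds", " 14400 seconds"))

if __name__ == "__main__":
    for key, (f, a) in drift(parse_show_wlan(FOREIGN), parse_show_wlan(ANCHOR)).items():
        print(f"{key}: foreign={f} anchor={a}")
```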

8 REPLIES

Re: Anchored guest clients - web auth and roaming

All the WLC in the network need to be in the mobility list for roaming across WLC to work properly.

Steve

New Member

Anchored guest clients - web auth and roaming

Yep, we've definitely got that part configured correctly.  It's only when clients roam from the originating AP they auth'd against to another AP that the session is lost on the anchor.   In case I didn't mention it previously, the client never goes mobile from one WLC to another, rather the session is anchored from on-set. 

thanks!

Cisco Employee

Anchored guest clients - web auth and roaming

I have a customer reporting the same issues.  It is difficult to troubleshoot as they have two foreign and two anchor controllers.  I don't know what combination specifically is breaking it, but they also lose web-auth state when they roam.  Let me know if you get any more info.

New Member

Were you able to solve this

Were you able to solve this problem for your customer? We are having this same issue you explained here.

Cisco Employee

Unfortunately no.  The issue

Unfortunately no.  The issue "cooled off" and they are no longer working on it.  Not sure if it was resolved or just became less of a priority.

New Member

Anchored guest clients - web auth and roaming

Similar issue on my side. People with iPhones or iPads complain about having to re-auth (email input) multiple times during a day even if the session timeout is set to 4 or 8 hours.

Was the problem addressed or fixed?

Setup is similar: 2 main controllers and 1 anchor. Layer 3 security set to Web Policy, email input, web auth internal.

Hall of Fame Super Silver

Anchored guest clients - web auth and roaming

Session time-out is a hard timer... you need to adjust your idle time-out to 2-4 hours.  This is an issue with Apple devices more than any others.  When the screen goes blank, the device stops responding and the idle timer starts counting down.  Adjust this to give time for the users to grab lunch, etc... which 2-4 hours is typically what I set.

Thanks,

Scott

New Member

Anchored guest clients - web auth and roaming

Thanks for the prompt reply Scott.

Will the change take effect right away, or do I have to cycle off-on the SSID or reboot the controllers?

Claudio
