TAC case logged for this problem a few days ago, TAC engineers still unable to find solution
A number of Guest users are unable to login to the ISE guest Portal page, some days a particular Guest can login other days the same Guest cannot. This varies day to day. When the Guest is unable to login, I simply remove their mac address on the Foreign and Anchor WLC's. Then straight after, they can login successfully.
Guest connects to the Guest SSID, obtain a DHCP, enter a website in the browser like google.com, Guest is redirected to ISE guest portal login page, Guest tries to login with their credentials. Rather than showing an error in the browser, the username/password icons return blank after clicking login. After I remove the Guest mac address from Foreign & Anchor WLC, user enters credentials again in their browser and success! user logs in fine.
Attached is an example where a4:17:31:4f:4a:82 is an affected Guest.
Attached output includes debug client a4:17:31:4f:4a:82 and debug aaa all enable.
I should say also ISE troubleshoot logs normally show either 8009 or 86010 user authentication failed for the particular Guest, after deleting the mac address on WLC's, guets login in ok, live authenctiation log turns green for user. ISE logs look clean though I did see a ISE latency Radius message a few days ago but hasn't repeated.
TAC have been working on my case since mid November. Finally I solved on a temporary basis a week ago.
I increased the Radius Authentication from 2 seconds to 10 seconds on all my WLC's for ISE Radius, after this there were no more user complaints. If anyone is interested, please note the below.....from the TAC engineer.
Thank you a lot for the update! Really, great finding.
Yes, sure: the latency bug is CSCuj47338 - Radius response delays seen on ISE with large Internal User store.
I have news on the fix: it potentially will go to the patch 7 for the
1.2.0 (at the end of February or March) and it should be fixed in 1.2.1 as well. Just to reiterate - for 1.3 there is no need to worry - the fix should be there.
There is nothing more we can do on this one, but just to wait.
IntroductionHow to use the Wireless LAN Controller Configuration Analyzer (WLCCA)
Javier Contreras is a Senior Tech Lead for the Wireless Business Unit in Cisco, with over 2 decades of experi...
< PRE >
(#)For this reason being that : - application that doesn't use multicast, sends one copy of each packet ( data unit of traffic at layer 3 ) to each client (" who seeks the traffic ).- application that does use multicast, sends ...
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...