Webauth with Flexconnect APs and locally switching WLAN
I have a customer who is running version 7.4 on a Cisco 5508 wireless LAN controller together with 1602 APs deployed across a number of sites. They have all the APs set up in Flex mode and are currently locally switching all their WLANs onto a local VLAN, which all works fine. They have recently requested to enable a guest WLAN with internal web authentication and allow the traffic to break out locally at the AP end with a separate ADSL internet connection.
With no authentication, users are able to get access to the internet, and when web authentication is enabled users do not get redirected for authentication. However, when you manually enter the address of the virtual interface (188.8.131.52) you get presented with the webauth splash page. I have tried a couple of combinations with no real luck:
Centralised DHCP and local DHCP server from the firewall
Enabling and disabling NAT-PAT
Does anyone have this working and are there any particular config or software versions required?
This should work perfectly fine on any 7.4 release your customer is running. I have this configured in my lab right now and it is working fine, on both 184.108.40.206 and 220.127.116.11. I'm pretty sure this has worked since 7.0 or possibly earlier.
The fact that you can "manually" redirect to the splash page indicates that the client is not able to perform a DNS query successfully. Without DNS, the client will never attempt to form a TCP session to a remote web server, thus the WLC has nothing to intercept and redirect the client.
Try connecting the client, and while they're in the WebAuth_REQD state, have the client open the CMD prompt and perform an nslookup and try to resolve some public URLs. If this doesn't work, which it probably won't based upon your description, to make your life easier, place a test client on the same "VLAN" as your guests should be getting, via a "WIRED" connection. Work on resolving DNS resolution that way, to make it less convoluted.
Once the client is successfully resolving DNS on the same VLAN the guests will be using, then try your wireless client to see if they redirect.
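The check sequence from the reply above (DNS first, then the HTTP session the controller has to intercept), written as a script to run on the test client. This is an added example, not part of the original thread. The function names are hypothetical, `192.0.2.1` is a constructed placeholder for the virtual interface address, and because the thread does not say how the redirect is delivered, both a `Location` header and the reply body are checked.

```python
import http.client
import socket
import sys

def resolve(host):
    """Return the first IPv4 address DNS gives for host, or None on failure."""
    try:
        return socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except OSError:
        return None

def fetch(ip, host, timeout=5):
    """One plain-HTTP GET, redirects not followed: (status, Location, body) or None."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location") or "", resp.read(4096).decode("latin-1")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def diagnose(host, portal_ip, resolve=resolve, fetch=fetch):
    """Classify where the redirect chain stops for a client in WebAuth_REQD."""
    ip = resolve(host)
    if ip is None:
        return "DNS_FAILED"       # no lookup answer, so no TCP session to intercept
    reply = fetch(ip, host)
    if reply is None:
        return "TCP_FAILED"       # DNS works, but the HTTP request got no answer
    status, location, body = reply
    if portal_ip in location or portal_ip in body:
        return "REDIRECTED"       # the reply points at the virtual interface
    return "NOT_INTERCEPTED"      # answered without any reference to the portal

if __name__ == "__main__":
    # Assumed usage: script.py <public hostname> <virtual interface IP>
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    portal = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.1"  # constructed placeholder
    print(host, "->", diagnose(host, portal))
```

`DNS_FAILED` is the condition the reply describes; run the same script from the wired test client on the guest VLAN first, then from the wireless client.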