Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

wireless -web-auth problems

Hi,

We have a setup where by we have internal WLC (cisco 5508) and a Guest WLC (cisco 4402) in the DMZ. The Gues SSID in internal wlc is anchrorded back to Guest WLC in DMZ (the guest dmz also serves as dhcp). We seem to have problems with this recently with users complaining that they get limited access or not able to get the redirection page (web page certificates - redirection to 1.1.1.1)

Does any one know if the cisco 5508 controllers / cisco 4400 running dhcp have any problems with this ?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

wireless -web-auth problems

The config shows it is anchored to itself.... I'm assuming that 50.250 is the 4400 and 60.250 is the 5508?

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

4           192.168.50.250        Up

4           192.168.60.250        Up

How big is the dhcp scope?  since this is guest, you try to lower the lease to like 4 hours or 8 hours?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
19 REPLIES
Bronze

Re:wireless -web-auth problems

Hi,

When this problem occurs, you check the DNS server that serves the guest network to see if it's down. Also you need to clarify that it's not corporate users not reporting the problem as the home page would default to your corporate page, and it's only when u open an external website that the web authentication page will show up.

Are u using the internal web authentication page or an external web server?



Sent from Cisco Technical Support Android App

Hall of Fame Super Silver

Re: wireless -web-auth problems

Just to add... Also look to see if your mobility happens to go down. If it does, then the anchoring breaks and the guest will be placed in the interface that you have specified on the internal WLC for the guest SSID

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

wireless -web-auth problems

we are using internal web authentication. the DNS server is google's ip. the users are trying to use an external website and not internal one.

regarding the mobility breaking, its a good point but dont think it goes down that often as users seems to get error quite often and i cant see there are that many mobility breaks in the logs - it does happen but occationally

any other thoughts ? i read about this eap bcast-key-interval seconds - at the moment its set to 3600 sec - will this help if i  increase this ?

Thanks

Hall of Fame Super Silver

Re: wireless -web-auth problems

Can you post your show WLAN in both WLC's.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

attached. also does increasing user time out help ?

Hall of Fame Super Silver

Re: wireless -web-auth problems

I don't think it would... first off, the inside or foreign wlc should only anchor to the guest anchor wlc and the guest wlc should anchor to itself... Looks like the 5508 also is anchored to itself.  I would also disable dhcp required for now and see if that helps. 

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

wireless -web-auth problems

With webauth, the client has to get an ip address prior to even getting a splash page.  if the client device gets an ip address but doesn't get the splash page, then its a dns issue.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

Thanks scott, i had a look at the can confirm that the insidewlc is anchroed to guest wlc and guest wlc is anchored to itself (local)

I have tried disabling dhcp required and no joy

Hall of Fame Super Silver

wireless -web-auth problems

The config shows it is anchored to itself.... I'm assuming that 50.250 is the 4400 and 60.250 is the 5508?

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

4           192.168.50.250        Up

4           192.168.60.250        Up

How big is the dhcp scope?  since this is guest, you try to lower the lease to like 4 hours or 8 hours?

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

thats a different controller Scott. The internal controller ip is different from 60.250. i have increased the dhcp scope to 4 hours already

Hall of Fame Super Silver

wireless -web-auth problems

Okay, so what is 60.250?  Why are you anchoring to that?  If this is a redundant guest anchor setup, then make sure the dhcp scopes on the two wlc are split and not overlapping.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

That is for officeextend controller which is another wlc apart from the two in question.

We hve only 1 dhcp scope which is on 50.250

What i have noticed is that if conect to it and then disconnect and immideatly connect to it then i get limited access. but if i leave it for 60 sec or more then try connecting to it, it seems to connect sometimes (i have a client exclusion timer of 60 sec so not sure if this is causing this ?)

I also noticed that the time is bit different (internal controller is running an hour and few mins slower than dmz controller) - will this cause a problem ?

HAve you come across this unexpected behavior ?

Thanks

Hall of Fame Super Silver

wireless -web-auth problems

Well if your connecting to another ssid and then trying to connect to the guest ssid or vice versa, you need to enable fast ssid change or else you have to wait 60 seconds.  The time should be set properly no matter what..... ntp should be used if possible.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

i have set it to ntp and the ntp server is running the correct time and serves to all our devies but just the internal wlc alone does not seem to pick up summer time (the time is correct but running an hour behind though it gets time from ntp server) - do i have to enable summer time from some where ?

Fast ssid was enabled on internal wlc and have enabled it now on dmz wlc

Thanks

Hall of Fame Super Silver

Re: wireless -web-auth problems

Fast SSID change is in the GUI under the controller tab.

Your time should be set the same especially if they are located in the same timeline. It's really for the APs but it good practice.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: wireless -web-auth problems

scott, i have done a debug and tried connecting to the ssid. What i found was whenever it connected, i could see debug mesgs on both controllers but when it didnt connect or limited connectivity then i could see only debug msgs on internal wlc which tells me that the dmz wlc is not receving any sort of infro from internal wlc. I ahve checked mobility tunnel and they seem to be UP. anything you can think of ?

New Member

Re: wireless -web-auth problems

Hi Scott,

i found what the problem is. i did a debug on internal and dmz controller. I found that when a client doesnt conenct to a ssid then on running the debug for some reason the client seems to connect officeextend controller and i can see debugs on that (did a debug client on 3 controllers). the officeextend controller does not have any dhcp running and hence the reason why its not getting an ip. do you think there could be a problem with the mobility anchor?

attached debug logs

Thanks

New Member

Re: wireless -web-auth problems

scott,

you are correct with the mobility anchor. it was an incorrect entry on the mobility anchor that was causing the issue and there was also another issue with the termination of the interface under AP groups. (incorrect interface set)

once i correct the above, its fine now. Thanks for your help

Hall of Fame Super Silver

wireless -web-auth problems

Glad you got it working!

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
465
Views
0
Helpful
19
Replies