Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

4400 WLC Layer 3 Authentication Status for WLAN Clients

We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller.  The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage.  These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402.  On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest".  This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.

Functionally there is no issue.  Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser.  The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.

For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated.  In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients.  For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed.  The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.

Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed accross both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes".  We have proven over and over that this is not accurate.  This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers.  The WSC reports will show all 15 as Authenticated and they are not.  We have proven many times that the anchor WLC is the only controller accuratly conveying this info.

Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected.  They suggested it may be a code bug with the 4400 series WLC.  We are running controller Software Version on all 3 controllers.

Please let me know what you think may be causing this issue.  Any help or advice is greatly appreciated!

New Member

Re: 4400 WLC Layer 3 Authentication Status for WLAN Clients


We run version 7.0 on the WCS and WLCs but I thought I'd try the report and see what I got. The result is a line graph with the number of associated and authenticated clients superimposed. I'm not sure how useful a report of this nature is.

It doesn't inspire confidence: when I specifiy the guest wireless SSID I get zero clients! I know there have been guest clients authenticated during the report period I spec'd.