This seems to have happened after upgrading to v7: I've a test guest SSID that my test client PC cannot connect to as it seems to immediately try to associate with the corporate secure SSID. The foreign controller debug showed a line that said something to the effect of "deleting client as SSID has changed" (I was not able to capture this unfortunately and I have not spotted it again), and it then goes on to produce debug outputs as it tries to connect to the corporte SSID. The anchor controller for the guest SSID does not seem to have the traffic passed to it.
The debug client output will allow you to see if the client is obtaining an IP address as expected, and whether or not the Guest traffic is being tunneled properly to the anchor. If you're finding that the test client continually connects to your corporate WLAN, I would recommend removing all profiles but the Guest WLAN to ensure you're not fighting a supplicant issue.
I've attached the debug output from the Foreign WLC, I cannot get any output from the Anchor as the traffic isn't getting passed on. Other SSIDs from the same Foreign using the same Anchor work ok, so I'm starting to suspect that something has gone awry with the config of the SSID on the Foreign WLC, but I cannot see anything wrong; would you recommend deleting it and starting again?
Thanks for attaching the debug. So, it looks like this client is connecting to your corporate network (since we see a lot of EAP exchanges). Can I have you test with another client that is not configured for the corporate WLAN? Please be sure to run the debugs on both the anchor and foreign WLCs simutaniously. It is also important to note that the configuration for the anchored WLAN must be identical on both. If there is a slight difference, anchoring will fail.
Another client worked with no issues. Turns out it was the first client that was at fault, it needed a patch to allow it to connect using WPA2. Apparently it's only required if SP3 (XP) has not been installed:
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...
This is the start of a display filter cross reference between Wireshark and OmniPeek.
The 1st installment is a table of advanced filters. More filters will be added as time allows.
It is a living doc, so check back for changes every so often
Please feel ...
I have created a Powershell script to automatically add a Wireless Guest User on Cisco WLCs. (tested on 2500 Series)
The script should be completely self explanatory.
Powershell SNMP Module (Install-Module -Name SNMP)
SNMP Write Access to...