I'm having some issues with Web-Passthrough. I'm using two 4404-50 controllers. Clients get IP addresses well. I'm using the controllers' internal DHCP servers. The controllers can reach public DNS IP addresses (from the management and guest VLANs). The issue is that only very few clients are able to get the Web-Passthrough page displayed; the rest of the clients never get the page.
The controllers also work as anchor controllers for two more foreign controllers.
So are these two guest anchors? The best way, if you have two anchor WLCs, is to test one at a time. Only use one anchor and verify that with open authentication your internal WLC forwards the traffic to the guest DMZ. If that works, then test with only the other anchor WLC. The issue you might be having is a configuration mismatch on either the foreign or anchor WLC. The key is to make sure mobility is up and that the guest SSID matches exactly the same except for the interface. The other important thing is to make sure the guest SSID on the foreign is anchored to the guest WLC and the guest anchor guest SSID is anchored to itself. Verify the switchport config on the DMZ switch also.
Thank you Scott, the thing is that the APs are associated to the anchor controllers. The anchor controllers are not installed precisely in a DMZ, they just see another VLAN that the foreign controllers do not reach.
So even local APs associated to anchor controllers do not display the web auth page, it is rare because the controller can reach the DNS.
SSIDs are the same in foreign and anchors. Mobility is up.
Very few users can get the page displayed, most of them cannot.
On the clients that can't get the webauth page, can you do an nslookup www.google.com?
You should be able to resolve it. Is there any proxy in the path?
Well, make sure that you see the client on both the foreign and the anchor WLC. If you only see the client on the foreign, that means that your anchoring to the other WLC isn't working. That is usually a config issue.
nslookup works well, no proxy, just an ASA, but it is letting the traffic pass through.
I tested without the foreign controller, just APs attached to the controllers, and it did not work.
However, if I create an open-security SSID mapped to the public_vlan interface, users can reach the internet with no problem.
In the ASA, are you allowing the WLC management interface to be able to reach the internet?
Yes, in fact if I assign a wired port to the management VLAN I can reach the internet, as well as if I assign it to the guest VLAN.
First of all, clients must be able to reach the DNS servers set in your DHCP scopes, else no DNS redirect will take place.
Furthermore, you are running a poor controller s/w version - upgrade at least to 7.0.116, especially if using HREAP and guest access. Use Netmon (Microsoft) or Wireshark to debug on a guest client and verify what is happening.
If guest users have an open browser window (IE) when associating to the guest WLAN, that will prevent the web redirect.
Thank you for your answer, it was a very rare issue. DNS was reachable, and even some users did get web auth successfully, but most of them did not. All the configuration is correct. The problem was solved just by upgrading to version 18.104.22.168, apparently now it's working well. It could have been an issue with the internal DHCP server also.
Nice to hear that you managed to solve it by yourself.
I had one customer with strange problems concerning guest access with the same s/w revision.
Good luck in the future.