Cisco Support Community

New Member

WLC web authentication DHCP problem

We have a WLC with a web authentication guest SSID so that guests at reception (lobby) get a username and password and access the internet.

The WLC is also the DHCP server, and the subnet is a /25, which should provide 126 IPs for 126 guests!

However, it seems that people who leave wireless on on their handhelds or laptops connect and get an IP although they haven't been authenticated yet.

Now I see that the DHCP has almost run out of IPs because these handheld devices reserve the IPs without using them.

Any clues on how to avoid assigning an IP to the user before they are authenticated?

Hall of Fame Super Silver

Re: WLC web authentication DHCP problem

You have to plan for that. The reason is that webauth is a layer 3 authentication method; this requires the client to have a valid IP address prior to web authentication. Unlike webauth, WPA/WPA2/WEP/802.1x encryption is layer 2 and happens prior to the client obtaining a DHCP address.

You need to increase the subnet size and maybe reduce the DHCP lease time.

Sent from Cisco Technical Support iPhone App

*** Please rate helpful posts ***

Re: WLC web authentication DHCP problem

Welcome to the world of Guest Wireless where your DHCP pools will deplete faster than your wallet when your wife goes shopping!

Scott is on target. In order to get that pretty web screen, you need to have an IP address to deliver it to your client.

- Make bigger scopes

- Shorten lease times

- Or, don't broadcast your SSID

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

WLC web authentication DHCP problem

I agree with Scott and George about the suggestions. I am having the same issue here and I am stuck because the DHCP guys are refusing to reduce the lease time (now it is 4 hours). But I never came to 100% utilization. The reports always come in at 90+% but never 100%.

I however disagree with George about the depletion point. I still believe that wives deplete wallets faster.

Rating useful replies is more useful than saying "Thank you"
Cisco Employee

WLC web authentication DHCP problem

The command below is one of the mitigation solutions for managing internal DHCP; however, it is still not scalable.

Release the guest user IP address when the web authentication policy timer expires and prevent the guest user from acquiring an IP address for 3 minutes by entering this command:

config wlan webauth-exclude wlan_id {enable | disable}

The default value is disabled. This command is applicable when you configure the internal DHCP scope on the controller. By default, when the web authentication timer expires for a guest user, the user can immediately reassociate to the same IP address before another guest user can acquire it. If there are many guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.

When you enable this feature on the guest WLAN, the guest user's IP address is released when the web authentication policy timer expires and the guest user is excluded from acquiring an IP address for 3 minutes. The IP address is available for another guest user to use. After 3 minutes, the excluded guest user can reassociate and acquire an IP address, if available.
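The pool behaviour described in the thread can be explored with a small simulation. This is an added example, not part of any post above and not Cisco code; the 300-second web-auth timer, the one-hour guest session, the arrival rates and the rule that an address returns to the pool as soon as a guest leaves (lease time is ignored) are all assumptions of the model. Only the 126-address pool and the 3-minute exclusion come from the thread.

```python
POOL_SIZE = 126          # usable addresses in the /25 described in the thread
EXCLUDE_S = 180          # 3-minute exclusion described for webauth-exclude
WEBAUTH_TIMEOUT_S = 300  # ASSUMED web-auth policy timer; the thread gives no value


def simulate(idle_devices, guests_per_hour, exclude, hours=8,
             step=10, guest_session_s=3600):
    """Return (served, denied) counts for guests who would authenticate.

    idle_devices: clients in range that associate but never log in.
    exclude: True models `config wlan webauth-exclude <wlan_id> enable`.
    The gap between guest arrivals must be a multiple of `step`.
    """
    free = POOL_SIZE
    hold_until = [None] * idle_devices  # timer expiry while holding an address
    retry_at = [0] * idle_devices       # earliest time a device may ask again
    guest_expiry = []                   # when each served guest leaves
    served = denied = 0
    gap = 3600 // guests_per_hour       # seconds between guest arrivals
    for t in range(0, hours * 3600, step):
        # 1. Guests who have left give their address back.
        remaining = [e for e in guest_expiry if e > t]
        free += len(guest_expiry) - len(remaining)
        guest_expiry = remaining
        # 2. Idle devices whose web-auth timer ran out.
        for i, expiry in enumerate(hold_until):
            if expiry is None or expiry > t:
                continue
            if exclude:   # address released, device shut out for 3 minutes
                hold_until[i] = None
                retry_at[i] = t + EXCLUDE_S
                free += 1
            else:         # default: device reassociates to the same address
                hold_until[i] = t + WEBAUTH_TIMEOUT_S
        # 3. A real guest arrives and needs an address to see the login page.
        if t % gap == 0:
            if free:
                free -= 1
                served += 1
                guest_expiry.append(t + guest_session_s)
            else:
                denied += 1
        # 4. Idle devices take whatever is left.
        for i in range(idle_devices):
            if free and hold_until[i] is None and retry_at[i] <= t:
                free -= 1
                hold_until[i] = t + WEBAUTH_TIMEOUT_S
    return served, denied
```

Comparing `simulate(150, 30, exclude=False)` with `simulate(150, 30, exclude=True)` shows the exclusion letting more guests through while some are still denied.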
