https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5040756#M268310 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<FONT color="#FF6600"><EM> &nbsp;- FYI :&nbsp;</EM></FONT><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu72447" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu72447</A><BR />&nbsp; &nbsp; Regardless of the bug report , relevance w.r.t current ios-xe version used , from a support point of view ; it becomes more <STRONG>relevant</STRONG> if someone can <STRONG>repeat</STRONG> the problem on that version as you are observing and or testing it ,&nbsp;<BR /><BR /></P> <P>&nbsp;M.</P> Fri, 15 Mar 2024 12:04:06 GMT Mark Elsen 2024-03-15T12:04:06Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5040737#M268307 <P>Running a WLC-9800-80 running Cisco IOS-XE 17.9.5 in my lab, testing Web Auth Redirect for a simple consent page (Not collecting any email or data) on our open guest network.</P><P>Clients can successfully connect to the guest WLAN and are presented the proper consent page while being placed in a "Web Auth Pending" state. If I click the accept button, client move to Run. So that all works properly. The problem I have is that while still in the Web Auth Pending state, my clients can reach the Internet successfully by opening another browser tab, pinging Internet addresses, etc. Is this expected behavior for a device on an open network? I have tested this with Windows 10/11 clients, Apple devices, and Linux PCs. All exhibit the same behavior. Windows actually shows that the device is connected without Internet access, yet it does have Internet access!&nbsp;</P><P>Thanks in advance</P> Fri, 15 Mar 2024 11:31:27 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5040737#M268307 lawrence.allhands 2024-03-15T11:31:27Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5040756#M268310 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<FONT color="#FF6600"><EM> &nbsp;- FYI :&nbsp;</EM></FONT><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu72447" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu72447</A><BR />&nbsp; &nbsp; Regardless of the bug report , relevance w.r.t current ios-xe version used , from a support point of view ; it becomes more <STRONG>relevant</STRONG> if someone can <STRONG>repeat</STRONG> the problem on that version as you are observing and or testing it ,&nbsp;<BR /><BR /></P> <P>&nbsp;M.</P> Fri, 15 Mar 2024 12:04:06 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5040756#M268310 Mark Elsen 2024-03-15T12:04:06Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041283#M268399 <P>Hello</P><P>I assume that you use LWA with type consent. Right ?</P><P>Can you share your preauth ACL ?</P><P>Regards</P> Sat, 16 Mar 2024 10:43:58 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041283#M268399 Jerome BERTHIER 2024-03-16T10:43:58Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041617#M268479 <P>Correct. And I have the LWA address set to 192.168.199.199 for the test in my lab. Here is my pre-auth ACL</P><P>ip access-list extended utguest_preauth<BR />10 permit ip any host 192.168.199.199<BR />20 deny ip any any</P><P>&nbsp;</P> Sun, 17 Mar 2024 11:31:10 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041617#M268479 lawrence.allhands 2024-03-17T11:31:10Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041695#M268515 <P>I think this is the point.</P><P>AireOS and IOS-XE WLC do not behave the same with preauth ACL :</P><P>- on AireOS, use deny statement to trigger redirect</P><P>- on IOS-XE, use permit statement to trigger redirect</P><P>So to my understanding, you ACL should be the opposite :</P><P>ip access-list extended utguest_preauth<BR />10 deny ip any host 192.168.199.199</P><P>11 deny udp any host &lt;your DNS resolver&gt; eq 53</P><P>! not sure about these two next entries but you may have to open for DHCP. I don't know</P><P>12 deny udp any eq 68 any eq 67</P><P>13 deny udp any eq 67 any eq 68</P><P>! final permit to trigger for all traffic except previous entries<BR />20 permit ip any any</P><P>Hope this helps</P><P>Regards</P> Sun, 17 Mar 2024 15:24:59 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041695#M268515 Jerome BERTHIER 2024-03-17T15:24:59Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041712#M268523 <P>Thanks for that - tried it and got the same results</P> Sun, 17 Mar 2024 16:18:06 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041712#M268523 lawrence.allhands 2024-03-17T16:18:06Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041875#M268589 <P>OK so maybe you hit the bug pointed out by marce1000</P><P>Open a support case. That's the best way in your case.</P><P>Regards</P> Sun, 17 Mar 2024 20:27:37 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041875#M268589 Jerome BERTHIER 2024-03-17T20:27:37Z https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041931#M268594 <P>Yes I have a TAC case open. Thanks all!</P> Mon, 18 Mar 2024 00:10:49 GMT https://community.cisco.com/t5/wireless/clients-can-still-access-internet-while-in-web-auth-pending/m-p/5041931#M268594 lawrence.allhands 2024-03-18T00:10:49Z