Guest user captive portal redirection issue

singhsukdeep — Fri, 05 Apr 2024 08:30:14 GMT

Problem with Guest user captive portal redirection problem.

Looking for the help in WLC.

Guest user -> Cisco AP -> WLC -> ISE

- This problem is happening for one particular site. Other sites captive portal is working properly from the same ISE server.

- Auto captive portal is not opening at guest client pc

- When I am giving captive portal manually in the guest pc browser, its working. However, auto redirecting to captive portal is not happening.

at WLC side, ran debugs and below are the info what i have got.

IP address is getting assigned to guest user:

*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 Plumbing web-auth redirect rule due to user logout
*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 192.168.150.71 WEBAUTH_REQD (8) NO release MSCB
*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 Assigning Address 192.168.xxx.xxx to mobile
*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 DHCP success event for client. Clearing dhcp failure count for interface power-guest_100.
*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 Initiating Accounting request(0) update for mobile
*DHCP Socket Task: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 PemLocationConfigured [1]Adding VSA with NAS update and Role[1] with state[0]

Communication with ISE is also happening:

pemReceiveTask: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 192.168.150.71 Added NPU entry of type 2, dtlFlags 0x0
*aaaQueueReader: Feb 29 11:43:15.079: [SA] 22:18:38:6e:c4:09 radiusServerFallbackPassiveStateUpdate: RADIUS server is ready 10.252.yyy.zz port 1813 index 2 active 1
*aaaQueueReader: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 radiusServerFallbackPassiveStateUpdate: RADIUS server is maybe-ready 10.252.xxx.yy port 1813 index 3 active 1
*aaaQueueReader: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 NAI-Realm not enabled on Wlan, radius servers will be selected as usual
*aaaQueueReader: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Send Radius Acct Request with pktId:148 into qid:1 of server at index:2
*apfReceiveTask: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Recieved MS IPv4 Addr= 192.168.xxx.yy
*apfReceiveTask: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Recieved IPv6 addresses count: 1
*aaaQueueReader: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Sending the packet to v4 host 10.252.yyy.zz 1813 of length 346
*pemReceiveTask: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Sent an XID frame
*apfReceiveTask: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Updating MS IPv6[1] Addr= fe80:0000:0000:0000:2018:38ff:fe6e:c409
*aaaQueueReader: Feb 29 11:43:15.080: [SA] 22:18:38:6e:c4:09 Successful transmission of Accounting-Start (pktId 148) to 10.252.xxx.yy:1813 from server queue 1, proxy

*radiusTransportThread: Feb 29 11:43:15.296: [SA] 22:18:38:6e:c4:09 Counted 0 AVPs (processed 20 bytes, left 0)
*radiusTransportThread: Feb 29 11:43:15.296: [SA] 22:18:38:6e:c4:09 Accounting-Response received from RADIUS server 10.252.xxx.yyy (qid:1) with port:1813, pktId:148

*apfMsConnTask_1: Feb 29 12:18:47.395: [SA] f0:d5:bf:fe:a4:a2 Scheduling deletion of Mobile Station: (callerId: 20) in 10 seconds
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Received SGT for this Client.
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 SGT is not applied, sgtLen 0, sgt_stringp 0x1c3ec843
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 AAA Override Url-Redirect 'https://mgwgp.power.com:8442/portal/gateway?sessionId=8b807e9a000053bf65e09fe2&portal=a3cc6225-905d-4ced-acdf-bc72593301be&action=cwa&token=f
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Resetting web IPv4 acl from 0 to 255

*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Resetting web IPv4 Flex acl from 65535 to 65535

*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 AAA Override Url-Redirect-Acl 'CWA_powerGuest' mapped to ACL ID 0 and Flexconnect ACL ID 65535
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Applying Fabric vnid override for client f0:d5:bf:fe:a4:a2, client->reap 1 ,over bits 100100,isover FALSE
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 override for default ap group, marking intgrp NULL
*apfReceiveTask: Feb 29 12:18:47.620: [SA] f0:d5:bf:fe:a4:a2 Applying Interface(power-guest_900) policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 100

Re: Guest user captive portal redirection issue

Mark Elsen — Fri, 05 Apr 2024 08:48:26 GMT

- Have the client debugs further analyzed with Wireless Debug Analyzer
preferably with a longer trail. Also look into : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA
For looking at a summarized view at client issues have a look at : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5

Checkout the 9800 WLC configuration too using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer

- Check 9800 WLC controller software version ; advising to go for 17.9.5 and check again ,

Re: Guest user captive portal redirection issue

PSM — Sat, 06 Apr 2024 17:49:44 GMT

Do you have https intercept enabled in webauth parameter map ?

Try to disable http and https service on controller using 'no ip http server' and 'no ip http secure-server'.

Re: Guest user captive portal redirection issue

JPavonM — Mon, 08 Apr 2024 08:30:46 GMT

DO NOT DISABLE both http and https server in WLC otherwise it won't work.

This seems to me like a DNS issue, are al sites using the same DNS? do the APs at all sites use the same WLC?

This could also be a client side issue. Is that happening to specific devices types?

Re: Guest user captive portal redirection issue

singhsukdeep — Wed, 10 Apr 2024 08:27:09 GMT

Thanks for the suggestion..

No WLCs are different for every site.. Where other sites are working except one.

In case of DNS issue - When I am giving captive portal URL manually in the guest pc browser, its working. However, auto redirecting to captive portal is not happening. Still do i need to check DNS side anything??

Re: Guest user captive portal redirection issue

jagan.chowdam — Wed, 10 Apr 2024 14:41:33 GMT

Can you share the WLC model and version it is running on?

Have you tried different client or a mobile device to test?

Have you checked the "Redirection to the Guest Portal Does not Work" section from the link?

If the same config on other WLCs is working, you can compare the configs and see if you are missing any required config.

Jagan Chowdam

/**Pls rate useful responses**/

topic Re: Guest user captive portal redirection issue in Wireless

Guest user captive portal redirection issue

Re: Guest user captive portal redirection issue

Re: Guest user captive portal redirection issue

Re: Guest user captive portal redirection issue

Re: Guest user captive portal redirection issue

Re: Guest user captive portal redirection issue