topic Re: Client status locked in "Web Auth Pending" on WLC 9800-4 in Wireless

Client status locked in "Web Auth Pending" on WLC 9800-40

Simone C — Fri, 19 Apr 2024 15:24:05 GMT

Hello all,

I'm having an issue with clients connected on my Guest SSID configured with Web Authentication Splash Page. Basically by today (NO CHANGES NOR ACTIVITIES WERE DONE) all the clients which are trying to connect to this SSID cannot reach the splash page to authenticate themselves. We do not have any Radius or ISE server configured since there's only the web portal to let the client authenticate, so I'm having some troubles to find out where the problem is. I checked the SSID to have the correct web policy configured and the "web policy" flag flagged, and also verified the policy as well and no changes has been done by yesterday where everyone could join without issues. I tried to get some infos by using the Debug trace, and from the clients i got these logs:

2024/04/19 16:22:36.479005452 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (ERR): SANET_AUTHC_FAILURE - No Response from Client, audit session id 0B20000A0000EF6DF68576AF

2024/04/19 16:22:36.479115338 {wncd_x_R0-0}{2}: [errmsg] [17292]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (3ace.c41a.8428) on Interface capwap_9000051f AuditSessionID 0B20000A0000EF6DF68576AF. Failure reason: Authc fail. Authc failure reason: No Response from Client.

2024/04/19 16:22:36.480372529 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (note): Authentication Success. Resolved Policy bitmap:4 for client 3ace.c41a.8428

2024/04/19 16:22:36.480736048 {wncd_x_R0-0}{2}: [client-auth] [17292]: (ERR): MAC: 3ace.c41a.8428 L3 Authentication FAIL.

2024/04/19 16:22:36.481275611 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_L3AUTH_FAIL, details: , fsm-state transition 60|61|7c|56|15|1a|1b|2c|37|46|48|4a|4c|51|60|61|7c|56|15|1a|1b|2c|37|46|48|4a|4c|51|60|61|69|12|

2024/04/19 16:22:36.481385673 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS

2024/04/19 16:22:36.482234263 {wncd_x_R0-0}{2}: [dpath_svc] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry deleted for ifid 0xa0000070

2024/04/19 16:22:36.482463247 {wncd_x_R0-0}{2}: [sanet-shim-translate] [17292]: (note): MAC: 3ace.c41a.8428 Session manager disconnect event called, session label: 0xfc0003fd

2024/04/19 16:22:36.483758612 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED

2024/04/19 16:22:37.577485865 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Re-Association received. BSSID 00df.1db8.768d, WLAN CGGUEST, Slot 1 AP 00df.1db8.7680, APBV19_P1_18

2024/04/19 16:22:37.577703176 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING

2024/04/19 16:22:37.578421118 {wncd_x_R0-0}{2}: [dot11] [17292]: (note): MAC: 3ace.c41a.8428 Association success. AID 1, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False

2024/04/19 16:22:37.578738798 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS

2024/04/19 16:22:37.579008753 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 L2 Authentication initiated. method WEBAUTH, Policy VLAN 0, AAA override = 1

2024/04/19 16:22:37.582206899 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (note): Authentication Success. Resolved Policy bitmap:8011 for client 3ace.c41a.8428

2024/04/19 16:22:37.582671291 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Mobility discovery triggered. Client mode: Local

2024/04/19 16:22:37.582676265 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS

2024/04/19 16:22:37.584472026 {wncd_x_R0-0}{2}: [mm-client] [17292]: (note): MAC: 3ace.c41a.8428 Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_NONE, Client IFID: 0xa0000070, Client Role: Local PoA: 0x900007dc PoP: 0x0

2024/04/19 16:22:37.584833474 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 ADD MOBILE sent. Client state flags: 0x72 BSSID: MAC: 00df.1db8.768d capwap IFID: 0x900007dc, Add mobiles sent: 1

2024/04/19 16:22:37.585055011 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS

2024/04/19 16:22:37.585223147 {wncd_x_R0-0}{2}: [dot11] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry params - ssid:CGGUEST,slot_id:1 bssid ifid: 0x90000744, radio_ifid: 0x9000067a, wlan_ifid: 0xf0400004

2024/04/19 16:22:37.585664313 {wncd_x_R0-0}{2}: [dpath_svc] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry created for ifid 0xa0000070

2024/04/19 16:22:37.585843246 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS

2024/04/19 16:22:37.586462370 {wncd_x_R0-0}{2}: [client-iplearn] [17292]: (note): MAC: 3ace.c41a.8428 Client IP learn successful. Method: DHCP IP: 192.168.2.44

2024/04/19 16:22:37.587964270 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_L3_AUTH_IN_PROGRESS

2024/04/19 16:22:37.588275775 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 L3 Authentication initiated. LWA

These logs look the same for every tother client I checked (no matter what kind of device it is, the problem is the same, going from Android Cellphones, to Windows laptops and so on).

Current WLC version is 17.9.4.

Thank you for your help and advices.

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

balaji.bandi — Fri, 19 Apr 2024 16:20:01 GMT

May be generate debug log and use the log analyse tool :

https://www.cisco.com/c/en/us/support/docs/wireless/standalone-controllers/220344-troubleshoot-with-wireless-debug-analyze.html

check some troubleshooting tips :

https://mrncciew.com/2022/07/08/9800-client-troubleshooting/

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213970-catalyst-9800-wireless-controllers-commo.html

is thie client IP : 192.168.2.44 ?

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

Mark Elsen — Fri, 19 Apr 2024 17:09:46 GMT

- Note that client debugs can be analyzed further with Wireless Debug Analyzer
You may also find commands from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 useful
For specific debugging related to Web Auth , look at : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA

Important have a checkup of the WLC 9800-40 configuration with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

David Ritter — Fri, 19 Apr 2024 19:43:02 GMT

I had a similar experience in the beginning. I forgot..

I can see only the following is configured:

wlan TCVisitor 7 TCVisitor2

security web-auth

security web-auth authentication-list TCVisitor

security web-auth parameter-map TCVisitor

We are missing the authorization list, please add it using command:

(config-wlan)#security web-auth authorization-list TCVisitor

Please test after the change and let me know if the issue is resolved.

and yes adding the missing element solved the issue.

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

Simone C — Mon, 22 Apr 2024 06:49:37 GMT

Hello All,

Sorry for my delay on a feedback. I'm now reading all the answers you gave me. I'll come back to this thread once i Tried with the Debug analyzer and after checking if those commands are present:

security web-auth

security web-auth authentication-list XXXXXXXX

security web-auth parameter-map XXXXXXX

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

Simone C — Mon, 22 Apr 2024 07:15:38 GMT

Hello David,

I checked the parameters you suggested and I confirm all those three commands are present inside the CLI of my WLC. I also verifired again the correct association between the SSID Guest and the Policy Map in the "Security" tab inside it and it's all correct.

I Just noticed this morning that some clients are properly authenticated and are in "Run" state, so perhaps something has changed in the splash portal settings (I cannot check that part). I will come back to this thread whenever I receive any update.

Meanwhile I want to thank you and all the other users who replied to this post and are helping me!!

Best regards!

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

MHM Cisco World — Mon, 22 Apr 2024 07:25:23 GMT

First do

Debug client mac <mac of any guest device>

Then stop debug share it and do

Debug io http all

MHM

Re: Client status locked in "Web Auth Pending" on WLC 9800-4

Simone C — Mon, 22 Apr 2024 07:56:37 GMT

Hi!

I'm trying to perform the "Debug client" command but I do not have that command in the debug cli" . Is it ok if I do it with the Radioactive Trace and then apply the "debug IP http all" command?

By now the issue looks resolved by the way, many more clients are authenticating correctly.

I'll keep the situation monitored.