topic Re: Local Webauth across multiple controller types in Wireless

Local Webauth across multiple controller types

dselfridge — Mon, 24 Feb 2025 11:57:07 GMT

Greetings,

My Customer is in the middle of migrating multiple sites from AireOS (5508) to IOS (9800) WLCs.

Most sites work fine and guest users are serviced by the LobbyAdmin feature and local web-auth on the 9800 controller.

Some APs are yet to be replaced, so until that happens, they need to stay on the 5508, which of course has it's own LWA Portal. The issue is that a minority of sites have a mix of APs, old & new, so i have a 'salt & pepper' environment. Therefore, if a user is on say an older 3502 AP, they will hit the 5508 portal. If they then roam to say a 9120 AP they then are on the 9800 controller, will the session stay up? Like wise if they start on 9800 AP and roam to a 5508 AP. Also, there are 2 Lobby Admin Portals to maintain, which is confusing.

I have mobility tunnels setup between the controllers (IRCM Code). No Anchors are in the mix, because internet breakout is local to each site. The controllers are in data centers and the APs are in Flexconnect mode with local switching.

What I want to achieve is that if a guest user connects to the guest SSID and no matter if they are on an old or newer AP, they consistently hit the Lobby on the 9800. is this even possible? It's only temporary, to give time for the customer to replace all the older APs.

Obviously, i would prefer they use CWA with ISE - but for various reasons, that's not a runner at this time.

TIA

Dan

Re: Local Webauth across multiple controller types

Mark Elsen — Mon, 24 Feb 2025 12:08:56 GMT

- That's impossible to achieve because each controller (type) has it's own authenticating rules behind the Lobby , best is to finish the AP migration as soon as possible ,

Re: Local Webauth across multiple controller types

Flavio Miranda — Mon, 24 Feb 2025 12:57:05 GMT

@dselfridge

Long shot here but what is you setup the 5508 with external web portal and point to 9800 ?

Re: Local Webauth across multiple controller types

dselfridge — Mon, 24 Feb 2025 12:58:25 GMT

Thank you for replying so quickly @Mark Elsen

But am I correct in thinking if a client registers on say the 5508 Portal then roams across to a 9800 homed AP, they should stay connected? Assuming of course that the mobility tunnels are up.

Re: Local Webauth across multiple controller types

Mark Elsen — Mon, 24 Feb 2025 15:07:16 GMT

- @dselfridge : I suppose that should work ; (But am I correct in thinking if a client registers on say the 5508 Portal then roams across to a 9800 homed AP, they should stay connected? Assuming of course that the mobility tunnels are up.)

- If not you can debug the client on the 9800 'when it arrives' using : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
You can have client debugs (so called RadioActive Traces) ; analyzed with Wireless Debug Analyzer
Commands from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845
can also be useful

- Checkout the configuration on both controllers to (w.r.t. mobility and other stuff)
For the 9800 use the CLI command show tech wireless and feed the output into Wireless Config Analyzer

- For the 5508 use WirelessAnalyzer input (procedure) for AireOs controllers
and feed the output from that into Wireless Config Analyzer

Re: Local Webauth across multiple controller types

Scott Fella — Mon, 24 Feb 2025 15:37:45 GMT

That mix and match just isn't a preferred way to migrate, not just for guest, but you have a lot of inter controller roaming that has to happen. I would of waited to migrate one whole site, take that 5508 and use that for an anchor at the next site, so that you can push guest to that anchor until you have migrated that one site, which then you can disable the anchoring on the 9800 and that becomes the controller with LWA. I think you just have to play around with what you have available and like what @Flavio Miranda and @Mark Elsen mentioned, give that a try also.