Hi Scott,

Indeed, the issue was with the routing to the internet, and so (as you said above), the WLC will not have been able to resolve the clients homepage in order to proceed with Web Authentication.

The routing issue has been resolved, and now all is working well from this test site (Test Site 2 on the diagram)

I am however now facing another issue on the same network, but from Test Site 1. I need to understand the issue a little more, but will open another discussion if I get stumped again!

Thanks for your help Scott.

Regards

Tony

No problem Tony!  Just post and one of us will answer:)

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Hi again Scott (and others!),

I'm stumped again with guest access, but from a different site.

I've updated the diagram in my original post, showing clients accessing the guest wireless network from Test Site 1. Clients are receiving an IP address from the WLC, but have no connectivity other than to the interface IP address on the WLC.

I've disabled WebAuth and ACLs for the moment. The full configuration is:

Name: TS1_Int_Guest

Guest LAN: No

Quarantine: No

Enable NAT: No

VLAN ID: 98

IP Address: 10.98.253.254

Mask: 255.255.255.0

Gateway: 10.98.253.1

Physical Port No.: 1

Backup Port: 0

Active Port: 1

Enable Dynamic AP Management: No

Primary DHCP Server: 10.0.254.105 (The WLC is configured to issue addresses for the guest WLAN - 10.98.253.10 to 20/24)

ACL: None (This will eventually be locked down, but for the purposes of testing, I've disabled the ACL)

The default gateway for the Test Site 1 is 10.0.253.1, and has a sub interface configured which is in VLAN 98 with an IP address of 10.98.253.1 /24.

Once a client is connected to the WLAN on Test Site 1, it receives an IP address (e.g. 10.98.253.10), and can ping the interface for the WLAN (10.98.253.254), but not the gateway address (10.98.253.1) or beyond.

Incidentally, I can ping the VLAN 98 IP address (10.98.253.1) from the switch on Test Site 2, but not from the WLC.

Routing issue from the WLC??

Thanks

Tony

so really dumb question...but are you allowing VLAN 98 on the trunk to the WLC?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hi Steve - the switch port that connects the WLC is a trunk with no restrictions (ACLs) applied.

Thanks

Tony

can you share the config of the port? 

The WLC doesn't 'route', it's just going to dump the traffic onto the port in the VLAN linked to the interface.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Switch port config (connection to WLC management interface - port 1)

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

end

WLC port configuration (management interface)

Interface Name................................... management

MAC Address...................................... d4:8c:b5:a7:05:80

IP Address....................................... 10.0.254.105

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 10.0.254.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. untagged

Quarantine-vlan.................................. 0

Active Physical Port............................. 1

Primary Physical Port............................ 1

Backup Physical Port............................. Unconfigured

Primary DHCP Server.............................. 10.0.254.10

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Disabled

Could this be down to NOT using Interface Groups?

Test Site 1 and Test Site 2 are different subnets, though I want Guest access to function the same way for all sites. (i.e. client connects to AP on Test Site 1, receives a 10.99.254.x IP address, authenticates through WebAuth and then has internet access. A client on test site 2, will go through the same process, but get an IP from the 10.99.253.x subnet).

Thanks

Tony

Okay this is getting confusing... this Is how I would do it. 

Option 1:

I would make sure that on the guest ssid, that flexconnect local switching is disabled.  So basically all the guest traffic will tunnel back to the WLC at test site 2 and be placed in the same interface as guest in test site 1.  This is the easiest way.

Option 2:

Is that you create AP's groups and you still keep the guest ssid the same as above... not using local switching and you define and ap group for test 1 and test 2.  In there, you map your guest ssid to the interface on the WLC.  SO in the WLC, you need to have two subnet's created for guest at test site 1 and test site 2.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Hi Scott,

It most certainly is confusing!

My current config is exactly as per your Option 2 (though my guest SSIDs are different)

TS1 (Test site 1) - Clients receive DHCP IP address, but have no access other than can ping the interface IP.

Interface (Dynamic)

- Name: TS1_Int_Guest

- VLAN 98

- IP Address: 10.98.253.254

- Mask: 255.255.255.0

- Gateway: 10.98.253.1

- Dynamic AP Mgt: No

- DHCP Server: WLC

- ACL: None (disabled for testing)

WLAN

- Type: WLAN

- Name: TS1_WLAN_Guest

- Status: Enabled

- Security Policy: None (disabled Web-Auth for testing)

- FlexConnect: Disabled

AP Group

TS1_AP_Group

- WLANs: TS1_WLAN_Guest

- Interface: TS1_Int_Guest

- Contains 1 AP (MAC ending 4E5C)

TS2 (Test site 2) - Currently works fine!

Interface (Dynamic)

- Name: TS2_Int_Guest

- VLAN 99

- IP Address: 10.99.254.254

- Mask: 255.255.255.0

- Gateway: 10.99.254.1

- Dynamic AP Mgt: No

- DHCP Server: WLC

- ACL: Configured & working

WLAN

- Type: WLAN

- Name: TS2_WLAN_Guest

- Status: Enabled

- Security Policy: Web-Auth

- FlexConnect: Disabled

AP Group

TS2_AP_Group

- WLANs: TS2_WLAN_Guest

- Interface: TS2_Int_Guest

- Contains 1 AP (MAC ending 4D22)

I have two DHCP scopes on the WLC (one for each subnet).

I'm currently in the process of ensure all router IOS versions are the same, the configs are the same, plus I've also spanned the port from the AP at Test Site 1 and run through a Wireshark capture. I can see the CAPWAP packets between the WLC and the AP, and within that I can see ping replies from the TS1 interface IP on the WLC. However, I can't see any other ICMP packets that I'm pinging from the client (i.e. pinging the gateway at TS1... 10.98.253.1).

Sorry if this is confusing - I am trying to keep the explainations as simple as possible.

Tony