
guest access




We have guest access set up and I was wondering what exactly the sequence of events is from connecting to the SSID to being granted internet access. See below; the steps I'm unsure of are left blank.

1. connect to SSID through AP

2. traffic hits Foreign WLC

3. traffic is tunnelled to Anchor WLC

4. client gets IP address from dhcp source




8. AUP page from ISE

9. internet access 




Cisco Employee

Based on some of the things you said I am assuming this is anchored between 2 WLCs and using CWA with ISE.


1. The client sends AP assoc request.

2. AP sends assoc request to foreign WLC.

3. Foreign WLC builds an authc request using the service type "call-check" and the client's MAC address as the user and sends it to ISE.

Note that all RADIUS communication is between the foreign and ISE. The anchor never talks to ISE which is why you shouldn't have accounting enabled on the anchor's WLAN.

4. ISE will bypass authc as mab and, based on your authz policy, send back an access accept with some AVPs. Two of these AVPs will be an ACL and a redirect to the portal.

5. Once the WLC receives this it will apply the ACL and redirect to the client and send the assoc response.

6. At this point the client thinks it's on the network and will start the DORA process. These packets will flow through the anchor.

7. The client will then need to open a browser. Most clients have ways of detecting a captive portal but if not the client will have to open one manually.

7. The client will send a DNS request for a site, set up TCP with that IP (really it is the anchor WLC) and then send an HTTP GET for the page.

8. The anchor will send an HTTP OK back to the client with the redirect URL saying the site has been moved.

9. The client should then go to the redirect, which is the ISE AUP page.

10. If successful, ISE will then send back a CoA to the foreign. The foreign should send a CoA ack.

11. The Foreign will deauth the client.

12. The client will join back to the WLAN. The WLC will send the authc call-check to ISE.

13. ISE will send back an access accept, this time without the redirect, and the client goes into the run state on both WLCs and client data will flow through the anchor.


I hope this answers the questions you had. If not let me know and I will try to help you out.


Hi, great answer, thanks.

So you mean the anchor WLC?

(5. Once the WLC receives this it will apply the ACL and redirect to the client and send the assoc response.)


So once successfully on the network the foreign WLC just tunnels traffic to the anchor and doesn't play any other role?







Cisco Employee

Right, so in point 5 the ACL and redirect are sent to the foreign. The foreign would send it to the anchor. The ACL has to be present on both and both would list the ACL and redirect in the client details. Since client traffic flows through the anchor that's the one that matters. The ACL on the foreign can be blank as long as it's there.

After a successful auth the foreign still handles all layer 1 and layer 2 stuff. For instance, if you anchor a dot1x SSID with 802.11r, the keys are held on the foreign. If you wanted to deauth the client it would come from the foreign. All layer 3 stuff would be done on the anchor. If you wanted to remark DSCP with AVC, it would be done on the anchor. Applying VLAN tags is done at the anchor. Throughout the whole process, both WLCs will play a part in the client's connection to the network.
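
Added example, not part of the thread and not Cisco code: a toy Python model of the exchange described in the two replies above (call-check MAB from the foreign to ISE, redirect enforced at the anchor, CoA, then re-association without the redirect). The ACL name, portal URL, test site and the `REDIRECT` state label are constructed; `url-redirect` and `url-redirect-acl` are the Cisco AV-pair names assumed here for the two AVPs the reply mentions.

```python
from dataclasses import dataclass, field

CALL_CHECK = 10  # RADIUS Service-Type value for Call-Check (MAB)

@dataclass
class ISE:
    portal: str = "https://ise.example.test/guest"  # placeholder portal URL
    acl: str = "GUEST_REDIRECT"                     # hypothetical ACL name
    accepted: set = field(default_factory=set)      # MACs that accepted the AUP
    def access_request(self, mac, service_type):
        if service_type != CALL_CHECK:
            return "Access-Reject", {}
        if mac in self.accepted:                    # second pass: no redirect
            return "Access-Accept", {}
        return "Access-Accept", {"url-redirect-acl": self.acl,
                                 "url-redirect": f"{self.portal}?mac={mac}"}

@dataclass
class Anchor:
    acls: set
    sessions: dict = field(default_factory=dict)
    def http_get(self, mac, url):  # client traffic exits here, so this enforces
        return self.sessions[mac].get("url-redirect", url)

@dataclass
class Foreign:
    ise: ISE
    anchor: Anchor
    acls: set
    radius_log: list = field(default_factory=list)
    def associate(self, mac):
        code, avps = self.ise.access_request(mac, CALL_CHECK)
        self.radius_log.append(("foreign", "ise", code))
        acl = avps.get("url-redirect-acl")
        for name, wlc in (("foreign", self), ("anchor", self.anchor)):
            if acl and acl not in wlc.acls:  # the ACL name must exist on both
                raise LookupError(f"{acl} not defined on {name} WLC")
        self.anchor.sessions[mac] = avps     # passed on to the anchor
        return "REDIRECT" if acl else "RUN"
    def coa(self, mac):  # ISE sends the CoA to the foreign, which deauths
        self.radius_log.append(("ise", "foreign", "CoA"))
        self.anchor.sessions.pop(mac, None)
        return "CoA-ACK"

def guest_flow(mac, foreign):
    first = foreign.associate(mac)                 # MAB pass 1: redirect applied
    landing = foreign.anchor.http_get(mac, "http://example.test/")
    foreign.ise.accepted.add(mac)                  # guest accepts the AUP
    ack = foreign.coa(mac)
    return [first, foreign.associate(mac)], landing, ack
```

In this model a redirect ACL name missing from either controller makes `associate` raise, and the anchor never appears in `radius_log`.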


Hi Jay

Thanks for that, now I understand.


Thank you for the detailed and clear explanation,  very helpful 



Cisco Employee

Please mark the question as solved so others know they can find the answer here :)


Can someone guide me regarding the wireless controller? I want to use my Cisco controller with MS 2016 Server to provide a guest wireless network.

I already use wireless for staff, but for customers I want to deploy guest wireless in which they can get internet for a given time.


Waiting for a true response.
