Solved: Re: 9800-CL Webauth issue "No Response from Client"

DW96 · ‎11-03-2022

Hi All, Hoping this is something simple and it's just me doing something dumb. I'm setting up a Flexconnect environment with 3 SSID's

Corporate Network - Local Switching and Local Authentication using an external Windows NPS server

Mobile/BYOD Network - Same configuration as above

Guest Network - Local Switching and Central Authentication using the WLCs WebAuth portal

The Corporate and Mobile networks are fine and working as intended however I'm running into some issues with the Guest network. I have a AAA Method List of "Type - Login" & "Group Type - Local". I have a Guest User created on the WLC but when trying to use this to authenticate against the Guest Network I'm just getting Authentication failed on the client device and in the WLC logs the failure reason I'm seeing is "No Response from Client".

Any advice would be greatly appreciated.

Mark Elsen · ‎11-03-2022

- Review your 9800-CL configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

View solution in original post

Mark Elsen · ‎11-03-2022

- Review your 9800-CL configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

DW96 · ‎11-08-2022

Thanks for this, didn't realise this tool actually existed. Turns out I was missing the "aaa authentication network default local" command, once I got this configured it started working as intended.

Thanks for your help

Rich R · ‎11-03-2022

What version of software are you using?

You should use a TAC recommended release ideally. See link below.

And run radioactive trace and/or get a packet capture to see what's actually happening.

Are you using a public certificate matching the DNS FQDN for your portal?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390