Solved: 9800 Foreign 5520 Guest Anchor with Web Passthrough

bjmcveety · ‎02-25-2023

I am having a heck of a time finding information on config setup for "web passthrough" between a 9800 as the foreign and 5520 as the guest anchor. The mobility tunnel between the two is up/up. I know how to setup web passthrough on the 5520 but finding info on the 9800 has not been as easy.

9800 version 17.3.6 and 5520 version is 8.10.182.0.

The clients are not being presented with the AUP, no IP is being issued.

Any help would be greatly appreciated. Thanks

bjmcveety · ‎03-02-2023

Thank you all for the responses and direction! I really appreciate all the input. The issue was the Profile Policy name. As simple as that. The WLAN and Profile Policy need to be the exact same name - which makes sense but I had tried to utilize a single Profile Policy for all the Guest SSIDs - that was a fail.... Changed the Profile Policy names according to the same WLAN names and then magic!

So - issue resolved with a slight change to the config.

Thanks again!

View solution in original post

balaji.bandi · ‎02-25-2023

you need to enable debug and see what is wrong ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

marce1000 · ‎02-25-2023

- You may debug clients using these info's : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA , also review the 9800's current configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Rich R · ‎02-26-2023

And FYI 8.10.182.0 is deferred so if you need TAC support they'll just tell you to upgrade to 8.10.183.0.
And do you have the AP service packs installed with 17.3.6 as per TAC recommended (below)?

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs

bjmcveety · ‎03-02-2023

Yes, I upgraded the code on the 5520 and the 9800 the AP service packs had been applied. Thank you

Scott Fella · ‎02-26-2023

Well I just searched up "9800 web passthrough" and found this at the top of the search list. Look through this for reference to make sure everything in the link is present in your setup.

http://www.netprojnetworks.com/cisco-9800-equivalent-of-aireos-webpass-through/

-Scott
*** Please rate helpful posts ***

bjmcveety · ‎03-02-2023

@Scott Fella Yes, I had that link as well. The info did not truly address the nuances with a 9800 with 5520 guest anchor. With the WLAN & Profile Policies things are obviously a little different than 9800 to 9800.

bjmcveety · ‎03-02-2023

Thank you all for the responses and direction! I really appreciate all the input. The issue was the Profile Policy name. As simple as that. The WLAN and Profile Policy need to be the exact same name - which makes sense but I had tried to utilize a single Profile Policy for all the Guest SSIDs - that was a fail.... Changed the Profile Policy names according to the same WLAN names and then magic!

So - issue resolved with a slight change to the config.

Thanks again!

Scott Fella · ‎03-02-2023

Glad you got it working and posting your solution. It is interesting to see how many folks, even me, mess that up. I have always told myself to make sure everything matches 100% and identify items that don't . Once I get it to work, then I tinker a bit to see what I can change and still get it to work. That's me though.... always tinkering and then breaking stuff:)

-Scott
*** Please rate helpful posts ***

bjmcveety · ‎03-02-2023

Yes! I definitely did the same thing once it was working. It makes complete sense that the naming should be exact but "note to self".... Thanks again for the help & feedback!