09-23-2019 03:23 AM - edited 07-05-2021 11:02 AM
Hi,
I'm hoping someone can help me out here as I've been looking at this issue for the past week. I'm setting up a 9800-40 with a mixture of 9120 and 2802 APs. On it there are multiple SSIDs (two using RADIUS), and one using WebAuth (centrally switched).
The Guest Network is centrally switched WebAuth with an externally hosted consent webpage. It works fine, but whenever a client roams to another AP their session is dropped and they have to re-authenticate. Client session timeout isn't an issue, and it has Fast Transition Adaptive Enabled with 'Over the DS' option checked. No Layer 2 Security or Load Balancing. The APs are FlexConnect but the Guest Network is Central. WLC code is 16.11.1c. I'm seeing this on a mixture of Apple and Android mobile devices.
I also have a 5508 WLC in use, using the same Guest Network settings and same consent webpage. As far as I can tell the SSIDs are set up exactly the same, but this legacy WLC has zero issues.
09-23-2019 08:19 AM
10-18-2019 06:24 AM - edited 10-18-2019 06:31 AM
Hi, thank you for the advice. In the end I updated to 16.12.1s, which caused external WebAuth to fail completely due to ACL issues caused by the process no longer updating them automatically. In the end I copied the WebAuth contents and hosted them locally on the WLC, and it has worked around the issue, with clients roaming correctly. That's one of the many 9800 issues dealt with for now.
02-04-2020 05:46 AM
If you're using ISE for CWA, Cisco told me that the ACL used for ISE is reversed between AireOS and IOS-XE.
I have both AireOS and IOS-XE controllers deployed and this is the only way we could get our CWA working properly.
All the AireOS rules are permit rules, but on the IOS-XE version, we had to make them all deny statements.