9800 WLC configure GLAN without Web Auth

mark-wise
Level 1

We have a "guest" LAN used for the on-site health center and security. Their devices are not compatible with a portal. Is there a way to configure the GLAN to function without requiring authentication? Physical security is very effective for these 4 ports, so the "risk is accepted" for authentication. The current config uses the Foreign-Anchor architecture. When configuring the GLAN, under the security tab, web auth is disabled but the devices still cannot get internet access. They successfully receive an IP address. From the controller GUI, clients look successfully connected (in the RUN state) but will randomly drop after 30-45 seconds. When checking the CLI logs, we find this:

CLIENT_ORCH_LOG-4-ANCHOR_VAP_SECURITY_MISMATCH: Chassis 1 R0/0: wncd: Export anchor required but local and remote security/profile configuration is not matching

We have tested enabling the web auth in the GLAN security tab and leaving the web auth parameter field blank but then the user is stuck in web auth pending state.

8 Replies

marce1000
Hall of Fame

- @mark-wise FYI: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb38238
  The bug report mentions Known Fixed Releases.

  Besides those, however, validate the configurations of both anchor and foreign controllers using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.
  When modifications would be needed, check if clients get 'aligned' using commands from
  https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845

  17.12.5 and 17.15.3 are currently advised; the latter however no longer supports the older IOS-COS access point models.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

mark-wise
Level 1

Currently running on 17.9.5

We have validated configurations on both Foreign and Anchor. All is in sync. That is why this is confusing. From everything we can find, this should be working. The only thing I can surmise is there needs to be some sort of webauth config. But then the question comes: what should that be? If we are trying to eliminate it, why should we be required to use it? Or at the very least, how do we work around that? What webauth config can we apply that requires no client interaction?

- @mark-wise None; the idea behind webauth and guest authentication is that credentials are entered by humans. If we talk about devices, then we need to look at solutions such as MAB (MAC Authentication Bypass) or PSK (iPSK) based authentication(s), for instance.

M.

mark-wise
Level 1

Maybe I need to simplify my issue. 

Device plugs in to physical port. Client is connected vlan "X". This is sent to the Foreign controller that then forwards this client to the Anchor. The Anchor maps this to vlan "Z" and is forwarded to DHCP server on "Z" vlan. Client gets an IP but has no connectivity.

Web Auth is not in the config and not meant to be. Yet, the client still cannot connect.

- @mark-wise Fully debug the client using instructions from https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
  These client debugs, so-called RadioActive Traces, can be analyzed with: Wireless Debug Analyzer

M.

mark-wise
Level 1

Still unable to pinpoint issue.

Debug analyzer output:

[screenshot: Wireless Debug Analyzer output (markwise_0-1752451243175.png), image not available]

wajidhassan
Level 4

Hi @mark-wise ,

The ANCHOR_VAP_SECURITY_MISMATCH error indicates a configuration mismatch between the local and foreign anchor security settings. To fix this, ensure both controllers have matching security and web auth settings—if web authentication is disabled, it must be disabled on both ends.

Since you require no authentication, verify the WLAN profiles on both sides allow open access and check for any ACLs that might block traffic.

If the Foreign-Anchor setup continues causing issues, consider using a dedicated open WLAN without anchor for these trusted ports.

Hope this helps!
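To make the "matching security settings on both ends" check concrete, here is an added example (not Cisco tooling and not code from anyone in this thread) that pulls the security lines out of the guest-LAN and policy-profile blocks of two running-configs and reports what one controller has that the other lacks, plus a small filter that picks the ANCHOR_VAP_SECURITY_MISMATCH message out of syslog. The config snippets and log lines are constructed for illustration in IOS-XE style; the exact keywords (`guest-lan profile-name`, `security web-auth`, `mobility anchor`) are assumptions to be checked against your own `show running-config`.

```python
"""Spot foreign/anchor security-config drift behind ANCHOR_VAP_SECURITY_MISMATCH.

Added example, not a Cisco tool. Config snippets and log lines are constructed.
"""
import re

# Block headers whose security lines must agree on foreign and anchor (assumed syntax).
BLOCK_RE = re.compile(r"^(guest-lan profile-name \S+|wireless profile policy \S+|wlan \S+)")
# Only 'security ...' / 'no security ...' lines are compared: VLAN and 'mobility anchor'
# lines legitimately differ between the two roles, so they are deliberately ignored.
SECURITY_PREFIXES = ("security ", "no security ")
MISMATCH_RE = re.compile(r"CLIENT_ORCH_LOG-4-ANCHOR_VAP_SECURITY_MISMATCH")

# Constructed foreign controller config: GLAN with web auth disabled.
FOREIGN_CFG = """
guest-lan profile-name GLAN-HEALTH 1 wired-vlan 110
 no security web-auth
 no shutdown
!
wireless profile policy GLAN-POLICY
 mobility anchor 192.0.2.10
 no shutdown
"""

# Constructed anchor controller config: same profile names, but web auth left on.
ANCHOR_CFG = """
guest-lan profile-name GLAN-HEALTH 1 wired-vlan 110
 security web-auth
 security web-auth parameter-map global
 no shutdown
!
wireless profile policy GLAN-POLICY
 mobility anchor
 vlan 210
 no shutdown
"""

# Constructed syslog sample; the first line mirrors the message quoted in the thread.
SAMPLE_LOG = [
    "%CLIENT_ORCH_LOG-4-ANCHOR_VAP_SECURITY_MISMATCH: Chassis 1 R0/0: wncd: Export anchor "
    "required but local and remote security/profile configuration is not matching",
    "%CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 1 R0/0: wncd: client run state",
]


def parse_profiles(config_text):
    """Return {block_header: set(security lines)} for the blocks we care about."""
    profiles = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            m = BLOCK_RE.match(line)
            current = m.group(1) if m else None  # new block, or left the block
            if current:
                profiles[current] = set()
            continue
        if current:
            body = line.strip()
            if body.startswith(SECURITY_PREFIXES):
                profiles[current].add(body)
    return profiles


def diff_security(foreign_cfg, anchor_cfg):
    """List (block, line, side) for every security line present on only one side."""
    foreign, anchor = parse_profiles(foreign_cfg), parse_profiles(anchor_cfg)
    findings = []
    for name in sorted(set(foreign) | set(anchor)):
        f_lines, a_lines = foreign.get(name, set()), anchor.get(name, set())
        findings += [(name, line, "foreign-only") for line in sorted(f_lines - a_lines)]
        findings += [(name, line, "anchor-only") for line in sorted(a_lines - f_lines)]
    return findings


def find_mismatch_events(log_lines):
    """Return only the syslog lines that report the anchor/foreign security mismatch."""
    return [line for line in log_lines if MISMATCH_RE.search(line)]


if __name__ == "__main__":
    for event in find_mismatch_events(SAMPLE_LOG):
        print("mismatch reported:", event)
    for block, line, side in diff_security(FOREIGN_CFG, ANCHOR_CFG):
        print(f"{block}: '{line}' is {side}")
```

Run against real output, the interesting result is an empty diff together with a mismatch event still in the log: that combination points at something outside the security stanzas (profile names, a per-WLAN/policy mapping, or a software defect such as the bug ID marce1000 linked) rather than at the web-auth toggle itself.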

Hi,

I am not so familiar with anchor WLCs.

But let's start with this doc.

Did you follow the correct steps to configure the foreign and anchor WLCs?

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#toc-hId-2012470473

Let me know the platform and version of both WLCs.

MHM
