Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2009
Views
3
Helpful
15
Replies

9800L - Guest WLAN - MAC Filtering / external site for WebAuth

perrymcgrew
Level 1
Level 1

‎03-27-2023 12:32 PM

9800L-F running 17.10.1.  We are moving off a 5508 running 8.5.182.105.   I can not seem to get the Guest WLAN to work on the 9800L.

On the 5508 Security Tab:

L2: MAC Filtering

L3: Web Policy, On MAC Filter failure

Preauth ACL:  is set to ACL that allows access to the web server's IP that has our https WebAuth page.

Override Global Config is checked.

Web Auth Type: External (redirect to external server)

Redirect URL: https:<webserver/login.aspx

AAA Servers: Authentication servers (Read Only DC and NPS) & Accounting server. 

I have just can't get the 9800 to even display the external web page.  I have the ACL defined etc.   I've been reading Configure and Troubleshoot External Web-Authentication on 9800 WLC - Cisco but have not found where the problem lies.   I've found that navigating the WebUI is like a walking through a house of mirrors!   Unfortunately, all I have to test Guest WLAN is an iPad. 

Thx

0 Helpful
15 Replies 15

perrymcgrew
Level 1
Level 1

‎04-11-2023 11:07 AM

Well, Actually went up to 17.11.1 as it has better debugging capabilities.  The 9800Ls were both in my office connected to a 3650X.  The RP ports were directly connected to each other.   The Active 9800 had the lower MAC so I made it Chassis 1 Priority 2.  The HA-SSO was Chassis 2 Priority 1.  I have a 9115AXi and 2802i AP connected to the same 3560X in my office.  A second 9115AXi is connected to a 3650 switch that serves our floor.   The testing APs and MGT Subnet for the 9800Ls are completely separate from our production 5508.  After we solved the External WebAuth issue, we continued to successfully test a few WLANs.  I thought it was safe to move the designated PASSIVE 9800 back to its permanent home in the network rack.  The PRIMARY 9800L is still here in my office connected to the 3560X.  I simply disconnected the PASSIVE 9800L data cables and power supply when I went to move the 9800L.  

As far as the Bug is concerned, I am hoping it more a cosmetic thing.  The 3 APs I am using are not showing up trying to join 5508.  The DHCP Option 42 is set to point to the 9800's Mgmt IP.  It's the 9800's MAC address that is appearing in its log:

IOSXE-4-PLATFORM: Chassis 1 R0/0: cpp_cp: QFP:0.0 Thread:003 TS:00000064831649371104 %SWPORT-4-MAC_CONFLICT: Dynamic mac 8C1E.XXXX.YYYY from Port-channel10 conflict with SVI

The bug may not even be relevant here.   My big concern is that it took 2 days for the 2802 to rejoin the 9800.  I have another TAC session this afternoon.  Hope to have some answers.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card