09-20-2021 10:17 AM
AireOS WLC as foreign, running 8.10.142.0
9800 anchor WLC running 17.3.3
A client connects to an AP on the foreign WLC, gets an IP address from the DHCP scope, and gets redirected toward the ISE login page. The client signs in and gets the login successful message. On the foreign WLC, the client state is "run" and says export-foreign. But even though the client login is successful, the 9800 state says "webauth pending". The 9800 anchor WLC contains the DHCP scope for guest clients. Also, the internet breakout is at the 9800 anchor location.
Upon checking the client configuration, the user gets a valid IP and DNS, which is 8.8.8.8.
DNS resolution works but the user cannot open any website.
What can I do?
09-20-2021 10:24 AM
The redirect ACL is already applied to the guest policy profile on the 9800 controller. The same ACL is applied on the foreign WLC, but of course the 9800 has a punt ACL with deny statements, and the AireOS WLC has an ACL with permit statements. Another site with a different foreign WLC tunneling to the same 9800 WLC works fine, so I'm not sure what the issue is here.
09-20-2021 01:03 PM - edited 09-20-2021 01:04 PM
Is CoA being received by the WLC? Can you post an RA trace for the client?
09-20-2021 10:27 PM
CoA is enabled on both the foreign and anchor controllers. I will paste the debug from AireOS and the 9800.
09-21-2021 05:35 PM
Cisco recommends the use of version 8.10.151.0 for IRCM environments. Try to upgrade your AireOS WLC.
09-22-2021 12:03 AM
Can you check your config again:
http://www.netprojnetworks.com/cisco-9800-with-ise-central-web-authentication/
or
https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/
Regards
Don't forget to rate helpful posts