Re: Changing Virtual IP from 1.1.1.1 for CWA registration

j656 · ‎12-04-2022

We are running CWA wireless guest in a Foreign/Achor setup using two 9800 pointing to ISE 2.3. We have been using 1.1.1.1 as the virtual IP address, left over from our 5508 WLCs. Now that browsers seem to be using 1.1.1.1 to resolve to Cloudflare, we are seeing issues on some devices as they go through the portal registration process.

So, I am looking at changing the Virtual IP address to the recommend 192.0.2.1 address under the Global Web Auth settings. I have changed the IP on both the Foreign and Anchor WLCs, but the redirect is still going to 1.1.1.1.

Any thoughts on why we can't get devices to use the 192.0.2.1 address instead of the 1.1.1.1?

marce1000 · ‎12-04-2022

- Make sure that clients are not suffering from browser caching effects , or try browser that was not used until today , also check all WLC logs for sanity check.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rasika Nayanajith · ‎12-04-2022

Hi

I hope you followed below document guidelines when configuring it. Check DNS entries configured for 1.1.1.1 vs 192.0.2.1 to make sure old entries for guest portal redirection updated to new IP address.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

HTH
Rasika
*** Pls rate all useful responses ***

j656 · ‎12-05-2022

We never had a any DNS entries specifically for 1.1.1.1. It would always just redirect to the correct portal once the browser loaded the 1.1.1.1 URL. BTW, on the devices now, if we manually change the 1.1.1.1 in the URL to 192.0.2.1 , then it does successfully redirect to the portal pages. We just cant get the devices to go to the 192.0.2.1 instead of the 1.1.1.1 when they connect. its like the devices don't know to use 192.0.2.1 instead of 1.1.1.1.

Rich R · ‎12-05-2022

Then it's your config on the WLC or ISE still redirecting to the wrong IP.
You should be using fully qualified domain names with CA issued certs rather than raw IP addresses for a reliable solution since by default captive portal handlers on most modern devices will not trust those pages.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs