05-11-2023 06:57 AM
Hi all
I have a 9840 set up as a foreign controller with a 9800-L as an anchor running 17.3.4c. The mobility tunnel is up OK and the anchor is set as export anchor.
I have set up a guest WLAN to do web auth to an external site. When I connect a client to the guest WLAN it goes to run state on the foreign but sits at web auth pending on the anchor. The client never gets the redirect and hence eventually times out.
If I then go to the portal manually, I can eventually authenticate and get to the run state on both controllers. So it looks like the backend authentication is all working as it should, but this is obviously not how it should work.
I basically took the working config from the 5500 and replicated that as much as possible for the 9800s, but it's just not doing the redirect.
Some other points:
We already have some older 5500 series acting in the same way (foreign/anchor) with external redirect to the same portal and these continue to function.
I have done packet captures and I do not seem to see the web redirect from either controller to the client.
Any ideas? I was going to try and upgrade to version 17.6.5 to see if that made a difference just in case there's an undocumented bug I am hitting, but to be honest I think I'm missing configuration somewhere or I've done something wrong.
05-11-2023 07:21 AM
Hello
Do you have ISE? Who is managing the guest portal, the ISE or the WLC?
05-11-2023 08:21 AM
No Cisco ISE. We are using Aruba ClearPass for the guest portal. As I say, this is already a working solution on the older 5500 series WLCs, which are still running fine.
Essentially all we needed to do was add the new WLCs to the ClearPass device group, which is the thing that would be referenced.
05-11-2023 09:31 AM
I've seen some problems in the past related to the portal not opening, and basically it was related to ACL or DNS resolution.
Your scenario is not a simple one as it involves a mix of WLC IOS (AirOS and IOS-XE) and third-party RADIUS.
I'd recommend this link for guidance, if you have not found it already, and besides that, I would go to debug and see if something arises in the logs.
05-03-2024 01:55 PM
How was the redirect issue resolved? I am having the same issue not getting the redirect from the 9800 to a ClearPass portal. I have tried a mix of deny DHCP, DNS, and allow HTTP along with tying in a parameter map and authentication list to the Layer 3 webpolicy.