Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
346
Views
1
Helpful
3
Replies

Cisco 9800 Foreign and Cisco 5520 Anchor CWA Guest SSID

Chris Terry
Level 1
Level 1

‎05-06-2024 12:10 PM

I'm trying to configure a guest SSID on the Cisco 9800 with a 5520 as the anchor controller. The SSID has a CWA portal hosted on the external ISE appliance. Normally the flow (which is still working on the existing 5520 foreign controllers) is that you connect to the SSID and hit a CWA portal to enter your credentials. The issue I'm having with the 9800 is that the clients are bypassing the CWA.  The ACL should be blocking everything except traffic to/from the portal and DHCP/DNS traffic.

The client is in a RUN state on the foreign, but on the anchor is shows CENTRAL_WEB_AUTH. On the 9800 for the client details I see nothing under the Client ACL, but I do see the ACL and redirect URL under Server Policies and Resultant Policies. On the anchor I see the redirect URL and Pre-Auth ACL

 

Cisco 9800-40 version 17.09.05.0.6450 (foreign WLC)
Cisco 5520 version 8.10.190.0 (anchor WLC)

0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎05-06-2024 01:31 PM

may be debugging should help here. but check configuration again as per below document :

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216500-catalyst-9800-central-web-authenticati.html#toc-hId-264302890

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

marce1000
VIP
VIP

‎05-06-2024 11:40 PM

 

 - You can debug CWA on the 9800 using https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA
   Also  have a checkup of the 9800 foreign controller  configuration with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer

     - You may do the same on the 5520 using WirelessAnalyzer input (procedure) for AireOs controllers
        and feed the output from that into Wireless Config Analyzer  too

  M.
    



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Chris Terry
Level 1
Level 1

‎05-23-2024 08:36 PM

I can see the ACL being applied under the client details.

I know the CWA ACL has to be reversed on the 9800 compared to the 5520. Is that the same case if the anchor is a 5520? Does it need to match exactly what the CWA ACL is for the 9800, or does it stay the same? We have two other pairs of 5520s as foreign WLCs in our environment that use that 5520 anchor using the same CWA ACL.

I.E. (Not the full ACL)
ACL: 9800 foreign - Deny traffic to ISE server | 5520 anchor - Allow traffic to ISE Server
or would it be
ACL: 9800 foreign - Deny traffic to ISE server | 5520 anchor - Deny traffic to ISE server

For the current 5520 foreign controllers:
ACL: 5520 foreign - Permit traffic to ISE server | 5520 anchor - Permit traffic to ISE server

I can post the full ACL if needed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card