Cisco 9800 Guest users getting disconnected post portal authentication

Hello All,

We have Cisco 9800 Guest users getting disconnected post portal authentication. Not all users, only a few of them.

Setup:

Foreign 9800-L --> Anchor WLC 9800-L

Guest SSID --> Open Layer 2 Security, Layer 3 Web-Auth External URL redirection(Aruba Clearpass)

Mobility Tunnel between Foreign and Anchor. 

Issue:

Users are able to connect to the Guest SSID, they are redirected to the portal, they enter username and password and get connected. At that time the user status is Run in both the Anchor and Foreign WLC. In a couple of minutes they are disconnected and asked to authenticate at the portal again. At that time the Foreign is in Run state; on the Anchor side it says Web-Auth Pending state.

Both Foreign and Anchor are on 17.6.4.

If anyone has come across this kind of issue, that would be great. We need to fix this ASAP. Any clue on this?

Regards,

Chandhuru

Thanks and regards, Chandhuru.M
19 Replies

Arshad Safrulla
VIP Alumni

Hi. In your scenario, Radius authentication is handled by the anchor WLC. So you can run an RA trace to check exactly why the user was disconnected. You can have that analyzed using the WLC debug analyzer.

https://community.cisco.com/t5/wireless/wlc-debug-analyzer/td-p/2876223

That being said, I would like to see the timeouts that you have configured under the Policy profile; also post the parameter map that is configured in the WLC.

Thanks Arshad,

Under Policy, Session Timeout is 28800 seconds, Idle Timeout is 3000 seconds.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
!
!
parameter-map type webauth guest_web_auth
type consent
redirect for-login http:// <Aruba Clearpass IP>/guest/Cisco-Sponsor-Guest-Reg_2_4.php?_browser=1
redirect append ap-mac tag ap_mac
redirect append wlan-ssid tag ssid
redirect append client-mac tag client_mac
redirect portal ipv4 <Aruba Clearpass IP>
logout-window-disabled
success-window-disable
cisco-logo-disable

Thanks and regards, Chandhuru.M

Hi Chandhuru,

I am not sure what the problem is, but I would start by checking whether you've enabled CoA under the radius server settings, and AAA override and NAC under the policy profile. These are mandatory for CoA to work.

Then I would check whether MAC randomization on the clients is having any impact here; do your testing with MAC randomization off on the client side.

How is your WLC connected to the upstream switch? How are the upstream switchports configured? Are the APs in Flex (if Flex, local or central switching) or Local mode? Do you have any SVIs configured in the WLC (SVIs are needed only when you have the mDNS gateway or DHCP relay features in the WLC)? Do you have any kind of DHCP/ARP snooping enabled on the switches?

Hello Arshad,

Please find the answers below,

I am not sure what the problem is, but I would start by checking whether you've enabled CoA under the radius server settings, and AAA override and NAC under the policy profile. These are mandatory for CoA to work.
Yes, CoA is enabled in the Radius server configuration. AAA Override and NAC are enabled and pointed at the WLAN Policy profile.

Then I would check whether MAC randomization on the clients is having any impact here; do your testing with MAC randomization off on the client side.
We didn't check that.

How is your WLC connected to the upstream switch? How are the upstream switchports configured? Are the APs in Flex (if Flex, local or central switching) or Local mode? Do you have any SVIs configured in the WLC (SVIs are needed only when you have the mDNS gateway or DHCP relay features in the WLC)? Do you have any kind of DHCP/ARP snooping enabled on the switches?
The upstream switch port is configured as a trunk and it is Central Switching, not Flex. APs are in local mode. Foreign and Anchor mobility setup for the Guest SSID. The DHCP server (Wintel server, common for all users, 5508 WLC users as well) is on the anchor side. Snooping is not enabled on the switch side. The SSID is Web-auth external URL redirection (Aruba Clearpass, same URL for 5508 users).

Note: 5508 users are able to connect and are working fine.

Issue: A few users are able to connect to the Guest SSID and it works fine. A few users get connected, complete web-auth and get internet for a few minutes, then re-authenticate and come to the web-auth page again.

We have tried creating a new SSID with WPA2-PSK, skipping radius auth but keeping the anchor and foreign setup. Still the same issue. Users get reconnected every few minutes (approx. 2 minutes).

Thanks and regards, Chandhuru.M

Hello Arshad,

When we do an RA trace on the foreign side we can see "Mobility peer reset" logs. Could you please help us with what the reason for this debug log could be?

Thanks and regards, Chandhuru.M

 - Use this command: show platform hardware chassis active qfp feature wireless punt statistics. Check for error info related to mobility issues (if any).

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello Marce,

Please find the logs below,

CPP Wireless Punt stats:

App Tag Packet Count
------- ------------
CAPWAP_PKT_TYPE_DOT11_PROBE_REQ 901602
CAPWAP_PKT_TYPE_DOT11_MGMT 78793
CAPWAP_PKT_TYPE_DOT11_IAPP 10497761
CAPWAP_PKT_TYPE_DOT11_RFID 0
CAPWAP_PKT_TYPE_DOT11_RRM 0
CAPWAP_PKT_TYPE_DOT11_DOT1X 37146
CAPWAP_PKT_TYPE_CAPWAP_KEEPALIVE 620327
CAPWAP_PKT_TYPE_MOBILITY_KEEPALIVE 255561
CAPWAP_PKT_TYPE_CAPWAP_CNTRL 3052198
CAPWAP_PKT_TYPE_CAPWAP_DATA 0
CAPWAP_PKT_TYPE_CAPWAP_DATA_PAT 30
CAPWAP_PKT_TYPE_MOBILITY_CNTRL 149926
WLS_SMD_WEBAUTH 0
SISF_PKT_TYPE_ARP 129504
SISF_PKT_TYPE_DHCP 28724
SISF_PKT_TYPE_DHCP6 7266
SISF_PKT_TYPE_IPV6_ND 96520
SISF_PKT_TYPE_DATA_GLEAN 200
SISF_PKT_TYPE_DATA_GLEAN_V6 205
SISF_PKT_TYPE_DHCP_RELAY 1632
WLCLIENT_PKT_TYPE_MDNS 0
CAPWAP_PKT_TYPE_CAPWAP_RESERVED 0

Thanks and regards, Chandhuru.M
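Marce's advice above is to look through the punt statistics for mobility-related anomalies. Reading 20-odd counters by eye across several captures is error-prone, so the following is an added helper (not part of the thread and not a Cisco tool) that parses the output exactly as pasted above into a dictionary, pulls out the mobility counters, flags expected counters that are zero, and diffs two snapshots taken before and after a reproduction of the disconnect. The sample text is a constructed copy of the output posted in this thread; the assumption is only that the output keeps the two-column "TAG COUNT" layout shown here.

```python
import re

# Constructed sample: the punt statistics pasted earlier in this thread.
SAMPLE_PUNT_STATS = """CPP Wireless Punt stats:

App Tag Packet Count
------- ------------
CAPWAP_PKT_TYPE_DOT11_PROBE_REQ 901602
CAPWAP_PKT_TYPE_DOT11_MGMT 78793
CAPWAP_PKT_TYPE_DOT11_IAPP 10497761
CAPWAP_PKT_TYPE_DOT11_RFID 0
CAPWAP_PKT_TYPE_DOT11_RRM 0
CAPWAP_PKT_TYPE_DOT11_DOT1X 37146
CAPWAP_PKT_TYPE_CAPWAP_KEEPALIVE 620327
CAPWAP_PKT_TYPE_MOBILITY_KEEPALIVE 255561
CAPWAP_PKT_TYPE_CAPWAP_CNTRL 3052198
CAPWAP_PKT_TYPE_CAPWAP_DATA 0
CAPWAP_PKT_TYPE_CAPWAP_DATA_PAT 30
CAPWAP_PKT_TYPE_MOBILITY_CNTRL 149926
WLS_SMD_WEBAUTH 0
SISF_PKT_TYPE_ARP 129504
SISF_PKT_TYPE_DHCP 28724
SISF_PKT_TYPE_DHCP6 7266
SISF_PKT_TYPE_IPV6_ND 96520
SISF_PKT_TYPE_DATA_GLEAN 200
SISF_PKT_TYPE_DATA_GLEAN_V6 205
SISF_PKT_TYPE_DHCP_RELAY 1632
WLCLIENT_PKT_TYPE_MDNS 0
CAPWAP_PKT_TYPE_CAPWAP_RESERVED 0
"""

# One counter line: an upper-case tag, whitespace, an integer. Header and
# separator lines do not match and are skipped.
COUNTER_LINE = re.compile(r"^(?P<tag>[A-Z0-9_]+)\s+(?P<count>\d+)\s*$")


def parse_punt_stats(text):
    """Parse the 'show platform hardware ... punt statistics' output into {tag: count}."""
    counters = {}
    for raw in text.splitlines():
        m = COUNTER_LINE.match(raw.strip())
        if m:
            counters[m.group("tag")] = int(m.group("count"))
    return counters


def mobility_counters(counters):
    """Only the tags on the foreign/anchor mobility path (keepalive and control)."""
    return {tag: n for tag, n in counters.items() if "MOBILITY" in tag}


def zero_counters(counters, expected_tags):
    """Tags from expected_tags that are missing or still at zero on this box."""
    return [tag for tag in expected_tags if counters.get(tag, 0) == 0]


def diff_punt_stats(before, after):
    """Per-tag delta between two snapshots taken around a reproduction window.

    A tag whose delta is zero did not carry traffic while the client dropped,
    which narrows down which punt path is involved.
    """
    tags = set(before) | set(after)
    return {tag: after.get(tag, 0) - before.get(tag, 0) for tag in tags}


if __name__ == "__main__":
    stats = parse_punt_stats(SAMPLE_PUNT_STATS)
    print("mobility:", mobility_counters(stats))
    print("zero:", zero_counters(stats, ["WLS_SMD_WEBAUTH", "CAPWAP_PKT_TYPE_MOBILITY_CNTRL"]))
```

Capture the output once before reproducing the drop and once after, feed both captures to `diff_punt_stats`, and compare the mobility deltas on the foreign and the anchor; a keepalive or control counter that moves on one side but not the other is worth raising with TAC alongside the "Mobility peer reset" RA-trace lines.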

 - Check the outputs of these commands too:
       show wireless mobility summary
       show wireless stats mobility
       show wireless stats mobility messages

 M.


Thanks Marce!!!

Could you help me navigate the issue? I am new to the 9800.

Thanks and regards, Chandhuru.M

Hello All, 

We have tried creating a new SSID with an anchor/foreign relation on the same VLAN and without radius authentication, just WPA2-PSK. That client also faces the same disconnection a few minutes or so after connecting.

Debug analysis didn't help much.

Now we have isolated that it is not an issue with the radius auth configuration. Also we have increased the session timeout to 86400 from 28800; that didn't help. Disabling FT didn't help.

We are running out of ideas. Any help would be appreciated.

TAC is saying that from the logs, the client is initiating a DHCP release request. But we verified that working and non-working laptops are both the same model with the same driver and version. No luck.

Please help us.

Thanks and regards, Chandhuru.M

 - Have a checkup of the configuration of both controllers with the CLI command show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ . Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer. Check out all advisories!

 M.


Hello Marce,

Thanks for your reply!!!

I could see no errors and only warnings there. I don't think those would cause clients to disconnect.

Quick question: the DHCP source interface is not set to the Foreign controller's wireless management VLAN. Would that cause a client to get disconnected a few minutes (like 2 minutes) after being authenticated (due to asymmetric DHCP packets)?

We saw clients getting through webauth and connected, able to browse for at least 2 minutes, and then re-auth happening. What would be the reason? Note: not all clients, only a few users.

Thanks and regards, Chandhuru.M

Hi Chandhuru,

We are facing the exact same issue, but here the WLC model is a 5520 on version 8.10.183.0. This is weird, as not all users are facing this problem. Were you able to get anywhere on your problem? Did you find the solution?

Hello Nieo,

Still no clue. Even the TAC team doesn't have any clue on this. They gave a workaround of a local SSID for Guest users. If you find anything, please help me too.

Thanks and regards, Chandhuru.M