Cisco WLC 9800 Guest access to web is not instant on first connection

Axians Networks
Level 1

I have an issue with getting to the internet once authenticated via our Cisco ISE guest portal. Access to the internet does not work for at least 3 to 5 minutes before everything just kicks in and it works without any network intervention. We have Cisco 9800 WLCs, Cisco ISE for the guest and sponsor portals, and Fortinet firewalls.

We also have our APs randomly dropping packets whilst users are connected to the wireless networks. We are predominantly using Cisco 9115AXI, AIR-AP2802I-E-K9, AIR-AP1852I-E-K9, AIR-AP1832I-E-K9 access points.

Any suggestions to resolve or diagnose the problem are welcome.

Ammo Devgun


marce1000
VIP

- Start with a checkup of the 9800 WLC configuration with the CLI command show tech wireless and feed the output to Wireless Config Analyzer.

- Debug guest access further using: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA

- Further engage in full client debugging according to https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity ; these debugs can be analyzed with Wireless Debug Analyzer.

- Check logs on the firewalls.

- Outputs from the commands mentioned in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 can also be useful.

- The 9800 controller software version in use was not reported; go for 17.9.5, especially if an older version is currently being used.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Leo Laohoo
Hall of Fame

What is the exact model of the WLC?

The WLC is a Cisco C9800-L-F-K9 running firmware 17.3.8a

 

> ...The WLC is a Cisco C9800-L-F-K9 running firmware 17.3.8a

- Because 17.3.x is EOL, consider moving to https://software.cisco.com/download/home/286321399/type/282046477/release/Cupertino-17.9.5

 M.




I will look to do this first, as it may resolve a fair few issues, although knowing my luck it will introduce new ones as well. We initially set up on the latest version a few months back, but the firmware version was not compatible with our access points, so we had to go to an older firmware.

 

Thank you

Rich R
VIP

Sounds like you're talking about multiple different problems, which doesn't help when troubleshooting. Identify each separate problem, then concentrate on finding the root cause for each problem; then you can solve them one at a time.

As Marce says, making sure your software is up to date as per the TAC recommended link below is the first step, along with checking your WLC config with the config analyzer.

Web access should be more or less instantaneous once the guest user is logged in, so you need to concentrate on a single client to work out where that delay is occurring. Web browser trace on the client, packet capture on the client, radioactive trace on the WLC (for the client MAC), packet capture on the WLC for that client (if centrally switched) or on the local switch (if locally switched). Also packet capture on the WLC for the RADIUS between the WLC and ISE to confirm you are receiving the CoA promptly. As soon as the client CoA is received, the client should change to Run state.

I can't think of anything that would cause a delay that long - it suggests you might have a misconfiguration of something which eventually times out and fails over to a backup option.

eglinsky2012
Level 4

Is the first issue a delay after clicking accept/submit (or whatever happens on the portal page), whereas, beforehand, the portal itself loads quickly upon connecting to the SSID?

The portal loads (I still have to implement the publicly signed SSL certs, which I am struggling with). After registering on the guest wifi, the sponsor has approved the request. The screen on the client says approved, but then the client cannot access the internet for some time and then it just kicks in and starts working.

 

- I can only see hope for determining the cause for that by full client debugging as explained in https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity ; these debugs (so called Radio Active Traces) can then be analyzed with Wireless Debug Analyzer.

- What could happen is that some backend authenticating service does not respond fast enough and the client has to try a few times; the above mentioned procedure should make that clear.

 M.




Are you sure you've enabled CoA on the WLAN (policy profile advanced tab) and the WLC (AAA) and that the flow from ISE -> WLC is allowed in ACLs or firewalls (the connection is initiated by ISE)?

I suspect your CoA is getting blocked so eventually the WLC tries to re-authenticate the client and discovers that they're authorised instead of it happening instantly when ISE sends the CoA.

Pay close attention to the flowchart in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html

And go through all the configuration steps to make sure you have not missed anything.
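The CoA exchange the answer above depends on, as an added Python example that is not part of this thread or of any Cisco software: it models the RFC 5176 packet formats that ISE and a WLC exchange. The ISE side builds a CoA-Request carrying Calling-Station-Id and the Cisco AVPair subscriber:command=reauthenticate; the WLC side validates the Request Authenticator with the shared key and answers CoA-ACK (or CoA-NAK for an unknown client). The shared secret, MAC address and client table are constructed values. The request travels from ISE to the WLC over UDP (port 1700 by default on Cisco devices; RFC 5176 registers 3799), so the firewall must allow that direction; a request dropped by a firewall and one discarded for a wrong shared key look identical from ISE's side, namely no reply, which is the symptom the answer describes.

```python
"""Model of a RADIUS CoA exchange (RFC 5176) between an ISE-like sender and a
WLC-like receiver. Constructed example; all secrets and MACs are made up."""
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # Cisco VSA subtype carrying "key=value" strings


def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def cisco_avpair(value):
    """Wrap a Cisco AVPair string as the value of a Vendor-Specific attribute."""
    sub = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + sub


def cisco_avpairs(attrs):
    """Extract Cisco AVPair strings from Vendor-Specific attributes."""
    found = []
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        found += [sv.decode() for st, sv in _decode_attrs(v[4:]) if st == CISCO_AVPAIR]
    return found


def _digest(code, ident, authenticator, body, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + authenticator + body + secret).digest()


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    body = _encode_attrs(attrs)
    auth = _digest(code, ident, bytes(16), body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def build_response(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = _encode_attrs(attrs)
    auth = _digest(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def parse_packet(raw):
    if len(raw) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match datagram")
    return {"code": code, "id": ident, "auth": raw[4:20], "attrs": _decode_attrs(raw[20:])}


def verify_request(raw, secret):
    pkt = parse_packet(raw)
    return hmac.compare_digest(_digest(pkt["code"], pkt["id"], bytes(16), raw[20:], secret), pkt["auth"])


def verify_response(raw, request_auth, secret):
    pkt = parse_packet(raw)
    return hmac.compare_digest(_digest(pkt["code"], pkt["id"], request_auth, raw[20:], secret), pkt["auth"])


def wlc_handle_coa(raw, secret, known_clients):
    """WLC side. A request whose authenticator fails (wrong shared key) is
    silently discarded, exactly as if a firewall had dropped the datagram."""
    if not verify_request(raw, secret):
        return None
    pkt = parse_packet(raw)
    mac = next((v.decode() for t, v in pkt["attrs"] if t == ATTR_CALLING_STATION_ID), None)
    code = COA_ACK if pkt["code"] == COA_REQUEST and mac in known_clients else COA_NAK
    return build_response(code, pkt["id"], [], pkt["auth"], secret)


def ise_coa_exchange(mac, ise_secret, wlc_secret, known_clients):
    """ISE side: send a reauthenticate CoA and report the outcome as a string."""
    attrs = [(ATTR_CALLING_STATION_ID, mac.encode()),
             (ATTR_VENDOR_SPECIFIC, cisco_avpair("subscriber:command=reauthenticate"))]
    req = build_request(COA_REQUEST, 7, attrs, ise_secret)
    reply = wlc_handle_coa(req, wlc_secret, known_clients)
    if reply is None:
        return "no-response"   # firewall drop or key mismatch: indistinguishable here
    if not verify_response(reply, req[4:20], ise_secret):
        return "bad-authenticator"
    return {COA_ACK: "ack", COA_NAK: "nak"}.get(parse_packet(reply)["code"], "unknown")


if __name__ == "__main__":
    secret = b"constructed-secret"   # constructed sample value
    print(ise_coa_exchange("aa-bb-cc-dd-ee-ff", secret, secret, {"aa-bb-cc-dd-ee-ff"}))
    print(ise_coa_exchange("aa-bb-cc-dd-ee-ff", secret, b"other-key", {"aa-bb-cc-dd-ee-ff"}))
```

When tracing a real deployment, the same three outcomes map onto what a packet capture on the WLC shows: a CoA-Request followed by a CoA-ACK means the flow is healthy; a CoA-Request with no reply means either the key is wrong or the packet never reached the controller; no CoA-Request at all means ISE never sent it or the firewall dropped it upstream of the capture point.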

So the guest wifi takes account registrations via a Cisco ISE portal. The user account is created and then approval for the account is requested and approved via the Cisco ISE Sponsor portal. However, the accounts are local to the controller and not being authenticated via a RADIUS server for the Guest WiFi.

For our corporate WiFi which works fine, we have radius authentication to a Cisco ISE server at our parent company.

Hi Rich

 

After going through all the config again today I found that CoA was disabled on the ISE RADIUS setup used for the guest wifi. Enabling this and implementing various other WLC best practices made a massive difference.

 

Thank you everyone for the support and suggestions. I am new to WLCs but getting there slowly.

Glad you got there in the end.
It can be tedious going through the documentation, but when it doesn't work the first time it really is important to go through the guides step by step to make sure you haven't missed anything, because it's very easy to miss something along the way even when you are more experienced.

In the 9800 AAA config, if you have multiple RADIUS servers, do you have the "Load Balance" feature enabled on the server group? (If not, don't enable it. If you do, turn it off, see if that improves, and I'll explain later.)
