Solved: Cisco WLC 9800L GUI Login Issue

viv42 · ‎06-05-2023

Hi Team,

I have an on-prem Cisco WLC 9800-L Controller. I configured all the parameters properly. Now I am able to get the Console CLI login as well as the GUI login via SP port.

But I am not able to log in through GUI when using Wireless management IP.

I tried below,

ip http server

ip http secure-server

ip http authentication local

ip http secure-trustpoint CISCO_IDEVID_SUDI

ip http client source-int "wireless mgm int"

Also, tried to create new user.

Still, no luck.

note:- This WLC 9800 is newly deployed, after initial configuration all was working fine I can able to log in through GUI, but suddenly when I tried to log in through GUI using Wireless management IP I am getting the wrong username password which was working previously.

Rich R · ‎06-06-2023

- Refer to best practice guide below
- Remember SP is a separate managment VRF - different routing table. All your config must reflect that. The routing in the default VRF needs to be able to reach the same things as the management VRF.
- Check your config at https://cway.cisco.com/wireless-config-analyzer/ using output of "show tech wireless"
- Run a packet capture on the "wireless mgm int" to see whether your packets arrive there and whether the WLC responds and take it from there.

Note that ip http client source-int "wireless mgm int" only applies to http/https connections originated/initiated by the WLC - for example connecting to Smart Licensing.

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

Rich R · ‎06-06-2023

- Refer to best practice guide below
- Remember SP is a separate managment VRF - different routing table. All your config must reflect that. The routing in the default VRF needs to be able to reach the same things as the management VRF.
- Check your config at https://cway.cisco.com/wireless-config-analyzer/ using output of "show tech wireless"
- Run a packet capture on the "wireless mgm int" to see whether your packets arrive there and whether the WLC responds and take it from there.

Note that ip http client source-int "wireless mgm int" only applies to http/https connections originated/initiated by the WLC - for example connecting to Smart Licensing.

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs

viv42 · ‎06-09-2023

Hi Rich R,

Thank you for the quick support.