Client connection - WLC9800 try auth L2 first rather than L3?

eeebbunee · ‎03-24-2025

Hello, I'm trying to verify my WLC9800 controller configurations because I'm having an weird issue.

Here's the thing:
- SSID: CORP (WLAN setup with L2 auth, Macfiltering from WLC9800 (local)
- SSID: GUEST (WLAN setup with L3 auth (guest portal), id/password account managed from WLC9800 (local)

Most of users are only needed to connect SSID: CORP, but some of them are required to connect both.

Problem is, they always get failed to login in SSID:GUEST.

However, when I delete their mac address from the controller, they are able to connect SSID:GUEST with id/password.

Since they are able to login Guest wifi with same id/password what I created from controller, that means L3 auth working fine.
When you see SSID: GUEST config, L2 auth is selected as 'none'.

Users who needs to connect both wifi, they are having 'none' attribute.

Why the WLC gives auth-failed in L3 webauth when the device registered to device authentication?

Thank you for your time.

Scott Fella · ‎03-24-2025

I think you just found your issue. The mac address doesn't just get removed, there is an idle timer and session timer. So when a device coneects to CORP, the controller knows of that mac address connecting to the SSID. Now if you test with an open SSID mapped to the guest vlan or even a PSK network mapped the guest vlan, you can probably connect fine because the auth is L2 and the controller will now know because its a successful layer 2 authentication. Also test first connecting to the guest and then switch to the CORP. I would think that would connect fine. If the user has randomized mac enabled when connecting to the guest, you probably don't see any issues because its a different mac address. Another good test is to connect to CORP and then don't just connect to the guest, but disconnect for the CORP SSID or turn your wifi adapter off fro a few seconds. What happens in that case?

-Scott
*** Please rate helpful posts ***