04-19-2024 08:24 AM
Hello all,
I'm having an issue with clients connected on my Guest SSID configured with Web Authentication Splash Page. Basically, as of today (NO CHANGES OR ACTIVITIES WERE DONE), all the clients which are trying to connect to this SSID cannot reach the splash page to authenticate themselves. We do not have any RADIUS or ISE server configured since there's only the web portal to let the client authenticate, so I'm having some trouble finding out where the problem is. I checked that the SSID has the correct web policy configured and the "web policy" flag set, and also verified the policy, and no changes have been made since yesterday, when everyone could join without issues. I tried to get some info by using the Debug trace, and from the clients I got these logs:
2024/04/19 16:22:36.479005452 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (ERR): SANET_AUTHC_FAILURE - No Response from Client, audit session id 0B20000A0000EF6DF68576AF
2024/04/19 16:22:36.479115338 {wncd_x_R0-0}{2}: [errmsg] [17292]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (3ace.c41a.8428) on Interface capwap_9000051f AuditSessionID 0B20000A0000EF6DF68576AF. Failure reason: Authc fail. Authc failure reason: No Response from Client.
2024/04/19 16:22:36.480372529 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (note): Authentication Success. Resolved Policy bitmap:4 for client 3ace.c41a.8428
2024/04/19 16:22:36.480736048 {wncd_x_R0-0}{2}: [client-auth] [17292]: (ERR): MAC: 3ace.c41a.8428 L3 Authentication FAIL.
2024/04/19 16:22:36.481275611 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Client delete initiated. Reason: CO_CLIENT_DELETE_REASON_L3AUTH_FAIL, details: , fsm-state transition 60|61|7c|56|15|1a|1b|2c|37|46|48|4a|4c|51|60|61|7c|56|15|1a|1b|2c|37|46|48|4a|4c|51|60|61|69|12|
2024/04/19 16:22:36.481385673 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2024/04/19 16:22:36.482234263 {wncd_x_R0-0}{2}: [dpath_svc] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry deleted for ifid 0xa0000070
2024/04/19 16:22:36.482463247 {wncd_x_R0-0}{2}: [sanet-shim-translate] [17292]: (note): MAC: 3ace.c41a.8428 Session manager disconnect event called, session label: 0xfc0003fd
2024/04/19 16:22:36.483758612 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2024/04/19 16:22:37.577485865 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Re-Association received. BSSID 00df.1db8.768d, WLAN CGGUEST, Slot 1 AP 00df.1db8.7680, APBV19_P1_18
2024/04/19 16:22:37.577703176 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_INIT -> S_CO_ASSOCIATING
2024/04/19 16:22:37.578421118 {wncd_x_R0-0}{2}: [dot11] [17292]: (note): MAC: 3ace.c41a.8428 Association success. AID 1, Roaming = False, WGB = False, 11r = False, 11w = False Fast roam = False
2024/04/19 16:22:37.578738798 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_ASSOCIATING -> S_CO_L2_AUTH_IN_PROGRESS
2024/04/19 16:22:37.579008753 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 L2 Authentication initiated. method WEBAUTH, Policy VLAN 0, AAA override = 1
2024/04/19 16:22:37.582206899 {wncd_x_R0-0}{2}: [ewlc-infra-evq] [17292]: (note): Authentication Success. Resolved Policy bitmap:8011 for client 3ace.c41a.8428
2024/04/19 16:22:37.582671291 {wncd_x_R0-0}{2}: [client-orch-sm] [17292]: (note): MAC: 3ace.c41a.8428 Mobility discovery triggered. Client mode: Local
2024/04/19 16:22:37.582676265 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2024/04/19 16:22:37.584472026 {wncd_x_R0-0}{2}: [mm-client] [17292]: (note): MAC: 3ace.c41a.8428 Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_NONE, Client IFID: 0xa0000070, Client Role: Local PoA: 0x900007dc PoP: 0x0
2024/04/19 16:22:37.584833474 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 ADD MOBILE sent. Client state flags: 0x72 BSSID: MAC: 00df.1db8.768d capwap IFID: 0x900007dc, Add mobiles sent: 1
2024/04/19 16:22:37.585055011 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_MOBILITY_DISCOVERY_IN_PROGRESS -> S_CO_DPATH_PLUMB_IN_PROGRESS
2024/04/19 16:22:37.585223147 {wncd_x_R0-0}{2}: [dot11] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry params - ssid:CGGUEST,slot_id:1 bssid ifid: 0x90000744, radio_ifid: 0x9000067a, wlan_ifid: 0xf0400004
2024/04/19 16:22:37.585664313 {wncd_x_R0-0}{2}: [dpath_svc] [17292]: (note): MAC: 3ace.c41a.8428 Client datapath entry created for ifid 0xa0000070
2024/04/19 16:22:37.585843246 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_DPATH_PLUMB_IN_PROGRESS -> S_CO_IP_LEARN_IN_PROGRESS
2024/04/19 16:22:37.586462370 {wncd_x_R0-0}{2}: [client-iplearn] [17292]: (note): MAC: 3ace.c41a.8428 Client IP learn successful. Method: DHCP IP: 192.168.2.44
2024/04/19 16:22:37.587964270 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_L3_AUTH_IN_PROGRESS
2024/04/19 16:22:37.588275775 {wncd_x_R0-0}{2}: [client-auth] [17292]: (note): MAC: 3ace.c41a.8428 L3 Authentication initiated. LWA
These logs look the same for every other client I checked (no matter what kind of device it is, the problem is the same, from Android cellphones to Windows laptops and so on).
Current WLC version is 17.9.4.
Thank you for your help and advice.
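As an added example (not part of the original post and not a Cisco tool), a short Python parser that condenses a trace like the one above into a per-client summary: learned IP, last state, authentication failure reasons, and how many times the client was deleted while in L3 (web) authentication. The sample lines are copied from the post; the function and field names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Five trace lines copied verbatim from the post above (one client).
SAMPLE = """\
2024/04/19 16:22:36.479115338 {wncd_x_R0-0}{2}: [errmsg] [17292]: (note): %SESSION_MGR-5-FAIL: R0/0: wncd: Authorization failed or unapplied for client (3ace.c41a.8428) on Interface capwap_9000051f AuditSessionID 0B20000A0000EF6DF68576AF. Failure reason: Authc fail. Authc failure reason: No Response from Client.
2024/04/19 16:22:36.481385673 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_L3_AUTH_IN_PROGRESS -> S_CO_DELETE_IN_PROGRESS
2024/04/19 16:22:36.483758612 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_DELETE_IN_PROGRESS -> S_CO_DELETED
2024/04/19 16:22:37.586462370 {wncd_x_R0-0}{2}: [client-iplearn] [17292]: (note): MAC: 3ace.c41a.8428 Client IP learn successful. Method: DHCP IP: 192.168.2.44
2024/04/19 16:22:37.587964270 {wncd_x_R0-0}{2}: [client-orch-state] [17292]: (note): MAC: 3ace.c41a.8428 Client state transition: S_CO_IP_LEARN_IN_PROGRESS -> S_CO_L3_AUTH_IN_PROGRESS
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
TRANSITION = re.compile(rf"MAC: ({MAC}) Client state transition: (\S+) -> (\S+)")
AUTHC_FAIL = re.compile(rf"for client \(({MAC})\).*Authc failure reason: (.+?)\.?$")
IP_LEARN = re.compile(rf"MAC: ({MAC}) Client IP learn successful\. Method: (\S+) IP: (\S+)")


def summarize(trace: str) -> dict:
    """Return {mac: summary} built from the trace lines this parser recognises."""
    clients = defaultdict(lambda: {"ip": None, "ip_method": None, "last_state": None,
                                   "failures": [], "deleted_in_l3_auth": 0})
    for line in trace.splitlines():
        line = line.strip()
        if m := TRANSITION.search(line):
            mac, old, new = m.groups()
            clients[mac]["last_state"] = new
            # Deleted straight out of L3 auth: association, L2 and IP learn
            # completed earlier, so the failure is in the web-auth stage.
            if (old, new) == ("S_CO_L3_AUTH_IN_PROGRESS", "S_CO_DELETE_IN_PROGRESS"):
                clients[mac]["deleted_in_l3_auth"] += 1
        elif m := AUTHC_FAIL.search(line):
            clients[m.group(1)]["failures"].append(m.group(2))
        elif m := IP_LEARN.search(line):
            mac, method, ip = m.groups()
            clients[mac]["ip"], clients[mac]["ip_method"] = ip, method
    return dict(clients)


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```

Run over a full trace export, a nonzero `deleted_in_l3_auth` together with a learned IP for most clients points at the splash-page stage rather than association or DHCP.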
04-19-2024 09:20 AM
Maybe generate a debug log and use the log analysis tool:
Check some troubleshooting tips:
https://mrncciew.com/2022/07/08/9800-client-troubleshooting/
Is the client IP 192.168.2.44?
04-19-2024 10:09 AM
- Note that client debugs can be analyzed further with Wireless Debug Analyzer
You may also find commands from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 useful
For specific debugging related to Web Auth, look at: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA
Important: have a checkup of the WLC 9800-40 configuration with the CLI command show tech wireless and feed the output to: Wireless Config Analyzer
M.
04-19-2024 12:43 PM
I had a similar experience in the beginning. I forgot..
wlan TCVisitor 7 TCVisitor2
security web-auth
security web-auth authentication-list TCVisitor
security web-auth parameter-map TCVisitor
(config-wlan)#security web-auth authorization-list TCVisitor
Please test after the change and let me know if the issue is resolved.
And yes, adding the missing element solved the issue.
04-22-2024 12:15 AM
Hello David,
I checked the parameters you suggested and I confirm all those three commands are present inside the CLI of my WLC. I also verified again the correct association between the SSID Guest and the Policy Map in the "Security" tab inside it and it's all correct.
I just noticed this morning that some clients are properly authenticated and are in "Run" state, so perhaps something has changed in the splash portal settings (I cannot check that part). I will come back to this thread whenever I receive any update.
Meanwhile I want to thank you and all the other users who replied to this post and are helping me!!
Best regards!
04-21-2024 11:49 PM
Hello All,
Sorry for my delay in giving feedback. I'm now reading all the answers you gave me. I'll come back to this thread once I have tried the Debug Analyzer and after checking whether those commands are present:
security web-auth
security web-auth authentication-list XXXXXXXX
security web-auth parameter-map XXXXXXX
04-22-2024 12:25 AM
First do
debug client mac <mac of any guest device>
Then stop the debug, share it, and do
debug ip http all
MHM
04-22-2024 12:56 AM
Hi!
I'm trying to perform the "Debug client" command but I do not have that command in the debug CLI. Is it OK if I do it with the Radioactive Trace and then apply the "debug IP http all" command?
By now the issue looks resolved by the way, many more clients are authenticating correctly.
I'll keep the situation monitored.