Clients in "Guest" SSID cannot obtain IP address from DHCP server

lnw-team
Level 1

Hello, 

 

We've recently deployed a wireless access point in one of our locations (previously the users were using only wired connections). Due to the size of the location and the number of wireless access points (only one), it's managed by a Wireless LAN Controller in the remote site. An appropriate AP group and Flex Connect group have been created. There are three SSIDs in the AP group:

 

1) Mobile for mobile devices (mostly Samsung smartphones with Android)

2) Laptop for Windows 10 workstations 

3) Guest for guest users and contractors

 

At the beginning there was a problem with the "Mobile" SSID. Authentication failed due to an incorrect or expired certificate. After renewing the certificate it's working fine. So is the "Laptop" SSID. However, we are still experiencing issues with the "Guest" SSID. There's a WLAN to VLAN mapping in the Flex Connect group. When the client is trying to get an IP address from the DHCP server, I can see the IP address lease in the DHCP console; however, the address is not assigned on the end device. A "Cannot obtain IP address" message is displayed on the device, which leads me to the conclusion that DHCP packets are not properly forwarded by the WLC. When I connect to the "Guest" VLAN on the switch, it's working fine, so the problem does not seem to be on the switch, router, DHCP server or firewall. Any ideas?

7 Replies

ammahend
VIP

Check the policy manager state and make sure the client is in the DHCP pending state. That will verify your theory.

On the endpoint you can run a packet capture to see at what stage DHCP is failing. Based on which message is missing out of DORA you can establish a troubleshooting starting point. It's fairly easy to run a DHCP debug on the switch or router to see where the packet is not getting through.

Also make sure your Flex Connect has DHCP set to central if your DHCP server is set centrally, which seems to be the case based on your description.

-hope this helps-

Arshad Safrulla
VIP Alumni

Which authentication mechanism do you use for this SSID? (LWA, CWA, PSK, etc.)

How is the Guest SSID traffic switched? (Local, Central)

Is this issue impacting only certain devices? If yes, did you try upgrading the drivers?

Are you using any Pre-Auth ACLs? Have you allowed the DHCP packets as required? Did you check the WLC ACL hit count to see whether it is increasing or not?

Can you run a debug on the WLC ("debug client <MAC>" on AireOS or RadioActive Trace in 9800)?

 

Which authentication mechanism do you use for this SSID? (LWA, CWA, PSK, etc.)

Security is only on Layer 3. There's a sponsor portal that is used for user authentication (Cisco ISE). 

 

How is the Guest SSID traffic switched? (Local, Central)

It's switched locally. 

 

Are you using any Pre-Auth ACLs? Have you allowed the DHCP packets as required? Did you check the WLC ACL hit count to see whether it is increasing or not?

Yes, we are using exactly the same ACL as in other locations. Yes, DHCP packets are allowed.

What is the WLC model and the code? Can you post your Flex profile config?

Leo Laohoo
Hall of Fame

@lnw-team wrote:

 When I connect to "Guest" VLAN on the switch, it's working fine


If you connect to the Guest SSID, it is fine.  But not for others, is this correct? 

Is "Guest SSID not working" affecting EVERYONE or just a handful of people? 

If it is just a handful of people, do their wireless devices have MAC randomization enabled?

It doesn't work for any user regardless of the device he/she is using. We've tried it both with Android and iOS.

Try OPEN SSID or PSK.  Does it work?
