Hi,

I'm not sure which parameter-map commands can rectify this issue. Please see my configuration below (this configuration does not make splach page pop up in Win11 clients). It might also have something to do with the default browser as we're using Edge:

WLC#sh run | section parameter-map
parameter-map type webauth global
type webauth
virtual-ip ipv4 <IP Adress>
captive-bypass-portal
trustpoint TP-self-signed-xxx

security web-auth parameter-map global

WLC(config)#parameter-map type webauth global
WLC(config-params-parameter-map)#?
pre parameter-map params commands:
banner                                            Banner file or text
captive-bypass-portal                     Turn on captive bypass
cisco-logo-disable                          Disable Cisco logo on internal html pages
consent                                           consent parameters
custom-page                                  custom-page - login, expired, success or failure page
exit                                                  Exit from parameter-map params configuration mode
http                                                 Configure Webauth HTTP Server
intercept-https-enable                    Enable intercept of https traffic
login-auth-bypass                           Login Auth Bypass for FQDN
logout-window-disabled                  Webauth logout window disable
max-http-conns                               Maximum number of HTTP connections per client
no                                                    Negate a command or set its defaults
redirect                                            redirect url
secure-webauth-disable                  Disable HTTP secure server for Webauth
sleeping-client                                 enable sleeping client for webauth
success-window-disable                 Disable Success Window
timeout                                             timeout for the webauth session
trustpoint                                          Configure Trustpoint
type                                                  type - web-auth, consent or both
virtual-ip                                           Virtual IP Address
watch-list                                         Watch List of webauth clients
webauth-bypass-intercept                Configure Webauth bypass intercept
webauth-http-enable                       Enable HTTP server for Webauth

Hi, First there was a critical UDP packet loss bug in Win11 all devices which was patched by MS by last update. So please make sure that the latest update is installed. By the way configuration looks ok.

https://www.bleepingcomputer.com/news/microsoft/windows-11-microsoft-is-investigating-these-eight-problems/

The splash page pops up instantly when running win11 clients on the AirOS WLC (8.5-x code on WiSM module) with "action needed" message. Both WLC are using the same ISE PSN servers.

Hence I think there the issue are with some parameters on the C9800, but which ones?

Br

Frode

I still say you should be using a valid cert.

But if it's working on AireOS but not 9800 IOS-XE then I'd be suspicious that your pre-auth ACLs are correct?

Remember the ACLs on 9800 are the opposite of AireOS with permits and deny's.

It works as expected with Win10 on both C9800 and AireOS - the splash screen pops up automatically, while on Win11 I have to open a web browser first to display the splash screen (with C9800).

I've set up the redirect ACL to permit both www/https

So then I think you're at the point where you need to be doing debugs on WLC with packet capture on the PC to see where and why it breaks and that will tell you which is at fault and what needs fixing.

If in doubt open a TAC case.