Hi Kasun,

Thanks very much for your reply.

Do you mean that it is not supported to put different authentication method in the same VLAN ? But why the system allow it to configure so?

Sometimes it works very good, and I can't replicate the issue... Several days later the issue occurred, and I don't know how to make it working...that's very strange..

P.S. Just now I run Ping 8.8.8.8 from an issued Android phone, and the first 2 packets were lost, then it got through... the WIFI was working!! I am still watching what time later the issue will occur again

Thanks again.

Best regards

                                       >...But why the system allow it to configure so?
 - Qualifying good configuring practices can be asserted when using the CLI command show tech wireless ; have the output analyzed with : https://cway.cisco.com/wireless-config-analyzer/
                                                Checkout all advisories , 

 M.

@117222400 its ok to share same VLAN by 2 WLANs. its supported. my intention is about recommendation because its about Guest VLAN (which need to be separate in all ways) and internal VLAN.  in your case, it may having issues in quick WLAN change same device. this need to troubleshoot. you can use Wireless troubleshooting tools to get an idea about the issues.

debug the client and analyze the issue with this tool

https://cway.cisco.com/wireless-debug-analyzer/

> Is it possible to collect Web Authentication logs ?
Yes, enable radioactive trace for the device MAC address.  Remember it may use a different MAC address for each WLAN so you'd need to add both.

Hi Rich, 

1. Thanks very much for your advice, and I used the analyser to get the below result, it seems all working.

2. I used WireShark to capture packets,

(1)on the issue laptop: it can't receive DNS query response from  8.8.8.8.  I can see the query traffic was allowed on the firewall to internet UDP 53. But there isn't response packets captured on the laptop. Also there isn't response traffic on the firewall been monitored (I am not sure whether the firewall monitor UPD response packets or not, as the UDP response traffic to working laptop was not found on the firewall either).

(2)On the working laptop: it query to 8.8.8.8 and get response packet very quickly. The query and response packets can be captured. It shows "internet access".  

The difference is working laptop can receive DNS response but non-working one can't.

That sounds suspiciously similar to the bugs which plagued the wave 2 APs (not supposed to affect 9100 series) - see Leo's list below.  Those are now supposed to be fixed in 17.3.6.  However there are a number of other critical bugs in 17.3.6 which Cisco have released APSP's for. If you don't already have those APSP installed then you should get them installed as a priority even if you aren't going to upgrade the IOS version yet:
https://software.cisco.com/download/home/286322605/type/286325254/release/17.3.6
If you insist on sticking to 17.3 then note that 17.3.7 is released now with a whole lot more fixes:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#resolved-caveats-for-cisco-ios-xe-amsterdam-17.3.7
All the 17.3.6 APSP will be rolled up in 17.3.7.

ps. the wave 2 bugs were related to MU-MIMO - it might be worth testing by trying to disable MU-MIMO and see whether that cures your problem.  Notes at CSCwa73245 : Bug Search Tool (cisco.com) (as I said these were not supposed to affect 9100 series but sometimes there's overlap in the code anyway).  This is just an idea - maybe better to open a TAC case and let them investigate further.

Thanks very much for your reply, and I will look into the post carefully.

By the way, just as mentioned, on today's issued laptop, I also used  ping 8.8.8.8 to solve it temporarily. While I can't ask the end user to do so each time when the issue occurred.

After ICMP to 8.8.8.8 failed twice ( both are "no response") , the DNS response packets were captured soon, and it is all working... ping, domain name resolve, forget and reconnect wifi.. the issue was gone! 

Right now, I think I need to wait some days later until it happened again..

Today I find that the DHCP Pool settings in the issued VLAN hasn't enabled the "DNS proxy", but it is suggested to do so in the guide https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_dhcp_wlan_9800.html  , as below:

I can't find any article or discussion about this selection.

Considering we have seen so many DNS response packets lost, I suspect it is the root cause of the issue.

Better still don't use the WLC as a DHCP server.

As you are refer to https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#DHCPproxy