Heath Deschenes

Flexconnect Local Guest Wireless w/ Web-Auth

Is it possible to provide locally switched guest wireless access in flexconnect mode with Web-Auth? All of the documentation examples I can find show guest webauth with central switching.

I want a remote office, connected via DMVPN, to provide guest wireless from a flexconnect access point using local switching so it will go out the local Internet connection. The local switching works great for the internal wireless that does central auth via EAP-FAST. The problem seems to arise when I try to configure it for Web-Auth.

If I configure the local client DHCP scope to provide an external DNS it will not reach the Web-Auth page.

If I configure the local client DHCP scope to provide an internal DNS it will reach the Web-Auth page, but it will not go anywhere after that.

Is there something I am missing?

Heath Deschenes

I forgot to add that the controller is an AIR-CT2504-K9 running version

The access point is internal to the DMVPN router model CISCO891W-AGN-N-K9

Abhishek Abhishek
Cisco Employee


As per your query, I can suggest the following link:

Hope this will help you.

Scott Fella
Hall of Fame Master

Here is a simple link. And yes, it will work.


This table lists the legacy and new services supported with WLC version with FlexConnect.

| | WAN Up (Central Switching) | WAN Up (Local switching) | WAN Down (Standalone) |
|---|---|---|---|
| Internal Webauth | Yes | Yes | N/A |
| External Webauth | Yes ( | Yes ( | N/A |


Dear Scott,


Thank you for your comment. I checked the link you shared; however, I also checked one more link where it is mentioned: "Note: Guest user configuration is not supported with FlexConnect local switching."

Does this mean that guest web auth is not possible in flexconnect?

Actually, I am looking for my guest users to authenticate via webauth (as I want to control users with time-based access), and once authenticated, the browsing should happen locally for Internet access. Can you please suggest if this is possible, as I tried searching many documents for this.


Thank You,

I am having the same issue. Have you been able to resolve this? Neither of the links above explains how to properly configure this setup.

I have the same issue: clients can't connect to Wi-Fi with web auth passthrough (flexconnect local switching) when the AP is disassociated from the controller. TAC says that now they can't do anything.

Saravanan Lakshmanan
Cisco Employee

#Webauth on local switching behavior is a bit complicated but it works.

#It uses the DNS IP received from central-dhcp or local/remote dhcp server at the site for that client based on the config.

#The DNS response is snooped by the AP (if remote/local dhcp is used, or WLC for central-dhcp) and forwarded to the WLC via capwap to display the internal page, if configured to use the internal webauth page.

Try this:

#Set WLC to do http redirection, disable https redirection which is default.

#set AP to flexconnect, wlan to locally switched and enable webauth. Connect the wireless client, do nslookup, check what dns it is trying to use, it should use the one from the configured DHCP scope, if not statically configured on client.

#if nslookup doesn't work then try http:// . And fix the dns access or enable/use the central dhcp option on the wlan.

#if redirection doesn't happen irrespective of auto/manual then enable tcp mss.

#Enable TCP-mss for APs, default is 1363. keep reducing until redirection works.

If it still doesn't work, open a TAC case for further troubleshooting.
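
A client-side check that follows the order of the steps in the reply above (DNS first, then plain-HTTP redirection), added here as an example; it is not code from any poster or from Cisco. The test hostname and the result labels are assumptions, and it counts either a 3xx `Location` header or an HTML meta refresh as a portal redirect, since captive portals use both.

```python
import http.client
import re
import socket
from urllib.parse import urlsplit

# Portals redirect with a 3xx Location header or an HTML meta refresh.
META_REFRESH = re.compile(rb'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)

def resolve(hostname):
    """nslookup step: which addresses does the DHCP-assigned resolver return?"""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_http(url, timeout=5.0):
    """GET over plain HTTP without following redirects.
    Returns (status, redirect_target); status is None if nothing came back."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096)
    except (OSError, http.client.HTTPException):
        return None, None
    finally:
        conn.close()
    target = resp.getheader("Location")
    if target is None:
        match = META_REFRESH.search(body)
        target = match.group(1).decode("ascii", "replace") if match else None
    return resp.status, target

def diagnose(addresses, status, target):
    """Map the observations onto the checks listed in the post above."""
    if not addresses:
        return "dns-failed: fix DNS access from the guest scope or use central DHCP"
    if status is None:
        return "no-http-reply: redirect never arrived; try TCP MSS adjust on the APs"
    if target:
        return f"redirected: portal redirect received -> {target}"
    return "not-redirected: page answered directly (already authenticated or no web-auth)"

if __name__ == "__main__":
    name = "example.com"  # assumed test name; any plain-HTTP site works
    addrs = resolve(name)
    status, target = probe_http(f"http://{name}/") if addrs else (None, None)
    print(addrs, status, target, diagnose(addrs, status, target), sep="\n")
```

Run it from a guest client before logging in; use an `http://` URL, because the reply above has the WLC set to redirect HTTP only.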

Can you please email the steps to me? Thanks.


I hope this helps for future reference:

Locally switched guest and central web authentication works. Make sure the "Local Net Users" are set up for the right WLAN, or choose "Any WLAN".
