Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
184
Views
2
Helpful
3
Replies

guest captive portal users not getting ip address

Anjana A
Level 1
Level 1

‎05-13-2024 11:22 PM

Hello all,

we are using 5520 wlc(8.10.190.0)and ap's in flex connect mode.

currently we have migrated to capptive portal for the guest authentication.

users are getting authenticated but they are not getting the ip address, in cisco ise the user is authenticated

*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255,URL ACL ID 255,URL ACL Action 0)

*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Updating info change db with CMX bitmap 0x0000

*Dot1x_NW_MsgTask_5: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Successfully Plumbed PTK session Keysfor mobile d8:fc:93:ba:c5:4d

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Setting Mobility ReasonCode from (0) to (147)

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) mobility role update request from Unassociated to Local

  Peer = 0.0.0.0, Old Anchor = 0.0.0.0, New Anchor = 10.69.16.4

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Resetting Mobility reasonCode

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Resetting client reasonCode

*apfReceiveTask: May 14 06:10:20.422: [PA] oofc:93:ba:c5:4s pemAdvanceState2 (pem_api.c:6878) Changing state for mobile d8:fc:93:ba:c5:4d on AP c8:84:a1:3b:79:60 from Associated to Associated

 

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s Mobility peer ip is 0, failed to get session type

 

*apfReceiveTask: May 14 06:10:20.422: [PA] oo:fc:93:ba:c5:4s 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule

  type = Airespace AP - Learn IP address

  on AP c8:84:a1:3b:79:60, slot 1, interface = 8, QOS = 3

 

Regards,

Anjana

0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎05-13-2024 11:34 PM

 

 - You can have the mentioned client debugs analyzed with : Wireless Debug Analyzer
           Preferably take sufficient long snapshot (debugging output)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi
Hall of Fame
Hall of Fame

‎05-13-2024 11:55 PM

i would cross check the config on the ISE authentication and Authorization settings ?

where is the DHCP Server you able to reach the DHCP Server from the WLC ?

how is authentication mechanism setup - check the settings.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html#toc-hId-326554373

check DHCP requirement :

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rich R
VIP
VIP

‎05-14-2024 05:53 AM

Go through the guides and make sure you haven't missed anything.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html
https://community.cisco.com/t5/wireless-mobility-knowledge-base/central-web-authentication-cwa-for-guests-with-ise/ta-p/3121101
In particular - make sure you have CoA (RFC3576) enabled and any ACLs/firewalls allow the CoA packets from ISE to WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card