11-04-2014 01:55 AM - edited 07-05-2021 01:52 AM
Hello,
I have been working through the creation of a Guest portal using ISE 1.2 and WLCs running version 7.6.
There is a foreign WLC and an anchor in this scenario; both are 5508 devices.
I have created a new Guest Wireless SSID on both. I am doing Layer 2 MAC filtering on both and the Layer 3 on the Anchor.
Guests associate to the SSID, they are authenticated by ISE, and a redirect is in place that tells the client to go to the guest portal.
Everything stops at this point.
Client has an IP address. I can ping the client from the anchor WLC only. Client cannot ping anything, nor its default gateway. From the default gateway (a router in this case), I can see the MAC address of the client in the ARP table, pointing out the correct interface toward the WLC, I can ping the WLC, but I cannot ping the client from the gateway, despite having an ARP entry.
It correctly receives the redirect request to talk to ISE, but as it cannot communicate with anything, I now have no idea if my ISE portal is working.
Client is in a run state on the foreign WLC, client is in a Webauth state on the anchor WLC.
What is causing this?
What commands can I run to find out what is going on?
11-04-2014 02:48 PM
This setup can also work with the auto-anchor feature of the WLCs. The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
Refer to the scenario here:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
11-05-2014 12:34 AM
Hello,
In the end I stripped off the WLAN config I had implemented on the Foreign and Anchor device. I put it back on exactly (I had screen shot all the settings) as it was before, and it all started working.
Totally bizarre, I can only assume some sort of bug was preventing a client talking to anything, as it's now working perfectly!
Cheers
11-05-2014 11:55 AM
Sometimes it happens. Just removing all the config and redoing it does the trick.
04-26-2017 08:29 PM
Hello battyjohn
I have similar issues at this moment with the same scenario. I would like to ask if your clients from the anchor can ping the ISE, or is this segment isolated from the rest of your LAN?
Thanks in advance.
Regards!