Showing results for 
Search instead for 
Did you mean: 

Guest Clients associated to WLC unable to communicate


I have been working through the creation of a Guest portal using ISE 1.2 and WLC's version 7.6.

There is a foreign WLC and an anchor in this scenario, both are 5508 devices.

I have created a new Guest Wireless SSID on both.  I am doing Layer 2 MAC filtering on both and the Layer 3 on the Anchor.

Guests associate to the SSID, they are authenticated by ISE, and a redirect is in place that tells the client to go to the guest portal.

Everything stops at this point.

Client has an IP address.  I can ping the client from the anchor WLC only.  Client cannot ping anything nor its default gateway.  From teh default gateway (A router in this case), I can see the MAC address of the client in the arp table, pointing out the correct interface toward the WLC, I can ping the WLC, but I cannot ping the client from the gateway, despite having an ARP entry.

It correctly receives the redirect request to talk to ISE, but as it cannot communicate with anything, I now have no idea if my ISE portal is working.

Client is in a run state on the foreign WLC, client is in a Webauth state on the anchor WLC.

What is causing this?

What commands can I run to find out what is going on?

Saurav Lodh
Rising star

Anchor-Foreign Scenario

This setup can also work with the auto-anchor feature of the WLCs. The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.

Refer the scenario from here


In the end I stripped off the WLAN config I had implemented on the Foreign and Anchor device.  I put it back on exactly (I had screen shot all the settings) as it was before, and it all started working.

Totally bizarre, I can only assume some sort of bug was preventing a client talking to anything, as its now working perfectly!


Sometime it happens. Just removing all the config and redo do the trick.



I have similar Issues in this momento with the same scenario, I would like to ask if you clients from the Anchor can ping the ISE? or this segment is aislate from the rest of your LAN.

thanks in advance.


Content for Community-Ad