
Guest Devices unable to connect to Mobility Anchor - Cisco 9800

Ben_Sanderson
Level 1

Followed the guides on setting Guest LAN using a Cisco 9800-l as an Anchor to another Cisco 9800-l.

Mobility Tunnel is up between the Anchor and Foreign

On Anchor..

Created DHCP Pool for clients

Created anchor policy profile; in profile set VLAN for Guest_User network and on Mobility Tab set Export Anchor.

Configured Web Auth Global to "consent" with a Virtual IP

Created Web Auth "GuestWifi" changed to "consent" (disabled Success Window and Logout Window) and set custom pages.

On WLAN SSID- set Layer3 Web Policy to enable and set "GuestWiFI" in Web Auth Parameter Map.

For testing in AAA created LocalWeb Authentication AAA Method List and set to Type "login" and Group Local - Then set in WLAN SSID.

 

On Foreign..

Created anchor policy profile - in Mobility Tab Anchor WLC is selected. In General WLC Switching Central (All Enabled)

Under WLAN SSID (WLAN IDs are the same) Layer3 - Web Policy is selected no other selections made, in Add to Policy Tags Policy Profile is selected.

Created TAG and added WLAN Profile to Policy Profile and applied to Test AP.

Clients see the SSID and try to connect. I see the clients try to connect and State is mobility, but the clients do not get an IP address or get redirected to the splash page. (Also do not see the clients in the Anchor Controller.)

 

Not sure what I am missing here, have setup a few on AirOS systems with no issues, first time on the new ones.

Thanks,


Arshad Safrulla
VIP Alumni

Have you matched the config on both controllers? 

I usually configure the foreign controller first, then grab the required config (only profiles and tags) via CLI, paste it to the Anchor and change only the mobility configuration under the policy profile. This will make sure that I am not missing out on anything. 

So regarding your setup, under the policy profile for anchored ssid, have you marked it as export anchor? Since you have configured the DHCP server in WLC itself, do you have a SVI for the VLAN? Did you check by assigning a static IP? Also note that configuring DHCP server in WLC is not a recommended practice.

Cisco guide can be found here;

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html

 

Arshadaf.

 

Have you matched the config on both controllers? - Yes, multiple times I have double checked.

 

So regarding your setup, under the policy profile for anchored ssid, have you marked it as export anchor?  - Yes

 

Since you have configured the DHCP server in WLC itself, do you have a SVI for the VLAN? - Yes

 

Did you check by assigning a static IP? - Have not tried that yet, but even if the client was not getting an IP address I should still see it on the Anchor trying to connect.

 

Also note that configuring DHCP server in WLC is not a recommended practice. - Yes, I know that is not best practice, but at this stage wanted to keep the DHCP pool as close to the WLC as possible to eliminate problems. 

 

Cisco guide can be found here; - Yes that is one of the guides I followed which I stated in my post.

Along with this guide...

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html

and this guide...

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-12/config-guide/b_wl_16_12_cg/cisco-guest-foreign.html

 

Tried to keep mine simple, I am doing "consent" instead of webauth, the user just needs to hit "Accept"

 

Included both the configs, hopefully I am just missing something.

 

Thanks,

Ben

Arshad Safrulla
VIP Alumni

Your config is not matching between Foreign and Anchor. Please review again as per the guides.
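
The foreign-versus-anchor comparison suggested in the replies above can be scripted; this is an added example, not part of the original thread or any Cisco tooling. It diffs the WLAN and policy-profile blocks of two running-configs and ignores the `mobility anchor` lines, which are expected to differ. Both configs are constructed samples, and the command syntax, profile names and the 10.0.0.2 address are assumptions.

```python
import re
# Constructed sample configs (not the poster's). Command syntax is assumed to
# match 9800 "show running-config" output; 10.0.0.2 is a made-up anchor address.
FOREIGN = """\
wireless profile policy Guest_Policy
 mobility anchor 10.0.0.2 priority 3
 vlan Guest_User
 no shutdown
wlan GuestWiFi 5 GuestWiFi
 security web-auth
 no shutdown
"""
ANCHOR = """\
wireless profile policy Guest_Policy
 mobility anchor
 vlan Guest_User
 no shutdown
wlan GuestWiFi 5 GuestWiFi
 security web-auth
 security web-auth parameter-map GuestWifi
 no shutdown
"""
HEAD = re.compile(r"^(wlan|wireless profile policy) \S+")

def profile_blocks(config):
    """Map each WLAN / policy-profile header line to its set of sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):  # a top-level line starts or ends a block
            current = cmd if HEAD.match(cmd) else None
            if current:
                blocks[current] = set()
        elif current and cmd and not cmd.startswith("mobility anchor"):
            blocks[current].add(cmd)  # the mobility role is expected to differ
    return blocks

def mismatches(foreign, anchor):
    f, a, out = profile_blocks(foreign), profile_blocks(anchor), []
    for head in sorted(f.keys() | a.keys()):
        if head not in f or head not in a:  # name, WLAN ID or SSID differs
            out.append((head, "missing on " + ("anchor" if head in f else "foreign")))
        else:
            out.extend((head, f"only on {'foreign' if c in f[head] else 'anchor'}: {c}")
                       for c in sorted(f[head] ^ a[head]))
    return out

if __name__ == "__main__":
    for head, problem in mismatches(FOREIGN, ANCHOR):
        print(f"{head}: {problem}")
```

Because the whole header line is the key, a WLAN whose profile name, ID or SSID differs between the two controllers is reported as missing on each side.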

pkumari4
Cisco Employee

Hello,

 

Let me know if you are still facing this issue and what is the client status you can see on WLC?

 

Is it in Web auth pending state?

 

Regards,

Priyanka

Priyanka,

 

Sorry, have not replied, but Arshadaf was correct in that the WLANs were not matched, but I also had another issue with one of the policies. Ended up opening a TAC case to solve the issue.

 

Thanks,

Ben

Good to know Ben!!
