05-26-2025 02:02 AM
Hi All,
I'm just a newbie on Cisco Wireless. We have guest users that can't connect to our guest WiFi using the UN and PW we provided, and when they log in it was loading only.
After doing some research I found this. I went to our WLC and set the NAC settings from NONE to ISE NAC and it allows the guest users to connect without entering the credentials. Our local IT said that the GUEST WIFI shows not secured and open. I set back the settings of NAS to NONE and rebooted the WLC and the issue still persists. I did check our ACL WEB redirect and ISE policy and it's all there. The problem is it's not generating logs anymore. I need your help.
I'm thinking it's open now, should I disable the guest WiFi SSID?
https://community.cisco.com/t5/wireless/what-does-nac-state-do/td-p/3859969
05-26-2025 03:37 AM
- @Weezy-F What type of wireless controller and software version are you using?
M.
05-26-2025 06:37 PM
We are using AIR-CT3504-K9
05-26-2025 06:00 AM
I am assuming that you are using CWA. Please ensure that the config is as per - https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html.
05-26-2025 08:41 PM
So I just found out that when I compare the settings of all of our WLC in APAC sites, the GUEST WIFI NAC Settings is set to ISE NAC. This will allow the users to enter the UN and PW once only and will automatically connect them. Also I notice the other guest WIFI on other APAC sites are open too so it's safe I think as we have mac filtering and policy, web-auth redirect and policies on CISCO ISE.
But right now we are having an issue again, the local IT said new guest users can't connect on WLC again so I set the NAC to NONE and it allows them to connect again which is weird lol.
05-26-2025 04:41 PM
The insecure is due to the SSID using open authentication, captive portals are this way. You would need to set the SSID to OWE which may have client support issues.
Other options are to change to WPA2/3 Enterprise and use EAP-PEAP authentication.
05-26-2025 06:44 PM
Hi Haydn,
So I just found out that when I compare the settings of all of our WLC in APAC sites, the GUEST WIFI NAC Settings is set to ISE NAC. This will allow the users to enter the UN and PW once only and will automatically connect them. Also I notice the other guest WIFI on other APAC sites are open too so it's safe I think as we have mac filtering and policy, web-auth redirect and policies on CISCO ISE.
But right now we are having an issue again, the local IT said new guest users can't connect on WLC again so I set the NAC to NONE and it allows them to connect again which is weird lol.
05-26-2025 07:14 PM
I did send you a private message please check.