
Guest wireless Issues

delpo40
Level 1

Hi,

 

Wondering if anyone else is seeing increasing issues with connectivity to their guest wifi networks.

We have a fairly straightforward setup - A guest ssid with captive portal that requires a user to enter an email address to login. We have a pair of 5520 WLCs and 2 5508 anchor controllers for guest internet access.

 

We are getting an increasing number of complaints from users that they are unable to connect. We have tested ourselves and have seen various issues - primarily the captive portal login screen not appearing and the connection hanging. Some devices work ok, some don't. Turning off the random mac address on the client seems to help but this is not a practical solution when members of the public are using the wifi.

 

I have raised a support call and gone through the process of various mac address debugs (which only work when you turn off random mac on the client anyway), subsequently upgraded firmware but still having issues. There are no basic issues like network bottlenecks - we have plenty of bandwidth. 

 

I'm losing a bit of faith in the Cisco guest wifi offering - hoping someone may have some suggestions to help sort this out as we are getting a lot of grief about it now!

 

Many thanks,

Paul

9 Replies

Arshad Safrulla
VIP Alumni

How are your session & idle timeouts configured for the Guest SSID?

What is the maximum number of clients seen by WLC at the time of the issue?

Are you using LWA or CWA or any other captive portal provider?

Did you see any weird DHCP behavior when the issue is noticed? (A random MAC address will consume a new IP each time it connects.)

 

Random MAC is a client security feature, but from the network admin side if you have the correct Radius server you can simply block the Random MAC addresses from connecting to your wired network.

Guest solutions are always tricky because you need to handle all kinds of devices. I used to manage a troubled guest network in the past and the problems almost disappeared when we changed to CWA with ISE. At least those problems with the portal were fixed.

If you are already in this scenario, I have no more to add.

Thanks. We do have ISE although it's not yet being used for guest wifi. Perhaps that's the way forward.

I am pretty sure of that. As I said, I used to manage one guest network with 5K users daily and all kinds of devices. You can imagine the problem. Most of the time the problem was related to the portal not coming up.

ISE and CWA fixed that. From then on, my problems were related to wireless issues but not the portal.

Leo Laohoo
Hall of Fame

@delpo40 wrote:

Turning off the random mac address on the client seems to help but this is not a practical solution when members of the public are using the wifi.


NOTE

There will be no further feature "enhancements" (or improvements) of AireOS. This OS is scheduled to "die" when the 8.10MR8 pops.

 

There are two ways around this:  

  • Use a standard authentication server like ISE. 
  • Use PSK.

Rich R
VIP

We've had a low level of anecdotal reports of captive portal login screen not appearing on Apple devices but haven't been able to collect anything definitive on it yet. Our impression so far is that it looks like a device problem because forgetting the network and then re-joining 'fixes' it in most cases.

You don't mention what devices you've been seeing this with.

It's happening with Apple and Android devices. Agree it may well be a device issue but we have no control over user's devices so have to try and make it work!

Hello delpo40,

Have you found a solution to your problem?

Just recently we have been receiving a lot of complaints about clients not being redirected to the captive portal.

We have not changed anything on controller (8540) or the CP server.

Rich R
VIP

You may not have changed anything but user devices are evolving constantly.
Most importantly security is becoming extremely strict on most browsers and operating systems.
So if you are not using sites using DNS resolvable FQDNs and matching public certificates issued by a trusted (by the devices) root CA that will guarantee problems to the point where nothing will work.  *** If you are doing all that already then you'll need to troubleshoot individual clients on a case by case basis to understand what is causing those problems - could be one or more reasons.  It would be best if you can reproduce the problem yourself for your troubleshooting.
*** ps: note that the device or browser must also be able to verify the cert online using CRL and/or OCSP which means you need to permit access to those URLs to ensure the captive portal certificate can be verified (pre-auth URL list).  In order to do that you need to inspect your certificate properties for fields like:
X509v3 CRL Distribution Points: Full Name: URI:
Authority Information Access: OCSP - URI: and CA Issuers - URI:
Those domains need to be permitted.
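
The certificate inspection described in the reply above, as an added example that is not part of the original post: it reads the text form of the portal certificate and lists the CRL, OCSP and CA Issuers hosts that the pre-auth URL list has to permit. The function names and the `example.test` hostnames are constructed for illustration.

```shell
#!/usr/bin/env bash
# Real use: openssl x509 -in portal.pem -noout -text | preauth_hosts
# (portal.pem is a placeholder for your captive portal certificate.)

# Reads `openssl x509 -noout -text` output on stdin and prints one
# "KIND host" line per unique revocation/issuer host.
preauth_hosts() {
  awk '
    /X509v3 CRL Distribution Points/ { section = "CRL"; next }
    /Authority Information Access/   { section = "AIA"; next }
    # Any other X509v3 extension header ends the section we care about.
    /X509v3 [A-Za-z ]+:/             { section = ""; next }
    /Signature Algorithm/            { section = "" }
    section != "" && (p = index($0, "URI:")) {
      uri = substr($0, p + 4)
      split(uri, part, "/")            # "http:", "", "host[:port]", path...
      host = part[3]
      sub(/:[0-9]+$/, "", host)        # drop an explicit port
      if (host == "") next             # e.g. ldap:/// URIs carry no host
      kind = section
      if (section == "AIA") kind = ($0 ~ /OCSP/) ? "OCSP" : "CA-ISSUERS"
      if (!seen[kind " " host]++) print kind, host
    }
  '
}

# Constructed sample of the extensions part of the openssl text output.
sample_cert_text() {
  cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:guest.example.test
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.example.test/portal-ca.crl

                Full Name:
                  URI:http://crl.example.test/portal-ca-2.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.example.test:8080
                CA Issuers - URI:http://certs.example.test/portal-ca.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

sample_cert_text | preauth_hosts
```

Run it against every certificate in the chain the portal presents, since intermediates carry their own CRL and OCSP URIs.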
