Guest wireless Issues

delpo40
Frequent Visitor

Hi,

 

Wondering if anyone else is seeing increasing issues with connectivity to their guest wifi networks.

We have a fairly straightforward setup - A guest ssid with captive portal that requires a user to enter an email address to login. We have a pair of 5520 WLCs and 2 5508 anchor controllers for guest internet access.

 

We are getting an increasing number of complaints from users that they are unable to connect. We have tested ourselves and have seen various issues - primarily the captive portal login screen not appearing and the connection hanging. Some devices work ok, some don't. Turning off the random mac address on the client seems to help but this is not a practical solution when members of the public are using the wifi.

 

I have raised a support call and gone through the process of various mac address debugs (which only work when you turn off random mac on the client anyway), subsequently upgraded firmware but still having issues. There are no basic issues like network bottlenecks - we have plenty of bandwidth. 

 

I'm losing a bit of faith in the Cisco guest wifi offering - hoping someone may have some suggestions to help sort this out as we are getting a lot of grief about it now!

 

Many thanks,

Paul

9 Replies

Arshad Safrulla
VIP Alumni

How are your session & idle timeouts configured for the Guest SSID?

What is the maximum number of clients seen by WLC at the time of the issue?

Are you using LWA or CWA or any other captive portal provider?

Did you see any weird DHCP behavior when the issue is noticed? (Random MAC addresses will consume a new IP each time they connect)

 

Random MAC is a client security feature, but from the network admin side if you have the correct Radius server you can simply block the Random MAC addresses from connecting to your wired network.

Guest solutions are always tricky because you need to handle all kinds of devices. I used to manage a troubled guest network in the past and the problems almost disappeared when we changed to CWA with ISE. At least those problems with the portal were fixed.

If you are already on this scenario, I have no more to add.

Thanks. We do have ISE although it's not yet being used for guest wifi. Perhaps that's the way forward.

I am pretty sure of that. As I said, I used to manage one guest network with 5K users daily and all kinds of devices. You can imagine the problem. Most of the time the problem was related to the portal not coming up.

ISE and CWA fixed that. From then on, my problem was related to wireless problems but not the portal.

Leo Laohoo
Hall of Fame

@delpo40 wrote:

Turning off the random mac address on the client seems to help but this is not a practical solution when members of the public are using the wifi.


NOTE

There will be no further feature "enhancements" (or improvements) of AireOS. This OS is scheduled to "die" when the 8.10MR8 pops.

 

There are two ways around this:  

  • Use a standard authentication server like ISE. 
  • Use PSK.

Rich R
VIP

We've had a low level of anecdotal reports of captive portal login screen not appearing on Apple devices but haven't been able to collect anything definitive on it yet.  Our impression so far is that it looks like a device problem because forgetting the network and then re-joining 'fixes' it in most cases.

You don't mention what devices you've been seeing this with.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

delpo40
Frequent Visitor

It's happening with Apple and Android devices. Agree it may well be a device issue but we have no control over user's devices so have to try and make it work!

Hello delpo40,

Have you found a solution to your problem?

Just recently we are receiving a lot of complaints about clients not being redirected to the captive portal.

We have not changed anything on controller (8540) or the CP server.

Rich R
VIP

You may not have changed anything but user devices are evolving constantly.
Most importantly security is becoming extremely strict on most browsers and operating systems.
So if you are not using sites using DNS resolvable FQDNs and matching public certificates issued by a trusted (by the devices) root CA that will guarantee problems to the point where nothing will work.  *** If you are doing all that already then you'll need to troubleshoot individual clients on a case by case basis to understand what is causing those problems - could be one or more reasons.  It would be best if you can reproduce the problem yourself for your troubleshooting.
*** ps: note that the device or browser must also be able to verify the cert online using CRL and/or OCSP which means you need to permit access to those URLs to ensure the captive portal certificate can be verified (pre-auth URL list).  In order to do that you need to inspect your certificate properties for fields like:
X509v3 CRL Distribution Points: Full Name: URI:
Authority Information Access: OCSP - URI: and CA Issuers - URI:
Those domains need to be permitted.

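The certificate check described in the last reply, as an added example that is not part of the thread or any poster's own code: it reads the text form of the portal certificate (as printed by `openssl x509 -noout -text`), pulls out the CRL, OCSP and CA Issuers URLs, and lists the hostnames that would need to be reachable before login. The sample certificate text and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of `openssl x509 -noout -text` output; all hostnames are placeholders.
SAMPLE_CERT_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:guest.example.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.ca.example.net/issuing-ca.crl
                Full Name:
                  URI:ldap:///CN=issuing-ca,DC=example,DC=net
            Authority Information Access:
                OCSP - URI:http://ocsp.ca.example.net
                CA Issuers - URI:http://certs.ca.example.net/issuing-ca.crt
"""

HEADERS = {"X509v3 CRL Distribution Points:": "CRL",
           "Authority Information Access:": "AIA"}
URI_RE = re.compile(r"^(?:(OCSP|CA Issuers) - )?URI:(\S+)$")

def revocation_endpoints(cert_text):
    """Collect CRL, OCSP and CA Issuers URLs from openssl text output."""
    found = {"CRL": [], "OCSP": [], "CA Issuers": []}
    section, header_indent = None, 0
    for line in cert_text.splitlines():
        text = line.strip()
        if not text:
            continue
        indent = len(line) - len(line.lstrip())
        if section and indent <= header_indent:
            section = None                      # left the extension block
        if text in HEADERS:
            section, header_indent = HEADERS[text], indent
            continue
        match = URI_RE.match(text)
        if not (section and match):
            continue                            # e.g. a URI inside the SAN
        label, url = match.groups()
        if section == "CRL" and label is None:
            found["CRL"].append(url)
        elif section == "AIA" and label:
            found[label].append(url)
    return found

def preauth_hosts(cert_text):
    """Hostnames to permit before login; URIs without a host (ldap:///) are skipped."""
    urls = [u for group in revocation_endpoints(cert_text).values() for u in group]
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
```

Run it against every certificate in the portal's chain, since an intermediate CA certificate can point at different CRL and OCSP hosts than the leaf.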