Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
1
Helpful
5
Replies

Local Webauth across multiple controller types

dselfridge
Level 1
Level 1

‎02-24-2025 03:57 AM

Greetings,

My Customer is in the middle of migrating multiple sites from AireOS (5508) to IOS (9800) WLCs.

Most sites work fine and guest users are serviced by the LobbyAdmin feature and local web-auth on the 9800 controller.

Some APs are yet to be replaced, so until that happens, they need to stay on the 5508, which of course has it's own LWA Portal. The issue is that a minority of sites have a mix of APs, old & new, so i have a 'salt & pepper' environment. Therefore, if a user is on say an older 3502 AP, they will hit the 5508 portal. If they then roam to say a 9120 AP they then are on the 9800 controller, will the session stay up? Like wise if they start on 9800 AP and roam to a 5508 AP. Also, there are 2 Lobby Admin Portals to maintain, which is confusing.

I have mobility tunnels setup between the controllers (IRCM Code). No Anchors are in the mix, because internet breakout is local to each site. The controllers are in data centers and the APs are in Flexconnect mode with local switching.

What I want to achieve is that if a guest user connects to the guest SSID and no matter if they are on an old or newer AP, they consistently hit the Lobby on the 9800. is this even possible? It's only temporary, to give time for the customer to replace all the older APs.

Obviously, i would prefer they use CWA with ISE - but for various reasons, that's not a runner at this time.

TIA

Dan

0 Helpful
5 Replies 5

marce1000
Hall of Fame
Hall of Fame

‎02-24-2025 04:08 AM

 

  - That's impossible to achieve because each controller (type) has it's own authenticating rules behind the Lobby , best is to finish the AP migration as soon as possible ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Flavio Miranda
VIP
VIP

‎02-24-2025 04:57 AM

@dselfridge 

Long shot here but what is you setup the 5508 with external web portal and point  to 9800 ?

0 Helpful

dselfridge
Level 1
Level 1

‎02-24-2025 04:58 AM

Thank you for replying so quickly @marce1000 

But am I correct in thinking if a client registers on say the 5508 Portal then roams across to a 9800 homed AP, they should stay connected? Assuming of course that the mobility tunnels are up.

0 Helpful

marce1000
Hall of Fame
Hall of Fame
In response to dselfridge

‎02-24-2025 07:07 AM

 

 - @dselfridge   : I suppose that should work ; (But am I correct in thinking if a client registers on say the 5508 Portal then roams across to a 9800 homed AP, they should stay connected? Assuming of course that the mobility tunnels are up.)

   - If not you can debug the client on the 9800 'when it arrives' using : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
      You can have client debugs (so called RadioActive Traces) ; analyzed with Wireless Debug Analyzer
    Commands from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#toc-hId-866973845
    can also be useful

   - Checkout the configuration on both controllers to (w.r.t. mobility and other stuff)
      For the 9800 use the CLI command show tech wireless and feed the output into Wireless Config Analyzer

  - For the 5508 use WirelessAnalyzer input (procedure) for AireOs controllers
     and feed the output from that into Wireless Config Analyzer

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎02-24-2025 07:37 AM

That mix and match just isn't a preferred way to migrate, not just for guest, but you have a lot of inter controller roaming that has to happen. I would of waited to migrate one whole site, take that 5508 and use that for an anchor at the next site, so that you can push guest to that anchor until you have migrated that one site, which then you can disable the anchoring on the 9800 and that becomes the controller with LWA. I think you just have to play around with what you have available and like what @Flavio Miranda and @marce1000 mentioned, give that a try also.

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card