
Unable to get web auth authentication to work on 9800L WLC

caustin
Level 1

Hello,

I've been working with my company's consultant to upgrade our old Cisco 5520 WLC pair to our new Cisco 9800-L pair. 

 

We have attempted to mirror our current environment. We have two SSIDs, one for corporate devices and another for contractors/guests. The corporate one is fine; we are having trouble with the guest side. We are just trying to use web auth with accounts created locally on the WLC. We have attempted to match setting for setting on the old vs. new devices, and we continue to get "authentication failed" when attempting to log into the web auth portal with any of the accounts.

The following syslog error message is what is generated on each attempt:

Sep 25 14:59:49.737: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (2ade.278e.c8c3) on Interface capwap_90000004 AuditSessionID E9115D0A00000269CCD8B3A9. Failure reason: Authc fail. Authc failure reason: No Response from Client.

Has anybody else had these problems with the 9800 controllers? 

Thanks in advance.
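
The syslog line quoted in the post above, parsed and tallied per client, as an added example that is not part of the original post. The regex is derived only from that one line's layout; every sample line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Matches the %SESSION_MGR-5-FAIL layout shown in the post above.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): %SESSION_MGR-5-FAIL: .*?"
    r"for client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)\. "
    r"Failure reason: (?P<reason>.+?)\. "
    r"Authc failure reason: (?P<authc>.+?)\.$",
    re.IGNORECASE,
)

def parse_fail(line):
    """Return the fields of one failure line, or None if it is another message."""
    m = FAIL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    hexmac = rec["mac"].replace(".", "").lower()
    rec["mac"] = ":".join(hexmac[i:i + 2] for i in range(0, 12, 2))
    # Bit 0x02 of the first octet marks a locally administered address,
    # which is what clients using MAC randomization present.
    rec["locally_administered"] = bool(int(hexmac[:2], 16) & 0x02)
    return rec

def summarize(lines):
    """Count Authc failure reasons per client MAC."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_fail(line)
        if rec:
            per_client[rec["mac"]][rec["authc"]] += 1
    return {mac: dict(counts) for mac, counts in per_client.items()}

_FMT = ("{ts}: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or "
        "unapplied for client ({mac}) on Interface capwap_90000004 AuditSessionID "
        "{sid}. Failure reason: Authc fail. Authc failure reason: No Response from Client.")
SAMPLE = [
    # Line from the post.
    _FMT.format(ts="Sep 25 14:59:49.737", mac="2ade.278e.c8c3", sid="E9115D0A00000269CCD8B3A9"),
    # Constructed lines below (not from the post).
    _FMT.format(ts="Sep 25 15:01:12.004", mac="2ade.278e.c8c3", sid="E9115D0A00000269CCD8B3A9"),
    _FMT.format(ts="Sep 25 15:02:30.550", mac="a0b1.c2d3.e4f5", sid="E9115D0A0000026ACCD8C111"),
    "Sep 25 15:02:31.000: %EXAMPLE-6-INFO: constructed unrelated line",
]

if __name__ == "__main__":
    for mac, reasons in summarize(SAMPLE).items():
        print(mac, reasons)
```
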

 

 

10 Replies

balaji.bandi
Hall of Fame

What version of IOS XE code is running on the controller?

Also verify the config again; example below:

https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/

Also use client troubleshooting:

https://mrncciew.com/2022/07/08/9800-client-troubleshooting/

BB


caustin
Level 1

Thanks for your post balaji.bandi.

Version is 17.03.04c

I also forgot to mention, when looking at the clients dashboard on the GUI, it will typically show devices I'm attempting to join to this SSID in a state of either "web auth pending" or "ip learning".
The WLC is set up to be the DHCP for this SSID and its devices.

Thanks again.

 

I would personally cross-check the settings. It looks like an IP DHCP issue, or somewhere the auth process is breaking.

BB


marce1000
VIP

 

1) Have a checkup of the Cisco 9800-L controller(s) configuration with the CLI command show tech wireless; feed the output into: https://cway.cisco.com/wireless-config-analyzer/

2) Perform client debugging according to: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

caustin
Level 1

I was able to get the web auth to work on my application.


I now have an issue of the clients on the guest/contractor SSID getting the wrong IP addresses. They are getting the same addresses that our corporate side is getting. I have the DHCP set up on the 9800 controller. I've also tried adding the helper address in the advanced settings for the VLAN. In my case it is VLAN192. That didn't seem to make a difference.
I presume there is some small thing left causing me these issues but I'm not having much luck at this point. Any input is appreciated.

Is there a specific reason to stay with 17.3.x code? If not, I would go for 17.9.4 first. (That DHCP leaking could be code related.)

Typically you do not want to use the 9800 as a DHCP server (unless it is a test or small-scale deployment). In best-practice deployments, we only have the WLC management SVI on the 9800 and no other SVI. In your case, to support the internal DHCP server, you have to have the guest VLAN SVI on your 9800. So when the DHCP discover broadcasts come to that SVI, it might forward them across the trunk port, and hence upstream switches get them.

HTH
Rasika

Rich R
VIP

Agreed with @Rasika Nayanajith - don't waste another minute on 17.3.4c!  Upgrade to 17.9.4 before you do anything else.

If you insist on using internal DHCP (which is not recommended as Rasika said) then take note of the best practices guide:
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#InternalDHCPserver

Scott Fella
Hall of Fame

Just to add... are you anchoring by chance, or were you anchoring on the 5500s and wanting or not wanting to anchor? Your best bet here again is to start off basic. Create an open SSID and then make sure clients can get on and get the correct SSID. If not, then you have to look elsewhere to see what is breaking this. Then slowly move to webauth and see what happens, but just start with a basic accept button and then see what happens.

-Scott

caustin
Level 1

Not looking to anchor anything.

I'm fairly new to my company and this type of upgrade. With that said, I've looked further into this and our two primary firewalls are hosting the DHCP server for this particular SSID we have stood up but cannot get to pull the correct addresses. 
With that known now, do we just need to configure another port and connection on the 9800 WLC and then configure the port on the firewall and enable them both? I mention configuring more ports on the firewall because we are setting up the 9800 while the old 5500s are still in place so not as easy as just switching cables over.

Thanks.

I don't know your setup so it's hard to say what you should do and what you shouldn't. If you don't have an anchor controller on your existing setup, then that should be fine.  Like I said, you should test out with an open SSID and see if the FW provides an ip address or not.  You need to be familiar with AireOS and IOS-XE to really understand how to get this working.  I would assume you have support and it wouldn't hurt to open a TAC case.  It's easier to remote in and look at your 5520's and then your 9800's which TAC would have to do.

-Scott