
wireless -web-auth problems

Network Pro
Level 1

Hi,

We have a setup whereby we have an internal WLC (Cisco 5508) and a Guest WLC (Cisco 4402) in the DMZ. The Guest SSID on the internal WLC is anchored back to the Guest WLC in the DMZ (the guest DMZ WLC also serves as DHCP). We seem to have problems with this recently, with users complaining that they get limited access or are not able to get the redirection page (web page certificates - redirection to 1.1.1.1).

Does anyone know if the Cisco 5508 controllers / Cisco 4400 running DHCP have any problems with this?

Thanks


grabonlee
Level 4

Hi,

When this problem occurs, you check the DNS server that serves the guest network to see if it's down. Also you need to clarify that it's not corporate users not reporting the problem, as the home page would default to your corporate page, and it's only when you open an external website that the web authentication page will show up.

Are you using the internal web authentication page or an external web server?



Sent from Cisco Technical Support Android App

Scott Fella
Hall of Fame

Just to add... Also look to see if your mobility happens to go down. If it does, then the anchoring breaks and the guest will be placed in the interface that you have specified on the internal WLC for the guest SSID

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

We are using internal web authentication. The DNS server is Google's IP. The users are trying to use an external website and not an internal one.

Regarding the mobility breaking, it's a good point, but I don't think it goes down that often, as users seem to get the error quite often and I can't see that many mobility breaks in the logs - it does happen, but occasionally.

Any other thoughts? I read about this eap bcast-key-interval seconds - at the moment it's set to 3600 sec - will this help if I increase this?

Thanks

Scott Fella
Hall of Fame

Can you post your show WLAN in both WLC's.

Sent from Cisco Technical Support iPhone App


Attached. Also, does increasing the user timeout help?

I don't think it would... first off, the inside or foreign wlc should only anchor to the guest anchor wlc and the guest wlc should anchor to itself... Looks like the 5508 also is anchored to itself.  I would also disable dhcp required for now and see if that helps. 

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"


With webauth, the client has to get an IP address prior to even getting a splash page. If the client device gets an IP address but doesn't get the splash page, then it's a DNS issue.

Thanks,

Scott


Thanks Scott, I had a look and can confirm that the inside WLC is anchored to the guest WLC and the guest WLC is anchored to itself (local).

I have tried disabling DHCP required and no joy.

The config shows it is anchored to itself.... I'm assuming that 50.250 is the 4400 and 60.250 is the 5508?

Mobility Anchor List

WLAN ID     IP Address            Status
-------     ---------------       ------
4           192.168.50.250        Up
4           192.168.60.250        Up

How big is the dhcp scope?  since this is guest, you try to lower the lease to like 4 hours or 8 hours?

Thanks,

Scott

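Added example (not part of the thread and not any poster's code): a Python check of the rule stated in the replies above, that the inside (foreign) WLC anchors the guest WLAN only to the guest anchor WLC and the guest anchor WLC anchors only to itself, run over the Mobility Anchor List format quoted in this post. Treating the quoted listing as taken from the DMZ controller at 192.168.50.250 is an assumption, and 192.168.10.250 is a made-up inside-WLC address.

```python
import re

# One data row of the "Mobility Anchor List" table: WLAN ID, anchor IP, status.
ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

def parse_anchor_list(text):
    """Return [(wlan_id, ip, status)] for rows after 'Mobility Anchor List'."""
    rows, in_list = [], False
    for line in text.splitlines():
        if "Mobility Anchor List" in line:
            in_list = True
            continue
        m = ROW.match(line) if in_list else None
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def check_guest_anchoring(role, own_ip, guest_anchor_ip, wlan_id, rows):
    """role: 'foreign' (inside WLC) or 'anchor' (DMZ guest WLC)."""
    anchors = {ip: status for wid, ip, status in rows if wid == wlan_id}
    expected = own_ip if role == "anchor" else guest_anchor_ip
    findings = []
    if expected not in anchors:
        findings.append(f"missing anchor {expected}")
    elif anchors[expected].lower() != "up":
        findings.append(f"anchor {expected} is {anchors[expected]}")
    for ip in anchors:
        if ip == expected:
            continue
        if role == "foreign" and ip == own_ip:
            findings.append(f"foreign WLC anchored to itself ({ip})")
        else:
            findings.append(f"unexpected anchor {ip}")
    return findings

# Listing quoted in the thread; which controller it came from is assumed here.
THREAD_LISTING = """Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------
4           192.168.50.250        Up
4           192.168.60.250        Up
"""
# Constructed listing for an inside WLC with a made-up address 192.168.10.250.
FOREIGN_LISTING = THREAD_LISTING.replace("192.168.60.250", "192.168.10.250")

if __name__ == "__main__":
    print(check_guest_anchoring("anchor", "192.168.50.250", "192.168.50.250",
                                4, parse_anchor_list(THREAD_LISTING)))
    print(check_guest_anchoring("foreign", "192.168.10.250", "192.168.50.250",
                                4, parse_anchor_list(FOREIGN_LISTING)))
```

An empty findings list means the guest WLAN's anchor list matches the expected design for that controller's role.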

That's a different controller, Scott. The internal controller IP is different from 60.250. I have increased the DHCP scope to 4 hours already.

Okay, so what is 60.250?  Why are you anchoring to that?  If this is a redundant guest anchor setup, then make sure the dhcp scopes on the two wlc are split and not overlapping.

Thanks,

Scott


That is for the OfficeExtend controller, which is another WLC apart from the two in question.

We have only 1 DHCP scope, which is on 50.250.

What I have noticed is that if I connect to it and then disconnect and immediately connect to it, then I get limited access. But if I leave it for 60 sec or more and then try connecting to it, it seems to connect sometimes (I have a client exclusion timer of 60 sec, so not sure if this is causing this?).

I also noticed that the time is a bit different (the internal controller is running an hour and a few mins slower than the DMZ controller) - will this cause a problem?

Have you come across this unexpected behavior?

Thanks

Well, if you're connecting to another SSID and then trying to connect to the guest SSID or vice versa, you need to enable fast SSID change or else you have to wait 60 seconds. The time should be set properly no matter what... NTP should be used if possible.

Thanks,

Scott


I have set it to NTP and the NTP server is running the correct time and serves all our devices, but just the internal WLC alone does not seem to pick up summer time (the time is correct but running an hour behind, though it gets time from the NTP server) - do I have to enable summer time from somewhere?

Fast SSID was enabled on the internal WLC and I have enabled it now on the DMZ WLC.

Thanks
