WLC 9800-80 fails to redirect to guest portal

DexterRoot
Level 1

Hi,

We have a WLC 9800-80 and use a third-party server to authenticate guest clients through a guest portal.

When a client tries to authenticate, they get an IP address, but the guest portal behaves differently every time we try to log in. These behaviours happen with exactly the same configuration.

We face these three scenarios:

1- Client gets the IP address > the splash page opens > client enters the authentication information and gets connected. No problem at all!

2- Client gets the IP address, but the splash page does not come up; instead the browser page gets into a loop and every few seconds the same URL is appended to the current URL. For example, if the guest URL is test.com, the loop types test.com in the URL bar and writes test.com again after test.com every time the web page loops. It continues without stopping and the client does not get connected.

3- Client gets the IP address > the splash page opens > client enters the authentication information > the splash page redirects the client to another page with this URL: https://1.1.1.1/login.html and it warns of a certificate error (even though we have a valid certificate on our authenticator server).

The authentication server works well with our WLC 8540, but the new WLC 9800 gets into trouble.

Any idea how we can fix the guest authentication?

Thank you in advance.

8 Replies

marce1000
VIP

- For starters, and a good place to start, review the current 9800-80 configuration with the CLI command: show tech wireless. Have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical show tech-support (short version); use the command denoted above for Wireless Analyzer. Check out all advisories!

M.



-- 'Good body every evening' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Hello @marce1000 

Thank you for your comment.

Is there any way I can grab the 'sh tech wireless' output as a file so that I can upload it to Wireless Analyzer?

The result is too long to get, so I would like to get your opinion.

Thank you so much.

@eeebbunee either enable logging on your terminal emulator and log the output to a file, or, if you're using ssh on a Linux box, you can run ssh <hostname> | tee <filename> and the output will be logged to <filename>.

Rich R
VIP

You should not be using 1.1.1.1 for your captive portal - you need an FQDN (DNS domain name) which matches your certificate, otherwise it simply won't be reliable.
Make sure your pre-auth URLs and ACLs allow access to all the resources needed to load the captive portal and content. Watch out for 3rd-party content included in any of those pages - like fonts, jscript, images, social media links, tracking tags etc. - which will all trigger redirects if not permitted.

Arshad Safrulla
VIP Alumni

Make sure that you have a properly working DNS setup and that all the pre-auth ACLs are configured to allow DNS, DHCP and HTTP access to your captive portal solution. Also share how your parameter map is configured in your 9800 WLC; importantly, make sure that ip http server is enabled in your WLC (this will enable HTTP access to the WLC management GUI as well). Below is my parameter map when the HTTP server is disabled in my WLC, however I still recommend that you enable it and check.

parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 webauth-http-enable

As @Rich R mentioned, 1.1.1.1 is now a public IP, so Cisco no longer recommends using it within an organization. Consider changing that as well.

Certificate errors can mostly be due to DNS issues; make sure that clients can resolve DNS before authenticating to the captive portal.

I had similar issues.

You have to get a CA-signed certificate (issued for your 9800 virtual IP address) installed on your 9800. Most likely you have to use OpenSSL (use v1.1.1) to generate the CSR and follow the instructions in the document below to install the cert for WebAuth:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#anc15

For external WebAuth, those ACLs will be created automatically, so you do not want to define them manually.

HTH
Rasika
*** Pls rate all useful responses ***

Rich R
VIP

The automatically created ACL only includes the single external portal IP. If there's more than one IP you need to use the parameter map to add extra lines (max 9 lines). You must also use the URL ACL for any external content used in the portal content. Many now offer social media login etc. which all require domains to be included in the URL list, as well as any tracking tags, fonts and scripts used in the page.
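The two replies above (the pre-auth ACL/URL list must cover every fonts, script, image and social-login host the portal page pulls in, or those requests get redirected again) suggest a simple audit: parse the portal's login page and list the hosts that are not in the permitted list. This is an added example, not code from the thread or from Cisco; the portal HTML and the host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collect every absolute URL the portal page loads or posts to."""
    ATTRS = {"src", "href", "action", "data-src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value and "://" in value:
                self.urls.append(value)


def required_hosts(page_html):
    """Hostnames the page needs reachable before the guest is authenticated."""
    collector = ResourceCollector()
    collector.feed(page_html)
    hosts = (urlparse(u).hostname for u in collector.urls)
    return {h.lower() for h in hosts if h}


def find_blocked_hosts(page_html, permitted):
    """Hosts the page depends on that are missing from the pre-auth URL/host list.
    Each of these would be redirected back to the portal (the loop in the question)."""
    allowed = {h.lower() for h in permitted}

    def is_allowed(host):
        return any(host == a or host.endswith("." + a) for a in allowed)

    return sorted(h for h in required_hosts(page_html) if not is_allowed(h))


# Constructed sample portal page (hypothetical hosts), not the poster's real portal.
SAMPLE_PORTAL_HTML = """
<html><head>
<link rel="stylesheet" href="https://portal.example.com/css/login.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body>
<img src="/static/logo.png">
<form action="https://portal.example.com/login" method="post"></form>
<a href="https://www.facebook.com/v10.0/dialog/oauth">Login with Facebook</a>
</body></html>
"""
PERMITTED = ["portal.example.com"]  # what the pre-auth URL list currently permits

if __name__ == "__main__":
    for host in find_blocked_hosts(SAMPLE_PORTAL_HTML, PERMITTED):
        print("add to pre-auth URL/ACL list:", host)
```

Point the script at the HTML your own portal actually serves (including any redirect target pages); relative paths like /static/logo.png resolve to the portal host and are already covered.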

Good points @Rich R 
