Solved: WLC 9800 L authentication

TRNnHelp · ‎01-18-2023

I have a WLC 9800 L controller with 2 WLAN's. One with AAA Radius and Mac authentication. It is working without issue. The 2nd one is a Guest WLAN. It works without issue if I choose Consent as the authentication. But fails if I try to use Web Authentication or webconsent.

The message in syslog is Authc fail. Authc Failure reason No response from client.

Any help is appreciated

marce1000 · ‎02-02-2023

- Check this thread : https://community.cisco.com/t5/wireless/guest-user-for-webauth-not-working/td-p/4766554

M.

-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!

View solution in original post

Sandeep Choudhary · ‎01-18-2023

how did you configure the webuthon 9800 wlc ?

TRNnHelp · ‎01-18-2023

I create AAA method list Authenication

marce1000 · ‎01-18-2023

- Review the 9800 L current configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!

TRNnHelp · ‎01-24-2023

Ethernet TW2GB0/0/1

Dynamic desirable (Dynamic Auto also works)

Vlan222

Native LAN 1

AAA Method List >

Authentication >Guest Type Login > Group Type Local

Authorization > Guest type Network > Group Type Local

AAA Advanced

Attribute list name Guest attribute

Security > Guest User > Guest and Guest2

Webauth > Global > Virtual IPV4 192.0.2.1

Webconsent ( Tried web Auth, Webconsent, and Consent) Consent works but the other 2 do not

WLAN Guest > layer3 -Web Policy >Web Auth Parameter map > Global > have also tried with one I created

Authentication list > Guest

ProfilePolicy > Guest > VLAN222

I ran the show tech wireless and ran the analyzer and there are no errors. I connect to the controller but weather I use a guest user that exists or one that doesn't exist I get authentication failed. I can do an NSlookup successfully to www.cisco.com and www.google.com but I cannot authenticate to get internet access.

I have gone thru multiple documents for configuration and it seems no matter what I change I still cannot authenticate.

marce1000 · ‎01-24-2023

- You may want to do some client debugging , check : https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf , look for RA Traces , you can have client debugs analyzed with : https://cway.cisco.com/wireless-debug-analyzer/

M.

-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!

TRNnHelp · ‎02-02-2023

I ran the traces and analyzed but all I get is Credential authentication failure during layer 3 authentication. I have created different user and passwords on the controller under guest users and this is the error in the trace no matter what account I use.

Rich R · ‎01-29-2023

Did you follow every step in the guide?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-local-web-authentication-configuration.html

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Recommended
WARNING - see CSCwd37092 Throughput degraded after upgrading to code 8.10.181.0/17.3.6 - 2800/3800/4800 series
- The fix for CSCwd37092 is now released in 8.10.183.0 and
- For IOS-XE 17.3.6 select controller model, go to IOS XE Software AP Service Pack, select CSCwd40096 17.3.6 APSP2
Field Notice: FN-63942 Lightweight APs and WLCs Fail to Create CAPWAP Connections Due to Certificate
      Expiration - Software Upgrade Recommended
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     After 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.183.0 and 17.3.6 APSP5 (APSP_CSCwd83653)
     Also fixed in 8.5.182.7 (8.5 mainline) and 8.5.182.105 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that subordinate Mobility Express APs downloading by TFTP are not affected so ME 8.5.182.0 still works
     Note that 8.10.181.0 and 8.10.182.0 have been deferred (withdrawn) and are effectively unsupported by Cisco
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs
___________________________________________
Richard R

TRNnHelp · ‎02-02-2023

Yes I have followed that guide and here is the error Credential authentication failure during layer 3 authentication

marce1000 · ‎02-02-2023

- Check this thread : https://community.cisco.com/t5/wireless/guest-user-for-webauth-not-working/td-p/4766554

M.

-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!