Guest

Cisco 4400 Series Wireless LAN Controllers

WLC Wired and Wireless Networks: Troubleshooting Guest Access

Cisco - Wireless Lan Controller Wired and Wireless Networks: Troubleshooting Guest Access

Document ID: 111736

Updated: Feb 12, 2010

   Print

Introduction

This document describes how to troubleshoot guest access in both a wired and wireless network where WLC is deployed to authenticate and assign IP addresses to the clients in a guest VLAN.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Guest access in a unified network

  • Web authentication

Components Used

The information in this document is based on these software and hardware versions:

  • WLC 4400 that runs software version 5.2

  • Cisco Catalyst 6500 Series Switch

  • Laptop with Cisco 802.11 a/b/g client adapter on Win XP

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

In a typical guest deployment scenario, two WLCs are involved: one in the local wired network and the other deployed in the DMZ zone. Local WLC is anchored to the WLC in the DMZ zone and an EoIP tunnel is established between the WLCs. Local WLC in the wired network directs all the guest traffic (both wired and wireless) to the WLC in the DMZ zone through the dedicated tunnel. DMZ WLC authenticates and assigns an IP address to the clients. Typically, web authentication is the mechanism used to authenticate guest clients.

Troubleshoot Guest Access

Troubleshooting guest clients involves three main aspects:

  • Troubleshoot the EoIP Tunnel

  • Client Authentication

  • IP Address Issues

Troubleshoot the EoIP Tunnel

The EoIP tunnel is established using IP protocol 97 to pass the guest traffic between the local WLC and the DMZ WLC. Failure in the tunnel results in the interruption of data flow. Perform these checks in order to make sure the tunnel is established poperly:

  • Check if the WLCs are configured in each other's mobility list even though they might be in different mobility groups.

  • Make sure that the DMZ controller is configured as a Mobility Anchor for itself and for the WLC in the wired network, so that the guest VLAN clients get anchored to the DMZ WLC in order to get authenticated and obtain an IP address.

  • Make sure the SSID and authentication parameters are configured exactly the same on both the WLCs.

  • Make sure that the DMZ and local WLC in the wired network are reachable. Use mobility pings (eping and mping) to test.

    • Mobility ping over UDP—This test runs over mobility UDP port 16666 and tests whether the mobility control packet can be reached over the management interface.

      mping mobility_peer_IP_address
    • Mobility ping over EoIP—This test runs over EoIP - IP port 97 and tests the mobility data traffic over the management interface.

      eping mobility_peer_IP_address

    Note: Only one mobility ping test per controller can be run at a given time.

  • If there is a firewall present, make sure that the UDP port 16666 and IP port 97 are opened for communication between the WLCs.

Client Authentication

Web authentication is the authentication method typically used for authenticating clients in a guest network. Clients can access the Internet only after successful authentication. Even if they try to browse before authentication, the WLC redirects the user to the Web Authentication Login page automatically, where the user gets authenticated.

However, in WLC version 3.2 or earlier, the client must manually type https://1.1.1.1.html in a web browser in order to get to the web authentication page. For more information on web authentication, refer to the Wireless LAN Controller Web Authentication Configuration Example.

If the feature does not work as expected after you configure web authentication, perform these troubleshooting steps:

  • For authentication to occur, the client should first associate with the appropriate WLAN on the WLC. For more information on troubleshooting this issue, refer to the Configuration Issues section of the Unified Wireless Network: Troubleshoot Client Issues document.

  • A firewall or pop-up blocker installed on the client computer sometimes blocks the Web Authentication Login page, where users enter their authentication credentials. Disable them before you try to access the login page. They can be enabled again once the web authentication is completed.

  • Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers might or might not work.

  • Disable the proxy settings on the client browser until web authentication is completed.

For more information on troubleshooting web authentication, refer to Troubleshooting Web Authentication Redirection on the WLC.

IP Address Issues

Any wireless client needs a valid IP address in order to communicate with the rest of the network. Once the client associates to the WLC, it initiates the DHCP process. The WLC acts as a relay agent and relays (that is, forwards) this request to the DHCP server and appears as a DHCP server to the client on its virtual interface 1.1.1.1. The WLC then forwards the IP address assigned by the DHCP server to the client and records the IP address in its table.

Note: The WLC can also act as a DHCP server. For more information on how to configure the WLC as a DHCP server, refer to the Configuring DHCP section of the Cisco Wireless LAN Controller Configuration Guide, Release 6.0.

Perform these checks if a valid IP address is not obtained:

  • Make sure the IP address of the DHCP server is defined correctly and that the DHCP server is reachable.

  • Make sure the DHCP service is enabled on the DHCP server.

  • Make sure the server is configured with a DHCP pool for guest VLAN so that the server can assign IP addresses from that VLAN.

  • Certain DHCP servers do not accept DHCP relay requests. Since the WLC primarily performs relay service to the DHCP requests from the clients, make sure the DHCP server is set up to accept relay service.

Assign a static IP address from the guest VLAN and make sure the client works. For more information on troubleshooting IP Address issues, refer to the IP Address Issues section of the Unified Wireless Network: Troubleshoot Client Issues document.

Related Information

Updated: Feb 12, 2010
Document ID: 111736