External Web authentication server for Guest access

I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
Hotels do this type of web authentication for example.
Any help would be great.

Hi Patrick,
I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
thanks!
Claudio

Similar Messages

  • 2504 with new-architecture enabled breaks MAC auth for guest access

    Hello,
    We have (2) 2504 WLC running version 7.6.120. WLC1 is the local controller and WLC2 is an achor controller for guest-access. We need to incorporate a 3850 for use with the WLC2 anchor. The guest access is currently working with Mac-Auth and Mac-Auth-Fail to Web-Auth.
    When converged access is enabled on the WLC1 and WLC2, the MAc-Auth no longer works. That is, the previously authenticated user is now redirected to the Web-Auth page. The local controller shows the user as authenticated but the Anchor controller shows the state as WEb-Auth-REQD.
    Rolling back using "config mobility new-architecture disable" and rebooting resolves the issue.
    Does anyone what changes from the old to the new that would break this mac-auth/web-auth configuration?

    You should reach TAC for these sort of issues. Not many people deploying this CA setup yet & you may not get direct feedback immediately.
    HTH
    Rasika

  • Aironet 1140 FLEXCONNECT External Web Authentication and Apple Devices

    Hi!
    I'm having an issue with this Access Point.
    I've configured this access point with WLC in mode FlexConnect with web authentication.
    It's all right, i'm connecting with my PC in wireless, i open my web browser in windows, then the Access Point redirect me to External Web Authentication Page,
    i put my credentials, and  i'm redirected to my access point ( https:/1.1.1.1/login.html i accept the certificate) and then the Access Point redirect me to Internet.
    I do this with my android phone, it's all right again.
    I try to connect with iphone or ipad , i'm  redirected to External Web Authentication Page, i put my credentials, and i'm  redirected to https://1.1.1.1/login.html where the web browser don't ask me anything and i'm not redirected to Internet.
    Have you any idea?

    Thx you Scott, i understand what are you talking about, but my problem is different.
    I try to explain..
    I see the wireless network, i associate the iphone to this network, so i'm  redirected to Login page,
    as i use the "Apple Login" or i Open a Web Page .
    In this page , that i reach with all devices i put my credentials, then i will be redirected with all devices
    back to Access Point (https://1.1.1.1/login.html).
    In this page i should be   redirected to internet after Radius Authentication, but with Apple Devices this doesn't work.
    This is thw WEB AUTHENTICATION from Cisco Documents.
    The user associates to the web authentication SSID.
    The user opens their browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL.

  • Office Web Apps server for Lync DNS question

    We are going to deploy an Office Web Apps server for our Lync 2013 clients, available internally and externally. We do not have a split-horizon DNS so it is not possible for wac.foo.com to have a different IP for internal vs. external clients. What is the
    best setup for our scenario? It looks like we can only add one address in the Lync topology builder, so would it make sense to send everybody to the external wac.foo.com regardless of whether they are internal vs. external? Or is there a better option?
    Thanks,
    Matt

    It might be easiest to use pin-point DNS.  Create an internal zone called wac.foo.com with a blank A record that points to the internal IP address of the OWAS/WAC server.  This way, wac.foo.com will resolve to the correct
    internal address, but you're not setting up a split zone for the rest of foo.com.
    This trick can come in handy for publishing other items without recreating the entire zone, it's a nice one to keep in your back pocket.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Is there a Web Applications Server for Oracle8?

    hi!
    I need to know if there is a Web Applications Server for
    Oracle8 on Linux. (I know there is one for Oracle7)
    Thanks!
    null

    PoNY (guest) wrote:
    : hi!
    : I need to know if there is a Web Applications Server for
    : Oracle8 on Linux. (I know there is one for Oracle7)
    : Thanks!
    i solved the same problem while download the application server
    via ftp
    ftp ftp.oracle.com
    cd /pub/www/oas/linux
    get was302.tar.Z
    If the connection is lost, you can continue downloading with
    reget was302.tar.Z
    The download starts not from the beginning, but appends the
    already transmitted part of the file.
    Hans
    null

  • E2500 with multiple APs for guest access

    I got 5 E2500 routers and the main one has setup to IP address 192.168.1.254 and the rest APs are programmed into the bridge mode with the IP address 192.168.1.245 through 248. The secured wireless network  works fine when I roaming between these APs but the only AP that I can get internet access for guest wireless network is the main (192.168.1.254) router; for every other APs, I will get the guest log on screen (prompt for guest access password) and no internet access after I type in the correct access password. Does the E2500 support multiple APs guest or it requires a special way to configure it? Please help...
    Jim

    Guest Access allows you to provide Internet connection to your guests, however, they will not have access to your computers or other personal data. When you set up your Valet or Linksys Wireless-N router, the Cisco Connect software will create two wireless networks with the same Wireless Network Name (SSID) that differs from one another by a -guest suffix to one of the wireless network names.
    So first of all remove all the networks from the preferred list of the computer and then try to connect.  

  • Snmp error for guest access ticket on two WLC

    Hi,
    I have one wcs (5.0.56.2) and two wlc 4400 ( 5.0.148.2). When i try to create a ticket for guest access on the two wlc without time restriction, it works well. But when I defined time restriction for the ticket, i have a snmp error on the passive wlc (snmp operation to device failed, attempt to set conflicting attribute value) and not on the active xlc.
    Thks.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
    The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries (on the Security > General page). This database is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients. Together these cannot exceed the configured database size.
    For the configuration following URL may help you
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html

  • Web Based Registration for Guest Wireless Access

    I just started a project to make a guest wireless network available at every site in my enterprise.  Guest wireless networks are currently available at some sites.  Two key goals of this project is to enable WPA/WPA2 encryption and to develop a web based registration/autentication solution.  All of the sites have a mixture of 1230, 1240, and 1250 autonomous access points.  What do I need to do/get in order to make this happen?

    You should get a WLC and upgrade the 1240 and 1250 and replace the 1230's if they are in remote sites.
    The WLC has a Webauth feature that is great. You can define users on the WLC also if you wish.
    Guest access should always be open authentication with the use of a Webauth page. This makes it easy and you won't have to help manage guest access. Autonomous ap's and to have a splash page will require a 3rd party software or you can use a Cisco NAC guest server.
    Search for Cisco Wireless Guest Access or Webauth and you will see many docs on this type of setup.
    Sent from Cisco Technical Support iPhone App

  • Authentication for Guest Access

    Hi, we are looking for a solution for either automated daily creation of guest user accounts or a console for clients enter their details which in turn creates the guest account on the controller.
    If we go down the path of automation, policy requires a single username/password for each day, unfortuntely WLC scheduled guest account creation is not an option as the reocurrence doesn't change the password, but it would be a handy feauture if Cisco would like to introduce it in a future release
    The CLI has the option to create 'config netuser add [name] [password] WLANID [X] userType guest lifetime [seconds]' - Can we schedule and email this from the CLI on the controller?
    Appreciate your time.
    Brendan

    Brendan,
    Currently there is no way to automate this process. The process that has been developed is either an admin on the wlc/wcs creates the account or the use of the lobby admin feature. WCS has the lobby admin feature also to create accounts but it isn't intended for guest users to create their own account.
    The wlc doesn't have a schedule to enter a command via the cli, but I bet you can developer some web base guest creation that would send the command to the wlc and remember that command to remove it later.
    Sent from Cisco Technical Support iPhone App

  • Cisco 5508 external web authentication

    Hi all,
    Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
    I am running with a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server, I won't go into the specifics but it is a secure service will a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2) which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this or do I just have to have the user accept the cert error?
    Thanks

    I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
    Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed same steps for secondary controller. Shutdown primary controller to test failover to secondary. APs did not failover. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508's.
    I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available.

  • External Web Authentication - HTTP Redirect or Proxy?

    I've been reading all of the information I can find about the use of authentication of guest users using an external web server, rather than the native portal provided by a WLC. I've looked at the configuration examples and configuiration guides.
    My question is this: when the WLC redirects the client to the external web server, is it a true http redirect (i.e. a http redirect sent to the client) or does the WLC act as a proxy (via its virtual address  - usually 1.1.1.1), altering the http headers as it does when re-directing requests to its internal web portal ?
    This is important as I need to understand if it is the client that has to be able to connect to the external web server, or whether it is the WLC that has to be able to connect to the external web server.
    The WLC for the solution I am working on is in a highly secure DMZ area, so it is imprtant to know which devices need to talk to which.

    So, to be clear, it is the WLC that needs connectivity to the external server or the client device?
    Both devices need to communicate to the external web server.  The WLC will need to communicate with the external server since it will be expecting a return of information from that server to process the l3 authentication.  The client will need to reach it as the WLC is going to redirect it to that site (reason for pre-auth acl). 
    Does the client communicate directly with the external web server, or will it direct its http requests to 1.1.1.1, which will then be proxied by the WLC to the external web server?
    Again this is both; So the client will lookup/resolve a site and initiate some HTTP traffic, so it starts a TCP SYN for to the real web server it is trying to reach, the WLC will see this request; hijack the IP of the destination server and reply back to the client(pretending to be the "internet" server) The WLC redirects the client to it's virtual IP; whether using internal or external web auth.  So the client will arrive at the virtual IP of the WLC; which will then redirect the client to the external web server in your case.  When this happens the WLC has also inserted some information in to the redirect URL on the clients behalf so which the external server will use to send the information it collects (assuming you're using one of our standard external bundles).  The external server will process the client HTTP GET, so as far as "viewing and using" the external web server; the client will make that request directly to the external web server.  The external server, upon submittion of the form on the page, will send the information collected from the client back to the WLC server (which it learned it's IP from the redirect URL).  The authentication of the client will take place at the WLC.
    So in this scenario you need a love triangle between the Client, WLC, and external server.  All will be talking to one another at some point.  Your client needs connectivity to the external server; and your WLC needs connectivity to the external server.
    David W.

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Any Best Practices for Guest Access?

    Looking to create a guest access WLan so that Vendors can have internet access along with vpn into their own network while disallowing access to our internal systems.
    I have created a Guest WLan and configured it on the WLC side. I think all I have to do now is to configure the core switch with athe New 99 Vlan along with configuring the trunk ports connected to the WLC's.
    My question is, am I missing anything in the setup? and are there any "best practices" wen it comes to Guest access? I am hoping to use web-passthru authentication. I dont believe this requires any AAA or Radius servers which we dont have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal lan. Am I on the right track here?

    ***************Guest WLC****************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... DMZ Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x43cd Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0 (Cisco Controller) > ***************Corp WLC***************** (Cisco Controller) >show mobility summary Symmetric Mobility Tunneling (current) .......... Enabled Symmetric Mobility Tunneling (after reboot) ..... Enabled Mobility Protocol Port........................... 16666 Default Mobility Domain.......................... Champion Corp Multicast Mode .................................. Disabled Mobility Domain ID for 802.11r................... 0x46d5 Mobility Keepalive Interval...................... 10 Mobility Keepalive Count......................... 3 Mobility Group Members Configured................ 2 Mobility Control Message DSCP Value.............. 0 Controllers configured in the Mobility Group MAC Address        IP Address      Group Name                        Multicast IP    Status 00:19:aa:72:2e:e0  10.192.60.44    Champion Corp                    0.0.0.0          Up 00:19:aa:72:39:80  10.100.100.20    DMZ                              0.0.0.0          Up (Cisco Controller) >

  • Webproxy for guest access

    Hi,
    I have deployed web proxy in explicit mode with integration with Active directory.
    When my users are authenticated they are getting the access to the internet as per the policies.
    I want to know, if any guest user's come and try to access the internet he wont be a authenticated user hence there will be no access to rule.
    Is there any way to create a guest access policy that if the user is not found in the AD but he should get access through the second policy.
    I have seen there is a option for the guest but not sure how this works.

    Please see the user guide: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa8-0/WSA_8-0-0_UserGuide.pdf and go to page 112 for "Granting Guest Access After Failed Authentication"
    Basically when you create an Identity with authentication, tick the option for "Support Guest privileges if a user fails authentication.
    Then ideally you will need to create 2 Access Policies using that Identity:
    1. Access Policy that is using the authentication.
    2. Access Policy that is using the same Identity and when you specify the Identity use and under "Authorized Users and Groups" select the "Guests (users failing authentication) then submit. (please note to put this second access policy under the authenticated access policy not place it before the authenticated access policy), after this you can specify the level of access for this access policy.
    Hope this helps

  • Office web apps Server for Sharepoint 2013

    Hello,
    I used the following article to install office web apps server and hook it up to a test sharepoint server:
    http://technet.microsoft.com/en-us/library/jj219455(v=office.15).aspx. The OWAS service was verified as working by loading:
    https://owas.companyname.com/hosting/discovery
    For the sharepoint configuration phase, the following commands were run on the sharepoint machine:
    1) New-SPWOPIBinding -ServerName "owas.companyname.com"   -- (owas.companyname.com) is the host name of the owas server)
    2) Get-SPWOPIZone
    3) Set-SPWOPIZone -zone "external-https"
    However, office documents are still launching in the desktop office applications, not in the browser. Any ideas of what else I may need to do?
    thanks,
    Sherazad

    Hi  ,
    According to your description, my understanding is that you fail to configure Office Web Apps for your SharePoint 2013.
    How about run Get-SPWOPIZone? If you can get a result, it says that your  SharePoint  have connected with Office Web Apps.
    Then you can run below command to  change the zone to internal-https.
    Set-SPWOPIZone -zone "internal-https"
    Reference:
    http://technet.microsoft.com/en-us/library/ff431687(v=office.15).aspx 
    http://stevegoodyear.wordpress.com/sharepoint-2013-build-guide/office-web-apps-2013-server-install-and-configuration/
    Thanks,
    Eric
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support,
    contact [email protected]
    Eric Tao
    TechNet Community Support

Maybe you are looking for

  • Ni-daqmx stand-alone matlab

    Dear all, I am about to compile my matlab code into a stand-alone program, which works fine. However, as soon as I start the data acquisition the program fails to initialize the DAQ-board. I'm using the NI-9201 USB-ADC in combination with the NIDAQmx

  • B/W G3 will not boot past the startup screen

    It boots all the way through to the last step - "Login Window Startup". It will not boot in Safe Mode, PRAM reset, etc. No Joy. It has sat and spun the colored wheel of death for hours. Any suggestions?

  • Activity is calculated on Production Order Quantity based .

    Hi Experts, My requirement is Planned Activity cost should be calculated based on Production order Quantity. and not on timing mentioned in Routing. For Example-   My PO Quantity is 10 - and activity assigned rate is 1 then = 10 RS is my planned acti

  • Additional Data B data not visible

    Hi Firends, I have my data coming in Additional Data B at item level from a Z table. The scenario is for Credit notes. I have created debit notes copying credit notes document type, but the data is not coming in Additional Tab B. There are 2 client o

  • Enormous problems with the wireless keyboard

    I have really big issues with the bluetooth slim keyboard from Apple. It is not working proberly with my MacBook Pro. 2 of 3 times when I press the Caps Look key, my keyboard says goodbye. The capslook LED display on the "real" keyboard gets green an