Webauth Redirect Issue WLC 7.2

We have been using Passthrough with Email input on our Guest network for a while.  We use the Internal (Default) Web Authentication Type with a URL redirection after login and a custom Headline/Message and Logo on the login page.  This worked fine, I even made a few changes recently, until we attempted to switch from https: to http: on the login page today.  This was done using the config network web-auth secureweb disable command in the Command Line.  After making this change and rebooting the controller, the login/redirect page loads using http: (it redirects after entering an email address) but the graphics (banner at the top and logo) do not.  Looking at the source code, everything looks the same.  I am sure that it is using the Internal login page, as I tried using Customized and External, neither of which worked.  Has anyone run into this problem before?  Thanks.

In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN. In order to do this, complete these steps:
    Log into the GUI of the WLC.
    Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
    On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
    On this page, choose None as the Layer 3 Security.
    Check the Web Policy box, and choose the Authentication option.
    Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from the Login Page pull-down menu. Click Apply.

Similar Messages

  • Webauth redirect issue

    Hello,
    My guest access has not been redirected to guest portal on ISE.
    I setup a Guest wlan using foreign-anchor scheme and web authenticate on ISE. DHCP is managed by Anchor WLC and I got ip address without any problem. I can ping ISE and Default gateway without problem from guest laptop.
    Proxy and dns is on the same server and this server is the default gateway for guest network. My DNS Server stopped and all webauth stopped.
    What is the part of DNS In this scenario ? Does URL redirect stops if DNS goes down ?
    Please help.
    Sent from Cisco Technical Support iPhone App

    Thanks for your reply.
    I type directly google.com IP address into web browser and it seems to work, however it redirects me to internal authentication portal. I think I did a change on my foreign controller and change to internal web auth (anchor still external web auth). So I want to ask another question, does foreign controller take part on this process even mobility anchor setting placed?
    Sent from Cisco Technical Support iPhone App

  • Webauth redirect through WLC not working for Mac OSX

    We have a WLC5508 setup to redirect guest users to an ISE for web authentication. We configured the Flexconnect ACL's and external authentication. It works when using Internet Explorer on a PC, or when connecting from a IOS device (iPad, iPhone). When trying to connect from a Macbook Pro or Macbook Air, I get prompted with the guest portal to login, I type in my credential, then I see a window pop up that is attempting to launch the redirect window. That window never fully comes up. I get prompted about the certificate being from an unsigned authority, and I select to trust always. If I disconnect and try reconnecting, I get the same problem.
    Any ideas on why this would be specific to OSX?

    I had a case where I wanted to set something similar up. I just wanted "passthrough" (disclaimer page) L3 security instead of some radius authentication.
    If the WLC doing the authentication is an "Anchor" WLC, then the only L3 security setting that works is the "Authentication" under "WLAN->SSID->Security tab->Layer 3" tab and enabling web-policy. Since I don't know if you use an anchor WLC I can't say if you have the same problem as I did.
    I got this information from
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html#wp1233539 maybe you have something there that can help.

  • Guest Anchor - Web Passthrough - Apple device web redirect issue

    Hi All,
    I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
    Now, I was testing multiple clients to connect to the Guest SSID and observed that Apple devices are not redirecting url, resulting unsuccessful connection.
    I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
    Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
    My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
    How to solve this web redirect issue? Will a Third-party generated CSR solves the problem?
    Thanks,
    CJ

    Hi All,
    The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
    Jagan

  • Customized webauth redirect to favorites tabs

    Hi!
    I'm trying to create a Customized WebAuth page for WLC 5.0. The dilemma is that customers that have several tabs that start different webpages at start of the web browser would like to have those tabs redirected to the chosen start page for every tab after login. As it is now the customized webauth appears on every tab and when you try to hit the update button on the web browser a popup message box appears with the notice that you're already logged in. Instead of that message I would like to be redirected to the appropriate website chosen for that specific tab. Hope you understand the dilemma and that there is someone that has an answer to share. How do I configure the customized "Login.html" to achieve the desired act?
    Regards
    Peter Vahlersvik

    In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN. In order to do this, complete these steps:
        Log into the GUI of the WLC.
        Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
        On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
        On this page, choose None as the Layer 3 Security.
        Check the Web Policy box, and choose the Authentication option.
        Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from the Login Page pull-down menu. Click Apply.

  • CT5760 - virtual-host in parameter-map not used in webauth redirect

    Hi all.
    I'll try posting my issue here before I post a TAC on this:
    Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
    This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
    When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://1.2.3.4/login.html". The IP address 1.2.3.4 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
    The reason why this is a problem is that the clients web browser will not accept the certificate installed on "http://1.2.3.4" because it is not issued with that IP address, only the hostname webauth.example.com. I know that it is possible to get certificates issued with an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even with "real IPs". Therefore it is important that the redirect URL gets corrected.
    Does anyone disagree with me that this is a bug?

    Hi and thank you for your response.
    I feel that I need to clarify a few things. Here is my parameter-map config (a bit edited):
    parameter-map type webauth global
    virtual-ip ipv4 1.1.1.1 virtual-host webauth.example.com
    intercept-https-enable
    parameter-map type webauth webauth_external
    type webauth
    redirect for-login https://webauth-external.example.com/v2/login.html
    redirect portal ipv4 x.x.x.x
    So the problem here is that a web browser of the client gets the following redirect URL:
    https://webauth-external.example.com/v2/login.html?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com
    Then after a successful login on the external portal, the user gets redirected back to https://1.1.1.1/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
    When the redirect goes to https://1.1.1.1/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
    I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
    https://webauth-external.example.com/v2/login.html?switch_url=https://webauth.example.com/login.html&redirect=http://www.cnn.com
    Then the redirect after authentication goes to https://webauth.example.com/login.html and the client accepts the certificate and everything is peachy.
    Do you see my problem? And yes, the virtual IP resolves to the name in DNS.
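The mismatch described in this thread can be checked offline before clients hit it. The following is an added example, not code from the posters or from Cisco: it parses a portal redirect URL, pulls out `switch_url` and `redirect`, and reports when an HTTPS `switch_url` host is not covered by the certificate's names, or when either value is not a well-formed http(s) URL. The function names and the `SAN_DNS` list are assumptions; the two sample URLs are the ones quoted in the post.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit


def cert_matches(host, san_dns, san_ip=()):
    """True if `host` is covered by the certificate's subjectAltName entries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an iPAddress SAN, never a DNS name.
        return any(ip == ipaddress.ip_address(s) for s in san_ip)
    host = host.lower().rstrip(".")
    for pattern in san_dns:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard stands for exactly one left-most label.
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False


def audit_redirect(url, san_dns, san_ip=()):
    """Return (parameter, value, issue) findings for one portal redirect URL."""
    findings = []
    query = parse_qs(urlsplit(url).query)
    for param in ("switch_url", "redirect"):
        for value in query.get(param, []):
            target = urlsplit(value)
            if target.scheme not in ("http", "https") or not target.hostname:
                findings.append((param, value, "malformed-url"))
            elif (param == "switch_url" and target.scheme == "https"
                  and not cert_matches(target.hostname, san_dns, san_ip)):
                # The browser is sent back to this host and validates the
                # controller certificate against it.
                findings.append((param, value, "cert-name-mismatch"))
    return findings


# Assumption taken from the post: the certificate names the hostname only.
SAN_DNS = ["webauth.example.com"]

PORTAL = "https://webauth-external.example.com/v2/login.html"
SAMPLES = [
    # Redirect URL generated by the controller, as quoted in the post.
    PORTAL + "?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com",
    # The same URL after the poster's manual edit.
    PORTAL + "?switch_url=https://webauth.example.com/login.html"
             "&redirect=http://www.cnn.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_redirect(sample, SAN_DNS) or "ok")
```
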

  • WebAuth redirect DNS Host not resolving

    Hello,
    I'm trying to get my WebAuth redirect for guest to resolve a hostname, not an IP address.  If I delete the hostname information it redirects fine to the IP address (but has a cert error).  I'd like to have to redirect to a hostname so it will match the CN of the cert I've loaded on the controller.  We're using OpenDNS for the public DNS so I cannot put an A Record on there associating 192.168.254.1 to washcoguest.co.washington.mn.us. 
    Right now when I connect to the SSID, it tries to direct me but cannot resolve the hostname and I get a page cannot be displayed.
    Any help would be great.
    Pete

    Pete,
    You can host that A record inside, but that would mean your guest need to have access to your inside DNS. Not ideal, but some people do that ...
    Correct, you can host it with your ISP and it would need to match your domain. Which means you need a new cert.
    For this very reason, I own "guestnetwork.org" and I host and provide certificates to get around all the confusion customers have. I can host XXXXXX.guestnetwork.org and it's published in a few minutes and ready to go.
    As for your NAT question. The Virtual IP should not be routable, which in your question it's not, but I just want to mention it. The client will need to resolve the name to the virtual IP. Adding all these extra steps only adds confusion.
    I might suggest, redo the cert, publish it with your ISP.

  • WebAuth Redirect URL Duplication

    Hello
    I have WLC2106 with sw 4.2.205.0 and have enabled webauth, such that any users first attempt to connect to the internet will be intercepted as expected.
    This works fine if going direct to a link with NO proxy, and it works fine if adding ":8080" to the end of the url as well.
    I have the following problem though if I specify a proxy server in my IE settings (IE7).
    I go to open a web page
    http://192.168.1.1
    get redirected to
    https://10.1.1.1 of the WLC, correctly so, however, the actual URL appears like this:
    https://10.1.1.1/login.html?redirect=192.168.1.1http://192.168.1.1
    so, once authenticated, which works fine, the redirect will try to pass the user to the website
    http://192.168.1.1http//192.168.1.1   (note the obvious duplicate in the address, but also the missing : in the second url)
    This does not happen when the proxy server setting is turned off and I have put the WLC virtual address in the proxy bypass list.
    I have also tried both with and without an address in the "Redirect URL after Login" text box.
    Has anyone experienced this, or, does anyone have any idea what it might be?
    Thanks in advance
    Anthony

    So the portal works, but the user goes to their page on their iPhone. Have you tried to add the redirect in the HTML code instead? I have not had problems the way you have it setup on the wlc. On the iPhone are you using the browser to log in or are you joining the SSID and letting the iPhone pop up the login?
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Webauth redirection page title

    Hi,
    We are using webauth on an external web server. The controller redirects clients to this external web server successfully and the authentication process is working fine.
    However, during the redirection process the following message appears as a page title:
    "Cisco Systems Inc. Web Authentication Redirect"
    for sometime and then disappears when the login page opens. (see attached sample snapshot)
    As I understand, this temporary page is login.html which is on the controller flash.
    How do we remove this message and redirect the client to the login page without showing this message?

    Hi,
    Currently there is no way to remove that as the client traffic will hit the WLC first and then go to the external web server.  You could use a custom web auth bundle on the WLC itself where you have full control over the web page on the WLC and change that text.
    Thanks,
    Lee

  • Https redirection issue for Wireless Guest CWA - ISE 1.3

    Our Setup is
    ISE 1.3 (Patch level 2) running on ACS 1121
    2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
    Configured SSID Guest for Centralized web authentication with ISE.
    We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
    By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
    There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
    Please advise.

    Hi Neno
    They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
    So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
    Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

  • Acrobat 9.0 Runtime Error Vista SBS 2003 Folder Redirection Issue

    I just got off of a two hour phone call with Adobe. They are unable to resolve my issue.
    After installing Acrobat 9.0, we receive the following error:
    "Microsoft Visual C++ Debug Library
    Runtime Error!
    Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
    The application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
    I have tried the recommend fix without success: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597
    Someone please help. The user is an Administrator of the machine. The typical AppData path is \\servername\direct\username\Application. I changed it to x:\username\application to no avail.
    This is a Vista machine, all updates, with Small Business Server 2003 with File Redirection.

    Try http://www.adobe.com/go/kb401589
    Especially solution 4.

  • Button URL Redirect - Issue passing %null% from LOV

    I have an issue when attempting to pass %null% from a LOV to a subsequent target page. The URL Redirect works fine when a value is selected in the LOV but passes gibberish "?ll" when no value is selected from the LOV. Can anyone shed some light on what is going on?
    Redirect looks like this:
    f?p=112:411:508326687872582::NO:RP,411:P411_AGENCY,P411_CATEGORY,P411_BUDGET_YEAR,P411_OIT_OFFICE,P411_DESCRIPTION:002,%null%,2012,1665,webJeff
    Edited by: jwellsnh on Jun 2, 2010 4:42 PM

    svk1965,
    Thank you for your response, I read many other threads and you are definitely on the right track. Got impatient though and took my project on a different track which ended being a better solution for me after all.
    Jeff

  • Oracle Apps R12 iRec URL Redirection issue

    Dear Friends,
    We have configured R12 i-Rec in an server and placed in DMZ.
    we have made this server as external and we have made the irec responsibilities to external and using the DMZ Server URL we were able to work without any issue.
    Now to publish this URL to Internet users with https and Port masking, we have mapped this URL http://abc.com:8020 to https://xyz.com using Microsoft UGC Firewall 2010.
    Now from Internet we were able to hit the URL https://xyz.com and could login as oracle application user with the same url https://xyz.com
    But when we click any of the irec responsibilities (irecruitmnt agency (or) others) which is made external, the page is redirected to the Real DMZ Server URL http://abc.com:8020/OA_HTML/...
    and it shows error:
    The page cannot be displayed.
    I believe it should not happen , throughout the session it has to maintain the same new URL
    Please let us know the Fix.
    Regards,
    DB

    Hi;
    What is error in apache log file?
    Regard
    Helios

  • CWA redirect issue and access across the WAN

    Hello,
    I am trying to get CWA working on my wireless ISE setup and am having an issue where the guest portal redirect is pointing to the wrong port.  My setup is as follows:
    The PSN has two connections - Gig 0 is on our management VLAN 172.24.x.x  Gig 1 is on our guest network VLAN 10.190.x.x
    Using a laptop I connect to the guest ssid and guest portal times out as it is pointing to 172.24.x.x instead of the guest vlan 10.190.x.x
    We do not want guest traffic on the corp network for obvious reasons.
    One more question - Is it possible to have guest access work across the WAN?  For example, we have the admin box in Detroit and a PSN in Chicago.  Detroit's guest network is routed through a tunnel to Chicago currently.
    Some more info:
    Here is from the radius authentication details -
    cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway?sessionId=ac18180a000024a45151d92d&action=cwa
    How do I force it to 10.190.x.x and how does ISE get 172.24.24.41 for the redirect address? DNS? I guess I am unfamiliar with how cisco-av-pair attribute is determined.  Any help will be greatly appreciated.

    Have you run anything such as MTR on a Linux box (or WINMTR equivalent on PC)?  If so, can you find a trend in loss or high latency on a specific hop on the path? I would ensure you adjust the ICMP payload size to a higher size such as 1000Bytes and adjust the ping interval to every two seconds or so.  This ensures you are not running into an issue where the provider is rate limiting your pings, which is not uncommon for some providers, if the pings (ICMP messages) are terminating on their endpoints.
    Do you have QoS policies applied on interfaces on either end of these pings / traces?  If so, do you have assurance that ICMP messages will not be impacted by queue based dropping or shaping latency?  One solution is, move traffic from your ICMP traffic with the source or destination of your ICMP ping and trace endpoint in a priority queue with adequate bandwidth (should be a very low requirement).  This may not make sense since your bandwidth utilization is low, but shaping of busy flows can actually occur long before congestion, depending on your design. 
    Another item that may give you better insight is running and monitoring / graphing IP-SLA probes between your routers on each end.  You could then trend issues and give graphed evidence to your provider.  They could then compare your lossy and high latency periods to their appliance interface, memory, and CPU loads to see if they can find a correlating trend.  It can be a hard battle to get ISPs to not only admit they have issues, but allocate resources to isolate and resolve these issues.  Good SLA probe data showing that their paths are not meeting delivery standards speaks much louder than pings to them.

  • Virtual page redirection issue - VWLC

    Hello All,
    I am using ISE for external web authentication. Once client enter the UN and PWD in the ISE guest portal, the client must redirect to 1.1.1.1 that is the local web page. But i get a blank page..? And also if i use local web page for the redirection also it is not working ..?
    Any idea..
    KVS

    Symptoms or Issue
    The URL redirection page in the client machine's browser does  not correctly guide the end user to the appropriate URL.
    Conditions:
    This issue is most applicable to 802.1X authentication sessions  that require URL redirection and Guest Centralized Web Authentication  (CWA) login sessions.
    Possible Causes:
    There are multiple causes for this issue. See the Resolutions descriptions that follow for explanation.
    Please check the below link for URL Redirection Resolutions:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_troubleshooting.pdf
