Captive Portal with Wireless Mobility

Has anyone successfully configured a captive portal/proxy while maintaining their WDS infrastructure?
We're wanting to make users accept a user agreement before being able to progress to the outside world. We're currently using m0n0wall to accomplish this on our wired network, but with the interesting way that the wireless traffic actually enters the network through the tunnel/loopback int, it's creating some confusion for me.
Can it be as simple as changing the tunnel source to a VLAN instead of a loopback? Anyone have any insight?

The Captive Portal is used to control what happens when an application request, layers 5-7, is redirected to Layer 3-4 (i.e. when the destination IP address or port number of a request from an application is changed, and the application layers in the protocol request still have the previous IP address or domain and port number encoded in them). This is analogous to the Network Address Translation (NAT) function performed by a router.
http://www.cisco.com/en/US/tech/tk722/tk721/technologies_white_paper09186a00801a0c62.shtml

Similar Messages

  • Captive Portal with two or more WAP321

    Hello,
    I plan to use the WAP321 as a WLAN Hotspot. But I need more than one AP. What is the Design for this?
    Do I need to configure every WAP321 with the captive portal and the user need to re-login every time they roam to another WAP321?
    Or can I redirect all WAP321 AP to one captive portal?
    Thank for your support.
    Christian

    Nicola,
    It may be too late, but with the new version 1.0.2.3 software you can create a cluster of up to 8 WAP321s in order to share one configuration. The feature is called Single Point. Here is a paper on the feature:
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12237/ps12249/brochure_c02-717568.pdf

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented a captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the captive URL on the interface of the switch, but from the laptop (Windows machine) I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization Policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.
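
The authorization decisions in the Central WebAuth flow quoted above, modelled as a small state machine. This is an added example, not Cisco ISE code and not part of the original post: the profile names, sample MAC, portal address, session id and guest account are constructed, and treating "no matching rule" as DENY is an assumption of the model.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Conditions quoted on the page, mapped to hypothetical profile names.
DEFAULT_RULES = {
    ("Hostlookup", "Unknown"): "CWA_REDIRECT",     # step 5: MAB failure
    ("GuestFlow", "NonCompliant"): "REMEDIATION",  # step 15
    ("GuestFlow", "Compliant"): "GUEST_ACCESS",    # step 16
}
# URL shape from the page; host, port and session id are filled in by the caller.
GATEWAY = "https://{host}:{port}/guestportal/gateway?sessionId={sid}&action=cwa"


@dataclass
class Session:
    mac: str
    sid: str
    use_case: str = "Hostlookup"
    posture: str = "Unknown"
    cached_user: Optional[str] = None  # set only after a successful portal login
    profile: str = "DENY"
    url_redirect: Optional[str] = None


def authorize(s, rules, host="192.0.2.10", port=8443):
    """Evaluate the rules for the session's current state (one access-accept).
    Assumption of this model: no matching rule means DENY."""
    s.profile = rules.get((s.use_case, s.posture), "DENY")
    s.url_redirect = (GATEWAY.format(host=host, port=port, sid=s.sid)
                      if s.profile == "CWA_REDIRECT" else None)
    return s.profile


def portal_login(s, user, password, guest_db):
    """Steps 9-11: the guest action server checks and caches the credentials.
    The model caches only the username."""
    if s.url_redirect is None or user not in guest_db:
        return False
    if not hmac.compare_digest(guest_db[user], password):
        return False
    s.cached_user = user
    return True


def coa_reauth(s, rules, posture):
    """Steps 14-16: a CoA makes the NAD reauthenticate against the session cache."""
    if s.cached_user is not None:
        # Only a session with cached credentials moves to the guest flow.
        s.use_case, s.posture = "GuestFlow", posture
    return authorize(s, rules)


def run_flow(rules, password, posture):
    """Constructed wired client: no 802.1X supplicant, MAC unknown to the server."""
    s = Session(mac="00:00:5e:00:53:01", sid="SESSION-PLACEHOLDER")
    guest_db = {"guest1": "constructed-password"}
    trace = [authorize(s, rules)]
    if portal_login(s, "guest1", password, guest_db):
        trace.append(coa_reauth(s, rules, posture))
    return trace, s.url_redirect
```

With the Hostlookup/Unknown rule removed from `rules`, the client never receives a redirect URL at all, and a CoA on a session with no cached login falls back to the redirect rather than granting access.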

  • Bug in wifi/wireless connection with captive portal in UK/London ?

    With my macbook pro (10.6.4) & iphone (iOS 4), I do not manage to have an easy connect on free wifi captive portals in London. They all are new connections (unknown networks before).
    * The dhcpd lease seems to be unstable. I can get a wifi connection (with good wifi signal strength) but most of the time get a "non-allocated" lease like 169.254.57.x/24 without any router/dns. A few rare times, the dhcp server gives me a complete IP connection.
    * In the rare case where an IP connection could be established, I was not redirected to the captive portal. I had to manually enter its address (in my case <IP>:8000, you need to guess) and even after authentication, I can't browse the Internet. In one of my tests, I managed to resolve a dns entry but can't browse the web.
    I tried for an hour and I couldn't make it work on my MacBook. It worked a short time with the iPhone.
    Tested in McDo free wifi and Airbox Public Wifi of EasyHotel (Airbox system). I also have problems with "Wifi Zone - The Cloud".
    OK in Starbucks and in St Pancras Free Wifi.
    Found these threads which could be related but no real solutions:
    http://discussions.apple.com/thread.jspa?messageID=11875166&#11875166
    This is probably the router's fault but I can't check this.

    Hmm...pretty interesting. What redirection mode did you use for m0n0wall? (http or dns) Have you tried disabling the NAT on the router as well as unchecking the block anonymous internet requests on the security tab?
    I have a similar setup on a T1----media converter----WRT54G setup. Basically, the router was able to get public wan ip addresses on the status page. So do the computers behind it (wired and wireless) but they aren't online. We pinged the three dns numbers on the router, only 1 replied. Now, the ISP has Cisco all-access installed on the converter (quite similar to captive portal) and it shows up on every computer when we try to go online. We open up the browser, it prompts for the authentication. We fill-in the details but still it doesn't go online. Bottom line was we cloned the mac of the main computer and they didn't need to authenticate...but then again it defeats the purpose of the software.
    Also, the router was set as a DHCP server with NAT enabled. I'm thinking that the router's firewall still blocks your computers even when it's already set as a switch. Try to disable the NAT and see if it works.

  • Dual Band Concurrent AP with captive portal?

    Hi, I was looking at purchasing the WAP321; however, after looking at the specs I see it does not have concurrent dual band (2.45Ghz/5Ghz). Are there any similar access points with dual band and captive portal?
    Thank You

    Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
    There is not an access point in the Small Business collection that has dual radio capability. The AP541 and WAP321 have dual band 2.4 and 5 GHz, but only one band at a time because they only have a single radio.
    To find something with dual band, dual radio that can do 2.4 and 5 ghz at the same time you will have to look at Cisco Enterprise, AP1262N or 1142N for example.
    Hope this helps.
    Thanks
    Eric Moyers
    Cisco Network Advanced Support Engineer
    SBSC Wireless and Surveillance SME
    CCNA, CCNA-Wireless
    1-866-606-1866
    *Please rate Post so other will know when answer have been found.

  • Adobe AIR with Captive Runtime Support for Mobile | ADC Presents | Adobe TV

    In this video, Technical Evangelist Andrew Trice covers Adobe AIR with captive runtime support for mobile application development, which will benefit your Flash Builder projects for the Android OS.
    http://adobe.ly/wyNYjD

    Which version of Flash Builder is this?

  • Bug - mobile configs in wifi captive portal state

    The default behavior for installing mobile config files is to redirect the user back to the webpage they were on upon installation. However, in the captive portal state, it directs the user back to the profile page in the settings menu; it should go back to the pseudo browser. I believe this is a bug and not a security feature.

    The file found here is the communication between this captive portal and Mozilla Firefox as confirmed working, taken using Wireshark. Probably the Pre browser interprets the javascript code incorrectly.

  • Can't sync bluetooth mobile phone with wireless keyboard or mouse

    Hi,
    I can't sync my mobile phone (K750) when I am working with my wireless keyboard and my wireless mighty mouse.
    When I start the sync process I lose contact with my mouse & keyboard... the sync process starts with the mobile phone, but after transferring some data it also loses contact with the phone, so the sync is interrupted. After some seconds I get back in contact with my mouse & keyboard.
    When I turn off my wireless mouse & keyboard and I am using a wired keyboard & mouse instead everything is working fine!
    Any ideas????
    Many greetings,
    rob
    Mac Pro   Mac OS X (10.4.7)   Wireless Keyboard+Mouse, Sony Ericson K750

    This happens a lot. Use a USB2 flash drive (not USB3) and, as a precaution for other issues, also disconnect any other USB devices except your keyboard and mouse.

  • Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's

    Our environment consists of about 7 Cisco 1231 Access Points. We have multiple SSIDs including a Guest SSID for internet-only access. All APs are in autonomous mode. We have a Cisco ASA5510 at the internet perimeter. I would like to use what we have in house to set up a way in which all Guest Wireless users will be redirected to a Captive Portal (splash page) where they are given a custom warning page that instructs them about our Internet Accepted Usage Policy. Can I do anything with the ASA to dish out a page like this? I know that I can turn on an AAA rule on the ASA and force those users to authenticate when going to the internet, but the prompt page can't be customized too much. I can add some text but it gets mixed in with all the other default text.
    I am not seeing a way to do URL redirection inside of the 1231 APs themselves. I know that a controller environment would help me out, but I am looking to find a solution with the equipment I already have in place.
    Any ideas??

    Hi,
    AFAIK.  using Autonomous.. there is no way we can do that..
    Regards
    Surendra

  • HT201274 Can a Sprint iPhone 5 work with the T-Mobile network? How can one unlock with the MSL code? Sprint is not abiding by the Unlocking Consumer Choice and Wireless Competition Act. FCC will only enforce if we file more complaints.

    Can a Sprint iPhone 5 work with the T-Mobile network? How can one unlock with the MSL code? Sprint is not abiding by the Unlocking Consumer Choice and Wireless Competition Act. FCC will only enforce if we file more complaints.

    T-Mobile is a GSM network whereas Sprint is a CDMA network. They are incompatible. Sprint is not obliged to unlock a phone that is still under contract. Their phones may not be capable of being unlocked.

  • Will the airport devices and time capsule work with telstras mobile hotspot (Sierra Wireless AirCard 753S Mobile Hotspot)??

    Will the AirPort devices and Time Capsule work with Telstra's mobile hotspot (Sierra Wireless AirCard® 753S Mobile Hotspot)?

    Yes. There are 2 ways you could use these devices:
    Wirelessly 'join' the network. This would be slower and doesn't offer extending functionality.
    Use an Ethernet cable (through Powerline if you can't run a cable). This is faster and offers extending functionality. I would recommend using Bridge Mode if possible.

  • Captive Portal Help

    Hello All,
    Working with the RV180W and an Ubuntu server, I have established a FreeRADIUS server and have it set up for PEAP authentication based on a users file with NTLM encrypted passwords. This is working pretty well; however, I have one problem. My certificates are self-signed and Windows freaks out over it (all mobile OSes, OSX, and Linux work fine). I'm trying to investigate other options and right now I'm curious: is there any way for the RV180W to use a captive portal setup that isn't the one built in? Or is there any way to have the users be authenticated against the RADIUS server I already have rather than setting them up on the router? I'm open to other suggestions, but I'm trying to avoid paying for certs (I know they aren't incredibly expensive but this is mostly for home use/development/learning), so paying for certs isn't worth it and I wanted to see if this was an option. I will also accept the option of hosting a wireless network that is open but only goes to a page to download an XML & batch file which can be run to add the wireless network to the system (I have this working from USB atm, but am trying to develop self-serve options).
    Thanks in advance... P.S. Very happy with this router so far! It's great!

    Hi Lucas,
    I was looking for a solution with my colleagues from the Support Center, but I am afraid the answer of what you ask is no - you can only use the internal database of the router, when using the Captive portal.
    Can you use a captive portal that isn't the built-in one? Theoretically yes, if the users in the LAN have as their gateway a machine with a captive portal, which will do the RADIUS authentication and only after that forward the traffic to the RV180 and the Internet. Unfortunately I can't offer you a practical configuration for this.
    If meanwhile you find another solution, please share it with us.
    Regards,
    Kremena

  • ISE captive portal timeouts and radio policy

    Hello!
    I have two questions.
    First, have some of you guys worked with the captive portal in ISE (guestportal)?
    I have set up a new wireless network for a customer and they want to use the guest portal for some users.
    The problem that I am experiencing is that on a particular site with many small buildings, users complain that they have to reauthenticate using the web portal when moving between the buildings.
    I have tried extending the idle user timeout on that particular WLAN in the Cisco 5508, but I am still having this problem.
    I would actually like it if the user logs in via the guest portal at the beginning of the work day and after, say, 4-5 hours they have to reauthenticate.
    And if they lose network connectivity (moving between buildings, iPhone/Android shutting down the wifi adapter, etc.) they should be fine connecting again because they have already authenticated once during the last 4-5 hours.
    Is this possible via the ISE?
    My second question deals with the 2.4 and 5 GHz bands.
    I use AP groups on each of my distribution areas. All groups have the same SSID but different egress interfaces (interface groups).
    And in some of these I want to save the 5 GHz band for voice over WLAN and in others I would like to use both bands.
    Do I have to create different WLAN profiles with different radio policies and the same SSID, or could I do this in the AP group settings using RF profiles?
    Hope for some help!
    //Simon

    First: there is no such option in ISE so far where you can specify a fixed login time for a client. If the client disconnects from the network and reconnects again, it requires re-authentication every time.
    Second: you can use the AP group settings with RF profiles to achieve this task.

  • Laptop no longer loads Captive Portal following Windows 8.1 upgrade

    Since upgrading to Win 8.1 from Win 8, I no longer see a captive portal displayed whenever I try to connect to a wireless network that requires additional login information. Some WiFi networks require you to click their Terms and Conditions box or add some additional logon information and they splash up a Captive Portal screen to allow you to enter the information. Without entering this information I receive an IP address for my wireless adapter ok, but end up with a "Limited Internet" connection. Which means I cannot connect to the Internet at all. This exact same problem has happened to two colleagues of mine that recently upgraded to Windows 8.1 on their laptops. Any help will be much appreciated.

    Hello Grantlsmith,
    Do you receive any error message when you connect to a wireless network that requires additional login information?
    Or you just connect to the Wi-Fi with limited Internet, and nothing pop up?
    Please take the following steps for troubleshooting:
    1. Please provide the result of the command ipconfig /all
    2. Ping the IP address of URL and check if we can contact.
    3. Type in the URL that can use in Windows 8 and check if we can open the Captive Portal
    Best regards,
    Fangzhou CHEN
    TechNet Community Support

  • Captive Portal not working correctly

    I've seen issues with our wireless systems on WebOS devices running the latest software. If I try and use the HP Tablets with a captive portal log on. I can put in my creds to login hit submit, but nothing happens. Reviewing a sniff trace of the transaction I see "you have reached this page because you browser does not support standard http redirection commands"
    My concern is most people are probably hitting the same issue based on what I have read thus far.

    I am also having trouble with a captive portal on my school's (UC Berkeley) wifi network.
    I can get to the login page, and enter my credentials, but after hitting "submit," nothing happens.
    The little blue bar loads, and completes, but the page stays the same.
    Any answers to this?
