Cisco WAP321 Captive Portal Redirect

Hi, I have set up a Cisco WAP321 as an Internet Cafe Captive Portal. When initially switched on, clients connect and are redirected to the log on page where they can add their name and tick to say they agree with the usage policy.
Works great; unfortunately, the next day when the clients connect again they are never redirected to the logon page, so they can't access the internet.
I have tried putting in the redirect URL and if I do that it works fine.
I have checked all my settings but can't find out why.
Anyone know why I'm not getting the redirect?
Thanks
Darren

Hi Luis
Thanks for the reply. I have been reading up on possible issues and just need to clarify whether the Guest WiFi has to be on VAP0? I have it configured on VAP2 and, as I said, initially it works OK and gives me the redirect.
My WAP321 is connected to a Cisco 887 Router with the port set to Trunk and the VAP2 is set to VLAN2.
VLAN 1 set to 192.168.192.1 255.255.255.128 and VLAN2 set to 192.168.192.193 255.255.255.224. DHCP scope on the router is from 192.168.192.194 to 192.168.192.220.
I'm back on site again this morning and it's working after a reset. I'll monitor over the next day or so and see what happens.
Regards
Darren

Similar Messages

  • WAP321 - Captive portal in 2 different VLAN

    Hi,
    I have a WAP321 installed in my network. IP: 192.168.0.36 - VLAN 1
    If I'm in the local area network, I do not have any problem using the wireless.
    I just added a guest VLAN for people who need an Internet connection without LAN access. So I set up a second SSID and tagged it with VLAN 50. I can access the Internet. But if I want to activate the captive portal, I'm unable to access it because the address is in VLAN 1 (or 192.168.0.36).
    How can I set up my WAP321 to have the captive portal in VLAN 50, not in VLAN 1?
    Thank you
    Alex

    Hello Alexandre,
    If you have a router upstream, please make sure that you have enabled inter-vlan routing in there. Also, on the WAP321, please configure the router's VLAN 1 IP address as the default gateway. With these settings, you should be able to use Captive Portal for both VLAN 1 and VLAN 50.
    Hope this helps.
    Regards,
    Nagaraja

  • Cisco ISE guest portal redirect not working after successful authentication and URL redirect.

    Hi to all,
    I am having difficulties with an ISE deployment which I am scratching my head over and can't fathom out why this isn't working.
    I have an ISE 3315 doing a captive web portal for my guest users who are on an SSID. The users are successfully redirected by the WLC to the following URL: https://x.x.x.x:8443/guestportal/Login.action?portalname=XXX_Guest_Portal
    Now when the user passes through the user authentication splash screen they get redirected to https://x.x.x.x:8443/guestportal/guest/redir.html and receive the following error:
    Error: Resource not found.
    Resource: /guestportal/
    Does anyone have any ideas why the portal is doing this?
    Thanks
    Paul

    Hello,
    As you are not able to get the guest portal, you need to ensure the following things:
    1) Ensure that the two Cisco av-pairs that are configured on the authorization profile exactly match the example below. (Note: Do not replace the "IP" with the actual Cisco ISE IP address.)
    –url-redirect=https://ip:8443/guestportal/gateway?...lue&action=cpp
    –url-redirect-acl=ACL-WEBAUTH-REDIRECT (ensure that this ACL is also defined on the access switch)
    2) Ensure that the URL redirection portion of the ACL has been applied to the session by entering the show epm session ip command on the switch. (Where the session IP is the IP address that is passed to the client machine by the DHCP server.)
    Admission feature : DOT1X
    AAA Policies : #ACSACL#-IP-Limitedaccess-4cb2976e
    URL Redirect ACL : ACL-WEBAUTH-REDIRECT
    URL Redirect : https://node250.cisco.com:8443/guestportal/gateway?sessionId=0A000A720000A45A2444BFC2&action=cpp
    3) Ensure that the preposture assessment DACL that is enforced from the Cisco ISE authorization profile contains the following command lines:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8906 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    Note: Ensure that the above URL Redirect has the proper Cisco ISE FQDN.
    4) Ensure that the ACL with the name "ACL-WEBAUTH-REDIRECT" exists on the switch as follows:
    ip access-list extended ACL-WEBAUTH-REDIRECT
    deny ip any host 80.0.80.2
    permit ip any any
    5) Ensure that the http and https servers are running on the switch:
    ip http server
    ip http secure-server
    6) Ensure that, if the client machine employs any kind of personal firewall, it is disabled.
    7) Ensure that the client machine browser is not configured to use any proxies.
    8) Verify connectivity between the client machine and the Cisco ISE IP address.
    9) If Cisco ISE is deployed in a distributed environment, make sure that the client machines are aware of the Policy Service ISE node FQDN.
    10) Ensure that the Cisco ISE FQDN is resolved and reachable from the client machine.
    11) Or you need to do re-image again.
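
The checks in steps 1, 3 and 4 of the answer above, as an added example that is not part of the original reply or any Cisco tooling: a small Python audit that parses the quoted ACL lines and verifies that the redirect ACL named in the av-pair exists on the switch, that it exempts the ISE host from redirection, and that the pre-posture DACL lets DHCP, DNS and the guest portal port through. `OTHER_HOST`, `DNS_SERVER` and all function names are assumptions made for the example; the parser covers only the ACL syntax that appears in the post.

```python
PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}  # names used in the post
OTHER_HOST = "198.51.100.10"  # constructed: a web server that is not ISE
DNS_SERVER = "192.0.2.53"     # constructed: the guest's resolver
# ACLs copied from the answer above (wrapped lines joined, posture-port lines omitted).
REDIRECT_ACL = """\
deny ip any host 80.0.80.2
permit ip any any
"""
PREPOSTURE_DACL = """\
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
deny ip any any
"""


def parse_acl(text):
    """Parse the ACL subset in the post into (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.splitlines():
        tok = line.split("-->")[0].split()  # drop the post's inline annotations
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # remark lines and stray wrapped text
        ends, i = [], 2
        for _ in range(2):  # source, then destination
            is_host = tok[i] == "host"  # otherwise "any"
            addr = tok[i + 1] if is_host else "any"
            i += 2 if is_host else 1
            port = None
            if i < len(tok) and tok[i] == "eq":
                port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
                i += 2
            ends.append((addr, port))
        entries.append((tok[0], tok[1], *ends[0], *ends[1]))
    return entries


def first_match(entries, proto, dst, dport=None, sport=None, src="guest"):
    """Action of the first entry matching the packet; implicit deny at the end."""
    for action, p, s, sp, d, dp in entries:
        if (p in ("ip", proto) and s in ("any", src) and d in ("any", dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"


def audit(av_pair_acl, switch_acls, dacl_text, ise_ip):
    """Return findings for the checks in steps 1, 3 and 4 of the answer."""
    findings = []
    if av_pair_acl not in switch_acls:  # names must match exactly
        findings.append(f"url-redirect-acl {av_pair_acl!r} not defined on switch")
    else:
        acl = parse_acl(switch_acls[av_pair_acl])
        # In a redirect ACL, permit = redirect, deny = leave the packet alone.
        if first_match(acl, "tcp", ise_ip, 8443) != "deny":
            findings.append("portal traffic to ISE is itself redirected")
        if first_match(acl, "tcp", OTHER_HOST, 80) != "permit":
            findings.append("guest HTTP to other hosts is never redirected")
    dacl = parse_acl(dacl_text)
    needed = [("DHCP", "udp", "255.255.255.255", 67, 68),
              ("DNS", "udp", DNS_SERVER, 53, None),
              ("guest portal", "tcp", ise_ip, 8443, None)]
    for name, proto, dst, dport, sport in needed:
        if first_match(dacl, proto, dst, dport, sport) != "permit":
            findings.append(f"pre-posture DACL blocks {name}")
    return findings


if __name__ == "__main__":
    switch = {"ACL-WEBAUTH-REDIRECT": REDIRECT_ACL}
    print(audit("ACL-WEBAUTH-REDIRECT", switch, PREPOSTURE_DACL, "80.0.80.2"))
    print(audit("ACL-WEBAUTH_REDIRECT", switch, PREPOSTURE_DACL, "80.0.80.2"))  # constructed fault
```

The second call shows the most common silent failure: an av-pair whose ACL name differs from the switch definition by one character, so no redirect ACL is applied to the session.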

  • Captive Portal with two or more WAP321

    Hello,
    I plan to use the WAP321 as a WLAN Hotspot. But I need more than one AP. What is the Design for this?
    Do I need to configure every WAP321 with the captive portal and the user need to re-login every time they roam to another WAP321?
    Or can I redirect all WAP321 AP to one captive portal?
    Thank for your support.
    Christian

    Nicola,
    It may be too late, but with the new version 1.0.2.3 software you can create a cluster of up to 8 WAP321s in order to share one configuration. The feature is called Single Point. Here is a paper on the feature:
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps12237/ps12249/brochure_c02-717568.pdf

  • How to redirect https traffic to captive portal?

    Any WLC controller model (8500/5508/2504/vWLC) version 7.3 and up..
    This is an unusual scenario wherein clients have a default homepage set to https://www.google.com (sample only).
    Typical http web redirection don't have any problem at all. When you open your browser and type http://www.google.com it will redirect to captive portal without any problem.
    Is there any way to redirect https traffic to captive portal as well?

    Redirection only happens on HTTP traffic; a feature request has been issued to have the redirection happen on HTTPS.
    Please check the following:
    CSCar04580
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCar04580
    Please make sure to rate correct answers

  • Captive Portal for Guest wireless using a Cisco ASA 5510 or just 1231 Autonomous AP's

    Our environment consists of about 7 Cisco 1231 Access Points. We have multiple SSIDs including a Guest SSID for internet only access. All APs are in autonomous mode. We have a Cisco ASA5510 at the internet perimeter. I would like to use what we have in house to set up a way in which all Guest Wireless users will be redirected to a Captive Portal (splash page) where they are given a custom warning page that instructs them about our Internet Accepted Usage Policy. Can I do anything with the ASA to dish out a page like this? I know that I can turn on an AAA rule on the ASA and force those users to have to authenticate when going to the internet, but the prompt page can't be customized too much. I can add some text but it gets mixed in with all the other default text.
    I am not seeing a way to do URL redirection inside of the 1231 APs themselves. I know that a controller environment would help me out, but I am looking to find a solution with the equipment I already have in place.
    Any ideas??

    Hi,
    AFAIK, using Autonomous, there is no way we can do that.
    Regards
    Surendra

  • Inquiry - Cisco Captive Portal without WLC

    Hi
    based on article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Is it possible, or how should I design a captive portal without a WLC?
    In our organization, I have about 20 APs (various models) running standalone with VLANs and an ACS server for MAC authentication.
    I plan to create a new VLAN just for guest users to browse with username/password URL redirection (without MAC authentication).
    Seek your help.
    Thank You

    Without a wlc you would need another solution to handle the portal piece.

  • Cisco ASA SourceFire Captive Portal

    Hello
    I would like to know if the Sourcefire is capable to use a captive portal to authenticate the users in the domain and get access to Internet?
    Stay pending for an answer, thanks a lot.

    Hi all,
    This feature is very useful for "guest users" and/or no domain computer, that doesn't log in to AD.
    Unfortunately, other competitors have this feature and other important features such as "SSL decryption", PBR, virtual routers.
    Is it possible to submit this "feature request" to the Business Unit, or to have major visibility of the roadmap for this implementation?
    thank all
    F.

  • Restrict Access to Captive Portal after successful authentication

    I have setup a WAP321 with the captive portal activated.
    2 WLAN networks defined, one for the Normal-user and 1 Guest-user access (with captive portal).
    The WAP Management is on its own vlan (vlan 1 ) , network 10.0.0.0 /24
    The Normal network has a different vlan (vlan 14) , network 192.168.14.0/24
    Guest user(s) are on VLAN143 , 172.16.10.0 /24
    So when a guest connects to the WAP, the management interface is opened (10.0.0.x); after successful authentication the user is redirected to a predefined site.
    What I would like to establish is to make it impossible for the guest user(s) to access the management portal.
    Defining an ACL on the management portal is not possible, as I would like to use any IP address on the Normal network (192.168.14.0/24).
    Unfortunately you can only define 5 fixed IP addresses and not a (sub)network.
    regards
    eddy

    Good morning  Mr. Mulder,
    It is possible to set an access list on your WAP321 that restricts access from users on the complete network 172.16.10.0/24.
    Let me share with you the information found in the guide me section of this forum about this topic.
    I encourage you to make use of this useful tool if you have any other questions about configuration in the future.
    http://sbkb.cisco.com/CiscoSB/ukp.aspx?vw=1&docid=c1a32843a14846af8c20a91532c39d16_acl.xml&pid=4&fcid=&fpid=&slnid=6
    Check section 6, where you could set the configuration using the network 172.16.10.0/24 as source address and 10.0.0.0/24 as destination.
    Hope you find this answer useful; if it was satisfactory for you, please mark the question as Answered.
    Thank you
    Diego Rodriguez.
    Cisco network engineer

  • Bug in wifi/wireless connection with captive portal in UK/London ?

    With my macbook pro (10.6.4) & iphone (iOS 4), I do not manage to have an easy connect on free wifi captive portals in London. They all are new connections (unknown networks before).
    * The DHCP lease seems to be unstable. I can get a wifi connection (with good wifi signal strength) but most of the time I get a "non-allocated" lease like 169.254.57.x/24 without any router/DNS. A few rare times, the DHCP server gives me a complete IP connection.
    * In the rare case where an IP connection could be established, I was not redirected to the captive portal. I had to manually enter its address (in my case <IP>:8000, you need to guess) and even after authentication, I can't browse the Internet. In one of my tests, I managed to resolve DNS entries but couldn't browse the web.
    I tried for an hour and I couldn't make it work on my MacBook. It worked for a short time with the iPhone.
    tested in McDo free wifi and Airbox Public Wifi of EasyHotel (Airbox system). also have problem with "Wifi Zone - The Cloud".
    ok in Starbucks and in St Pancras Free Wifi.
    Found these threads which could be related but no real solutions:
    http://discussions.apple.com/thread.jspa?messageID=11875166&#11875166
    This is probably the router's fault but I can't check this.

    Hmm...pretty interesting. What redirection mode did you use for m0n0wall? (http or dns) Have you tried disabling the NAT on the router as well as unchecking the block anonymous internet requests on the security tab?
    I have a similar setup on a T1----media converter----WRT54G setup. Basically, the router was able to get public wan ip addresses on the status page. So do the computers behind it (wired and wireless) but they aren't online. We pinged the three dns numbers on the router, only 1 replied. Now, the ISP has Cisco all-access installed on the converter (quite similar to captive portal) and it shows up on every computer when we try to go online. We open up the browser, it prompts for the authentication. We fill-in the details but still it doesn't go online. Bottom line was we cloned the mac of the main computer and they didn't need to authenticate...but then again it defeats the purpose of the software.
    Also, the router was set as a DHCP server with NAT enabled. I'm thinking that the router's firewall still blocks your computers even when it's already set as a switch. Try to disable the NAT and see if it works.

  • ISE Wired captive portal

    I have a new ISE integration. I've implemented captive portal for wireless and wired guests; for wireless all is working perfectly.
    For wired I can see that ISE puts the captive URL on the interface of the switch, but from the laptop of windows machine I'm unable to see the link in the browser. Please advise.

    In the same document you have
    Wired NAD Interaction for Central WebAuth
    If your client's machine is hard wired to a NAD, the guest service interaction takes the form of a failed MAB request that leads to a guest portal Central WebAuth login.
    The Central WebAuth triggered by a MAB failure flow follows these steps:
    1. The client connects to the NAD through a hard-wired connection. There is no 802.1X supplicant on the client.
    2. An authentication policy with a service type for MAB allows a MAB failure to continue and return a restricted network profile containing a URL-redirect for Central WebAuth user interface.
    3. The NAD is configured to post MAB requests to the Cisco ISE RADIUS server.
    4. The client machine connects and the NAD initiates a MAB request.
    5. The Cisco ISE server processes the MAB request and does not find an end point for the client machine. This MAB failure resolves to the restricted network profile and returns the URL-redirect value in the profile to the NAD in an access-accept. To support this function, ensure that an Authorization Policy exists featuring the appropriate "NetworkAccess:UseCase=Hostlookup" and "Session:Posture Status=Unknown" conditions.
    The NAD uses this value to redirect all client HTTP/HTTPS traffic on ports 8080 or 8443 to the URL-redirect value. The standard URL value in this case is:
    https://ip:port/guestportal/gateway?sessionId=NetworkSessionId&action=cwa.
    6. The client initiates an HTTP or HTTPS request to any URL using the client browser.
    7. The NAD redirects the request to the URL-redirect value returned from the initial access-accept.
    8. The gateway URL value with action CWA redirects to the guest portal login page.
    9. The client enters the username and password and submits the login form.
    10. The guest action server authenticates the user credentials provided.
    11. If the credentials are valid, the username and password are stored in the local session cache by the guest action server.
    12. If the guest portal is configured to perform Client Provisioning, the guest action redirects the client browser to the Client Provisioning URL. (You can also optionally configure the Client Provisioning Resource Policy to feature a "NetworkAccess:UseCase=GuestFlow" condition.)
    Since there is no Client Provisioning or Posture Agent for Linux, guest portal redirects to Client Provisioning, which in turn redirects back to a guest authentication servlet to perform optional IP release/renew and then CoA.
    13. If the guest portal is not configured to perform Client Provisioning, the guest action server sends a CoA to the NAD through an API call. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access. If Client Provisioning is not configured and the VLAN is in use, the guest portal performs VLAN IP renew.
    14. With redirection to the Client Provisioning URL, the Client Provisioning subsystem downloads a non-persistent web-agent to the client machine and performs a posture check of the client machine. (You can optionally configure the Posture Policy with a "NetworkAccess:UseCase=GuestFlow" condition.)
    15. If the client machine is non-compliant, ensure you have configured an Authorization Policy that features "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=NonCompliant" conditions.
    16. Once the client machine is compliant, ensure you have an Authorization policy configured with "NetworkAccess:UseCase=GuestFlow" and "Session:Posture Status=Compliant" conditions. From here, the Client Provisioning issues a CoA to the NAD. This CoA will cause the NAD to reauthenticate the client using the RADIUS server. This reauthentication makes use of the user credentials stored in the session cache. A new access-accept is returned to the NAD with the configured network access.

  • Captive Portal spinner is ultra small

    Please refer to attachment. Not annoying stuff but a little of strange there.


  • Captive Portal

    My customer is an educational institution; they have a Cisco 1252 AP (autonomous). I want to set up a captive portal. I can build a Linux-based server.
    They cannot spend much... is there a way out?
    Thanks in advance
    Mak

    Hi,
    Setting a specific web page for the clients every time they connect to the AP is not possible by using the AP only. The AP only has the option to redirect all the client traffic to any other IP on the network, and then further the device associated with that IP can provide the web page for the clients that will be displayed on their client screens. That device can be a BBSM (Building Broadband Service Manager) or a Cisco NAC Appliance.
    As per the below link, BBSM is out of sale:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5689/ps533/ps5463/prod_end-of-life_notice0900aecd805aeb23.html
    In order to configure an SSID/VLAN to open a particular website when any user connects to it, you need to connect a BBSM (Building Broadband Service Manager) or a Cisco NAC Appliance to any one of the access ports on the switch which is a part of that VLAN. We can configure the BBSM device or the NAC device to open a specific webpage, and after that we can configure the AP to forward all the packets coming from clients connected to that specific SSID/VLAN to the IP address of the BBSM server with the help of the "IP redirect" command we can configure on the AP. Here is a document for the same:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34ssid.html#wp1049571
    Here is an application note about the list of APs which support IP redirection:
    http://www.cisco.com/en/US/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html
    Most of the cases that we have seen on "IP redirection" go way back to when BBSM was available. Nowadays, this is deployed using WLCs for the guest access.
    I hope the above answered your question.
    Regards
    Surendra

  • Captive Portal with Wireless Mobility

    Has anyone successfully configured a captive portal/proxy while maintaining their WDS infrastructure?
    We're wanting to make users accept a user agreement before being able to progress to the outside world. We're currently using m0n0wall to accomplish this on our wired network, but with the interesting way that the wireless traffic actually enters the network through the tunnel/loopback int, it's creating some confusion for me.
    Can it be as simple as changing the tunnel source to a VLAN instead of a loopback? Anyone have any insight?

    The Captive Portal is used to control what happens when an application request, layers 5-7, is redirected to Layer 3-4 (i.e. when the destination IP address or port number of a request from an application is changed, and the application layers in the protocol request still have the previous IP address or domain and port number encoded in them). This is analogous to the Network Address Translation (NAT) function performed by a router.
    http://www.cisco.com/en/US/tech/tk722/tk721/technologies_white_paper09186a00801a0c62.shtml

  • WLC Captive Portal not loading images or via HTTP correctly

    Hi All,
    I have a strange issue I'm hoping someone can shed some light on.
    I have a CT2504 at a customer site which does not load the captive portal page correctly nor will it load via HTTP as opposed to HTTPS.
    So for starters I did what I do with all my CT2504s (which work fine): I configured my Guest network to authenticate via the default captive portal. I then disabled HTTPS and SSH and enabled HTTP management, followed by rebooting the controller.
    On boot, logging into the WLC management GUI is automatically presented via HTTP as expected.
    However when clients access the Guest network they are redirected to the Web Authorisation via HTTPS instead of HTTP, any ideas?
    In addition to the above, the captive portal page does not display correctly.
    The preview via the controller works fine, but the client is presented with a page with broken links to the images i.e. the blue strip at the top and the Cisco logo on the right, any clue what's happening here?
    Any help would be greatly appreciated.
    Thanks,
    Gary

    Thanks Gary. I am glad it worked.
    Rating useful replies is more useful than saying "Thank you"
