Cisco WLC and Unsecured WLAN with redirect

Hi Folks,
Can someone point me in the right direction here.
I have a WLS box - I want to create a WLAN which will
          1.)     allow anyone to connect to without authentication.
          2.)     once connected they need to be redirected to a web server for further instructions.
Any suggestions greatly appreciated.
Cheers

Hi George,
I have downloaded those files and will have a look now.
I have a couple of other questions in relation to this.
When users connect to this SSID and fire up their browser, they are redirected to a https page - https://1.1.1.1/login.html?redirect
Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate: URL=https://1.1.1.1, IP Address=1.1.1.1
This 1.1.1.1 address maps to a virtual interface on both controllers that we have.
Why does it go to this page?
Also, how do I go about getting a public cert so end users don't get a cert warning? There are obviously DNS issues.
Cheers

Similar Messages

  • Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

    Hello folks,
    I have what seems to be a complex implementation with many things that need to be done on a customer's network and I wanted to be pointed in the right direction.
    The current scenario is such: the customer has a Cisco WLC 2500 device that has 3 access points (these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect and receive an SMS OTP for authentication.
    Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
    Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default VLAN (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may receive an SMS OTP (the reason for this is to force guests to register their phone numbers to use the internet so that illegal activity may be tracked).
    1) So would it be possible to bypass authentication (or authenticate them via LDAP) for the PRODUCTION SSID, as only domain users would know the SSID password to log on, and have them by default assigned to the production subnet (default VLAN), but force the GUEST SSID users to another VLAN via 802.1x SMS OTP?
    2) *Important* Another issue that is not clear is whether I will be able to directly configure AAA RADIUS settings on the Cisco WLC to directly authenticate with the VASCO RADIUS OTP and receive a challenge-response (required for OTP) during authentication. As I have seen from Cisco's Dynamic VLAN assignment documentation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), additional IETF RADIUS parameters such as Tunnel-Private-Group-ID etc. are used, which I can't seem to configure on the Vasco.
    I do believe this is a great project in helping me understand the ins and outs of Cisco WLC as well as wireless NAC. If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
    Best Regards
    Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

    On your WLAN you can enable AES and TKIP. Just know that some clients may have issues when they see both TKIP and AES. I've had pretty good success with this in the past. Don't forget, you also need to enable WMM allowed to get N rates.
    But you will need to configure AES on the client as well to support N rates.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Mobility between Cisco WLC and Meraki(other vendor)

    Is it possible that users can roam between Cisco WLC and other vendor wireless gear? Meraki keeps saying it is possible.
    They keep saying it is an IEEE feature and everyone should support it, but I do not understand how?

    While theoretically possible with the adoption of CAPWAP, it would require all the manufacturers to follow the specs exactly the same. Kind of like herding cats: not impossible, but highly unlikely. That's just my opinion.
    Sent from Cisco Technical Support iPad App

  • Cisco wlc and steel belted radius

    We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
    We need the users in SSID 1 to take the user name and password from a user group in Active Directory through Steel Belted RADIUS.
    Please send me any integrated guide between Cisco WLC and Steel Belted RADIUS.
    regards

    Hi Mohammad,
    I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external radius server you don't have to worry for this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer is only for Local Radius on WLC.
    Hope this helps
    Regards,
    Christos

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a unified wireless solution with a Cisco WLC 7.2 and Cisco APs. My issue is the following:
    My users are using laptops with Windows 8, and they cannot access the wireless network because they authenticate to the network using 802.1x WPA/WPA2 with TKIP or AES.
    I found a bug in the IOS of the WLC. The number is CSCua29504. I would not like to change the drivers in the laptops to join the users to the solution.
    Is it possible to find any software to do the upgrade on the WLC? Or perhaps we need to do an upgrade on the Cisco lightweight access points?
    Please help me with this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes.  Upgrading your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    Follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP.

  • Cisco WLC and Airtight SS-300AT-C-60

    Hello Guys, I have some AirTight APs, SS-300AT-C-60, which are working standalone as WIPS. Those devices can work as AP too but
    I was wondering if a Cisco WLC can support it. I mean, is there any way to manage these AirTight devices via CAPWAP using a Cisco controller?

    Why not?  Because AirTight ain't owned by Cisco.  And if they are, Cisco's customer base and AirTight's customer base are two different and distinct group.

  • Cisco Switches and HP Interoperability with Spanning-Tree (RSTP)

    Hello All.
    I read a lot of information from this forum about Spanning-Tree interoperability between HP switches and Cisco switches.
    Rather than having questions, I would like to post that I managed to successfully configure HP and Cisco using RSTP (802.1w).
    [SWPADRAO]display stp root
    MSTID  Root Bridge ID        ExtPathCost IntPathCost Root Port
      0    32768.cc3e-5f3a-2939  0           0
    [SWPADRAO]display stp brief
    MSTID      Port                         Role  STP State     Protection
      0        GigabitEthernet1/0/47        DESI  FORWARDING    NONE
      0        GigabitEthernet1/0/48        DESI  FORWARDING    NONE
    [SWPADRAO]display stp instance 0
    -------[CIST Global Info][Mode RSTP]-------
    CIST Bridge         :32768.cc3e-5f3a-2939
    Bridge Times        :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
    CIST Root/ERPC      :32768.cc3e-5f3a-2939 / 0
    CIST RegRoot/IRPC   :32768.cc3e-5f3a-2939 / 0
    CIST RootPortId     :0.0
    BPDU-Protection     :enabled
    Bridge Config-
    Digest-Snooping     :disabled
    TC or TCN received  :17
    Time since last TC  :0 days 0h:1m:52s
    SWNHAM17#show spanning-tree VLAN0001
     Spanning tree enabled protocol rstp
     Root ID    Priority    32768
                Address     cc3e.5f3a.2939
                Cost        4
                Port        26 (GigabitEthernet0/2)
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     Bridge ID  Priority    61441  (priority 61440 sys-id-ext 1)
                Address     001b.54db.7200
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Altn BLK 4         128.25   P2p
    Gi0/2            Root FWD 4         128.26   P2p
    SWNHAM18#show spanning-tree VLAN0001
     Spanning tree enabled protocol rstp
     Root ID    Priority    32768
                Address     cc3e.5f3a.2939
                Cost        4
                Port        26 (GigabitEthernet0/2)
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
     Bridge ID  Priority    61441  (priority 61440 sys-id-ext 1)
                Address     001b.0cbc.4300
                Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                Aging Time 300
    Interface        Role Sts Cost      Prio.Nbr Type
    Gi0/1            Desg FWD 4         128.25   P2p
    Gi0/2            Root FWD 4         128.26   P2p

    Hello, David.
    Your command doesn't work because it's made only for the ports that have the command "spanning-tree portfast" in them. Try changing the spanning tree mode on the HP switch to MSTP if this is possible.

  • Configure cisco wlc for rsa authentication

    Hi,
    I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
    Do we require a Cisco ACS device to make this work? Please advise.
    Thanks

    Yes it is possible.  The below is the list of items which you require to configure RSA authentication on WLC
    1. RSA Authentication Manager 6.1
    2. RSA Authentication Agent 6.1 for Microsoft Windows
    3. Cisco Secure ACS 4.0(1) Build 27
        Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
    4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
    For more information you can go through this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml

  • CISCO WLC How to Block a Client

    Hi,
    We are using CISCO WLC and broadcasting a number of SSIDs.
    What we want to do is to block some specific users from specific SSIDs while letting them connect to another SSID.
    Does anyone have any idea?

    You can use radius 802.1x authentication or you can setup Mac filtering on the WLC and specify what WLAN's they can connect to. They will only be able to connect to one SSID though.
    This setup you have is not normal, as you want to have a device only connect to one SSID for simplicity and for user experience. Having them be able to connect to multiple SSIDs can lead to connectivity issues on the client side, since the device might switch back and forth between the different SSIDs. Also, the more SSIDs you have, the more noise in the environment. Typically 3-4 max SSIDs is suggested.
    Sent from Cisco Technical Support iPhone App

  • WLC and LWAP Registration Log Question

    We have a Cisco 4404 WLC and about 70 Cisco 1131 APs.  I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs.  We have an AP that has unregistered and we can't seem to find what switchport it was attached to.  It would be helpful to know the IP address and ideally any CDP information it had.  Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.  Any help would be appreciated.

    You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Cisco WLC AP count over SNMP

    Hi,
    Is it possible to monitor the number of APs on a Cisco WLC and the number of wireless clients?
    I found only a list of AP names over SNMP...
    Thanks in advance

    Hi, Ralf
    If it's not too late:
    I use a script directly in the monitoring system:
    main ()
    {
        # Count the lines snmpwalk returns for this OID; used here as the number of APs
        VALUE=$(snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l)
        echo "Message: Warning! Number of registered APs decreased."
        echo "Data:Count"
        # printf expands \t portably; plain echo does not in every shell
        printf 'Count\t%s\n' "$VALUE"
        exit 0
    }
    main "$@"
    This is shell, but you can simply use only one line:
    `snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
    (from Linux)

  • Cisco WLC

    Hi,
    Why should I have to choose Cisco WLC, and why can I not go with another vendor (Aruba)?

    Why should I have to choose Cisco WLC, and why can I not go with another vendor (Aruba)?
    I don't get the question.  You want us to provide you a reason?
    Before I start giving you a few, what are you trying to achieve and what is the state of the budget to do what you are doing?  These two questions are the linchpin to your question.

  • BILLING SETUP WITH NOMADIX AND CISCO WLC

    Hi, I need to implement a Cisco wireless controller along with a Nomadix box for bandwidth control and billing in a hotel. Has anybody implemented the same?
    What is the topology in this case, and the necessary config on the WLC?

    Refer to the posts: https://supportforums.cisco.com/discussion/11431756/wlc-and-nomadix
    https://supportforums.cisco.com/discussion/11601111/guest-ssid-redirect-nomadix-box
