Client Excluded ReasonCode on WLC for Web Auth

Hi.
I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

I haven't tried it recently, but I'm afraid of this one:
CSCsy88149 Chained certificate can not have Wildcard * character in hostname
Even if bought at Verisign or any root CA, your cert has a good chance of being chained, since they very often use an intermediate CA. I know wildcard certs are supported, but this bug seems to say that it doesn't work for chained ones.
Again, I didn't verify it myself.
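Added here as a worked example, not part of the original question or any Cisco tooling: a small Python parser for the "Client Excluded" line format quoted in the question. It extracts the MAC, slot, reason text, ReasonCode and the "failed N times" count, then groups exclusions per client so a repeating client or a burst across many clients stands out. The page does not give the code-to-meaning table the poster asked for, so the numeric code is kept next to the reason text rather than interpreted. Only the first sample line is from the post; the others are constructed in the same format, and the function names are my own.

```python
# Added example, not Cisco code: parse WLC "Client Excluded" log lines in the
# format quoted in the question and count exclusions per client. The page gives
# no table mapping ReasonCode values to meanings, so the numeric code is kept
# next to the Reason text rather than interpreted. Function names are my own.
import re
from collections import defaultdict
from datetime import datetime

EXCLUDED_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +"
    r"Client Excluded: *MACAddress:(?P<mac>[0-9A-Fa-f:]{17}) +"
    r"Base Radio MAC *:(?P<radio>[0-9A-Fa-f:]{17}) +"
    r"Slot: *(?P<slot>\d+) +"
    r"Reason:(?P<reason>.*?)\.? +ReasonCode: *(?P<code>\d+)\s*$"
)
FAILED_RE = re.compile(r"failed (\d+) times", re.IGNORECASE)

# Constructed sample: the first line is the one quoted in the question, the
# others are made up in the same format (the same client again, a second
# client, and an unrelated message that the parser must skip).
SAMPLE_LOG = """\
Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Tue Aug 28 10:47:02 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Tue Aug 28 10:47:15 2007 Client Excluded: MACAddress:00:1b:77:aa:bb:cc Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4
Tue Aug 28 10:48:00 2007 Some other controller message mentioning MACAddress:00:1b:77:aa:bb:cc
""".splitlines()


def parse_exclusion(line):
    """Return a dict for a 'Client Excluded' line, or None for any other line."""
    m = EXCLUDED_RE.match(line.strip())
    if not m:
        return None
    ts = " ".join(m["ts"].split())          # collapse a space-padded day of month
    rec = {
        "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        "mac": m["mac"].lower(),
        "radio": m["radio"].lower(),        # all zeros in the quoted line
        "slot": int(m["slot"]),
        "reason": m["reason"].strip(),
        "code": int(m["code"]),
        "attempts": None,                   # the N in "failed N times", when present
    }
    f = FAILED_RE.search(rec["reason"])
    if f:
        rec["attempts"] = int(f.group(1))
    return rec


def exclusions_by_client(lines):
    """Group parsed exclusion records by client MAC, preserving log order."""
    by_mac = defaultdict(list)
    for line in lines:
        rec = parse_exclusion(line)
        if rec:
            by_mac[rec["mac"]].append(rec)
    return dict(by_mac)


def repeat_offenders(lines, min_count=2):
    """(mac, count, sorted codes) for clients excluded at least min_count times,
    most-excluded first. One client repeating usually points at that device;
    many clients hitting the same code in a short window (in the poster's case
    the Internet router was down) points at the back end instead."""
    out = []
    for mac, recs in exclusions_by_client(lines).items():
        if len(recs) >= min_count:
            out.append((mac, len(recs), sorted({r["code"] for r in recs})))
    return sorted(out, key=lambda t: (-t[1], t[0]))
```

Feed it the controller's message log (or the trap log exported from WCS) and lower `min_count` to 1 to see every excluded client with the code it hit; the same regex also works as a syslog filter once the controller forwards its logs.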

Similar Messages

  • 5508 loading cert for web auth

    I have web auth enabled on the WLC, so when clients connect they get a cert error because it is using the self-signed cert. I was reading up on getting a third-party cert, and it explains about getting OpenSSL and then generating the cert and sending it to a third-party CA etc.
    Any links you can share would be very helpful explaining best practices and the method to load a third-party cert on the WLC 5508 for web authentication.
    Why can't I just get a cert from them for our domain and simply load it on the WLC?

    Hi Mohammed,
    Here are the two links which are like a bible for generating certs:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    It depends on whether you are using chained or unchained certs. Following the above links will help you get the issue resolved!!
    Let me know if this answered your question!!
    Regards
    Surendra

  • WLC 5508 Web Auth and EAP / PEAP

    Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school; a few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have set up a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests (through an ASA) on to a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
    But you can use pre-shared key security, like WPA2 AES with web auth, to ensure that the traffic is encrypted.
    Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
    Check the following link, which contains a couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embed a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (under 10 MB, I believe). This shouldn't be a problem considering a .doc size, but I have to ask the same question. Why would you want to do this as opposed to just putting your terms of use inline on the page as text/html? Maybe there is a good reason, but I can't really think of any scenario. Feel free to elaborate.

  • How to generate CSR on switches for web auth with NGS

    Hello
    I am doing a dot1x solution with web auth on Cisco 3750 switches.
    Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.
    I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
    Is there any way to solve this?
    Greetings
    Steven

    Hi Steven,
    The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
    Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
    Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
    This document goes into a little more detail on all the individual commands and what they do:
    http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
    Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
    Thanks,
    Nate

  • WLC 4402 web auth Internal login page

    Hi,
    We recently upgraded our code on our wlc and now our internal web auth page has a nice teal colored L shaped bar in the right upper part of the screen.
    Is there a way to edit the internal web auth page other than just uploading a new bundle to the box?
    When I view the source of the preview page I can see the exact coding that is causing the issue.
    Thanks for any ideas.
    Code 4.1.185.0
    Craig

    The only way is to customize the code and then upload it to the WLC as a tar file. Of course, you will have to set the WLC to custom webauth and not internal webauth.

  • Browser Requirements for Web Auth

    My configuration is two 4404 WLCs, version 4.2.130.0, with WCS version 4.2.97.0. We have a guest WLAN set up to do Web Auth to a TACACS server and the local WCS database. I am trying to find a document for this version of WCS that gives minimum browser versions for IE, Firefox, Netscape, Safari, etc. If anyone can point me to this information I would appreciate it.
    Thanks,
    Deanna

    I found my own answer.
    Internet Explorer 6.0 SP1 or higher is the only browser supported for accessing the controller GUI and for using web authentication.

  • WLC Custom Web Auth Bundle sample .tar file is not on WCS

    The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
    However I found on Cisco.com under Support > Downloads > Products > Wireless > Wireless LAN Controller Standalone Controllers > Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2 > webauth_bundle-1.0.2.zip
    It was updated in June 2011, some pretty good sample html code.
    The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful, almost as good as the support community web page on custom web auth.
    https://supportforums.cisco.com/docs/DOC-13954

    WCS config guide 7.0.172 is correct
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
    The bundle in WCS is downloaded through :
    configure->controller
    "select a command"-> download customized webauth bundle.
    Just tested it and it was there.
    The one on cisco.com is better though

  • WLC Customized Web Auth

    Can I have a customized web auth portal loaded into the WLC? Or do I need to have an external server and load the customized web auth there?

    Here is a link
    http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest

  • "Auth type not supported by External DB" error for web-auth SSIDs

    Hello
    We're having a problem with web-authentication on our 4404/WisM controllers since we moved to software rev 5.x (currently running 5.1.151.0).
    With software rev 4.x our web-auth SSIDs would send the authentication requests to a Cisco ACS4.0 which would then authenticate the users against MS Active directory.
    Now (with rev 5.x) the same SSIDs cannot authenticate users against AD, the error in the ACS is:
    Auth type not supported by External DB
    Found the following Cisco Doc regarding the problem: Cisco Secure ACS and Windows AD EAP/802.1x port authentication fails with the Auth type not supported by External DB error message - Case Number K24308566. Done a packet capture on ACS to see authentications coming in and the ones that fail with above error are using CHAP - from the Cisco documentation, MS AD doesn't support CHAP.
    Any ideas on how I can get the web-auth working again with software rev 5.x ?
    Thanks
    Andy

    My apologies, there's a setting under Controller - General for Web RADIUS Authentication. Changed this from CHAP to PAP and it's now working OK.

  • Disable EAP Authentication for Web-Auth on WLC

    Hello Everyone
    We use a special RADIUS server which is implemented according to RFC 2865. But now we get errors that the RADIUS server can't handle attribute type 80.
    As far as I know this attribute has to do with EAP authentication, which is a newer addition according to RFC 2869.
    How can I configure the WLC to disable EAP authentication?
    Thank you in advance
    Chris Kaiser

    EAP authentication is defined on the SSID... So if you're using RADIUS to authenticate WebAuth users, then you need to make sure that you use open authentication with WebAuth. Don't specify any layer 2 encryption methods and the WLC will not send EAP requests to the RADIUS server.
    Sent from Cisco Technical Support iPhone App
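Added here as a worked example that serves two of the threads above (the "Auth type not supported by External DB" thread, fixed by switching Web RADIUS Authentication from CHAP to PAP, and the thread about a RFC 2865-only server choking on attribute type 80); it is not Cisco code and not from any post. It encodes the attributes a NAS such as a WLC puts in an Access-Request for a web-auth user: User-Password hiding for PAP and CHAP-Password per RFC 2865, and the Message-Authenticator (type 80, HMAC-MD5) from RFC 2869, which is what the last poster's server rejects and which `msg_auth=False` leaves out. A toy server then shows why the ACS error happens: with PAP the server recovers the cleartext and can hand it to a directory that only answers yes/no (an AD bind), while CHAP requires the server itself to compute MD5(id || password || challenge), so it needs the cleartext password, which AD does not return unless passwords are stored with reversible encryption. The shared secret, user names, `Directory` class and all helper names are made up for the example.

```python
# Added example, not Cisco code: RADIUS Access-Request credentials per RFC 2865
# (User-Password for PAP, CHAP-Password) and RFC 2869 (Message-Authenticator,
# type 80), plus a toy server showing why PAP can be checked against a directory
# like AD while CHAP cannot. Secrets, users and helper names are made up.
import hashlib
import hmac
import os

USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3   # RFC 2865 attribute types
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80      # RFC 2865 / RFC 2869
ACCESS_REQUEST = 1

def attr(t, value):
    """One attribute: type, length (including this 2-byte header), value."""
    return bytes([t, 2 + len(value)]) + value

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret||previous block)."""
    p = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Server side of pap_hide: recover the cleartext and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_access_request(ident, user, password, secret, mode="pap", msg_auth=True):
    """Return (packet, request_authenticator). Message-Authenticator, if any, is placed last."""
    auth = os.urandom(16)
    body = attr(USER_NAME, user)
    if mode == "pap":
        body += attr(USER_PASSWORD, pap_hide(password, secret, auth))
    elif mode == "chap":
        challenge = os.urandom(16)
        body += attr(CHAP_PASSWORD, chap_response(ident, password, challenge))
        body += attr(CHAP_CHALLENGE, challenge)
    else:
        raise ValueError(mode)
    if msg_auth:  # the type-80 attribute an RFC 2865-only server does not understand
        body += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + auth + body
    if msg_auth:  # HMAC-MD5 over the whole packet with the value zeroed, keyed by the secret
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt, auth

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    i = 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        yield i, t, pkt[i + 2:i + length]
        i += length

def verify_message_authenticator(pkt, secret):
    """True only if a type-80 attribute is present and its HMAC-MD5 verifies."""
    for off, t, value in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

class Directory:
    """reversible=False models AD: it answers yes/no for a password but never returns it."""
    def __init__(self, users, reversible=False):
        self._users, self.reversible = users, reversible
    def check(self, user, password):
        return self._users.get(user) == password
    def cleartext(self, user):
        return self._users.get(user) if self.reversible else None

def server_check(pkt, secret, db):
    """Toy RADIUS server: ACCEPT / REJECT / UNSUPPORTED for the request and store."""
    auth, a = pkt[4:20], {t: v for _, t, v in parse_attrs(pkt)}
    user = a.get(USER_NAME)
    if USER_PASSWORD in a:  # PAP: server recovers the cleartext, the directory checks it
        return "ACCEPT" if db.check(user, pap_reveal(a[USER_PASSWORD], secret, auth)) else "REJECT"
    if CHAP_PASSWORD in a:  # CHAP: server must compute the MD5 itself, so it needs the cleartext
        if not db.reversible:
            return "UNSUPPORTED"  # ACS reports this as "Auth type not supported by External DB"
        stored = db.cleartext(user)
        if stored is None:
            return "REJECT"
        resp = a[CHAP_PASSWORD]
        good = chap_response(resp[0], stored, a.get(CHAP_CHALLENGE, auth))
        return "ACCEPT" if hmac.compare_digest(resp, good) else "REJECT"
    return "REJECT"
```

Note that PAP "hiding" is only an obfuscation keyed by the shared secret, not encryption; the cleartext is recoverable by anyone holding the secret, which is why the path from controller to ACS should be a trusted segment (or an IPsec tunnel) and why the web-auth page itself should be served over HTTPS with a certificate the client trusts.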

  • PALM with WLC 4400 (Web Auth Portal)

    We cannot get the Web Portal splash page to display on wireless Palm units... the site simply hangs. Are there any fixes out there for this problem? Thanks for all replies!!

    Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be the certificate is not valid and the Palm has no way to prompt for that message like a laptop. Any ideas?

  • WLC 4400 web auth issues

    Hello,
    I am experiencing an issue with my model 4404 wireless controllers that has plagued me for some time now. I have two controllers with 106 APs split evenly between the two controllers. One of my SSIDs is set up with web authentication. I have one RADIUS server (Cisco ACS v4.1). The problem only exists for the SSID that uses web authentication.

    Reports begin to come in that students cannot log in to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login).

    I obtain one of the student logins for testing and here is what I have found. I attempt to log in to the student wireless with this account and receive the same results as the student. I have an AP in my office that I use for testing, so I force it on to the other controller. At that point the account in question works. I can log in without any issues. I force the AP back to the initial controller and experience the same issue, I cannot log in. No error of bad username and password, just login fields that go blank.

    More reports come in that students cannot log in and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more and then it all starts over again. The next time it may be the other controller that is experiencing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down. I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix.
    Does anyone know if this is a known issue with this model controller?
    Thanks much for any help.

    Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in, possibly due to being logged in somewhere else. At that point I pore over every client on the controller, even filtering by MAC address. I see no evidence of the client being associated or authenticated. On a side note, I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of RADIUS accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.

  • 7.5 web-auth client sleep timer feature

    The 7.5 release advertises the ability to configure a timeout value so that guest clients which go to sleep are not re-prompted for web auth. Does anyone know if 7.5 would only be required on the anchor WLC, or must it also be on the foreign? We utilize web auth for a guest WLAN and anchor it to a WLC in the DMZ. Preference would be to NOT load 7.5 on every WLC we have and only upgrade our guest anchor.
    Thanks!
    Anthony

    Hi Scott ( and all ),
    I was making some tests with sleeping clients with an infrastructure like this:
    - 2 foreign (5508) with the APs and client association
    - 2 anchor (4402) on the DMZ
    - RADIUS for client auth
    From my understanding:
    - clients are associated to the foreign but
    - the authentication is forwarded to the anchor
    (I can see the request on the RADIUS with the anchor NAS IP address and, before the client is authenticated, I get the status as REQ_D state on the anchor.)
    So I suppose the sleeping client feature should be on the anchor (or on both controllers) and not only on the foreign. Am I wrong?
    If you have some idea to make it work with only the sleeping config on the foreign, I will solve one big issue because my anchors are 4402s without the sleeping feature available.
    All is working fine on the foreign if I remove the anchor configuration (by the way, like this it isn't a foreign anymore).

  • Caching for Web Portal Authenticated clients

    Reading CUWN documentation, Sticky Key Caching works only on WPA2-enabled WLANs.   Is it possible to enable a caching to help Web Portal Authenticated clients perform intra-controller roaming faster?

    Ok, so here's how it works:
    When the client gets on the network, the controller contacts the DHCP server and hands the client back its IP (as with any helper address).
    In order for web auth to work, you need to open a browser on the client.
    When you go to a page (say www.google.com) your browser does a DNS query for the IP address of the site (www.google.com), the controller intercepts the query.
    Since you have not been authenticated yet, the controller does not allow the query directly, but it proxies the query to the DNS server you were trying to resolve against. It sources this query from its interface that is on the VLAN the SSID your client is on maps to.
    That reply is proxied back to your computer, and then your browser does its normal request to Google's IP.
    The controller then intercepts that request, and sends a reply back redirecting the browser to the controller login page (usually https://1.1.1.1).
    Once you log into the web page, you will be redirected back to your original page (www.google.com).
    I hope I explained it well. If I wasn't clear, please let me know.
    -Eric
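Added here as an illustration, not WLC code and not from the thread: a Python model of the intercept sequence Eric describes (DNS proxied before authentication, the first HTTP request answered with a redirect to the controller's login page carrying the original URL, pass-through once the client is authenticated), extended with the sleeping-client timer from the 7.5 thread further up. The WEBAUTH_REQD and RUN names mirror the controller's policy-manager states and https://1.1.1.1 is the virtual address seen on these threads; the `?redirect=` parameter and its encoding, the class and method names, the plain seconds counter used for time, and the rule that a sleeper's credit runs from its last successful login (and is not refreshed by a re-association) are assumptions made for the example.

```python
# Added example, not WLC code: a model of the web-auth intercept flow described
# in the reply above plus the sleeping-client cache from the 7.5 thread. The
# WEBAUTH_REQD/RUN names mirror the controller's policy-manager states and
# 1.1.1.1 is the virtual address used on these threads; the ?redirect= form,
# the class and method names and the timer handling are assumptions.
from urllib.parse import quote

LOGIN_URL = "https://1.1.1.1/login.html"


class WebAuthPortal:
    def __init__(self, sleep_timeout=0):
        self.state = {}          # client MAC -> "WEBAUTH_REQD" or "RUN"
        self.cached = {}         # client MAC -> time at which its sleep credit expires
        self.sleep_timeout = sleep_timeout

    def associate(self, mac, now):
        """Client joins the open WLAN. A known sleeper returning in time skips the portal."""
        if self.cached.get(mac, -1) > now:
            self.state[mac] = "RUN"
        else:
            self.cached.pop(mac, None)
            self.state[mac] = "WEBAUTH_REQD"
        return self.state[mac]

    def dns(self, mac, qname):
        """DNS from an unauthenticated client is proxied rather than dropped, so the
        browser can resolve the site and then send the HTTP request that gets hooked."""
        if self.state.get(mac) == "RUN":
            return "PASS"
        return "PROXY" if mac in self.state else "DROP"

    def http(self, mac, raw_request):
        """RUN clients pass through (None). Others get a 302 to the portal that carries
        the original URL so the login page can send the browser back afterwards."""
        if self.state.get(mac) == "RUN":
            return None
        if mac not in self.state:
            return "DROP"
        lines = raw_request.split("\r\n")
        method, target = lines[0].split(" ")[:2]
        headers = {k.strip().lower(): v.strip() for k, v in
                   (l.split(":", 1) for l in lines[1:] if ":" in l)}
        original = "http://" + headers.get("host", "") + target
        location = LOGIN_URL + "?redirect=" + quote(original, safe="")
        return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"

    def login(self, mac, credentials_ok, now):
        """Portal form submitted. Success moves the client to RUN and starts its sleep credit."""
        if self.state.get(mac) != "WEBAUTH_REQD" or not credentials_ok:
            return self.state.get(mac)
        self.state[mac] = "RUN"
        self.cached[mac] = now + self.sleep_timeout
        return "RUN"

    def disassociate(self, mac):
        """Client sleeps or leaves: its state is dropped, its sleep credit is kept."""
        self.state.pop(mac, None)
```

Read against the anchor/foreign question: whichever controller holds the client's policy state (the anchor, for a guest WLAN tunnelled to the DMZ) is the one that must keep the `cached` table, since that is where the login moves the client to RUN and where a returning sleeper is looked up.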
