Enable WebAuth on WLC to intercept https (or https redirection) for authentication

Hi all
My company is using WLC with Guest access feature, and use Layer 3 security authentication to permit only Guests who provided valid user/password to access.
But we met a issue that, when guests connect to Guest SSID successful, on PC they have to open web browser and access to 1 website by http, after that WLC will intercept and redirect to authentication page.
If customer access to https (as google, gmail, ...) WLC cannot intercept and redirect to authentication. Because almost customers access to https://google.com at first by their habit.
On my firewall, I can do intercept by both http and https, so I wonder on WLC I can enable intercepting and redirecting to authentication of https also
If possible, please advice us how to enable this feature.
Regards
Hai Dao Tuan

Thanks all
I also just found a link that mentions about this case clearly and commands to enable it
https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth
(WLC)> config wlan security web-auth enable <wlan-id>
(WLC)> config network web-auth https-redirect enable

Similar Messages

Renewed Cert, now http redirect for OWA no longer works

From this previouse thread, where I was discussing cert issues, I renewed my cert (to expire in a few days) from my third party (GoDaddy). I installed the new Cert via teh GoDaddy instructions:
http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007
now, when attempting to connect to http://mail.MyDomain.com, I get the dreaded "403: Forbidden: Access is denied" message
If I put in https://mail.MyDomian.com, it opens OWA normally. I do have (and have had) redirect of http enabled as shown in this Miscrosoft Article:
http://technet.microsoft.com/en-us/library/aa998359(EXCHG.80).aspx, so that's not hte issue.
Any ideas please...
James

Well, solved it myself. Not sure what was differnt before now however, I went to this document from Microsoft (note: this says for Exchange 2010, but also applies to 2007, which is what I am running):
http://technet.microsoft.com/en-us/library/aa998359.aspx
And there at the yellow box, it says:
In the Default Web Site Home pane, click SSL Settings.
In SSL Settings, clear Require SSL.
If you don’t clear Require SSL, users won’t be redirected when they enter an unsecured URL. Instead, they’ll get an access denied error.
After that, if someone goes to http://mail.MyDomain.com it redirects to
https://mail.MyDomain.com as needed. Why did the cert update bring this problem to the surface, not sure.
Thanks,
James

Https redirect for SGD 4.4

Hello,
I am attempting to set up the apache webserver to redirect http traffic to https.
I originally was able to achieve this in SGD 4.3 by using the RewriteEngine in the httpd.conf file to simply rewrite all requests to https, but this appears to no longer work for SGD 4.4.
I have properly configured SSL support, and going to https://<servername> works just fine, I'd just like to able to force traffic over https for convenience and security for my users.
Any help would be greatly appreciated.
Adam

Hello,
That worked, and I was redirected to an https connection until I attempted to log in. The following error was returned:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Any suggestions?
UPDATE: A google search suggested that this may be a result of my using a selfsigned cert for testing purposes. See:
http://dreamingthings.blogspot.com/2006/12/no-more-unable-to-find-valid.html
I'll try using the InstallCert.java and see if it works.
Adam
Edited by: adamallred on Mar 6, 2008 3:02 PM

Lighttpd https redirect for only certain directories

This works great for redirecting all traffic to https on my home server:
# Redirect all http requests to https
$SERVER["socket"] == ":80" {
$HTTP["host"] =~ "(.*)" {
url.redirect = ( "^/(.*)" => "https://%1/$1" )
However, I'm trying to exclude one directory from this (other people using it, self-signed ssl messages...you get the idea ) and I can't quite wrap my brain around it. Server Fault and Stackoverflow had some examples that were close, but I couldn't manipulate them into doing what I wanted. A gentle shove in the right direction would be much appreciated.
Very simple layout: /srv/http/<dir1> /srv/http/<dir2> /srv/http<dir3> etc. Call it 'foo-dir' that I want to exclude. The server sits behind a consumer router with all port 80 and 443 traffic directed to the server's static IP. External IP via dyndns.
Thanks!
Scott

SFTP is a subset of SSH. Currently Apple uses OpenSSH which does not have any kind of chroot jail for SFTP as it does for FTP. If you want to have an SFTP chroot jail, you will need to do some alterations. Currently there are two methods which are documented here:
http://www.schwie.com/brad/macosxsftpchroot/
Mac OS X (10.4.4)

HTTP redirects

Hi,
I want to configure http to https redirects on CCS 11501. Could someone guide me on how to implemet HTTPS redirect for a sub-directory.
Say I have www.xyz.com by default it goes to http, which is fine. But if someone types in http://www.xyz.com/login or http://www.xyz.com/login/secure/index.html then it should be redirected to httpS://www.xyz.com/login or http://www.xyz.com/login/secure/index.html. Basically anything in and under login directory should be HTTPS.
I have setup following but I am getting redirect loop
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 80
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content SSL_RULE
protocol tcp
vip address 10.1.1.1
port 443
add service SSL_SERVICE
active
content LOGIN
vip address 10.1.1.1
protocol tcp
port 80
url "//www.xyz.com/login/*"
add service LOGIN_RD
active
==========================
service LOGIN_RD
ip address 2.2.2.2
keepalive type none
type redirect
domain https://www.xyz.com
active
service SSL_SERVICE
type ssl-accel
slot 2
add ssl-proxy-list SSL_LIST1
keepalive type none
active
I would greatly appreciate any help.

Your getting a redirect loop because you do not have an alternate port were the redirected traffic can be processed. The inbound request that contains "/login" will get redirected to the HTTPS equivalent however with your current configuration the connection will simply fall under the same redirect content rule and you will never resolve content correctly(redirect loop).
The following configuration will work:
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 80
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content DEFAULT
vip address 10.1.1.1
protocol tcp
port 81
url "/*"
add service Server1
add service Server2
advanced-balance arrowpoint-cookie
active
content SSL_RULE
protocol tcp
vip address 10.1.1.1
port 443
add service SSL_SERVICE
active
content LOGIN
vip address 10.1.1.1
protocol tcp
port 80
url "/login*"
add service LOGIN_RD
active
==========================
service LOGIN_RD
type redirect
no prepend-http
keepalive type none
domain https://www.xyz.com
active
service SSL_SERVICE
type ssl-accel
slot 2
add ssl-proxy-list SSL_LIST1
keepalive type none
active
Update the ssl-proxy-list with an alternate port to send the decrypted traffic too.
ssl-server 1 cipher all-cipher-suites 10.1.1.1 81
I chose port 81 as the alternate decrypted port, however you can choose any other port. Please be sure that your servers are setup to accept traffic on that alternate port as well. If not, you can simply setup a NAT rule and hardset the destination port on the services to port 80. This will allow the CSS to re-write the destination port to port 80 when the decrypted traffic gets sent to the alternate port 81 content rule.
Hope this info helps.
- Jason

WLC 7.2 - Custom WebAuth using waep Template w/ HTTP Only

We are trying to get the waep template (default no changes) from the Cisco WebAuth bundle to work on a 5508 controller.
We've setup the controller to use the custom login.tar that comes with the waep template folder in the bundle.
We setup the WLAN to work off the global template and we used the config network web-auth secureweb disable command to allow only http rather than https (which is supposed to work in 7.2 code)
When we test with the custom bundle, we get no answer from the controller, just a url of
http://1.1.1.1/fs/customwebauth/login.html?switch_url=http://1.1.1.1/login.html&ap_mac=c3:12:30:01:a4:d0&client_mac=01:21:ca:b3:13:12&wlan=Guest&redirect=www.google.com/
If we turn custom off, and use internal everything works...
Just to be clear.. we aren't looking for authentication (user and pass) we are trying to do the enter your email and click accept to the aup method.
Thanks for any help!

No changes to the tar file that comes as part of the bundle..
Downloaded the bundle, unziped all folders locally.. then uploaded the login.tar from the waep folder right to the controller.
Changed webauth to use custom, and applied.
Tested multliple times with the same results.

ISE device registration webauth with wlc 7.0 lwa

Is it possible to use the DRW feature with WLCs running 7.0 code? All configuration examples refer to 7.2 code. Its only for guest user device registration. No profiling / provisioning.
Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
Thanks.

Hi,
The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
For your reference here is the item in the New Features section of the 7.2 WLC release notes:
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
thanks,
Tarik Admani
*Please rate helpful posts*

How to intercept Http requests by writing an App Server plugin?

Hi all,
My requirement of "Application Server plugin/filter" is to intercept all Httprequests coming to an
Application Server instance (and not webserver), get the related information from the request, do whatever
i want to do and then forward the request based on the info available in the request header to any
webapplication or EAR deployed in the application server.
I do not want to implement as a Servlet filter in a webapp. which is intrusive to the webapp.
as we are aware, Servlet Filters can be attached to resources in a Web application and are configured in the
web.xml file.
I have tried out my requirements in Tomcat as follows, it works:
In Tomcat, Valves are attached to a Tomcat container and are configured using a <Valve> element in the
server.xml file.
We have modified RequestDumperValve Filter ( source available) class extending Valve to intercept Http
requests.
I perform whatever i want to do in this custom Filter and then able to forward to the next valve in the valve
chain of Tomcat container. I have Configured this valve in server.xml and it works fine.
My queries are:
1. Can i do it the same thing in WebLogic application server or other IBM Websphere application server ?
2. Do the commercial appservers expose their APIs ( e.g. like Valve or Filter in Tomcat ) such that i can
implement an application server plugin ?
i.e. Are there any such Filter classes available which will intercept the Http request processing pipleine
in application server ( precisely, its web container )
If so, can you pls provide pointers for WebLogic application server and IBM Webpshere application server
3. Is this against J2ee specs ?
Appreciate if you can provide me any clues, tips, solutions, pointers regarding this problem.
thanks and regards
rajesh

Try proxyHandler property and implement a custom ProxyHandler.
ex:
<property name="authPassthroughEnabled" value="true"/>
<property name="proxyHandler" value="com.sun.enterprise.web.ProxyHandlerImpl"/>
null

How to Intercept Http requests by Application Server plugin ?

Hi all,
My requirement of "Application Server plugin/filter" is to intercept all Httprequests coming to an
Application Server instance (and not webserver), get the related information from the request, do whatever
i want to do and then forward the request based on the info available in the request header to any webapplication or EAR deployed in the application server.
I do not want to implement as a Servlet filter in a webapp. which is intrusive to the webapp.
as we are aware, Servlet Filters can be attached to resources in a Web application and are configured in the web.xml file.
I have tried out my requirements in Tomcat as follows, it works:
In Tomcat, Valves are attached to a Tomcat container and are configured using a <Valve> element in the server.xml file.
We have modified RequestDumperValve Filter ( source available) class extending Valve to intercept Http requests.
I perform whatever i want to do in this custom Filter and then able to forward to the next valve in the valve chain of Tomcat container. I have Configured this valve in server.xml and it works fine.
My queries are:
1. Can i do it the same thing in SunONe application server or other IBM Websphere application server ?
2. Do the commercial appservers expose their APIs ( e.g. like Valve in Tomcat ) such that i can implement an application server plugin ?
i.e. Are there any such Filter classes available which will intercept the Http request processing pipleine
in application server ( precisely, its web container )
If so, can you pls provide pointers for SunONE application server and IBM Webpshere application server
3. Is this against J2ee specs ?
Appreciate if you can provide me any clues, tips, solutions, pointers regarding this problem.
thanks and regards
rajesh

Thanks for the info, vbk.
Actually we are looking filers not at the servlet level in a web application.
We are looking ways for the filter to work at web container level across different web applications... That is whatever comes to the application server, should hit at this filter ,then we perform some processing, analysis and then continue for the correspnding web application
thanks
rajesh

Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

Hello All,
We are currently building up a HTTPS message exchange with an external client.
Our PI 7.1 recieved over HTTPS messages on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2)
Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet is required and works fine with user ID and password.
Now we have to configure the addtional Client Authentication.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen

Hi Colleagues,
following Steps still have to be done:
- Mapping public key to technical user at Java Stack
As preparation you have to activate value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" under Config Tool. At NWA under Identity Management at for repecively technical user the public key certificate
- Be sure CA root certivicate at Database under STRUSTSSO2
- Import intermediate Certificate under Certificate List at Trast Manager for the Respecive Server Note
- use Login Module "client_cert" which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen

WLC: which software-version support SHA2 certificates for Web Authentification and Web Management ?

Hello,
I tried to install new SHA2 3th-Party certificates on our WLCs. There are old WiSM1-Boards and 2504 to support our old 1230 Access Points, running 7.0.251.2, which didn't install it, although the config manual for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2-certificates I get the message "File transfer failed" an the log says:
*TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
*TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
Which software versions support SHA2 certificates and which didn't ? Is the a list for it ?
Regards

Hello,
I solved the problem. First I used a Debian Linux system with Openssl 1.0.1. After I searched the internet using one of the log messages above I found sites which mentioned to use Openssl 0.9.x. So I tried a productive and security fixes Debian Linux System running Openssl 0.9.8 and I succeeded. The wlcs accepted the certificate files and used it after a reboot. The Web GUI still shows a SHA1 Fingerprint, but the certificate signature Algorithm is SHA2:
Signature Algorithm: sha256WithRSAEncryption
When you check the openssl.org homepage Openssl 0.9.8 is still one of the actual version of openssl and is still available and fixed. But the Openssl Roadmap says:
"We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
I don't know the differences between certificates made with openssl 0.9.8 and 1.0.1. Is there anybody who can explain it to me ?
Regards

HT4436 I am using IOS 4.1 in Ipod touch. I would like to take my data back using icloud. I am not able to enable icloud in to my ipod touch. please help me for the same.

I am using IOS 4.1 in Ipod touch. I would like to take my data back using icloud. I am not able to enable icloud in to my ipod touch. please help me for the same. Basically I am trying to take back to upgrade my ios to 5 or 6 version.

You can't back up to iCloud until you update to iOS 5 or higher. You will have to back up your iPod on your computer using iTunes. Update iTunes on your computer to the latest version, then connect your iPod to your computer, open iTunes, if iTunes give you a pop-up asking if you want to update your iPod, decline. Then click on the name of your iPod in iTunes, go to File>Devices>Transfer Purchases to transfer any purchased media to your iTunes library. Next, go to the Summary tab of your iTunes sync settings and click on Back Up Now to back up your iPod on your computer.
When it's done backing up, click on Check for Update (or Update) on the Summary tab of your iTunes sync settings. Allow your iPod to update, and leave it connected to your computer. At the end, it will restart and give you the option to restore to the iTunes backup you made earlier. Choose this option to restore your backup and sync your apps and other iTuens media to your phone.
This process is outlined in this article: http://support.apple.com/kb/HT4972, under "If you are attempting to update using a Mac or PC with which you normally sync".

HTTPs without client authentication, error while posting through Altova

Hi Experts
I am doing a SOAP- XI-Proxy synchronous scenario where i have to use HTTPs without client authentication for the first time in my system.
I have made the scenario and WSDL out of it.
When i am trying to test it through Altova, i am getting the following error:
<?xml version="1.0"?>

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP:Body>
        <SOAP:Fault>
            <faultcode>SOAP:Server</faultcode>
            <faultstring>Server Error</faultstring>
            <detail>
                <s:SystemError xmlns:s="http://sap.com/xi/WebService/xi2.0">
                    <context>XIAdapter</context>
                    <code>ADAPTER.JAVA_EXCEPTION</code>
                    <text><![CDATA[
java.security.AccessControlException: https scheme required
    at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:918)
    at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3.process(ModuleLocalLocalObjectImpl0_3.java:103)
    at com.sap.aii.af.mp.ejb.ModuleProcessorBean.process(ModuleProcessorBean.java:296)
    at com.sap.aii.af.mp.processor.ModuleProcessorLocalLocalObjectImpl0_0.process(ModuleProcessorLocalLocalObjectImpl0_0.java:103)
    at com.sap.aii.af.mp.soap.web.MessageServlet.callModuleProcessor(MessageServlet.java:187)
    at com.sap.aii.af.mp.soap.web.MessageServlet.doPost(MessageServlet.java:496)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1060)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
          ]]></text>
                </s:SystemError>
            </detail>
        </SOAP:Fault>
    </SOAP:Body>
</SOAP:Envelope>
i saw a few discussion on web but nowhere the solution was provided.
the url is
http://abc.sap.point:1234/XISOAPAdapter/MessageServlet?channel=:system:communicationchannel&version=3.0&Sender.Service=x&Interface=x%5Ex
i changed it to https also but in that case it was not even posting the request.
i have set the sender adapter like this
is there any setting that i am missing.
What is the setting the i need to do in SM59.
Please help me getting through this.
Your help is highly appreciated. Thanks in advance.
Neha

HI Neha,
1. Enable the https service in the ICM: you can follow the way to do it like is pointed out in the page 4 of this document (PI 7.1 and PI 7.0 has the same smicm abap transaction) http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60ff2883-70c5-2c10-f090-a744def2ba66?overridelayout=t…
2. Generate the certificate. Use the STRUST transaction. Chech this document SSL Configuration in SAP ABAP AS and JAVA AS – Step-by-step procedure
Hope this helps.
Regards.

Https redirection issue for Wireless Guest CWA - ISE 1.3

Our Setup is
ISE 1.3 (Patch level 2) running on ACS 1121
2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
Configured SSID Guest for Centralized web authentication with ISE.
We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
Please advice.

Hi Neno
They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

HTTPS with Client Authentication not available in EHP1?

Hi Guys,
I am not seeing this option in PI 7.1 EHP1.
At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level"you are able to configure "HTTPS with Client Authentication".
any help would be appreciated
Thanks,
Srini

Hi Srinivas,
I didnot use it personally. But when I see on SAP help I dont see that option anywhere. Please see this sap help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
But you have an option sender agreeement for security. Please see this help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
Regards,
---Satish

Enable WebAuth on WLC to intercept https (or https redirection) for authentication

Similar Messages

Maybe you are looking for