External Web Authentication - HTTP Redirect or Proxy?

I've been reading all of the information I can find about the use of authentication of guest users using an external web server, rather than the native portal provided by a WLC. I've looked at the configuration examples and configuration guides.
My question is this: when the WLC redirects the client to the external web server, is it a true HTTP redirect (i.e. an HTTP redirect sent to the client) or does the WLC act as a proxy (via its virtual address, usually 1.1.1.1), altering the HTTP headers as it does when redirecting requests to its internal web portal?
This is important as I need to understand if it is the client that has to be able to connect to the external web server, or whether it is the WLC that has to be able to connect to the external web server.
The WLC for the solution I am working on is in a highly secure DMZ area, so it is important to know which devices need to talk to which.

So, to be clear, it is the WLC that needs connectivity to the external server or the client device?
Both devices need to communicate with the external web server. The WLC will need to communicate with the external server since it will be expecting a return of information from that server to process the L3 authentication. The client will need to reach it as the WLC is going to redirect it to that site (reason for the pre-auth ACL).
Does the client communicate directly with the external web server, or will it direct its http requests to 1.1.1.1, which will then be proxied by the WLC to the external web server?
Again, this is both. The client will look up/resolve a site and initiate some HTTP traffic, so it starts a TCP SYN to the real web server it is trying to reach; the WLC will see this request, hijack the IP of the destination server and reply back to the client (pretending to be the "internet" server). The WLC redirects the client to its virtual IP, whether using internal or external web auth. So the client will arrive at the virtual IP of the WLC, which will then redirect the client to the external web server in your case. When this happens the WLC has also inserted some information into the redirect URL on the client's behalf, which the external server will use to send back the information it collects (assuming you're using one of our standard external bundles). The external server will process the client's HTTP GET, so as far as "viewing and using" the external web server goes, the client will make that request directly to the external web server. The external server, upon submission of the form on the page, will send the information collected from the client back to the WLC (whose IP it learned from the redirect URL). The authentication of the client will take place at the WLC.
So in this scenario you need a love triangle between the client, the WLC and the external server. All will be talking to one another at some point. Your client needs connectivity to the external server, and your WLC needs connectivity to the external server.
David W.
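The handoff described in the answer above (the WLC inserts information into the redirect URL, and the external page sends the form back to the controller's virtual IP) is the part the external web server has to implement, and it is also what the "External Web authentication server for Guest access" and "Help with Web Authentication" posts further down ask about. The following is an added example, not code from this thread or from Cisco's external web auth bundle: it parses the redirect URL the client's browser arrives with, refuses to build a login form unless the switch_url it would post credentials to really is the controller's virtual IP over HTTPS (so a crafted link cannot divert guest credentials to another host), and renders the form. The query parameter names (switch_url, ap_mac, client_mac, wlan, redirect), the hidden form fields (buttonClicked, err_flag, redirect_url) and the sample URLs are assumptions not stated on this page.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Virtual interface address of the controller; 1.1.1.1 is the value used in this
# thread. The external page must only ever send credentials back to this host.
WLC_VIRTUAL_IPS = {"1.1.1.1"}

# Query parameters the WLC is assumed to append when it redirects the client to the
# external portal (assumption: names follow Cisco's sample external login page; they
# are not stated in this thread).
REQUIRED_PARAMS = ("switch_url", "ap_mac", "client_mac", "wlan", "redirect")

# Constructed sample of a redirect the client's browser would arrive with.
SAMPLE_PARAMS = {
    "switch_url": "https://1.1.1.1/login.html",
    "ap_mac": "00:11:22:33:44:55",
    "client_mac": "aa:bb:cc:dd:ee:ff",
    "wlan": "Guest",
    "redirect": "http://www.example.com/",
}
SAMPLE_REDIRECT = "http://portal.example.test/login.html?" + urlencode(SAMPLE_PARAMS)
# The same redirect with switch_url pointed at something other than the controller.
TAMPERED_REDIRECT = SAMPLE_REDIRECT.replace("1.1.1.1", "203.0.113.9")


def parse_wlc_redirect(url):
    """Return the parameters the WLC inserted into the redirect URL.

    Raises ValueError if a required parameter is missing or if switch_url does
    not point at a known controller virtual IP over HTTPS. Without this check a
    crafted link could make the login page post guest credentials to any host.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = {}
    for name in REQUIRED_PARAMS:
        values = query.get(name)
        if not values:
            raise ValueError("missing parameter: %s" % name)
        params[name] = values[0]
    target = urlparse(params["switch_url"])
    if target.scheme != "https" or target.hostname not in WLC_VIRTUAL_IPS:
        raise ValueError("switch_url is not the controller: %s" % params["switch_url"])
    return params


def is_trusted_redirect(url):
    """True if the redirect passes parse_wlc_redirect's checks."""
    try:
        parse_wlc_redirect(url)
        return True
    except ValueError:
        return False


def render_login_form(params):
    """Build the HTML form the external page serves. Its action is switch_url, so the
    browser submits the credentials to the controller's virtual IP and the controller
    performs the authentication. Hidden field names are the same assumption as
    REQUIRED_PARAMS; every attribute value is escaped before it is placed in HTML."""
    hidden = {
        "buttonClicked": "4",
        "err_flag": "0",
        "redirect_url": params["redirect"],
    }
    lines = ['<form method="post" action="%s">' % html.escape(params["switch_url"], quote=True)]
    for name, value in hidden.items():
        lines.append('  <input type="hidden" name="%s" value="%s">' % (name, html.escape(value, quote=True)))
    lines.append('  <input type="text" name="username">')
    lines.append('  <input type="password" name="password">')
    lines.append('  <input type="submit" value="Login">')
    lines.append("</form>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_login_form(parse_wlc_redirect(SAMPLE_REDIRECT)))
    print("tampered redirect trusted:", is_trusted_redirect(TAMPERED_REDIRECT))
```

In terms of the connectivity question in the thread, the form's action shows which flows the pre-auth ACL and DMZ rules have to permit: the client must reach the external portal to fetch this page, and the client must reach the virtual IP to submit it; the controller itself then performs the authentication.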

Similar Messages

  • Aironet 1140 FLEXCONNECT External Web Authentication and Apple Devices

    Hi!
    I'm having an issue with this Access Point.
    I've configured this access point with WLC in mode FlexConnect with web authentication.
    It's all right: I'm connecting with my PC over wireless, I open my web browser in Windows, then the Access Point redirects me to the External Web Authentication Page,
    I put in my credentials, and I'm redirected to my access point (https://1.1.1.1/login.html, I accept the certificate) and then the Access Point redirects me to the Internet.
    I do this with my Android phone; it's all right again.
    I try to connect with an iPhone or iPad: I'm redirected to the External Web Authentication Page, I put in my credentials, and I'm redirected to https://1.1.1.1/login.html, where the web browser doesn't ask me anything and I'm not redirected to the Internet.
    Have you any idea?

    Thank you Scott, I understand what you are talking about, but my problem is different.
    I'll try to explain.
    I see the wireless network, I associate the iPhone to this network, so I'm redirected to the login page,
    whether I use the "Apple Login" or I open a web page.
    On this page, which I reach with all devices, I put in my credentials, then with all devices I am redirected
    back to the Access Point (https://1.1.1.1/login.html).
    On this page I should be redirected to the Internet after RADIUS authentication, but with Apple devices this doesn't work.
    This is the WEB AUTHENTICATION flow from the Cisco documents.
    The user associates to the web authentication SSID.
    The user opens their browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL.

  • Controller 4402 web authentication http instead of https?

    Hello,
    Does somebody know if it's possible to redirect to an HTTP page instead of HTTPS when using web authentication, with a WLC 4400 and AP 1000?
    Or how not to have the certificate message?
    thanks Gael

    Yes, I tried it. It does work, although there is a noticeable time lag until the cert warning pops up. Also, the controllers, as of ver 3.2.78.x, had only 30k of space for text & images, thus limiting what can be displayed on the webauth page. It does allow for URL redirects though, but I am not sure whether it can parse HTML or not.

  • External Web authentication server for Guest access

    I have a guest wireless WLAN set up. When guest users attach to our guest wireless they are prompted by the built-in web security on the WLCs.
    Cisco talks about how to set up the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or give examples.
    I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user: name, email, purpose of using the WLAN, and some background info they don't see, like computer name and MAC address. This is all for tracking purposes.
    Hotels do this type of web authentication for example.
    Any help would be great.

    Hi Patrick,
    I'm having the same problem here. I configured my WLC to redirect the login page to a web server, but I don't know how to configure the web server to send the credentials back to the WLC. Were you able to solve this problem?
    thanks!
    Claudio

  • External Web Services as simple ABAP Proxy issue

    Hi,
    I'm a bit confused on the subject. I'm testing a scenario where I want to call an external web service directly from ABAP (no XI in between for the moment: I'm using a client on the XI box that is set as 'Application system'. This is the only 6.4 client that has outbound HTTP access to the domains required).
    I have a WSDL file for 2 test web services. Via SE80, I've created ABAP proxies for them:
    For 1 of the two (requiring no authentication on the server side), this works OK (and doesn't require any further related setup such as SLD etc.). This seems completely transparent for the XI box: no messages in SXMB_MONI, as I was expecting.
    For the other one (requiring authentication on the server side, but I don't know if that is related), I'm getting a logon box to log on to the integration server, subsequently followed by a 'Receiver could not be determined' error.
    I also have messages in the monitor.
    What could trigger this unwanted XI flow? How can it be different for the 2 web services?
    I do have a 'half-working' integration scenario pending for the second service, with XI in between, as this is my final goal, but I don't see how I can influence it:
    It uses other interface names etc. Only the target web service URL also occurs somewhere on a communication channel from this scenario.
    Any ideas?

    OK, I found it: I forgot to create a logical port for the second web service!

  • SAP consume external web service - HTTP Code 200 : OK

    Hi
    We are integrating the UPS Shipping Ground web service with the SAP system. We have the settings in place on our side and did a blank request test today, and we are getting an "HTTP Code 200 : OK" error instead of a response.
    The SAP SOAManager shows the below detail for the error:
    A SOAP Runtime Core Exception occurred in method get_http_headers of class CL_SOAP_HTTP_TPBND_ROOT at position id 3 with internal error id 1007 and error text SRT: Unsupported xstream found: ("HTTP Code 200 : OK") (fault location is 1 ).
    One thing we noted, but are not sure about, is that the response content type is showing text/plain while the request shows content type accept text/xml in the SOAManager trace functionality. (screenshot)
    I see several discussions on this but could not figure out what needs to be changed in the SE80 consumer proxy or at the SOAManager port level. Please advise.
    Regards,
    Prabaharan G

    Hi Prabaharan! Thanks for the answer!
    I'm doing an integration with a document scanning/recognition system (ABBYY FlexiCapture). It interacts as SOAP services over an MS IIS server in the local network.
    What I've done:
    - dropped everything at first.
    - created the proxy in SE80 using the WSDL file. Created OK.
    - created the logical port in SOAMANAGER using "Create WSDL based configuration". Created OK.
    - went to SM59. There are some connections but nothing like my connection. I have checked all sections, not only type G (HTTP).
    AND HERE A GREAT THING HAPPENED!
    The test "ping" fails but my test code started to work!
    All I have changed is the "URL access path". So I think that was my problem. (I was confused by the ping failure early on and had been trying to change all settings.)
    You brought me luck - thank you very much!

  • Consume an external web service with an ABAP proxy

    Hello,
    I'm working on creating an ABAP Proxy to consume my first web service. In searching SCN I haven't found a comprehensive list of steps to complete the process, but I have found information on generating a proxy from a WSDL and creating a logical port.
    My first issue arises when I go to SPROXY to generate a proxy from a WSDL: I see the message 'Local objects only (No Connection to ESR)', and I have no ability to 'create'. The Enterprise Service Repository seems to be the new name for the Integration Repository, if that helps. Do I need the ESR installed to create a proxy?
    A follow-on question, assuming I do need the ESR, would be: what do I do with it? It appears to serve the purpose of design for interfaces, messages, and mapping, but I thought that happened when I created a proxy in SPROXY.
    We're on ECC 6.0, with a 702 / 0007 basis release. I appreciate any light you can shed on the topic.
    Thanks

    ESR is part of the PI system, and it is where all interface details are stored. You could create an ABAP Proxy from a pre-defined WSDL already stored in PI as part of some communication, but you can also import a WSDL directly from a local file or even from a URL.
    ABAP proxy generation creates a proxy class and a set of ABAP structures, fields and data elements. Simply by filling in the data and calling a method in the proxy class (a different method name depending on synchronization) you can consume your service. No PI is needed if you use the local option.
    There is a very good Tutorial from Thomas Jung. I'll try to find it.
    http://scn.sap.com/people/thomas.jung/blog/2005/05/13/calling-webservices-from-abap-via-https
    Here you have a lot of tutorials
    Best regards

  • Cisco 5508 external web authentication

    Hi all,
    Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
    I am running with a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server; I won't go into the specifics, but it is a secure service with a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2), which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc. and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this, or do I just have to have the user accept the cert error?
    Thanks

    I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
    Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed the same steps for the secondary controller. Shut down the primary controller to test failover to the secondary. APs did not fail over. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought the primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508s.
    I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available.

  • Enable WebAuth on WLC to intercept https (or https redirection) for authentication

    Hi all
    My company is using a WLC with the Guest access feature, and uses Layer 3 security authentication to permit access only to guests who provide a valid user/password.
    But we met an issue: when guests connect to the Guest SSID successfully, on a PC they have to open a web browser and access a website over HTTP, after which the WLC will intercept and redirect to the authentication page.
    If the customer accesses HTTPS (such as Google, Gmail, ...) the WLC cannot intercept and redirect to authentication. Almost all customers access https://google.com first by habit.
    On my firewall I can intercept both HTTP and HTTPS, so I wonder whether on the WLC I can enable intercepting and redirecting HTTPS to authentication as well.
    If possible, please advise us how to enable this feature.
    Regards
    Hai Dao Tuan

    Thanks all
    I also just found a link that mentions this case clearly, with the commands to enable it:
    https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth
    (WLC)> config wlan security web-auth enable <wlan-id>
    (WLC)> config network web-auth https-redirect enable

  • Redirect to web authentication not working on Cisco 5508 Wireless Controller

    Hi,
    I have a wlan with web authentication:
    http://i55.tinypic.com/w145zk.png
    and
    http://i51.tinypic.com/344sfm0.png
    When I connect to the SSID (I get a correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html); when I manually enter the URL I get "cannot display the webpage". Any idea?
    The virtual interface is 1.1.1.1.
    Here is a screenshot of interface and internal dhcp:
    http://i52.tinypic.com/2vkm1d2.png
    Any idea why clients are not redirecting?
    Thanks!

    Thanks for the reply dmantil!
    When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com; I get redirected only if I use the IP.
    I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.

  • ISE and central web authentication

    Hello all,
    I have followed the steps in this document in detail:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal,
    but then the "second" MAB authentication doesn't happen.
    In the last screen capture of the document, you get a green "Dynamic Authorization" line (third line from the bottom). On my system
    this is a red line with the error message "11213 No response received from Network Access Device".
    (I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)
    Any ideas ?
    regards,
    Geert

    By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using an 802.1X client and are authenticated (and you have no other rules in your Authorization sequence table).
    I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy: only do web authentication if MAC not known AND Wired_MAB is being used.

  • Help with Web Authentication

    Having a couple of issues with web authentication, and not getting much help from Cisco TAC. Basically, I'm trying to set up different login pages for each WLAN (so far I have two) with a 4402 controller running 5.1.151.
    For one WLAN, I'm using the internal (default) login page with the following modifications: Cisco Logo is hidden, custom Headline and custom Message. User authentication is done through RADIUS. This works great, but every time I reboot the controller, my custom Message disappears and I get the generic Cisco message, which I don't want. When I add the custom message, I make sure to click Apply and Save Configuration... I don't know if this is a bug or not; is anyone else seeing this?
    For the second WLAN, because I need a different login page, I've tried using a customized downloaded login page and also an external web page.
    For the external web authentication, the documentation says you don't need a pre-authentication ACL and yet without this, the redirect doesn't work. Does anyone have this working without an ACL? Also, the sample login page provided by Cisco does not work and I have no clue what code is needed for the username and password credentials to be passed on to WLC for RADIUS authentication.
    As for the customized downloaded login page, I've gotten a sample page from Cisco which they've said they do not support and this page has several issues which I can't seem to get around: it redirects users to the generic welcome page (which we don't want), and does not prompt the user when they enter incorrect credentials (though I can tell the code for this is there).
    So, I'm wondering if anyone has either an external or internal login page that is working properly and is willing to point me in the right direction?
    Thanks.

    We have had some similar issues with the controllers not telling user they have used the right username/password, but have solved it. Whether it will help or not we can let you have a copy of our login.tar file if you want, just stick your email address in a reply.
    As far as I know, there is only one place to enter a re-direct page, which is in the config for the default web auth page and all web auth methods use this re-direct...that is our experience at least.

  • WLC (Foreign-Anchor), problem with the external web auth -- ISE

    hello guys
    I am currently designing a platform for a guest network, which must be isolated from the local network, with the following equipment:
    ISE 1.2 (Cisco SNS- 3415-K9)
    WLC 7.0.230.0 (Cisco controller 5508)---> wlc Foreign
    WLC 7.0.230.0 (Cisco controller 5508)---> wlc Anchor.
    The EoIP tunnel between wlc is performed successfully.
    The wireless client gets IP address of the anchor wlc (DHCP server).
    Test 1:
    I configure the WLC ANCHOR with local web authentication (internal); the wireless client is authenticated by the WLC and browses successfully.
    Test 2:
    Configure the WLC anchor with external web authentication (ISE). Configure a user in the ISE guest portal.
    The wireless client gets an IP address from the anchor WLC (DHCP server); when attempting to browse, it does not display the guest portal.
    A debug of a wireless client trying to connect to the guest network is attached.

    Thanks for your help Scott...
    Now I have another problem with the guest portal page. The wireless client obtains an IP address and manages to reach the guest portal page; then when I enter the username and password the page tells me it was successful. When I try to browse again it brings me to the visitor portal page and asks me to enter the user name and password.
    test 1:
    the username and password created for away was verified.
    Scott, do you have some implementation details for the same scenario I am developing? I think I'm missing some details in ISE that do not allow the visitor login to succeed.

  • Disabling Weblogic's http server port - Using an external web server

    Hi,
    We are using Weblogic 8.1 as application server and IWS as web server. We have
    siteminder web agent configured on the web server for implementing authentication
    and authorization.
    All our requests first go to the web server which redirects them to the application
    server.
    Since Weblogic itself has an HTTP listen port, a user can still send requests directly
    to the application server (which does not have any siteminder configuration on
    it). Is it possible to ensure that all HTTP requests made directly to the application
    server are not processed, so that the user is forced to hit the web server first?
    Thanks,
    Akash

    When you say redirect, do you mean you use an HTTP redirect to send it to your
    WLS server's URL? Or do you mean you proxy the requests from the webserver to
    the WLS instance? In the former case, you must expose WLS's HTTP server to the
    clients in order to redirect them to the address and you will not be able to
    stop them from going directly there. In the case of the latter, you can put
    your WLS instance behind the firewall so external users can't get to it. If you
    also need to protect it from internal users you should probably not use
    siteminder as your authentication mechanism. You may be able to configure
    siteminder so that it has to authenticate itself to send requests to weblogic
    and then protect all weblogic resources with that role requirement.
    Sam

  • Consuming an External Web Service using HTTPS and WS Security

    Hello everyone,
    I'm having a problem setting the security information in a SOAP header using a generated ABAP Client Proxy to consume an external web service that requires a User ID and Password in the Header section of the SOAP message. I need to use HTTPS. I'm on a WAS 7.01 SP08 system, so from my reading, SAP is supposed to be able to add the username and password into the header section of the message. I can't seem to get SAP to add this information to the header.
    Here are the steps that I have taken to set the security values.
    1) Created the client proxy from the WSDL in SE80. Basic Authentication on the Configuration tab was turned on automatically.
       Note: Transport Security is set to None. I cannot change it.
    2) Created an outbound set user name profile in transaction WSPROFILE with the appropriate username and password.
    3) Added the profile to the default port in transaction LPCONFIG as an outbound under the WS Security section of the screen.
    When I called the external Web Service, I got back the following error message:
    com.ibm.wsspi.wssecurity.SoapSecurityException: WSEC5509E: A security token whose type is [http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken] is required.
    So, after reading through this forum, I saw that I needed to use SOAMANAGER. I set up a Proxy in SOAMANAGER and manually created the Logical Port. This was the only way I could figure out how to set the Authentication Settings in the Logical Port to "User ID / Password". I then entered the User ID and Password.
    However, I am still getting the same error message. I feel I am close but missing some small configuration to tell SAP to use WS Security with a Username token.
    I'm not sure what I'm doing wrong, so any help would be appreciated.
    Thanks,
    Stephen

    I had this error again so I thought I would post my solution:
    The issue is SAP needs to know the certificates being used by the web site being called.  These certificates are automatically installed in your browser but need to be manually installed in SAP.  This is what I did:
    How to find/install new certificates
    Make sure you run Internet Explorer as an Administrator so you can export the certificates
    Go to the web site that SAP is trying to call in Internet Explorer
    Double click on the lock in the address bar
    View certificates
    Find the certificates that are being used
    Tools --> Internet Options --> Content --> Certificates
    Click on the “Trusted Root Certification Authorities” tab
    Find the certificate identified in step iii
    Export as a CER certificate
    Click on the “Intermediate Certification Authorities” tab
    Find the certificate identified in step iii
    Export as a CER certificate
    Go to STRUST in SAP
    Import the Certificates in the “Anonymous” or “Standard” SSL client
    Save
    RESTART the ICM via t-code SMICM  <-- Critical!!!
    Test
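The WSEC5509E error quoted in this thread says the called service expected a wsse:UsernameToken under the OASIS UsernameToken Profile 1.0 URI and received none. The following is an added example, not code from SAP, from the thread, or from the service being called: it builds that SOAP header in Python to show the wire format, using the PasswordDigest form (nonce plus timestamp) so the password itself is not placed in the message, and shows the checks a receiver performs (token present, password type, timestamp skew, nonce replay, digest comparison). The user name "stephen", the password and the fixed nonce used in the demo are constructed sample values; how to switch this on inside SOAMANAGER is not part of the example.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# Profile URI quoted in the WSEC5509E message on this thread.
UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_DIGEST = UT_PROFILE + "#PasswordDigest"
BASE64_BINARY = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
UTC = datetime.timezone.utc

for prefix, uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, nonce=None, created=None, with_token=True):
    """Return a SOAP envelope as text. with_token=False reproduces a client that
    sends no wsse:Security header, which is the situation behind WSEC5509E."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    header = ET.SubElement(env, "{%s}Header" % SOAP_NS)
    if with_token:
        nonce = os.urandom(16) if nonce is None else nonce
        created = created or datetime.datetime.now(UTC).strftime(TIME_FMT)
        security = ET.SubElement(header, "{%s}Security" % WSSE_NS)
        security.set("{%s}mustUnderstand" % SOAP_NS, "1")
        token = ET.SubElement(security, "{%s}UsernameToken" % WSSE_NS)
        ET.SubElement(token, "{%s}Username" % WSSE_NS).text = username
        pw = ET.SubElement(token, "{%s}Password" % WSSE_NS)
        pw.set("Type", PASSWORD_DIGEST)
        pw.text = password_digest(nonce, created, password)
        nonce_el = ET.SubElement(token, "{%s}Nonce" % WSSE_NS)
        nonce_el.set("EncodingType", BASE64_BINARY)
        nonce_el.text = base64.b64encode(nonce).decode("ascii")
        ET.SubElement(token, "{%s}Created" % WSU_NS).text = created
    ET.SubElement(env, "{%s}Body" % SOAP_NS)
    return ET.tostring(env, encoding="unicode")


def verify_username_token(envelope, lookup_password, seen_nonces, now=None, max_skew=300):
    """Receiver-side validation. Returns "ok" or a short rejection reason.
    seen_nonces is a set shared across calls so that a replayed token is rejected;
    now is an optional timestamp string in TIME_FMT (defaults to the current time)."""
    root = ET.fromstring(envelope)
    token = root.find(".//{%s}UsernameToken" % WSSE_NS)
    if token is None:
        return "no UsernameToken"  # what the service reported as WSEC5509E
    pw = token.find("{%s}Password" % WSSE_NS)
    if pw is None or pw.get("Type") != PASSWORD_DIGEST:
        return "password type not PasswordDigest"
    created = token.findtext("{%s}Created" % WSU_NS)
    if not created:
        return "missing Created"
    nonce = base64.b64decode(token.findtext("{%s}Nonce" % WSSE_NS) or "")
    password = lookup_password(token.findtext("{%s}Username" % WSSE_NS))
    if password is None:
        return "unknown user"
    created_dt = datetime.datetime.strptime(created, TIME_FMT).replace(tzinfo=UTC)
    now_dt = (datetime.datetime.strptime(now, TIME_FMT).replace(tzinfo=UTC)
              if now else datetime.datetime.now(UTC))
    if abs((now_dt - created_dt).total_seconds()) > max_skew:
        return "created outside allowed skew"
    if nonce in seen_nonces:
        return "nonce replayed"
    expected = password_digest(nonce, created, password)
    if not hmac.compare_digest(expected, pw.text or ""):
        return "digest mismatch"
    seen_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    users = {"stephen": "s3cret"}  # constructed sample credential store
    env = build_envelope("stephen", "s3cret")
    print(env)
    seen = set()
    print(verify_username_token(env, users.get, seen))   # ok
    print(verify_username_token(env, users.get, seen))   # nonce replayed
    print(verify_username_token(build_envelope("stephen", "s3cret", with_token=False), users.get, set()))
```

PasswordDigest only hides the password from a passive reader of the message; it does not replace transport security, which is why the thread's later finding (the ICM needs the remote site's CA certificates in STRUST before HTTPS works) still matters for the same call.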
