Flexconnect localauth and centralized auth on same SSID
Hi,
We are trying to set up remote APs in FlexConnect mode and want them set for local auth, while the main site (where the WLC resides) uses central authentication.
The SSID is the same at both sites, and so is the L2 security policy.
thanks,
Alex
Central vs Local authentication is a "per WLAN" configuration, so a single WLAN cannot have APs doing both central and local "authentication". You can keep the auth central, and if your FlexConnect groups are configured properly, your "remote" APs can always "failover/fallback" to using LocalAuth in the event of connectivity loss to the WLC (APs transition to standalone), but you can't explicitly force one or the other on the same WLAN.
Similar Messages
-
Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?
Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and set up a certain configuration. I'm trying to figure out how to create what amounts to a BYOD DMZ'd wireless network that is PEAP based (or TLS) but authenticates known users (employees from AD groups), and for users not found in those AD groups uses the internal user database and/or Web Auth. Make sense?
So, I of course can get the Authentication/Authorization policies configured for PEAP/TLS and map to AD based on group and provide a VLAN number. No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same SSID. I know by reading the ISE statement that if the authentication policy is PEAP/TLS, etc., then a user not found is rejected and does not continue... Can someone provide an example as to how to accomplish this?
As a side note, in 1.2, is there the ability to limit the number of consecutive logins as in ACS, outside of guest access only? What about in 1.3, which makes me nervous to upgrade after reading the instructions and the 'newness' of it.
Thank you for any help, it's greatly appreciated.
I'd like to confirm if the required changes in the VM server were made, as there are a few changes in the ISE OS. The changes required are listed in the release notes, under "VMware Operating System to be Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
Other causes can be: a certificate issue on ISE or not enough disk space.
-
FlexConnect, branch and central site have the same VLANs
Is anyone familiar with a FlexConnect deployment where the same VLANs are in use on the central and branch site?
On both sites the following VLANs are in place:
VLAN 32 = BYOD
VLAN 31 = USER
VLAN 40 = VOICE
On the branch site I want to deploy FlexConnect. When creating the VLAN mapping in the AP configuration, all the VLANs are instantly assigned. For local branch DHCP, ip-helper addresses are configured on the branch switch. When a client connects to the FlexConnect AP it doesn't get an IP address. Suggestions?
Hi Thomas,
On the WLC location, do your clients get an IP? How did you set up the DHCP server: on interface level or DHCP Override?
For the FlexConnect sites:
- enable VLAN Support
- specify the Native VLAN for the AP mgmt VLAN
- add VLAN Mapping: WLAN to the site's VLAN
- finally, configure the switchport accordingly:
switchport mode trunk
switchport trunk native vlan ...
switchport trunk allowed vlan all
-
Multiple Cisco Aironet 1131AG access points and same SSID?
We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch (2560) which is connected to an L3 switch (3550). We assigned one VLAN for access points in the L3 switch, which acts as VTP server (the L2 switch is a VTP client). All APs will have static IP addresses, all will have the same SSID and no security, and they will be using multiple channels (e.g. 1, 6, 11). They will operate in a 3-floor building for roaming wireless clients. We won't be using any wireless controller.
So my question is this: how to configure the APs, all the same with different IPs; can we use the L3 switch to create a DHCP server for the access point VLAN (a pool for clients, and the rest for static IPs for the APs)? Can one of the APs be WDS and at the same time a local RADIUS server with users, without Cisco Secure ACS or a similar controller, or did I not understand this quite well :-). I followed the guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS, where the part about Cisco ACS is a problem, so I can use the same AP as Local Authenticator as in the guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
Many thanks...
Well, just so you know, WDS and local RADIUS authentication are only needed if you're using authentication on your wireless connection. You say you're not planning to use security, so this isn't necessary. However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers. If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname. Configure your static IP addresses on the AP's BVI1 interface. Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface. I hope this helps! Let me know if you need help configuring any of this.
Merry Christmas!
Jeff
-
Centrally Switched and Flex Local Switched WLAN - same SSID
Hi All
I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching. AP and Flex groups have been configured for the HQ and branch sites. There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
My original plan was to do this with one WLAN Profile per SSID, configured to locally switch. The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch. The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs into the relevant local VLAN.
My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
*apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
If someone can verify the above I'd be very grateful.
Many thanks in advance
Mark
Hi Mark
My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in Local mode, all those users' traffic will be centrally switched for the given SSID. At the branch, those APs are in Flex mode, so they will be locally switched.
Pls do not forget to rate our responses if that is useful to you
HTH
Rasika
-
Same SSID both on Local and FlexConnect sites
Hi guys,
I need to deploy identical SSID name and Security mechanism (802.1x with PEAP) on both on Local-mode and FlexConnect APs.
First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs would this generate any issues?
Based on the answer received, what are your recommendations to accommodate this request: deploy an identical SSID name and security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.
When creating a WLAN with the same SSID, follow these guidelines and requirements:
- You must create a unique profile name for each WLAN.
- When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.
- WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:
  - None (open WLAN)
  - Static WEP or 802.1X
    Note: Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
  - CKIP
  - WPA/WPA2
    Note: Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and WPA (Wi-Fi Protected Access)/TKIP (Temporal Key Integrity Protocol) with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.
-
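As an added example (not code from the Cisco documentation quoted above), the following Python check encodes those guidelines over a constructed list of WLAN profiles: it flags duplicate profile names and, for WLANs sharing an SSID, Layer 2 policies a client could not tell apart from beacons and probe responses. Treating WPA and WPA2 as separately advertised and checking per SSID rather than per AP radio are my assumptions.

```python
"""Check that WLANs sharing an SSID advertise distinct Layer 2 policies.

Added example, not from the Cisco guidelines quoted above. It models the
rules stated there over a constructed list of WLAN profiles:
  - every WLAN needs a unique profile name;
  - static WEP and 802.1X set the same privacy bit, so clients cannot
    tell them apart;
  - two WPA/WPA2 WLANs on one SSID are distinguishable only if the key
    management or cipher they advertise differs.
Assumption: WPA and WPA2 are treated as separately advertised (WPA IE vs
RSN IE); the check is done per SSID, not per AP radio.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Wlan:
    profile: str
    ssid: str
    family: str          # none | static-wep | 802.1x | ckip | wpa | wpa2
    cipher: str = ""     # tkip | aes   (wpa/wpa2 only)
    key_mgmt: str = ""   # psk | 802.1x (wpa/wpa2 only)


def beacon_signature(w: Wlan) -> tuple:
    """What a client can see for this WLAN in beacons and probe responses."""
    if w.family == "none":
        return ("open",)
    if w.family in ("static-wep", "802.1x"):
        # Both are advertised by the same privacy bit: indistinguishable.
        return ("privacy-bit",)
    if w.family == "ckip":
        return ("ckip",)
    if w.family in ("wpa", "wpa2"):
        if w.cipher not in ("tkip", "aes") or w.key_mgmt not in ("psk", "802.1x"):
            raise ValueError(f"{w.profile}: WPA/WPA2 needs cipher and key_mgmt")
        return (w.family, w.cipher, w.key_mgmt)
    raise ValueError(f"{w.profile}: unknown L2 policy {w.family!r}")


def check_wlans(wlans: list) -> list:
    """Return a list of problems; an empty list means the set is valid."""
    problems = []
    names = [w.profile for w in wlans]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"profile name {name!r} is used more than once")

    by_ssid = defaultdict(list)
    for w in wlans:
        by_ssid[w.ssid].append(w)
    for ssid, group in by_ssid.items():
        seen = {}  # beacon signature -> first profile that used it
        for w in group:
            sig = beacon_signature(w)
            if sig in seen:
                problems.append(
                    f"SSID {ssid!r}: {seen[sig]!r} and {w.profile!r} both "
                    f"advertise {sig}; clients cannot select between them"
                )
            else:
                seen[sig] = w.profile
    return problems


if __name__ == "__main__":
    # Constructed sample: one allowed pair and one forbidden pair per the notes.
    sample = [
        Wlan("corp-psk", "CORP", "wpa", "tkip", "psk"),
        Wlan("corp-dot1x", "CORP", "wpa", "tkip", "802.1x"),
        Wlan("guest-wep", "GUEST", "static-wep"),
        Wlan("guest-dot1x", "GUEST", "802.1x"),
    ]
    for p in check_wlans(sample):
        print(p)
```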
Hello Experts
We have one WLC 5508 in Building1, a few 2700 Series APs in Building1, and one 1252AG in Building2. The LAN subnet is the same for both Buildings, connected via dark fiber.
My requirement is to have Central Switching in Building1 since the WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic; for both Buildings we already have one VLAN/IP subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
Questions:
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Thanks.
Hi
The LAN subnet is same for both Buildings connected via a dark fiber.
If this is the case there is no need for FlexConnect, as you have enough bandwidth and the same L2 extended in those two buildings. Typically FlexConnect is for branch deployments where WAN link bandwidth is a concern.
Anyway, if you want to do this, here is the answer for your specific queries.
1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
You can have both local switching and central switching available for a given SSID. Only FlexConnect mode APs will do local switching and all Local mode APs will do central switching, though both use the same SSID.
2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
No, if it is a central switching SSID, when the WLC is not available clients won't be able to join this SSID. It does not fall back to local switching.
3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
This is applicable only to FlexConnect mode APs and they always do local switching if that is configured. If the WLC is not reachable the AP will go into "standalone mode" and still do local switching.
4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
Yes, when this option is configured and the WLC is not reachable (but RADIUS is reachable), the AP will act as Authenticator and pass RADIUS messages to the Auth Server directly.
This is a very good Cisco Live presentation you should see, as it describes lots of these features and which WLC codes introduced them.
BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
HTH
Rasika
**** Pls rate all useful responses ****
-
Same wlan both locally switched and centrally switched
Scenario:
1 virtual wireless controller
50 access points, some of them local to the controller (same site), others on remote sites, all in FlexConnect mode.
Is there a way for a WLAN to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
I've tried configuring FlexConnect groups and AP groups, but no luck; I've found no way to override the globally configured flag "flexconnect local switching".
I've also tried to create two identical WLANs, one locally switched and the second globally switched, but the WLC refuses to activate the second one since it has the same SSID as the first one.
Regards,
Massimo.
Since you have a vWLC all APs need to be in FlexConnect mode (if you had a normal WLC you could keep HQ APs in Local mode and remote APs in Flex mode to achieve this).
I think in your case you have to choose either "Central Switching" or "Local Switching" for your APs.
Regards
Rasika
**** Pls rate all useful responses ****
-
I want to use the same SSID in two sites (central y remote)
I have several APs in H-REAP mode; one of them is in a remote location and the others are in the central location. I want to use the same SSID in both locations with different VLANs.
In the central site, I have 3 WLANs (SSIDs) with 3 different VLANs, one each. I enabled local switching on the one SSID that I want to use in the remote site. In the remote location the users can authenticate and everything works fine, but in the central location that SSID doesn't work: the users in the central location cannot authenticate.
It seems that I cannot use the same WLAN (SSID) in both locations with local switching checked.
What can I do?
Many thanks for your help
Look, I have 2 VLAN interfaces (VLAN 252 and VLAN 253) created on the WLC, besides the management VLAN (ID 254), and there are 8 APs installed at the central location; each AP is connected to my core switch through switch ports in mode access vlan 254.
The authentication I have been using is "LOCAL: WPA-WPA2-PSK" in both locations (central and remote). In the remote site, the AP is connected to a Cisco switch through a switch port in mode trunk, and I use VLAN 251. When the local switching feature is activated on the WLC, I can map VLAN 251 (in the remote site) to the SSID I am using in the central site and everything works fine, but in the central location the users can associate to the AP but they cannot receive an IP from the appropriate VLAN.
I don't know what parameter I have to change....
Can you help me?
-
I'm working from a boat in a harbor in which the ISP has deployed numerous access points around the periphery. All the access points share the same SSID and each is configured to use either channel 1, 6 or 11. From my location, there are over a dozen of these access points "visible" (based on the output of WiFi Scanner) with a range of RSSI and S/N values that vary over time.
The ISP has told me that the quality of my connection should be "perfectly fine" for any access point with an RSSI value better than -75, but I know from experience that my connection quality is miserable (i.e. < 50Kbps download) for almost all of these, including those with RSSI values better than -75. There is at least one exception, however, which gives me on the order of 2Mbps download, which is "great" in this context.
I've tried using a more powerful USB antenna plugged into my MacBook Air (mid 2011), but as far as I can tell, it really doesn't make much difference. Neither does my location within the boat. The overriding factor seems to be which access point I happen to connect up to.
I should point out that the closest access points are about 75 yards away, with many of them being several hundred yards away or more. I'm guessing that even though the signal strength of some of the distant access points is causing them to get "chosen" some times, the results are unacceptable due to the distance.
I'm hoping that I can determine, through experimentation, which access point(s) provide(s) acceptable performance and then configure my Mac to limit my connection to those points through whatever mechanism I need to use (e.g. channel, MAC id, etc.).
Establishing a wireless connection with a client computer is left to the access point for various reasons. One reason that your Mac may not connect to the strongest access point is that it may have reached a limit of the number of clients it can serve, leaving it unable to accept a connection with another. The limit may not be very large.
Suppose that happens, and your Mac establishes a connection with a more distant access point having a weaker signal. Then, suppose a client drops off the network. Doesn't this mean your Mac will switch to the stronger access point? Not necessarily. The throughput delivered to and from your Mac would have to drop below a threshold specified in the AP for it to drop the client, leaving your Mac free to connect with another one. The reason for this is to prevent rapid switching from one AP to another in an area in which two signals are of approximately equal quality. If that were to occur the frequent and repetitive handshaking between the two devices would slow throughput to zero.
In an environment in which several access points are broadcasting the same SSID, Apple provides no insight as to how it determines which access point to choose. This is the reason I suspect this "choice" is a function of the router, or access point. The connection originates with it, not the Mac.
Now, what would solve your dilemma would be to determine a way to control the access point with which your Mac connects, by specifying the access point's unique MAC address for example. In this happy circumstance, you could maintain an editable "whitelist" or "blacklist" of the harbor's access points and be able to choose which among them you prefer.
I do not believe OS X maintains such a record of MAC addresses though, only those of the routers it uses. If I am correct about that, such a solution is unlikely to exist. Don't let that discourage you from searching for one though... I would concentrate on something like "selecting access point by specific MAC address".
I did find this patent application though:
Roaming Network Stations Using A Mac Address Identifier To Select New Access Point
Perhaps it's a start
-
The same SSID used at 3 sites and the same vlan for client IP assignment?
we are deploying 5508 controller and LW APs for wireless IP phone 7925G
Controller is installed at site A and there are APs and wireless phones at site B and C as well.
1. can I use the same SSID for all three sites for wireless phones? or have to use 3 distinct SSIDs?
2. If I can use the same SSID, can I associate one subnet e.g 10.10.131.0/24 for wireless IP phones at 3 sites? (our Cisco UCM is fine with this)
3. if I have use 3 distinct SSIDs, do I have to assign three subnets for IP phones at three sites?
thanks for the help!
Eric
Yes.. this is done by H-REAP mode.. the below link will help you out!!
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
That is, by default the WLAN will get pushed to all APs.. so if you have a single WLAN then this will broadcast the SSID and the remote site clients will connect to it..
Lemme know if this answered your question!!
Regards
Surendra
-
Central NetWeaver Installation and DB Instance on same host?
Hi all,
Would like to ask a question about NetWeaver installation.
If I choose central installation, means Central Service Instance, DB Instance and Central Instance will be on the same host, but can my DB, say SQL Server reside on separate host?
If not, is it correct that I have to choose distributed installation? So if distributed installation, can I install the Central Service instance and Central instance on one host, and the DB instance and SQL Server on another host?
Thanks,
Kelvin
Hi KL:
You can get this answer directly from the Installation Guides.
You can download the installation guides for NetWeaver under: https://service.sap.com/instguides
Hope this helps!
Regards,
Federico G. Babelis
NetWeaver Certified Consultant
http://www.gazum.com
-
AP groups with same vlans , same ssid but different subnet.
Hi Members,
I have a Cisco Flex 7500 in my datacenter and I need to connect 100 sites, each site with 2-3 APs; each site has its own network and is independent of the other sites, and the sites only need to communicate locally and do not need to access any centralized applications.
I am trying to achieve this by creating 100 different AP groups and assigning 2-3 APs to each group for each branch. I will achieve WAN failover resiliency by creating FlexConnect groups. The issues I am facing are as below.
1. Since all the sites have the same setup, the APs and clients on all sites are in VLAN 2, so when I try to create 2 or more AP groups with the same VLAN, it restricts me from doing so; I cannot create different AP groups mapped to the same VLAN.
2. If I keep the APs and clients in the same subnet, I don't think it should be a problem, but I need your second opinion.
To give you an even better picture, look at the topology enclosed; my question is, if both STAFF and STUDENT APs are in the same VLAN but in 2 different broadcast domains, how would I create the AP groups.
Thank you
Thanks for the reply Jenn, here is my situation.
I have 2 sites, let's say site A in Virginia, site B in Maryland.
Site A - 10.1.1.0/24 - vlan 2
         10.1.2.0/24 - vlan 3
         10.1.3.0/30 - WAN to central site where the controller sits
Site B - 10.2.1.0/24 - vlan 2
         10.2.2.0/24 - vlan 3
         10.2.3.0/30 - WAN to central site where the controller sits
Both sites will have a single SSID "XYZ" and will switch locally only.
In my understanding the way I will deploy this is as below:
1. I will create a WLAN with SSID "XYZ".
2. I will create 2 AP groups, let's say "Site-A" and "Site-B".
3. I will map the APs in site A to AP group "Site-A" and the APs in site B to "Site-B".
4. I will create 2 dynamic interfaces, one for each AP group. Now this is where I am facing a problem: when I am creating dynamic interfaces, I need to specify the subnet and VLANs, and since the VLANs used are the same on both sites, it's not letting me create 2 interfaces with the same VLAN ID.
In my understanding H-REAP is mainly used for WAN failover and local authentication, so I am not concerned about that right now; my primary goal is to understand AP groups and how they work.
If you still need screenshots let me know, I will have to go to the site.
Also validate if my thinking is right on the 4 steps I have mentioned above; I am new to wireless and whatever I have learned, I have learned in the last 10 days.
Appreciate your help.
Thank you
-
Hi All,
It seems you can't use SharePoint Designer 2010 to open a site if you have both forms and Windows Auth selected.
Is there any way around this if i want to use the 2 at the same time?
How does this work with SharePoint 2013 as i would be doing some migrations?
Cheers in Advance
Hi,
As I understand, you encountered the issue after you selected both FBA and Windows Authentication at the same time.
In my test, I can open the SharePoint 2010 site using FBA and Windows Authentication with SharePoint Designer 2010. When you first open the site, you will get a dropdown menu where you can choose between the 2 authentication mechanisms.
After you choose one of them, you can open the site.
https://onedrive.live.com/redir?resid=40B702A9FB117DD!136&authkey=!ABtMg5n3OtPakCg&v=3&ithint=photo%2cPNG
When I open the SharePoint 2013 site using FBA and Windows Authentication with SharePoint Designer 2013, I also get a dropdown menu where I can choose between the 2 authentication mechanisms. I can open the site after I choose one of them.
So I think there are some other reasons to cause the issue.
Check these things below:
1. Check if you have the permission to open the site in SharePoint Designer (Site Permission > Permission Level in ribbon > Click the permission level you belong to > Ensure Use Remote Interfaces is selected).
2. Check if you have enabled SharePoint Designer to open the SharePoint site (select the web application hosting the site collection using FBA and Windows authentication > Central Administration website > General Application Settings > SharePoint Designer > ensure Enable SharePoint Designer is selected).
3. Is there any error when you open the site in SharePoint Designer? If there are any errors, could you please provide it here for further research?
More references:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/2a3c022c-f924-4b38-be02-5c5ac7a2927e/cannot-open-sharepoint-site-using-sharepoint-designer-2010-get-a-popup-with-4-possible-causes?forum=sharepointgeneralprevious
https://social.msdn.microsoft.com/Forums/office/en-US/19628c53-fde2-44b0-806c-64f67263c931/cant-open-sharepoint-site-with-sharepoint-designer-2010?forum=sharepointcustomizationprevious
Best regards
Sara Fan
TechNet Community Support
-
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our physical "Cisco Wireless Controller", with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA, but when we try to get to a website we never reach the WEB AUTH page.
What I tried so far is:
- added a DNS host name to the virtual interface and assigned it to our internal DNS server: the DNS name was resolving but we were unable to ping 1.1.1.1
- changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry: the DNS name resolved but we still could not ping 2.2.2.2 (I think this is normal)
- changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry: same result
I've attached some screenshots of our configuration.Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these
troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck
DHCP Required
on the WLAN and
give the wireless client a static IP address. This assumes association with the access point. Refer to
the
IP addressing issues
section of
Troubleshooting Client Issues in the Cisco Unified Wireless
Network for troubleshooting DHCP related issues
1.
On WLC versions earlier than 3.2.150.10, you must manually enter
https://1.1.1.1/login.html
in
order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
connects to a WLAN configured for web authentication, the client obtains an IP address from the
DHCP server. The user opens a web browser and enters a website address. The client then performs
the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
authentication login page.
2.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
Windows, choose
Start > Run
, enter
CMD
in order to open a command window, and do a nslookup
www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a nslookup www.cisco.com" and see if the IP
address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is
http://198.133.219.25)
♦
Try to directly reach the controller's webauth page with
https:///login.html. Typically this is http://1.1.1.1/login.html.
♦
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
be a certificate problem. The controller, by default, uses a self−signed certificate and most web
browsers warn against using them.
3.
For web authentication using customized web page, ensure that the HTML code for the customized
web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For
example, for the 4400 controllers, choose
Products > Wireless > Wireless LAN Controller >
Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
Bundle−1.0.1
and download the
webauth_bundle.zip
file.
These parameters are added to the URL when the user's Internet browser is redirected to the
customized login page:
4.
ap_mac The MAC address of the access point to which the wireless user is associated.
♦
switch_url The URL of the controller to which the user credentials should be posted.
♦
redirect The URL to which the user is redirected after authentication is successful.
♦
statusCode The status code returned from the controller's web authentication server.
♦
wlan The WLAN SSID to which the wireless user is associated.
♦
These are the available status codes:
Status Code 1: "You are already logged in. No further action is required on your part."
♦
Status Code 2: "You are not configured to authenticate against web portal. No further action
is required on your part."
♦
Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
already logged into the system?"
♦
Status Code 4: "You have been excluded."
♦
Status Code 5: "The User Name and Password combination you have entered is invalid.
Please try again."
♦
All the files and pictures that need to appear on the Customized web page should be bundled into a
.tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
Authentication Configuration Example for more information on how to create a customized web
authentication window.
Note:
Files that are large and files that have long names will result in an extraction error. It is
recommended that pictures are in .jpg format.
5.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
Other browsers may or may not work.
6.
Ensure that the
Scripting
option is not blocked on the client browser as the customized web page on
the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
7. If you have a host name configured for the virtual interface of the WLC, make sure that DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
8. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
9. Depending on the network topology/solution, a firewall can be placed between the client and the web-auth server. For each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall:
Protocol                                   | Port
-------------------------------------------|---------------------------------------------------------------
HTTP/HTTPS traffic                         | TCP port 80/443
CAPWAP data/control traffic                | UDP port 5247/5246
LWAPP data/control traffic (before rel 5.0)| UDP port 12222/12223
EOIP packets                               | IP protocol 97
Mobility                                   | UDP port 16666 (non-secured), UDP port 16667 (secured IPsec tunnel)
10. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
11. Disable the Proxy Settings on the client browser until web authentication is completed.
12. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
13. Update the hardware driver on the computer to the latest code from the manufacturer's website.
14. Verify settings in the supplicant (program on laptop).
15. When you use the Windows Zero Config supplicant built into Windows:
♦ Verify user has latest patches installed.
♦ Run debugs on supplicant.
16. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window (Start > Run > CMD):
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
17. If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
18. Collect these debugs as well:
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request:
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet