Flexconnect localauth and centralized auth on same SSID

Similar Messages

• Cisco ISE 1.2 AD Auth and Internal Auth on Same SSID?

  Hello everyone... I'm fairly new to Cisco ISE 1.2 and am looking to try and setup a certain configuration.  I'm trying to figure out how to create what amounts to a BYOD dmz'd wireless network that is PEAP based (or tls) but authenticates known users (employees from AD groups) but for users not found in those AD groups uses the internal user database and/or Web Auth?  Make sense?
  So, I of course can get the Authentication/Authorization policies configured for PEAPTLS  and make to AD based on group and provide a VLAN number.  No problem... I'm having trouble wrapping my head around how to combine the internal users or web auth users in this mix on the same ssid?  I know by reading the ISE statement that the authentication policy if PEAP/TLS, ect is used, then a user not found is rejected and does not continue...  Can someone provide an example as to how to accomplish this?  
  As a side note in 1.2, is there the ability to limit the number of consective logins as in ACS, outside of guess access only? What about in 1.3, which makes me nervous to upgrade in reading the instructions and the 'newness' of it.
  Thank you for any help, it's greatly appreciated.

  I'd like to confirm if the required changes in the VM server were
  made, as there are a few changes in the ISE OS. The changes required are
  listed in the release notes, under "VMware Operating System to be
  Changed to RHEL 5 (64-bit)". Here's a direct link to the relevant section:
  http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp384531
  Other causes can be :-
  certificate issue on ISE or not enough disk space.

• Flexconnect, branch and central site have same VLAN's

  Is anyone familiar with a flexconnect deployment where on the central and branch site the same VLAN's are in use?
  On both sites the following VLAN's are in place:
  VLAN 32 = BYOD
  VLAN 31 = USER
  VLAN 40 = VOICE
  On the branch site I want to deploy Flexconnect. When creating the VLAN mapping in the AP configuration all the VLAN's are instantly assigned. For local branch DHCP ip-helper addresses are configured on the branch switch. When a client connects to the Flexconnect AP it doesn't get an IP address. Suggestions?

  Hi Thomas,
  On the WLC location, your clients get IP? How did you setup the DHCP Server: on interface level or DHCP Override?
  For the FlexConnect sites:
   - enable Vlan Support?
   - specify Native Vlan for the AP mgmt Vlan
   - add Vlan Mapping: Wlan to sites's Vlan
   - finally: configure accordingly the switchport:
   switchport mode trunk
   switchport trunk native vlan ...
   switchport trunk allowed vlan all

• Multiple Cisco Aironet 1131AG access points and same SSID?

  We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
  So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
  Many thanks...

  Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
  As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
  And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.
  Merry Christmas!
  Jeff

• Centrally Switched and Flex Local Switched WLAN - same SSID

  Hi All
  I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
  We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
  My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
  *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
  My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
  If someone can verify the above I'd be very grateful.
  Many thanks in advance
  Mark

  Hi Mark
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  When you configure an SSID for local switching, it is only applicable if AP in Flexconnnect mode. So as long as your HQ APs are in Local mode then all those users traffic will be central switch for the given SSID. At branch those AP are in Flex mode, they will locally switched.
  Pls do not forget to rate our responses if that is useful to you
  HTH
  Rasika

• Same SSID both on Local and FlexConnect sites

  Hi guys,
  I need to deploy identical SSID name and Security mechanism (802.1x with PEAP) on both on Local-mode and FlexConnect APs.
  First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs would this generate any issues?
  Based on the answer receive what are your recommendations to accommodate this request: deploy identical SSID name and Security mechanism (802.1x with PEAP) on both on Local-mode and FlexConnect APs.

  When creating a WLAN with the same SSID,
  follow these guidelines and requirements:
  You must create a unique profile name for each WLAN.
  When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a
  unique Layer 2 security policy so that clients can safely select between them.
  WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a
  WLAN selection based on information advertised in
  beacon and probe responses. The available Layer 2
  security policies are as follows:
  None (open WLAN)
  Static WEP or 802.1X
  Note
  Because static WEP and 802.1X are both advertised by the same bit in beacon and probe
  responses, they cannot be differ
  entiated by clients. Therefore,
  they cannot both be used by
  multiple WLANs with the same SSID.
  CKIP
  WPA/WPA2
  Note
  Although WPA and WPA2 cannot be used by mul
  tiple WLANs with the same SSID, you can
  configure two WLANs with the same SSID with WPA/TKIP with PSK and WPA (Wi-Fi
  Protected Access) /TKIP (Temporal Key Integrity Protocol) with 802.1X, respectively, or
  with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.

• Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

  Hello Experts
  We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
  My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
  Questions:
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Thanks.

  Hi
  The LAN subnet is same for both Buildings connected via a dark fiber.
  If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
  Anyway if you want to do this & here is the answer for your specific queries.
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
  This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
  BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Same wlan both locally switched and centrally switched

  Scenario:
  1 virtual wireless controller
  50 access points, some of them some local to the controller (same site), other on remote sites, all in flexconnect mode.
  Is there a way for a wlan to be locally switched for a group of ap's, essentialy those local to the controller, and centrally switched for other groups of ap's, in fact those placed on remote sites?
  I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "flexconnec local switching".
  I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same ssid of the first one.
  Regards,
  Massimo. 

  Since you have vWLC all AP needs to be in FlexConnect mode (If you got a normal WLC you can keep HQ AP in local mode & Remote AP in Flex mode to achieve this)
  I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
  Regards
  Rasika
  **** Pls rate all useful responses ****

• I want to use the same SSID in two sites (central y remote)

  I have several AP in H-REAP mode, one of them is in a remote location anthe other are in the central location. I want to use the same SSID in both locations with differents VLANS.
  In the central site, i have 3 WLANS (SSID) whit 3 different VLAN  eachother. I put the local swicthing in one SSID that I want to use in the remote site. In the remote location the users can authenticate and everything works fine but in the central location that SSID doesnt work, the user in the central location can not authenticate.
  It seems that i can not use the same WLAN (SSID) and use it en both locations checking the local switching.
  What can i do?
  Many thanks for your help

  Look I have 2 two VLANs Interfaces (vlan 252 & Vlan253) created on WLC, beside the management VLAN (ID 254), and there are 8 AP´s installed at the central location, each AP has been connected to my CORE Switch through switch ports mode Access vlan 254.
  th aeuthentitcation i have been used is "LOCAL: WPA-WPA2-PSK" in both locations (Central and remote). In the remote sites, tha AP is connected to a cisco switch through switch port mode trunk, and I use VLAN 251. When the local switching  feature is activeted on WLC, I can map the VLAN 251 (in te remote site) to the SSID I am using inthe central site and everything works fine but in the central locations the user can associste to he AP but they can not receive IP from the appropiate VLAN.
  I don t know what parameter have to change....
  Can you helpme?

• Is there any way I can control which specific access point I connect (and stay connected) to from amongst a set of access points with the same SSID?

  I'm working from a boat in a harbor in which the ISP has deployed numerous access points around the periphery.  All the access points share the same SSID and each is configured to use either channel 1, 6 or 11.   From my location, there are over a dozen of these access points "visible" (based on the the output of WiFi Scanner) with a range of RSSI and S/N values that vary over time.
  The ISP has told me that the quality of my connection should be "perfectly fine" for any access point with an RSSI value better than -75, but I know from experience that my connection quality is miserable (i.e. < 50Kbps download) for almost all of these, including those with RSSI values better than -75.  There is at least one exception, however, which gives me on the order of 2Mbps download, which is "great" in this context.
  I've tried using a more powerful USB antenna plugged into my MacBook Air (mid 2011), but as far as I can tell, it really doesn't make much difference.  Neither does my location within the boat.   The overriding factor seems to be which access point I happen to connect up to.
  I should point out that the closest access points are about 75 yards away, with many of them being several hundred yards away or more.  I'm guessing that even though the signal strength of some of the distant access points is causing them to get "chosen" some times, the results are unacceptable due to the distance.
  I'm hoping that I can determine, through experimentation, which access point(s) provide(s) acceptable performance and then configure my Mac to limit my connection to those points through whatever mechanism I need to use (e.g. channel, MAC id, etc.).

  Establishing a wireless connection with a client computer is left to the access point for various reasons. One reason that your Mac may not connect to the strongest access point is that it may have reached a limit of the number of clients it can serve, leaving it unable to accept a connection with another. The limit may not be very large.
  Suppose that happens, and your Mac establishes a connection with a more distant access point having a weaker signal. Then, suppose a client drops off the network. Doesn't this mean your Mac will switch to the stronger access point? Not necessarily. The throughput delivered to and from your Mac would have to drop below a threshold specified in the AP for it to drop the client, leaving your Mac free to connect with another one. The reason for this is to prevent rapid switching from one AP to another in an area in which two signals are of approximately equal quality. If that were to occur the frequent and repetitive handshaking between the two devices would slow throughput to zero.
  In an environment in which several access points are broadcasting the same SSID, Apple provides no insight as to how it determines which access point to choose. This is the reason I suspect this "choice" is a function of the router, or access point. The connection originates with it, not the Mac.
  Now, what would solve your dilemma would be to determine a way to control the access point with which your Mac connects, by specifying the access point's unique MAC address for example. In this happy circumstance, you could maintain an editable "whitelist" or "blacklist" of the harbor's access points and be able to choose which among them you prefer.
  I do not believe OS X maintains such a record of MAC addresses though, only those of the routers it uses. If I am correct about that, such a solution is unlikely to exist. Don't let that discourage you from searching for one though... I would concentrate on something like "selecting access point by specific MAC address".
  I did find this patent application though:
  Roaming Network Stations Using A Mac Address Identifier To Select New Access Point
  Perhaps it's a start

• The same SSID used at 3 sites and the same vlan for client IP assignment?

  we are deploying 5508 controller and LW APs for wireless IP phone 7925G
  Controller is installed at site A and there are APs and wireless phones at site B and C as well.
  1. can I use the same SSID for all three sites for wireless phones? or have to use 3 distinct SSIDs?
  2. If I can use the same SSID, can I associate one subnet e.g 10.10.131.0/24 for wireless IP phones at 3 sites? (our Cisco UCM is fine with this)
  3. if I have use 3 distinct SSIDs, do I have to assign three subnets for IP phones at three sites?
  thanks for the help!
  Eric

  yes.. this is done by HREAP mode.. the below link will help you out!!
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
  That is, by default the WLAN will get pushed to all APs.. so if you have a single wlan then this will broadcast the SSID and the remotre site clients will connect to it..
  Lemme know if this answered your question!!
  Regards
  Surendra

• Central NetWeaver Installation and DB Instance on same host?

  HI all,
  Would like to ask a question about NetWeaver installation.
  If I choose central installation, means Central Service Instance, DB Instance and Central Instance will be on the same host, but can my DB, say SQL Server reside on separate host?
  If not, is it correct that I have to choose distributed installation? So if distributed installation, can I install Central Service instance and Central intance on one host, and DB instance and SQL Server on another host?
  Thanks,
  Kelvin

  Hi KL:
  You can get this answer directly from the Installation Guides.
  You can download the installation guides for NetWeaver under: https://service.sap.com/instguides
  Hope this helps!
  Regards,
  Federico G. Babelis
  NetWeaver Certified Consultant
  http://www.gazum.com

• AP groups with same vlans , same ssid but different subnet.

  Hi Members,
  I have a Cisco Flex 7500 in my datacenter and I need to connect 100 sites , each site with 2-3 APs , each side has its own network and is independent of other sites , the site only need to comunity locally and do not need to access any centralized applications.
  I am trying to achieve this by Creating 100  different AP groups and assiging 2-3 AP in each groups for each branch, I will achieve WAN failover resiliency by creating flexconnect groug , the issue I am facing are as below .
  1.Since all the sites has same setup , the AP and clients on all sites are in vlan 2 , so when I try to create 2 or more AP group with same vlan, it restricts me of doing so , I cannot create diffrent AP groups mapped to same Vlan .
  2.If I keep the APs and Clients in the same subnet , I dont think it should be a problem , but I need your second opinion.
  to give you an even better picture , look at the topology enclosed , and my question is if both STAFF and STUDENT APs are in same vlan but in 2 different broadcast domain , how would I create the AP groups.
  Thank you

  Thanks for the reply Jenn , here is my situation.
  I have 2 sites lets day , site A in virginia ,  site B in Maryland.
  SiteA - 10.1.1.0/24 - vlan 2
             10.1.2.0/24 - vlan 3
             10.1.3.0/30 - WAN to central site where controller sits.
  SiteB - 10.2.1.0/24 - vlan 2
             10.2.2.0/24 - vlan 3
             10.2.3.0/30 - WAN to central site where controller sits.
  both the sites will have a single ssid "XYZ" and will switch locally only.
  howin my understanding the way I will deploy this is as below
  1.I will create WLAN with ssid "XYZ".
  2.I will create 2 AP groups lets say "Site-A" and "Site-B"
  3.I will map the APs in site A to AP group "Site-A" and APs in Site B to "Site-B"
  4.I will create 2 dynamic interfaces one for each AP group , now this is where I am facing problem , when I am creating dynamin interfaces , I need to specify the subnet and vlans when creating dynamic interfaces , since the vlans used is same on both sites , its not letting me create 2 interfaces with same vlan id.
  in my understanding HREAP is only majorly used for WAN failover and local authentication so I am not concerned about that right not , my prime work is to udnerstand the AP group and working.
  if you still need print shot let me know I will have to go at site.
  also validate if my thinking is right on the 4 steps I have mentioned above , I am new to wireless and whatever I have learned I have learned in last 10 days .
  Appreciate your help.
  Thank you

• No access with SP Designer 2010 after change to FBA and Windows at the same time - Does this work with SP 2013

  Hi All,
       It seems you can't use SharePoint Designer 2010 to open a site if you have both forms and Windows Auth selected.
  Is there any way around this if i want to use the 2 at the same time?
  How does this work with SharePoint 2013 as i would be doing some migrations?
  Cheers in Advance

  Hi,
  As I understand, you encountered the issue after you selected both FBA and Windows Authentication at the same time.
  As I test, I can open the SharePoint 2010 site using FBA and Windows Authentication by SharePoint designer 2010. When you open the site first,
  you will get a dropdown menu where you can choose between the 2 authentication mechanisms.
  After you choose one of them, you can open the site.
  https://onedrive.live.com/redir?resid=40B702A9FB117DD!136&authkey=!ABtMg5n3OtPakCg&v=3&ithint=photo%2cPNG
  When I open the SharePoint 2013 site using FBA and Windows Authentication by SharePoint designer 2013, I also get
  a dropdown menu where I can choose between the 2 authentication mechanisms. I can open the site after I choose one of them.
  So I think there are some other reasons to cause the issue.  
  Check these things below:
  1. Check if you have the permission to open the site in SharePoint designer (Site Permission > Permission Level in ribbon > Click the permission you belongs to > Ensure Use Remote Interfaces is selected).
  2. Check if you have enabled the SharePoint designer to open the SharePoint site. (Select the web application hosting the site collection using the FBA and windows authentication >Central Administration website > General Application
  Settings > SharePoint Designer > ensure Enable SharePoint Designer
   is selected).
  3. Is there any error when you open the site in SharePoint Designer? If there are any errors, could you please provide it here for further research?
  More references:
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/2a3c022c-f924-4b38-be02-5c5ac7a2927e/cannot-open-sharepoint-site-using-sharepoint-designer-2010-get-a-popup-with-4-possible-causes?forum=sharepointgeneralprevious
  https://social.msdn.microsoft.com/Forums/office/en-US/19628c53-fde2-44b0-806c-64f67263c931/cant-open-sharepoint-site-with-sharepoint-designer-2010?forum=sharepointcustomizationprevious
  Best regards
  Sara Fan
  TechNet Community Support

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet