Guest access web authentication issue
Hello experts-
We have a problem concerning secure guest access. One controller 4402 is installed in the DMZ and is working as the guest anchor WLC. The guest user terminates at this anchor WLC. From this controller the client gets an IP address, but when the user opens the browser and enters a URL like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via the web browser, the authentication page is not shown. Proxy settings in the browser are deactivated. DNS works; if no authentication is configured, Internet access works well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
Has anybody any ideas?
Thanks a lot, Martin
First of all, when you configure the WLAN to open, do you see that device on the anchor controller or the foreign WLC? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor WLC. Verify that the SSID has the mobility anchor configured. Also you must make sure that your SSID on the foreign and on the anchor WLC. The webauth page will need to be installed on the anchor WLC along with the 3rd party certificate if you use one.
Similar Messages
-
We have Cisco Wireless with ISE (Identity Services Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest tries to browse the Internet, they are redirected to the guest portal for authentication. So only corporate guests with a valid password can pass the portal authentication. This has been working fine for Windows machines, Android, and Apple devices with earlier OS versions (working on OSX 10.8.5). Clients that have been upgraded to OSX 10.10.1 or iOS 8 can no longer load the CWA redirection page.
Please let us know if there's any setting under OSX to solve the issue, or a plan from Apple to fix the issue in the next OSX/iOS release?
thanks - ciscosx
Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Self Registration Guest Access
This is a complete newbie question, but I can't seem to find the answer in any of the technical pages. We would like to set up a guest access point for visitors to our business, but we would like to require them to self register the first time they use the facility. I know that the WAP321 allows guest access and authenticated users, but can't discover if it will allow first time users to register for access.
Can anyone advise? If not, can you suggest a product that does?
Thanks
Peter
Hi Peter, thank you for using our forum, my name is Luis and I am part of the Small Business Support community. I am glad to assist you with your configuration, but I don't quite understand what you mean by "self-register the first time they use the facility".
Captive Portal allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. The database can be stored locally on the WAP device or on a RADIUS server. But this feature will always request authentication in order to provide access.
You could see more details about Captive Portal in the admin guide in page 143.
Also here you will see some steps to configure it, if this feature works for you.
Please let me know if you find this answer useful,
Greetings,
Luis Arias.
Cisco Network Support Engineer. -
WEB Authentication Certificate on WLC4400 - Guest Access
I need to know if there is a debug command to troubleshoot a Web Authentication Certificate issue for Guest Access. I'm currently troubleshooting an issue to verify if our Anchor controller is passing redirects to our web server. Any advice would be appreciated.
This is on a WLC4404 Controller.
Is the redirect URL configured with a name or an IP address? If it is a name, make sure there are no issues getting DNS resolution of the name.
The best troubleshooting method I can recommend is using a sniffer to capture the traffic at the anchor controller towards the webserver to see if the traffic passes to the webserver. -
Anchor Guest 3.2.171.6 Web Authentication page issue
Hi folks,
I'm having issues with our Anchor controller here running 3.2.171.6. We are using a chained certificate for our Web authentication redirect page to a web server. Sometimes the guest clients are not redirected to the Web authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the IPsec VPN module. Any ideas would be appreciated.
You need to try to find a non-chained certificate. I know that most CAs do not use these anymore, but you need to find one. The WLC does not support chained certificates until 5.2. It may work, but it is not supported.
HTH,
Steve -
External Web authentication server for Guest access
I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
Cisco talks about how to set up the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or give examples.
I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user: name, email, purpose of using the WLAN, and some background info they don't see, like computer name and MAC address. This is all for tracking purposes.
Hotels do this type of web authentication for example.
Any help would be great.
Hi Patrick,
I'm having the same problem here. I configured my WLC to redirect the login page to a web server, but I don't know how to configure the web server to send the credentials back to the WLC. Were you able to solve this problem?
thanks!
Claudio -
Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth
I am not able to test this.
Has anybody configured the CUWN guest access with WPA PSK at layer 2 and Web authentication at layer 3?
If so, are there any problems that I should expect?
Mark
Mark,
I have set up wireless in two other companies related to Rail... The biggest issue will be who will support the guest users and whether they will take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a DMZ or a separate Internet connection. Will DHCP release the address... Not right away. You can play around with the lease time and see if your laptop keeps getting the same address or one higher. If the issue is with DHCP being used up from association, then don't broadcast the SSID and have the receptionist hand out the SSID with username and password. My clients use a default username and password but change that every week. They seem to prefer that over changing it every day or having a username/password for every guest user. They use WCS to print out the guest credentials. Again, the network team has the receptionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.
Hope this helps. -
ISE 1.2 Guest Access for EAP(Dot1x) Authentication
Hi.
I want to use encryption for guest access.
In order to use "RADIUS-NAC" on the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
(Specification of the WLC)
With "Open + MAC", by returning the "Session-Timeout" attribute from ISE at the time of "Web Authentication", I was able to forcibly disconnect the radio.
(The attribute is the same value as the time the guest user can use (ISE TimeProfile).)
If a wireless terminal connects after being forcibly disconnected, once the Web authentication screen is displayed you cannot log in.
(Because the account has been revoked)
I want to make this environment dot1x as well.
However, with dot1x it becomes the "re-authentication time", so as long as the terminal is connected to the radio, it is not cut.
In addition, even with the setting "Attribute Termination-Action = Default", it does not return to Web authentication.
(Status of the WLC remains "Auth Yes")
(Session of the ISE remains "Started")
Using (EAP) dot1x, can I have the client "forcibly disconnected" "to match the TimeProfile time" in the same way as with "Open + MAC"?
Thank you.
Note:
Cisco ISE:Version1.2.0.899-8
Cisco WLC(5508):Version 7.6.120 -
NAC GUEST SERVER CANNOT ACCESS WEB CONSOLE
Hello,
I have a NAC guest server. I can access the CLI but cannot access the web console. I used both https://<ip address>/admin and http://<ip address>/admin. Please, what could be the solution to this issue?
Thank you and best regards.
Edwin
Edwin,
Are the various necessary services running on that server? Post the output of following commands:
ps auwwwx
chkconfig --list
service httpd status
service postgresql status
Faisal -
WCS and Guest account / limited usage web authentication
Here is my problem. I need to be able to limit my AD users to 10 minutes of access to the WLAN. I see you can do this for guest accounts, but you have to manually enter a username and password. I would like the web authentication to use our ACS, which is tied in to our AD. Is there a way to do this?
Weterry,
Here is the whole story. I have a bookstore that is going to have "Demo" PCs for students to buy. They want to show the Internet on these devices, but our security guy requires all users to log on. I was hoping to find a way to let users log on quickly to test these devices.
I have already figured out the web auth and that's a great feature, but you have to manually enter each user. If I could get that to use AD and limit each to 10 min that would be great. I would like to set up an SSID for the demo devices and limit users to 10 min.
I have 2 WiSM controllers running 6.0 and also have WCS.
Thanks
Chappy -
Just recently I am getting the following error message when trying to access web sites. I am using Firefox browser version 10.0.2. I get a pop-up window stating "Exc in ev handl: TypeError: c.location is null" as the web site page is being displayed in the browser window. Then I have to click OK. It doesn't matter what web link/site I go to, it happens. Is it an issue with some plug-in?
I have advised McAfee's product team of the problem and this thread, and they're looking into it now.
-
How do I disable guest access in the advanced web controls? E2000
Due to Cisco Connect not connecting and my router having some problems, I have reset it and gone straight into the advanced web control panel. I have everything set up and running, but I see no way to turn off guest access. I do not want any "guests" to be able to access my E2000 router; how do I disable that in the advanced web control panel?
sabertooth is correct. The Guest network is managed by Cisco connect software only.
You can reset the router and reconfigure it manually.
Press and hold the reset button on the router for 30 seconds. Release the reset button and wait for 30 seconds. Power cycle the router and reconfigure it manually. -
Wireless Client Authentication issues when roaming Access Points (Local)
I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
There are a handful of clients that when roaming between AP's with the same SSID that get an authentication issue and have to restart the wireless to get back on.
From Cisco ISE
Event
5400 Authentication failed
Failure Reason
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause
While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I am having a hard time figuring out what is causing this. My assumption is that if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is that if the client had a problem with their laptop (Windows 7), then why does it work at other times? So I have checked, and the ISE certificate is trusted by the client.
Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
I also had this from Splunk for the same client:
Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
Any help on this would be appreciated. These error messages give me an idea but don't give me the exact answer to why the problem occurred and what needs to be done to fix it.
Thanks
Further detail from ISE for the failure:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject -
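The step trace above can be reduced mechanically to the facts that matter for triage. The following Python is an added example, not from the post or from Cisco: it parses a constructed excerpt of the ISE step codes quoted above, locates the server Certificate message and the 11514 failure step, and maps that pattern to the checks named in the ISE resolution text. The trace excerpt and the function names are the example's own.

```python
import re

# Constructed excerpt of the ISE step trace quoted in the post above: the codes
# and descriptions are ISE's own, with the repeated PEAP challenge rounds trimmed.
SAMPLE_TRACE = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(\S.*?)\s*$")


def parse_steps(text):
    """Return [(code, description), ...], one entry per step line in the trace."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def summarize_handshake(steps):
    """Reduce the step sequence to the facts worth checking for this failure."""
    codes = [c for c, _ in steps]
    method = "PEAP" if 12318 in codes else ("EAP-TLS" if 12500 in codes else "other")
    cert_idx = codes.index(12807) if 12807 in codes else None
    fail_idx = next((i for i, c in enumerate(codes) if c in (11514, 12512)), None)
    rounds_after_cert = 0
    if cert_idx is not None:
        end = fail_idx if fail_idx is not None else len(codes)
        # Client round-trips between the server's Certificate message and the failure.
        rounds_after_cert = codes[cert_idx:end].count(12304)
    return {
        "eap_method": method,
        "server_cert_sent": cert_idx is not None,
        "client_rounds_after_cert": rounds_after_cert,
        "failure_code": codes[fail_idx] if fail_idx is not None else None,
        "rejected": 11003 in codes,
    }


def triage(summary):
    """Turn the summary into the check the ISE resolution text points at."""
    if summary["failure_code"] == 11514 and summary["server_cert_sent"]:
        return ("client went silent after the ISE server certificate: confirm the "
                "supplicant trusts the signing CA and rule out known supplicant quirks")
    if summary["failure_code"] == 11514:
        return "empty TLS message before any server certificate: inspect the supplicant"
    return "no empty-TLS failure in this trace"
```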
1801W wireless (guest access) config issues
Trying to setup wireless on 1801w ISR. Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
Trying to setup wireless "guest" access with Internet access only (no access to LAN).
Wireless will not come up. Dot11Radios show "reset/down".
Below is the wireless config and a couple of troubleshooting commands as well:
dot11 ssid open
vlan 2
authentication open
====================================================
!(Sets up DHCP and excluded addresses.)
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.25.1 172.16.25.99
ip dhcp excluded-address 172.16.25.116 172.16.25.255
ip dhcp pool open
import all
network 172.16.25.0 255.255.255.0
default-router 172.16.25.1
dns-server 4.2.2.1 4.2.2.1
lease 3
====================================================
(Turned on integrated routing and bridging.)
bridge irb
====================================================
(Wireless radio interface config.)
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
encryption vlan 2 mode wep optional
!---(SSID is given as "open")
ssid open
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description LAN
ip address 192.168.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan2
description Wireless VLAN
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly
bridge 1 protocol ieee
bridge 1 route ip
====================================================
Verifying...
RTR#sho dot11 associations
802.11 Client Stations on Dot11Radio1:
802.11 Client Stations on Dot11Radio0:
SSID [open] : DISABLED, not associated with a configured VLAN
====================================================
RTR#sho ip int brief
Dot11Radio0 unassigned YES NVRAM reset down
Dot11Radio0.1 unassigned YES unset reset down
Dot11Radio1 unassigned YES NVRAM reset down
Your ssid is configured in vlan 2.
But you forgot to configure dot11radio0.2 with "encapsulation dot1q 2" under it.
That should allow the radio to broadcast the ssid.
Nicolas
===
Don't forget to rate answers that you find useful -
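A check for exactly this misconfiguration, as an added example that is not part of the thread: the Python below parses a constructed excerpt of the posted 1801W config (with IOS indentation of sub-commands restored), pairs each SSID's VLAN with the dot1Q sub-interfaces of the radio that advertises it, and reports any SSID that has no matching sub-interface. The constants and function names are the example's own.

```python
import re

# Constructed excerpt of the 1801W config posted above (not the poster's full
# config), with the IOS indentation of sub-commands restored.
BROKEN_CONFIG = """\
dot11 ssid open
 vlan 2
 authentication open
!
interface Dot11Radio0
 no ip address
 encryption vlan 2 mode wep optional
 ssid open
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
"""

# Same excerpt plus the sub-interface the reply says is missing.
FIXED_CONFIG = BROKEN_CONFIG + """\
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 1
!
"""


def parse_sections(text):
    """Split an IOS config into (header, [sub-commands]) using IOS indentation."""
    sections, header, body = [], None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections


def find_unbound_ssids(text):
    """Return (ssid, vlan, radio) for every SSID whose VLAN has no dot1Q
    sub-interface on the radio advertising it (the 'DISABLED, not associated
    with a configured VLAN' state shown in the post)."""
    ssid_vlan, radio_ssids, radio_vlans = {}, {}, {}
    for header, body in parse_sections(text):
        if header.startswith("dot11 ssid "):
            vlans = [int(c.split()[1]) for c in body if re.match(r"vlan \d+$", c)]
            if vlans:
                ssid_vlan[header[len("dot11 ssid "):]] = vlans[0]
        elif re.fullmatch(r"interface Dot11Radio\d+", header):
            radio_ssids[header.split()[1]] = [c[5:] for c in body if c.startswith("ssid ")]
        elif (m := re.fullmatch(r"interface (Dot11Radio\d+)\.\d+", header)):
            for c in body:
                e = re.match(r"encapsulation dot1[qQ] (\d+)", c)
                if e:
                    radio_vlans.setdefault(m.group(1), set()).add(int(e.group(1)))
    return [(ssid, ssid_vlan[ssid], radio)
            for radio, ssids in radio_ssids.items()
            for ssid in ssids
            if ssid in ssid_vlan and ssid_vlan[ssid] not in radio_vlans.get(radio, set())]
```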
Guest Anchor - Web Passthrough - Apple device web redirect issue
Hi All,
I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
Now, I was testing multiple clients connecting to the Guest SSID and observed that Apple devices are not redirecting the URL, resulting in an unsuccessful connection.
I looked at the Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
Even after executing the command, I'm still facing the web redirect issue with Apple devices. I don't have any issues with other devices, except Apple.
My controller is running AirOS 7.6.130.0. I'm using the DMZ controller as the DHCP server for Guests and the public DNS servers 8.8.8.8 & 8.8.4.4.
How do I solve this web redirect issue? Will a third-party generated CSR solve the problem?
Thanks,
CJ
Hi All,
The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
Jagan