Guest access web authentication issue

Hello experts-
we have a problem concerning secure guest access. One controller 4402 is installed in the DMZ and is working as the guest anchor WLC. The guest user terminates at this anchor WLC. From this controller the client gets its IP address, but when the user opens the browser and enters a URL like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via the web browser, the authentication page is not shown. Proxy settings in the browser are deactivated. DNS works; if no authentication is configured, Internet access works well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
Has anybody any ideas?
Thanks a lot, Martin

First of all, when you configure the WLAN to open, do you see that device on the anchor controller or the foreign WLC? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and eping between the foreign and anchor WLC. Verify that the SSID has the mobility anchor configured. Also you must make sure that your SSID matches on the foreign and on the anchor WLC. The webauth page will need to be installed on the anchor WLC along with the 3rd party certificate if you use one.
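A quick way to tell the two failure modes apart (client reaches the site untouched versus client bounced to the login page) is to look at what the very first HTTP request from the guest client gets back. The following is an added example, not code from the thread or from Cisco: it parses a raw HTTP response to a probe such as "GET http://www.cisco.com/" and reports whether the browser was redirected to the WLC virtual interface. It assumes the virtual interface address is 1.1.1.1 (a common default; substitute yours), and the four sample responses are constructed, not captured.

```python
"""Check whether a guest client's first HTTP request is really being
intercepted and redirected to the WLC web-auth page.

Added example, not from the original thread.  Assumptions: the WLC virtual
interface address is 1.1.1.1 (a common default; substitute yours), and the
four responses below are constructed, not captured."""
import re
from urllib.parse import urlsplit

VIRTUAL_IP = "1.1.1.1"  # assumption: address of the WLC virtual interface

# Some controller code answers the intercepted GET with an HTTP 200 page that
# bounces the browser to the login URL via a meta refresh or a script; other
# code sends a 3xx with a Location header.  Both patterns are handled.
_META_REFRESH = re.compile(r'url=([^"\';\s>]+)', re.I)
_JS_LOCATION = re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", errors="replace")


def redirect_target(status, headers, body):
    """Return the URL the response tries to send the browser to, or None."""
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    if status == 200:
        for pattern in (_META_REFRESH, _JS_LOCATION):
            match = pattern.search(body)
            if match:
                return match.group(1)
    return None


def classify(raw: bytes, virtual_ip: str = VIRTUAL_IP):
    """Classify a probe response: where did the browser end up?"""
    status, headers, body = parse_http_response(raw)
    target = redirect_target(status, headers, body)
    if target is None:
        # The request reached the real site (or a proxy) without being
        # intercepted: the symptom described in the thread.
        return ("no-redirect", None)
    host = urlsplit(target).hostname or ""
    if host == virtual_ip:
        return ("webauth-redirect", target)
    return ("redirect-elsewhere", target)


# Constructed sample responses to the probe "GET http://www.cisco.com/".
SAMPLE_302 = (b"HTTP/1.1 302 Found\r\n"
              b"Location: https://1.1.1.1/login.html?redirect=www.cisco.com/\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_META = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<html><head><meta http-equiv="refresh" '
               b'content="0; url=https://1.1.1.1/login.html"></head></html>')
SAMPLE_REAL_SITE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><body>Welcome to Cisco</body></html>")
SAMPLE_SITE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                        b"Location: https://www.cisco.com/\r\n\r\n")

if __name__ == "__main__":
    for name, sample in [("302", SAMPLE_302), ("meta", SAMPLE_META),
                         ("real-site", SAMPLE_REAL_SITE),
                         ("site-redirect", SAMPLE_SITE_REDIRECT)]:
        print(name, classify(sample))
```

A "no-redirect" verdict on a plain-HTTP probe means the client's traffic is not passing through the anchor's web-auth interception at all, which points at the mobility tunnel or anchor mapping rather than at the login page or certificate; "redirect-elsewhere" usually means a proxy or the site itself answered before the controller did.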

Similar Messages

  • OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

    We have Cisco Wireless with ISE (Identity Services Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then, when the guest tries to browse the Internet, they are redirected to the guest portal for authentication, so only corporate guests with a valid password can pass the portal authentication. This has been working fine for Windows machines, Android, and Apple devices with earlier OS versions (working on OSX 10.8.5). Clients that have been upgraded to OSX 10.10.1 or iOS 8 can no longer load the CWA redirection page.
    Please let us know if there's any setting under OSX to solve the issue, or a plan from Apple to fix the issue in the next OSX/iOS release?
    thanks - ciscosx

    Robert,
    Manual assignment has been made available in ISE 1.2 release.
    M.

  • Self Registration Guest Access

    This is a complete newbie question, but I can't seem to find the answer in any of the technical pages. We would like to set up a guest access point for visitors to our business, but we would like to require them to self-register the first time they use the facility. I know that the WAP321 allows guest access and authenticated users, but I can't discover if it will allow first-time users to register for access.
    Can anyone advise? If not, can you suggest a product that does?
    Thanks
    Peter

    Hi Peter, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. I am glad to assist you with your configuration, but I don't understand very well what you mean by "self-register the first time they use the facility".
    Captive Portal allows you to block wireless clients from accessing the network until user verification has been established. You can configure CP verification to allow access for both guest and authenticated users. The database can be stored locally on the WAP device or on a RADIUS server. But this feature will always request authentication before providing access.
    You could see more details about Captive Portal in the admin guide in page 143.
    Also here you will see some steps to configure it, if this feature works for you.
    Please let me know if you find this answer useful,
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • WEB Authentication Certificate on WLC4400 - Guest Access

    I need to know if there is a debug command to troubleshoot a Web Authentication certificate issue for guest access. I'm currently troubleshooting an issue to verify if our anchor controller is passing redirects to our web server. Any advice would be appreciated.
    This is on a WLC4404 Controller

    Is the redirect url configured with a name or IP address? If it is a name make sure there are no issues getting DNS resolution of the name.
    The best troubleshooting method I can recommend is using a sniffer to capture the traffic at the anchor controller towards the webserver to see if the traffic passes to the webserver.

  • Anchor Guest 3.2.171.6 Web Authentication page issue

    Hi folks,
    I'm having issues with our anchor controller here running 3.2.171.6. We are using a chained certificate for our Web authentication redirect page to a web server. Sometimes the guest clients are not redirected to the Web authentication page. After I reboot the anchor, this resolves the issue. I need to use this code to support the IPsec VPN module. Any ideas would be appreciated.

    You need to try to find a non-chained certificate. I know that most CAs do not use these anymore, but you need to find one. The WLC does not support chained certificates until 5.2. It may work, but it is not supported.
    HTH,
    Steve

  • External Web authentication server for Guest access

    I have a guest wireless WLAN set up. When guest users attach to our guest wireless they are prompted by the built-in web security on the WLCs.
    Cisco talks about how to set up the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or give examples.
    I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user: name, email, purpose of using the WLAN, and some background info they don't see, like computer name and MAC address. This is all for tracking purposes.
    Hotels do this type of web authentication for example.
    Any help would be great.

    Hi Patrick,
    I'm having the same problem here. I configured my WLC to redirect the login page to a web server, but I don't know how to configure the web server to pass the credentials back to the WLC. Were you able to solve this problem?
    thanks!
    Claudio

  • Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

    I am not able to test this.
    Has anybody configured CUWN guest access with WPA PSK at layer 2 and Web authentication at layer 3?
    If so, are there any problems that I should expect?
    Mark

    Mark,
    I have set up wireless in two other companies related to rail... The biggest issue will be who will support the guest users and whether they will take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a DMZ or a separate Internet connection. Will DHCP release the address... Not right away. You can play around with the lease time and see if your laptop keeps getting the same address or one higher. If the issue is with DHCP being used up from association, then don't broadcast the SSID and have the receptionist hand out the SSID with username and password. My clients use a default username and password but change that every week. They seem to prefer that over changing it every day or having a username and password for every guest user. They use WCS to print out the guest credentials. Again, the network team has the receptionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.
    Hope this helps.

  • ISE 1.2 Guest Access for EAP(Dot1x) Authentication

    Hi.
    I want to use encryption for guest access.
    To use "RADIUS-NAC" on the WLC, you cannot use "Open + MAC", only "WPA + dot1x".
    (Specification of the WLC)
    With "Open + MAC", the Session-Timeout attribute returned from ISE at the time of Web Authentication let me forcibly disconnect the wireless client.
    (The attribute value is the same as the time the guest user is allowed by the ISE TimeProfile.)
    If the client reconnects to the wireless network after the forced disconnect, the Web authentication screen is displayed, but it cannot log in.
    (Because the account has been revoked.)
    I want to achieve the same in a dot1x environment.
    However, with dot1x the value becomes the "re-authentication time", so as long as the terminal is connected to the radio it is not disconnected.
    In addition, even with the setting "Attribute Termination-Action = Default", it does not return to Web authentication.
    (The status on the WLC remains "Auth Yes".)
    (The session in ISE remains "Started".)
    With (EAP) dot1x, can the client be "forcibly disconnected" "to match the time of the TimeProfile" in the same way as with "Open + MAC"?
    Thank you.

    Note:
    Cisco ISE:Version1.2.0.899-8
    Cisco WLC(5508):Version 7.6.120
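For the RADIUS side of this question, here is an added example (not from the post, ISE or Cisco) that encodes and decodes the two attributes involved, Session-Timeout (attribute 27) and Termination-Action (attribute 29), with the RFC 2865 values Default (0) and RADIUS-Request (1), so an Access-Accept seen in a capture can be compared against what the ISE authorization profile is meant to send. The shared secret, packet identifier and request authenticator are made up. Whether the NAS terminates the session or re-authenticates at the timeout is the NAS's decision, which is exactly the WLC behaviour the poster is asking about; the attributes only state the request.

```python
"""Build and decode the RADIUS attributes discussed in the post above:
Session-Timeout (27) and Termination-Action (29).

Added example, not from the original post.  The shared secret, identifier
and request authenticator are constructed values."""
import hashlib
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TERM_DEFAULT = 0          # RFC 2865: service ends at Session-Timeout
TERM_RADIUS_REQUEST = 1   # RFC 2865: NAS may re-authenticate at Session-Timeout

REQUEST_AUTH = bytes(range(16))        # constructed: Request Authenticator
SECRET = b"example-shared-secret"      # constructed: NAS/ISE shared secret


def encode_attr(attr_type: int, value: int) -> bytes:
    """RADIUS 'integer' attribute: type, length (6, header included), 4-byte value."""
    return struct.pack("!BBI", attr_type, 6, value)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        session_timeout: int, termination_action: int) -> bytes:
    attrs = (encode_attr(SESSION_TIMEOUT, session_timeout)
             + encode_attr(TERMINATION_ACTION, termination_action))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def decode_attrs(packet: bytes) -> dict:
    """Walk the attribute TLVs and pull out the two timeout-related integers."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    out = {"code": code, "id": identifier}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type in (SESSION_TIMEOUT, TERMINATION_ACTION) and attr_len == 6:
            out[attr_type] = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += attr_len
    return out


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a modified attribute fails this."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == resp_auth


def demo():
    """Constructed Access-Accept: 600 s session, Termination-Action = Default."""
    pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET, 600, TERM_DEFAULT)
    return decode_attrs(pkt), verify_response(pkt, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator check is the part worth keeping around: a captured Access-Accept whose Termination-Action reads 1 when the profile says Default either came from a different policy than expected or was altered in transit, and the MD5 binding to the shared secret distinguishes the two.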

  • NAC GUEST SERVER CANNOT ACCESS WEB CONSOLE

    Hello,
    I have a NAC guest server. I can access the CLI but cannot access the web console. I tried both https://<ip address>/admin and http://<ip address>/admin. What could be the solution to this issue?
    thank you and best regards.
    Edwin

    Edwin,
    Are the various necessary services running on that server? Post the output of following commands:
    ps auwwwx
    chkconfig --list
    service httpd status
    service postgresql status
    Faisal

  • WCS and Guest account / limited usage web authentication

    Here is my problem: I need to be able to limit my AD users to 10 min of access to the WLAN. I see you can do this for guest accounts, but you have to manually enter a username and password. I would like the web authentication to use our ACS, which is tied in to our AD. Is there a way to do this?

    Weterry,
    Here is the whole story. I have a bookstore that is going to have "Demo" PCs for students to buy. They want to show the Internet on these devices, but our security guy requires all users to log on. I was hoping to find a way to let users log on quickly to test these devices.
    I have already figured out the web auth and that's a great feature, but you have to manually enter each user. If I could get that to use AD and limit each to 10 min, that would be great. I would like to set up an SSID for the demo devices and limit users to 10 min.
    I have 2 WiSM controllers running 6.0 and also have WCS.
    Thanks
    Chappy

  • Just recently I am getting the following error message when trying to access web sites. I get a pop up window stating "Exc in ev handl: TypeError: c.location is null" then I have to click ok. It is an issue with some plug-in?

    Just recently I am getting the following error message when trying to access web sites. I am using Firefox browser version 10.0.2. I get a pop-up window stating "Exc in ev handl: TypeError: c.location is null" as the web site page is being displayed in the browser window. Then I have to click OK. It doesn't matter what web link/site I go to, it happens. Is it an issue with some plug-in?

    I have advised McAfee's product team of the problem and this thread, and they're looking into it now.

  • How do I disable guest access in the advanced web controls? E2000

    Due to Cisco Connect not connecting and my router having some problems, I have reset it and gone straight into the advanced web control panel. I have everything set up and running, but I see no way to turn off guest access. I do not want any "guests" to be able to access my E2000 router; how do I disable that in the advanced web control panel?

    sabertooth is correct. The Guest network is managed by Cisco connect software only.
    You can reset the router and reconfigure it manually.
    Press and hold the reset button on the router for 30 seconds. Release the reset button and wait for 30 seconds. Power cycle the router and reconfigure it manually.

  • Wireless Client Authentication issues when roaming Access Points (Local)

    I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
    There are a handful of clients that, when roaming between APs with the same SSID, get an authentication issue and have to restart the wireless to get back on.
    From Cisco ISE
    Event
    5400 Authentication failed
    Failure Reason
    11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Resolution
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Root cause
    While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
    I am having a hard time figuring out what is causing this. My assumption is that if there were a problem with the controller or AP configurations, then it would happen to everyone. My further assumption is that if the client had a problem with their laptop (Windows 7), then why does it work at other times? So I have checked, and the ISE certificate is trusted by the client.
    Is something happening where the previous access point is holding on to the MAC and the return authentication traffic is going to the old AP instead of the new one, or something like that which is corrupting the data?
    I also had this from Splunk for the same client:
    Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
     FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
    Any help on this would be appreciated. These error messages give me an idea but doesn't give me the exact answer to why the problem occurred and what needs to be done to fix it.
    Thanks

    Further detail From ISE for the failure:
    11001
    Received RADIUS Access-Request
    11017
    RADIUS created a new session
    15049
    Evaluating Policy Group
    15008
    Evaluating Service Selection Policy
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    15048
    Queried PIP
    15048
    Queried PIP
    15004
    Matched rule
    11507
    Extracted EAP-Response/Identity
    12500
    Prepared EAP-Request proposing EAP-TLS with challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12301
    Extracted EAP-Response/NAK requesting to use PEAP instead
    12300
    Prepared EAP-Request proposing PEAP with challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12302
    Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318
    Successfully negotiated PEAP version 0
    12800
    Extracted first TLS record; TLS handshake started
    12805
    Extracted TLS ClientHello message
    12806
    Prepared TLS ServerHello message
    12807
    Prepared TLS Certificate message
    12810
    Prepared TLS ServerDone message
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    12305
    Prepared EAP-Request with another PEAP challenge
    11006
    Returned RADIUS Access-Challenge
    11001
    Received RADIUS Access-Request
    11018
    RADIUS is re-using an existing session
    12304
    Extracted EAP-Response containing PEAP challenge-response
    11514
    Unexpectedly received empty TLS message; treating as a rejection by the client
    12512
    Treat the unexpected TLS acknowledge message as a rejection from the client
    11504
    Prepared EAP-Failure
    11003
    Returned RADIUS Access-Reject
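The step list above is long, but the whole story is in a few codes: ISE proposed EAP-TLS, the client NAKed and asked for PEAP, the server sent its certificate, several PEAP rounds followed, then an empty TLS message arrived and ISE rejected. The following is an added example, not code from the post or from Cisco, that parses an ISE live-log export in the alternating "code / description" format shown above and reports where the handshake broke. The step codes are the ones that appear in the post; STEPS is a constructed copy of that sequence shortened to two PEAP rounds, and SPLUNK_LINE is a constructed line in the same format as the one the poster quoted.

```python
"""Summarise an ISE authentication step list (the 'code / description' pairs
the post pasted from the ISE live log) to pin down where an EAP exchange broke.

Added example, not from the original post.  Step codes are those shown in the
post; STEPS and SPLUNK_LINE are constructed samples in the post's format."""
import re

PROPOSED = {12500: "EAP-TLS", 12300: "PEAP"}   # "Prepared EAP-Request proposing ..."
CLIENT_NAK = 12301          # EAP-Response/NAK asking for another method
PEAP_ACCEPTED = 12302       # "... accepting PEAP as negotiated"
PEAP_ROUND = 12304          # one inner PEAP challenge-response
SERVER_CERT_SENT = 12807    # "Prepared TLS Certificate message"
EMPTY_TLS = 11514           # "Unexpectedly received empty TLS message"
ACCESS_REJECT = 11003       # "Returned RADIUS Access-Reject"
_FAILURE_REASON = re.compile(r'FailureReason="(\d+) ([^"]+)"')


def parse_steps(text: str):
    """The export alternates a numeric step code and its description line."""
    steps, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if pending is None and line.isdigit():
            pending = int(line)
        elif pending is not None:
            steps.append((pending, line))
            pending = None
    return steps


def analyze(steps):
    codes = [code for code, _ in steps]
    result = {
        "proposed": [PROPOSED[c] for c in codes if c in PROPOSED],
        "client_nak": CLIENT_NAK in codes,
        "negotiated": "PEAP" if PEAP_ACCEPTED in codes else None,
        "peap_rounds": codes.count(PEAP_ROUND),
        "server_cert_sent": SERVER_CERT_SENT in codes,
        "rejected": ACCESS_REJECT in codes,
        "failure": None,
        "diagnosis": "no failure step recorded",
    }
    if EMPTY_TLS in codes:
        at = codes.index(EMPTY_TLS)
        result["failure"] = dict(steps)[EMPTY_TLS]
        if SERVER_CERT_SENT in codes[:at]:
            # Client went silent after seeing the server certificate: the
            # pattern ISE's own resolution text attributes to an untrusted
            # server certificate or a supplicant incompatibility.
            result["diagnosis"] = ("client aborted TLS after the ISE server certificate "
                                   "was presented; verify the supplicant trusts the "
                                   "signing CA and check for supplicant issues")
        else:
            result["diagnosis"] = "client aborted TLS before the server certificate was sent"
    return result


def failure_reason(splunk_line: str):
    """Pull the numeric reason and its text out of a CISE_Failed_Attempts line."""
    match = _FAILURE_REASON.search(splunk_line)
    return (int(match.group(1)), match.group(2)) if match else None


# Constructed step list: same codes and order as the post, shortened.
STEPS = """
11001
Received RADIUS Access-Request
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12807
Prepared TLS Certificate message
12810
Prepared TLS ServerDone message
12304
Extracted EAP-Response containing PEAP challenge-response
12304
Extracted EAP-Response containing PEAP challenge-response
11514
Unexpectedly received empty TLS message; treating as a rejection by the client
11504
Prepared EAP-Failure
11003
Returned RADIUS Access-Reject
"""
SPLUNK_LINE = ('Mar 5 13:44:51 ise01 CISE_Failed_Attempts 0000000001 1 0 NOTICE RADIUS: '
               'NAS conducted several failed authentications of the same scenario '
               'FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"')

if __name__ == "__main__":
    print(analyze(parse_steps(STEPS)))
    print(failure_reason(SPLUNK_LINE))
```

Run over a set of exports from the same client, the "server_cert_sent" and "peap_rounds" fields show whether every failure happens at the same point; if it does, the trouble is on the supplicant's side of the TLS tunnel rather than in the RADIUS path between AP, controller and ISE.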

  • 1801W wireless (guest access) config issues

    Trying to setup wireless on 1801w ISR.  Wired access to Internet and LAN works fine (Vlan1); however, wireless (Vlan2) does not.
    Trying to setup wireless "guest" access with Internet access only (no access to LAN).
    Wireless will not come up.  Dot11Radios show "reset/down".
    Below is the wireless config and a couple of troubleshooting commands as well:
    dot11 ssid open
       vlan 2
       authentication open
    ====================================================
    !(Sets up DHCP and excluded addresses.)
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.25.1 172.16.25.99
    ip dhcp excluded-address 172.16.25.116 172.16.25.255
    ip dhcp pool open
       import all
       network 172.16.25.0 255.255.255.0
       default-router 172.16.25.1
       dns-server 4.2.2.1 4.2.2.1
       lease 3
    ====================================================
    (Turned on integrated routing and bridging.)
    bridge irb
    ====================================================
    (Wireless radio interface config.)
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    encryption vlan 2 mode wep optional
    !---(SSID is given as "open")
    ssid open
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    station-role root
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    description LAN
    ip address 192.168.0.100 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan2
    description Wireless VLAN
    no ip address
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.25.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    bridge 1 protocol ieee
    bridge 1 route ip
    ====================================================
    Verifying...
    RTR#sho dot11 associations
    802.11 Client Stations on Dot11Radio1:
    802.11 Client Stations on Dot11Radio0:
    SSID [open] : DISABLED, not associated with a configured VLAN
    ====================================================
    RTR#sho ip int brief
    Dot11Radio0                unassigned      YES NVRAM  reset                 down
    Dot11Radio0.1             unassigned      YES unset  reset                 down
    Dot11Radio1                unassigned      YES NVRAM  reset                 down

    Your SSID is configured in VLAN 2.
    But you forgot to configure Dot11Radio0.2 with "encapsulation dot1Q 2" under it.
    That should allow the radio to broadcast the SSID.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Guest Anchor - Web Passthrough - Apple device web redirect issue

    Hi All,
    I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
    Now, I was testing multiple clients connecting to the Guest SSID and observed that Apple devices are not redirecting the URL, resulting in an unsuccessful connection.
    I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
    Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
    My controller is running AirOS 7.6.130.0. I'm using the DMZ controller as the DHCP server for guests and the public DNS servers 8.8.8.8 & 8.8.4.4.
    How do I solve this web redirect issue? Will a third-party generated CSR solve the problem?
    Thanks,
    CJ

    Hi All,
    The issue was with the WISPr protocol with iOS clients. After upgrading the AirOS code on the controller to 8.0.100.0, the web redirect issue is resolved.
    Jagan
