Guest Anchor with web auth using ISE guest portal
Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
massive thanks to anyone that can assist.
JS.
Thanks for the reply RikJonAtk.
so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in Advanced,
JS
Similar Messages
-
Web Auth using 5760 Guest Anchor and ISE
I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor. ISE is being used as the guest auth server.
When no auth requirements are set on the guest wlan, everything works fine. I get an IP address and can get to the internet, VPN, etc. As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state. When I check the client on the controller, it is in a Policy Manager State of START.
As soon as I remove the security web-auth commamd from the wlan, I connect right up. It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
Any thoughts on what I am missing on my guest anchor, or MA config? Do I need to make any changes to the wlan on the MC? Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.I hope this may help you
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
HTH
Rasika
*** Pls rate all useful responses **** -
WLC 4402 - only present guest with web auth page once every (x) days
Hi all,
I am looking to migrate our guest wireless from a third-party system to the WLC. Currently, we change our guest password (WPA2 PSK) every (x) days. Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept. The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
Thanks!
-PWait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers? The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
Thanks
-P -
How to use ISE Guest Portal for AD users
Hi there,
As subject explains all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks alot, does not redirect to the login page always.
Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please Suggect?
Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated to ISE, the issue happens when I attempt to athenticate using AD user account, the user gets authenticated but the Guest Portal redirects me to Device Provissioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
Am I missing something??
I am running WLC 5760 with ISE 1.2
Thanks in advance..Hi,
Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to redirected to a web page multiple times throughout the day, scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exist. You also gain WPA encryption on your WLAN, if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
"Cisco Wireless Controller" with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is..
add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
I've attached some screenshots of our configuration.Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these
troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck
DHCP Required
on the WLAN and
give the wireless client a static IP address. This assumes association with the access point. Refer to
the
IP addressing issues
section of
Troubleshooting Client Issues in the Cisco Unified Wireless
Network for troubleshooting DHCP related issues
1.
On WLC versions earlier than 3.2.150.10, you must manually enter
https://1.1.1.1/login.html
in
order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
connects to a WLAN configured for web authentication, the client obtains an IP address from the
DHCP server. The user opens a web browser and enters a website address. The client then performs
the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
authentication login page.
2.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
Windows, choose
Start > Run
, enter
CMD
in order to open a command window, and do a nslookup
www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a nslookup www.cisco.com" and see if the IP
address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is
http://198.133.219.25)
♦
Try to directly reach the controller's webauth page with
https:///login.html. Typically this is http://1.1.1.1/login.html.
♦
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
be a certificate problem. The controller, by default, uses a self−signed certificate and most web
browsers warn against using them.
3.
For web authentication using customized web page, ensure that the HTML code for the customized
web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For
example, for the 4400 controllers, choose
Products > Wireless > Wireless LAN Controller >
Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
Bundle−1.0.1
and download the
webauth_bundle.zip
file.
These parameters are added to the URL when the user's Internet browser is redirected to the
customized login page:
4.
ap_mac The MAC address of the access point to which the wireless user is associated.
♦
switch_url The URL of the controller to which the user credentials should be posted.
♦
redirect The URL to which the user is redirected after authentication is successful.
♦
statusCode The status code returned from the controller's web authentication server.
♦
wlan The WLAN SSID to which the wireless user is associated.
♦
These are the available status codes:
Status Code 1: "You are already logged in. No further action is required on your part."
♦
Status Code 2: "You are not configured to authenticate against web portal. No further action
is required on your part."
♦
Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
already logged into the system?"
♦
Status Code 4: "You have been excluded."
♦
Status Code 5: "The User Name and Password combination you have entered is invalid.
Please try again."
♦
All the files and pictures that need to appear on the Customized web page should be bundled into a
.tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
Authentication Configuration Example for more information on how to create a customized web
authentication window.
Note:
Files that are large and files that have long names will result in an extraction error. It is
recommended that pictures are in .jpg format.
5.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
Other browsers may or may not work.
6.
Ensure that the
Scripting
option is not blocked on the client browser as the customized web page on
the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
7.
Note:
The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
messages for the user.
Note:
If you browse to an
https
site, redirection does not work. Refer to Cisco bug ID CSCar04580
(registered customers only) for more information.
If you have a
host name
configured for the
virtual interface
of the WLC, make sure that the DNS
resolution is available for the host name of the virtual interface.
Note:
Navigate to the
Controller > Interfaces
menu from the WLC GUI in order to assign a
DNS
hostname
to the virtual interface.
8.
Sometimes the firewall installed on the client computer blocks the web authentication login page.
Disable the firewall before you try to access the login page. The firewall can be enabled again once
the web authentication is completed.
9.
Topology/solution firewall can be placed between the client and web−auth server, which depends on
the network. As for each network design/solution implemented, the end user should make sure these
ports are allowed on the network firewall.
Protocol
Port
HTTP/HTTPS Traffic
TCP port 80/443
CAPWAP Data/Control Traffic
UDP port 5247/5246
LWAPP Data/Control Traffic
(before rel 5.0)
UDP port 12222/12223
EOIP packets
IP protocol 97
Mobility
UDP port 16666 (non
secured) UDP port 16667
(secured IPSEC tunnel)
10.
For web authentication to occur, the client should first associate to the appropriate WLAN on the
WLC. Navigate to the
Monitor > Clients
menu on the WLC GUI in order to see if the client is
associated to the WLC. Check if the client has a valid IP address.
11.
Disable the Proxy Settings on the client browser until web authentication is completed.
12.
The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
RADIUS server for this to work. In order to check the status of client authentication, check the
debugs and log messages from the RADIUS server. You can use the
debug aaa all
command on the
WLC to view the debugs from the RADIUS server.
13.
Update the hardware driver on the computer to the latest code from manufacturer's website.
14.
Verify settings in the supplicant (program on laptop).
15.
When you use the Windows Zero Config supplicant built into Windows:
Verify user has latest patches installed.
♦
Run debugs on supplicant.
♦
16.
On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
> Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
will be located in C:\Windows\tracing.
17.
If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
18.
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh−appgw enable
debug pm ssh−tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh−engine enable packet -
Radius server web authentication using ISE
Hi,
Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
Thanks,Hi,
Please check these:
Central Web Authentication on the WLC and ISE Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
Regards
Dont forget to rate helpful posts -
Hi everyone, to use the portal with many users using the same portal user?
I have an another question is possible to use the portal with many users using the same portal user with diferent roles in the same time?
thanksHi Israel,
It is possible to have same user logged in through differnt terminals or browser windows. However if there are say 10 roles assigned to that user, all 10 will be visible in all the windows. However you may open and work on different roles.. in the different windows.
Note that the real time collaboration features shall not be available if the same user logs in multiple times.
Hope this is useful.
Regards,
Anagha -
Guest Wireless with Web Portal
I have my guest wireless accepting terms through a web portal, but it seems they have to accept these terms about every 30 minutes to an hour to get access to the internet again. They are not idle, their session just stops working, and when they open a new browser it redirects them to the web portal. Is there a timer for this somewhere that I am missing?
I installed v7.5 configured the sleeping client feature and I'm not getting the desired result. My test device (Ipod model MD067LL/A) isn't being added to the sleeping clients list. I saw the following in the configuration guide.
The authentication of sleepling clients feature is not supported with Layer 2 security and web authentication enabled.
I don't think that applies to my situation.
The WLANs configuration is below.
WLAN Identifier.................................. 4
Profile Name..................................... xxxxxxxxxx
Network Name (SSID).............................. xxxxxxxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
Radius Profiling ............................ Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Local Profiling ............................. Disabled
DHCP ....................................... Disabled
HTTP ....................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. 36000 seconds
User Idle Timeout................................ 300 seconds
Sleep Client..................................... enable
Sleep Client Timeout............................. 8 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... xxxxxxxxxxxxxxx
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxxxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
PMIPv6 MAG Profile........................... Unconfigured
PMIPv6 Default Realm......................... Unconfigured
PMIPv6 NAI Type.............................. Hexadecimal
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Interim Update............................. Disabled
Framed IPv6 Acct AVP ...................... Prefix
Dynamic Interface............................. Disabled
Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Enabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
CCKM TSF Tolerance......................... 1000
WAPI.......................................... Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Enabled
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Email Input..................................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching................... Enabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
flexconnect PPPoE pass-through................ Disabled
flexconnect local-switching IP-source-guar.... Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Disabled
Client MFP.................................... Disabled
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60 -
We have a 2100 Wlan controller set up with multiple wlans.
We are having problems on the Guest VLAN in that everytime a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
If the box is rebooted it works for around an hour, then begins to fail again.
Any ideas?Here is the configuration guide for the Webauthentication for WLC with example it may help you to troubleshoot and configuration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml -
Using ISE guest store via RADIUS
I have a question concerning the guest store on the ISE.
I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
Has anyone already implemented a similar solution or any idea how to access the guest store?
Thanks
ThomasI just created a simple setup and tested the login.
It doesn't work with a user created as a guest account.
If I create the user in the normal internal identity store I works fine.
Might there be a difference between ISE Versions?
We are currently using Version 1.1.0.665 on a VM for testing purpose.
This is what the details show:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24206 User disabled
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - tuser001
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Authorization Policy
15004 Matched rule
15016 Selected Authorization Profile - Guest
11022 Added the dACL specified in the Authorization Profile
11002 Returned RADIUS Access-Accept -
Auto login with web auth?
I have a guest WLAN on a mobility anchor that uses web auth for access. There is a small set of local users, but the majority of the auth comes from a Radius server. Question is, can I setup some type of policy that will auto login users based on MAC address so they don't have to web authenticate?
Thanks!
Edit: I have seen where you can enable mac filtering on the WLAN and specify individual mac addresses to permit. This would work, but I still want web auth for the majority of users. Only a few users should be automatically connected. The rest should still authenticate via web auth.Well I have some fantastic news.... and then some horrible news at the same time...
In 7.0.116.0 a new feature was introduced called web auth on mac-filter failure. Basically it does exactly what I think you are asking. Right? You mac filter your wlan, and then if anyone fails the mac filter, they can web authenticate.
Unfortunately, it doesn't work in an Anchored scenario as the Mac filter is L2 performed on the Foreign WLC, and the Anchor does L3 with no knowledge the Foreign was good to bypass webauth.... CSCts54424 is tracking this behavior for Anchor scenario, but I don't think it is planned to go into 7.0...... -
Anchor WLC web-auth secure web issue
Hi all,
I am running into an issue with disabling the web-auth secure web on an 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changed again the web-auth secure web to enable and rebooted the WLC fixed the issue...Has anyone ran into this before and any idea how to fix it?
Thanks in advanced for your input!
RobinThe custome page might be from Cisco web auth page sample by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
Do I also need to diable the web-auth secure web on the main controller?
This anchor is running in production and has to reboot after hour, will do the test and let you know how it goes.
Thanks!
Robin -
Windows 7 Clients Not Working With Web-Auth
I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
The login page is customised showing T's & C's with two buttons Except or Reject.
Do I need to Pre-Auth with ACL's? Has anyone had similar issues, or any good doc's etc.
Thanks in advance for any replies.
JayNicolas,
Many thanks for your relpy, the problem is that this is a guest network that's also avalable to the public and I dont have any control over the end clients.
After doing a quick search on the net I found this.
NCSI : Uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way NCSI does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resovles to 131.107.255.255.
NCSI does this whether you are logged on or not.
Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
1. Permit DNS resolution (UDP/53) to 213.199.181.90
2. Permit TCP port 80 to 131.107.255.255
Jay -
hi
i have two wireless networks,one for the guests and the other one extends the corporate network.i created two vlan on my 6509 swicth and mapped the vlns to to the wlans.All is working fine but when i enable web auth for guest i can no longer ping my gateway or browse and even web auth is not authenticating against the internal users configured on the WLC...web auth just wont work.
what could be wrong..i really need to authenticate using web auth.ok, SO this is what i need
send me show custom-web details
S if you open the page do you get the default cisco webauth redirected page ; are you able to put the user name and password ?
can you send me the screen shot of events
Regards
Seema -
HREAP with web-auth (internal)
I have a lwap at a remote site that is configured as HREAP so that it can continuously provide connectivity when the WLC is un-reachable. I have two vlans on the lwap. One is locally authenticated and locally switched for intranet connectivity. The other is for internet connectivity and I wanted that one to be locally switched, but authenticate at the WLC. When I configure the WLAN as HREAP - locally switched, it doesn't work. If I configure the WLAN as non-HREAP it works. Anyone know what the trick is to get this thing to work? I want my internet wlan at that site to be locally switched but centraly authenticated. My WLC only seems to have a selection for HREAP - Local switching, it doesn't have anything you would check to specify central authentication.
My WLC (2106) is version 6.0.182.0 and my lwap is an 1142n.
Thanks!In the first document:
Q. Can I do web authentication with Local switching?
Yes, you can have an SSID with web−authentication enabled and drop the traffic locally after
web−authentication. Web−authentication with Local switching works fine.
1. WLAN, (wlan you want to local switch), Advanced tab, click the "H-REAP Local Switching" checkbox.
2. Wireless, (click the h-reap modify), H-REAP tab, click "Vlan Support", Vlan Mappings button, then map the wlan to vlan you want to drop traffic onto.
Also, for wan up/local switched wlans authentication still happens on the controller until the h-reap goes into wan down. WLANs default to central switching, you have to define the ones which need to be locally switched as described above.
Maybe you are looking for
-
"0x80004005: Unspecified error" when renaming folders in Windows 7 32-bit
I just installed a new internal SSD drive. After a while, i began to get an error message whenever i try to rename a folder. "An unexpected error is keeping you from renaming the folder. If you continue to receive this error, you can use the error co
-
Separate CSS for IE and Firefox
Hi all, older versions of Robohelp generated to separate CSS files in the Wephelp for IE and Firefox. Evidently this feature was dropped somewhen. However I need it now to resolve some specific Firefox problems in a project. I thought I could add the
-
Use the command "Properties" in Windows Explorer to unlock the file
I'm getting this error where, when I start Photoshop, I get a popup saying "Cannot load Photoshop because the file is locked or you don't have the needed privileges.. Use the command "Properties" in Windows Explorer to unlock the file". I unlocked it
-
Using the built-in Mac keyboard for Perkins-type input
How could I use the built-in keyboard of a Mac for typing in Braille? Is it possible to create e.g. a script that would allow me to switch to use the built-in keyboard occasionally like a Perkins-type device? E.g. start with (FDS = 123 | JKL = 456).
-
How to change the color of the data in a advanceddatagrid based on the its value
Hi All, I'm loading the data into AdvanceddataGrid from XML. My requirement is like; if the value of the loaded data is lower than 5, then it should be shown Green in color. Or else if it is greater than 5 it should be shown in Red color. I