Guest Anchor with web auth using ISE guest portal

Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
Massive thanks to anyone that can assist.
JS.

Thanks for the reply RikJonAtk.
So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in advance,
JS

Similar Messages

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
    When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth command from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • WLC 4402 - only present guest with web auth page once every (x) days

    Hi all,
    I am looking to migrate our guest wireless from a third-party system to the WLC.  Currently, we change our guest password (WPA2 PSK) every (x) days.  Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept.  The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
    I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
    Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
    Thanks!
    -P

    Wait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers?  The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
    Thanks
    -P

  • How to use ISE Guest Portal for AD users

    Hi there,
    As subject explains all, I want to use ISE Guest Portal for my domain users. I have tried many different ways to authenticate users and finally I came to the conclusion that ISE CWA works pretty well and is very stable. WLC Webauth sucks a lot, does not redirect to the login page always.
    Can you please share what other ways are stable ways to authenticate AD users? I know about WPA 802.1x authentication but that requires a CA in the network which is not available at the moment. So can you please suggest?
    Otherwise, I want to use ISE Guest Portal for my AD users as well. AD is already integrated to ISE, the issue happens when I attempt to authenticate using AD user account, the user gets authenticated but the Guest Portal redirects me to Device Provisioning page and there it shows an error saying "there is not policy to register the device, contact system admin"
    Am I missing something??
    I am running WLC 5760 with ISE 1.2
    Thanks in advance..

    Hi,
    Can you post a screenshot of your current policies? Also for 802.1x authentication although it is best practices you do not have to have an internal CA to make this solution work. You can disable the option to "validate server certificate" or you can use a trusted CA to sign the certificate for the eap interface.
    In most cases 802.1x is the method to go because it provides dynamic authentication without forcing users to be redirected to a web page multiple times throughout the day; scenarios such as computers that sleep or users that are mobile will not have connectivity until they redirect to the portal if one of the scenarios exists. You also gain WPA encryption on your WLAN; if you are using strictly layer 3 web auth you run into issues where encryption is not used and rely on encryption from the application as your method of data integrity and security.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical "Cisco Wireless Controller" with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
    What I tried so far is..
      - add a DNS Host Name to the virtual interface and assign it to our internal DNS server. DNS name was resolving but we were unable to ping 1.1.1.1
      - changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry. DNS name resolved but still could not ping 2.2.2.2 (I think this is normal)
      - changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry. Same result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication

    After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:

    1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.

    2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.

    3. The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.

       Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.

       On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.

       If you believe the client is not getting DNS resolution, you can either:
         - Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
         - Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.

       Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.

    4. For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.

       You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.

       These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
         - ap_mac: The MAC address of the access point to which the wireless user is associated.
         - switch_url: The URL of the controller to which the user credentials should be posted.
         - redirect: The URL to which the user is redirected after authentication is successful.
         - statusCode: The status code returned from the controller's web authentication server.
         - wlan: The WLAN SSID to which the wireless user is associated.

       These are the available status codes:
         - Status Code 1: "You are already logged in. No further action is required on your part."
         - Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
         - Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
         - Status Code 4: "You have been excluded."
         - Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."

    5. All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:

       Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.

       Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.

    6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.

    7. Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.

       Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.

       Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.

    8. If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.

       Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.

    9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.

    10. Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.

        Protocol                                       Port
        HTTP/HTTPS Traffic                             TCP port 80/443
        CAPWAP Data/Control Traffic                    UDP port 5247/5246
        LWAPP Data/Control Traffic (before rel 5.0)    UDP port 12222/12223
        EOIP packets                                   IP protocol 97
        Mobility                                       UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)

    11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.

    12. Disable the Proxy Settings on the client browser until web authentication is completed.

    13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.

    14. Update the hardware driver on the computer to the latest code from manufacturer's website.

    15. Verify settings in the supplicant (program on laptop).

    16. When you use the Windows Zero Config supplicant built into Windows:
          - Verify user has latest patches installed.
          - Run debugs on supplicant.

    17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:

        netsh ras set tracing eapol enable
        netsh ras set tracing rastls enable

        In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.

    18. If you still have no login web page, collect and analyze this output from a single client:

        debug client
        debug dhcp message enable
        debug aaa all enable
        debug dot1x aaa enable
        debug mobility handoff enable

    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.

        debug pm ssh-appgw enable
        debug pm ssh-tcp enable
        debug pm rules enable
        debug emweb server enable
        debug pm ssh-engine enable packet
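
The redirect parameters and status codes listed in the troubleshooting steps above are attacker-reachable input to a customized login page, so the page should validate them before using them. The following is an added example, not part of the original post or of Cisco's sample bundle; the function names, the controller allow-list and the sample URL are assumptions made for illustration.

```javascript
// Added example: read the parameters the WLC appends to a customized login
// page URL (ap_mac, switch_url, redirect, statusCode, wlan) and validate them.
// Assumptions: all names here are hypothetical; scheme-less redirect values
// are treated as http; the sample URL below is constructed.

const STATUS_MESSAGES = {
  1: "You are already logged in. No further action is required on your part.",
  2: "You are not configured to authenticate against web portal. No further action is required on your part.",
  3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?",
  4: "You have been excluded.",
  5: "The User Name and Password combination you have entered is invalid. Please try again.",
};

const MAC_RE = /^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i;

// Return a parsed URL only if it is plain http(s); other schemes and
// malformed input yield null.
function httpUrlOrNull(value, allowSchemeless) {
  if (!value) return null;
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    if (!allowSchemeless) return null;
    try { url = new URL("http://" + value); } catch (e2) { return null; }
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url : null;
}

function parseWebAuthRedirect(pageUrl, allowedControllerHosts) {
  const params = new URL(pageUrl).searchParams;
  const problems = [];
  const result = {
    postTarget: null, redirectAfterLogin: null, statusMessage: null,
    apMac: null, wlan: null, problems,
  };

  // switch_url is where the credentials are posted, so it is pinned to the
  // controller hosts the portal owner expects (for example 1.1.1.1).
  const switchUrl = httpUrlOrNull(params.get("switch_url"), false);
  if (!switchUrl) {
    problems.push("switch_url missing or not http(s)");
  } else if (!allowedControllerHosts.includes(switchUrl.hostname)) {
    problems.push("switch_url host is not an expected controller: " + switchUrl.hostname);
  } else {
    result.postTarget = switchUrl.href;
  }

  // redirect is followed after login; accept http(s) destinations only.
  const redirect = params.get("redirect");
  if (redirect !== null) {
    const target = httpUrlOrNull(redirect, true);
    if (target) result.redirectAfterLogin = target.href;
    else problems.push("redirect is not an http(s) URL");
  }

  // Show only the fixed message text for a known code, never the raw value.
  const status = params.get("statusCode");
  if (status !== null && Object.prototype.hasOwnProperty.call(STATUS_MESSAGES, status)) {
    result.statusMessage = STATUS_MESSAGES[status];
  }

  const apMac = params.get("ap_mac");
  if (apMac !== null) {
    if (MAC_RE.test(apMac)) result.apMac = apMac.toLowerCase();
    else problems.push("ap_mac is not a MAC address");
  }

  // An SSID is at most 32 octets; render it with textContent, not innerHTML.
  const wlan = params.get("wlan");
  if (wlan !== null) {
    if (wlan.length >= 1 && wlan.length <= 32) result.wlan = wlan;
    else problems.push("wlan is empty or longer than 32 characters");
  }
  return result;
}

// Constructed sample of a redirected login page URL.
const SAMPLE_URL = "https://portal.example.test/login.html?" + new URLSearchParams({
  switch_url: "https://1.1.1.1/login.html",
  ap_mac: "00:11:22:33:44:55",
  wlan: "Guest",
  redirect: "www.cisco.com/",
  statusCode: "5",
}).toString();

console.log(parseWebAuthRedirect(SAMPLE_URL, ["1.1.1.1"]));
```

A login page would set its form action from `postTarget` only when `problems` is empty, and otherwise show a generic error instead of posting the credentials.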

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS.  I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html  
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • Hi everyone, to use the portal with many users using the same portal user?

    I have another question: is it possible to use the portal with many users using the same portal user with different roles at the same time?
    thanks

    Hi Israel,
    It is possible to have the same user logged in through different terminals or browser windows. However, if there are, say, 10 roles assigned to that user, all 10 will be visible in all the windows. However, you may open and work on different roles in the different windows.
    Note that the real time collaboration features shall not be available if the same user logs in multiple times.
    Hope this is useful.
    Regards,
    Anagha

  • Guest Wireless with Web Portal

    I have my guest wireless accepting terms through a web portal, but it seems they have to accept these terms about every 30 minutes to an hour to get access to the internet again. They are not idle, their session just stops working, and when they open a new browser it redirects them to the web portal. Is there a timer for this somewhere that I am missing?                   

    I installed v7.5 configured the sleeping client feature and I'm not getting the desired result.   My test device (Ipod model MD067LL/A) isn't being added to the sleeping clients list.  I saw the following in the configuration guide.
    The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
    I don't think that applies to my situation.
    The WLANs configuration is below.
    WLAN Identifier.................................. 4
    Profile Name..................................... xxxxxxxxxx
    Network Name (SSID).............................. xxxxxxxxxx
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    Client Profiling Status
        Radius Profiling ............................ Disabled
         DHCP ....................................... Disabled
         HTTP ....................................... Disabled
        Local Profiling ............................. Disabled
         DHCP ....................................... Disabled
         HTTP ....................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist.................................... Disabled
    Session Timeout.................................. 36000 seconds
    User Idle Timeout................................ 300 seconds
    Sleep Client..................................... enable
    Sleep Client Timeout............................. 8 hours
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... xxxxxxxxxxxxxxx
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ xxxxxxxxxx
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    WLAN Layer2 ACL.................................. unconfigured
    mDNS Status...................................... Disabled
    mDNS Profile Name................................ unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
        PMIPv6 MAG Profile........................... Unconfigured
        PMIPv6 Default Realm......................... Unconfigured
        PMIPv6 NAI Type.............................. Hexadecimal
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    Burst Realtime Data Rate.........................   0             0
    Per-Client Rate Limits........................... Upstream      Downstream
    Average Data Rate................................   0             0
    Average Realtime Data Rate.......................   0             0
    Burst Data Rate..................................   0             0
    Burst Realtime Data Rate.........................   0             0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
          Interim Update............................. Disabled
          Framed IPv6 Acct AVP ...................... Prefix
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
             PMF-1X(802.11w)......................... Disabled
             PMF-PSK(802.11w)........................ Disabled
          FT Reassociation Timeout................... 20
          FT Over-The-DS mode........................ Disabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
          CCKM TSF Tolerance......................... 1000
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Enabled
            IPv4 ACL........................................ Unconfigured
            IPv6 ACL........................................ Unconfigured
            Web-Auth Flex ACL............................... Unconfigured
            Email Input..................................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Enabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       flexconnect PPPoE pass-through................ Disabled
       flexconnect local-switching IP-source-guar.... Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Disabled
       Client MFP.................................... Disabled
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60

  • Web Auth FAIL on guest wlan

    We have a 2100 Wlan controller set up with multiple wlans.
    We are having problems on the Guest VLAN in that every time a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
    Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
    NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
    If the box is rebooted it works for around an hour, then begins to fail again.
    Any ideas?

    Here is the configuration guide for web authentication on the WLC, with an example; it may help you with troubleshooting and configuration
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

  • Using ISE guest store via RADIUS

    I have a question concerning the guest store on the ISE.
    I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
    On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
    Has anyone already implemented a similar solution or any idea how to access the guest store?
    Thanks
    Thomas

    I just created a simple setup and tested the login.
    It doesn't work with a user created as a guest account.
    If I create the user in the normal internal identity store it works fine.
    Might there be a difference between ISE Versions?
    We are currently using Version 1.1.0.665 on a VM for testing purposes.
    This is what the details show:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24206  User disabled
    22057  The advanced option that is configured for a failed authentication request is used
    22061  The 'Reject' advanced option is configured in case of a failed authentication request
    11003  Returned RADIUS Access-Reject
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24212  Found User in Internal Users IDStore
    22037  Authentication Passed
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - Guest
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept
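
The two authentication attempts in the step trace above can be summarized per RADIUS session to see which identity store was consulted and which step preceded the reject. This is an added example, not part of the original post and not an ISE tool; the function name is hypothetical, the trace is the one quoted in the post, and treating the last step before 22057/22061/11003 as the cause is an assumption of this sketch.

```javascript
// Added example: group an ISE authentication step trace into RADIUS sessions
// and report identity store, user, outcome and the step that led to a reject.
// Assumption: the "cause" heuristic (last step before the reject handling
// steps 22057/22061 and 11003) is this sketch's own, not ISE behaviour.

// Step trace copied from the post above.
const TRACE = `
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24206  User disabled
22057  The advanced option that is configured for a failed authentication request is used
22061  The 'Reject' advanced option is configured in case of a failed authentication request
11003  Returned RADIUS Access-Reject
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - Internal Users
24210  Looking up User in Internal Users IDStore - tuser001
24212  Found User in Internal Users IDStore
22037  Authentication Passed
Evaluating Authorization Policy
15004  Matched rule
15016  Selected Authorization Profile - Guest
11022  Added the dACL specified in the Authorization Profile
11002  Returned RADIUS Access-Accept
`;

// Steps that describe how a failure is handled rather than why it happened.
const HANDLING_STEPS = new Set(["22057", "22061", "11002", "11003"]);

// Text after the first " - " separator, or null when there is none.
function afterDash(text) {
  const i = text.indexOf(" - ");
  return i < 0 ? null : text.slice(i + 3).trim();
}

function summarizeRadiusSessions(trace) {
  const sessions = [];
  let current = null;
  let lastStep = null;
  for (const line of trace.split("\n")) {
    const m = /^\s*(\d{5})\s+(.+?)\s*$/.exec(line);
    if (!m) continue; // section headings such as "Evaluating Identity Policy"
    const code = m[1];
    const text = m[2];
    if (code === "11001") { // a new Access-Request starts a new session
      current = { identityStore: null, user: null, authzProfile: null,
                  result: "incomplete", cause: null };
      sessions.push(current);
      lastStep = null;
      continue;
    }
    if (!current) continue;
    if (code === "15013") current.identityStore = afterDash(text);
    if (code === "24210") current.user = afterDash(text);
    if (code === "15016") current.authzProfile = afterDash(text);
    if (code === "11002") current.result = "accept";
    if (code === "11003") { current.result = "reject"; current.cause = lastStep; }
    if (!HANDLING_STEPS.has(code)) lastStep = code + " " + text;
  }
  return sessions;
}

console.log(summarizeRadiusSessions(TRACE));
```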

  • Auto login with web auth?

    I have a guest WLAN on a mobility anchor that uses web auth for access. There is a small set of local users, but the majority of the auth comes from a Radius server. Question is, can I setup some type of policy that will auto login users based on MAC address so they don't have to web authenticate?
    Thanks!
    Edit: I have seen where you can enable mac filtering on the WLAN and specify individual mac addresses to permit. This would work, but I still want web auth for the majority of users. Only a few users should be automatically connected. The rest should still authenticate via web auth.

    Well I have some fantastic news.... and then some horrible news at the same time...
    In 7.0.116.0 a new feature was introduced called web auth on mac-filter failure.  Basically it does exactly what I think you are asking. Right?   You mac filter your wlan, and then if anyone fails the mac filter, they can web authenticate. 
    Unfortunately, it doesn't work in an Anchored scenario  as the Mac filter is L2 performed on the Foreign WLC, and the Anchor does L3 with no knowledge the Foreign was good to bypass webauth....   CSCts54424 is tracking this behavior for Anchor scenario, but I don't think it is planned to go into 7.0......

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on a 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changing the web-auth secure web to enable again and rebooting the WLC fixed the issue...Has anyone run into this before and any idea how to fix it?
    Thanks in advance for your input!
    Robin

    The custom page might be from the Cisco web auth page sample by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to disable the web-auth secure web on the main controller?
    This anchor is running in production and has to reboot after hours, will do the test and let you know how it goes.
    Thanks!
    Robin

  • Windows 7 Clients Not Working With Web-Auth

    I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
    The login page is customised showing T's & C's with two buttons, Accept or Reject.
    Do I need to Pre-Auth with ACLs? Has anyone had similar issues, or any good docs etc.
    Thanks in advance for any replies.
    Jay

    Nicolas,
    Many thanks for your reply. The problem is that this is a guest network that's also available to the public and I don't have any control over the end clients.
    After doing a quick search on the net I found this.
    NCSI: Uses a combination of DNS and/or HTTP lookups to tell if you are connected to the Internet. The way NCSI does this is either via an HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS lookup for dns.msftncsi.com that resolves to 131.107.255.255.
    NCSI does this whether you are logged on or not.
    Do I need to create a preauthentication ACL on the Guest WLAN interface?
    Configure a preauthentication ACL on the WLAN to allow wireless clients to:
    1.       Permit DNS resolution (UDP/53) to 213.199.181.90
    2.       Permit TCP port 80 to 131.107.255.255
    Jay
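
The two rules listed in the post above, checked against constructed pre-authentication flows. This is an added example, not part of the original post or any controller's code; it assumes first-match evaluation with a final implicit deny and models only the client-to-network direction. `Rule`, `Flow`, `evaluate` and `audit` are hypothetical names, and 198.51.100.53 and 203.0.113.80 are documentation-range placeholders.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "udp" or "tcp"
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # None matches any destination port


class Flow(NamedTuple):
    name: str
    proto: str
    dst: str
    dport: int


# The two rules proposed in the post above.
PREAUTH_ACL = [
    Rule("permit", "udp", "213.199.181.90/32", 53),
    Rule("permit", "tcp", "131.107.255.255/32", 80),
]

# Constructed flows from an unauthenticated client. 198.51.100.53 and
# 203.0.113.80 are placeholders (assumption), not real resolver/server IPs.
FLOWS = [
    Flow("DNS query to 213.199.181.90", "udp", "213.199.181.90", 53),
    Flow("DNS query to another resolver", "udp", "198.51.100.53", 53),
    Flow("HTTP to 131.107.255.255", "tcp", "131.107.255.255", 80),
    Flow("HTTP to another web server", "tcp", "203.0.113.80", 80),
    Flow("HTTPS to 131.107.255.255", "tcp", "131.107.255.255", 443),
]


def evaluate(acl, flow):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    dst = ipaddress.ip_address(flow.dst)
    for rule in acl:
        if (rule.proto == flow.proto
                and dst in ipaddress.ip_network(rule.dst)
                and rule.dport in (None, flow.dport)):
            return rule.action
    return "deny"


def audit(acl, flows):
    """Return {flow name: verdict} so gaps in the ACL are easy to spot."""
    return {flow.name: evaluate(acl, flow) for flow in flows}


if __name__ == "__main__":
    for name, verdict in audit(PREAUTH_ACL, FLOWS).items():
        print(f"{verdict:6}  {name}")
```

Replace the placeholder flows with the destinations seen in a client capture to check whether the probes a client actually sends are covered before authentication.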

  • Problem with Web Auth

    Hi,
    I have two wireless networks, one for the guests and the other one extends the corporate network. I created two VLANs on my 6509 switch and mapped the VLANs to the WLANs. All is working fine, but when I enable web auth for guest I can no longer ping my gateway or browse, and even web auth is not authenticating against the internal users configured on the WLC... web auth just won't work.
    What could be wrong? I really need to authenticate using web auth.

    OK, so this is what I need:
    Send me show custom-web details.
    So if you open the page, do you get the default Cisco webauth redirected page? Are you able to put in the user name and password?
    Can you send me a screenshot of the events?
    Regards
    Seema

  • HREAP with web-auth (internal)

    I have a lwap at a remote site that is configured as HREAP so that it can continuously provide connectivity when the WLC is unreachable. I have two vlans on the lwap. One is locally authenticated and locally switched for intranet connectivity. The other is for internet connectivity and I wanted that one to be locally switched, but authenticate at the WLC. When I configure the WLAN as HREAP - locally switched, it doesn't work. If I configure the WLAN as non-HREAP it works. Anyone know what the trick is to get this thing to work? I want my internet wlan at that site to be locally switched but centrally authenticated. My WLC only seems to have a selection for HREAP - Local switching, it doesn't have anything you would check to specify central authentication.
    My WLC (2106)  is version 6.0.182.0 and my lwap is an 1142n.
    Thanks!

    In the first document:
    Q. Can I do web authentication with Local switching?
    Yes, you can have an SSID with web-authentication enabled and drop the traffic locally after
    web-authentication. Web-authentication with Local switching works fine.
    1.  WLAN, (wlan you want to local switch), Advanced tab, click the "H-REAP Local Switching" checkbox.
    2.  Wireless, (click the h-reap modify), H-REAP tab, click "Vlan Support", Vlan Mappings button, then map the wlan to vlan you want to drop traffic onto.
    Also, for wan up/local switched wlans authentication still happens on the controller until the h-reap goes into wan down.  WLANs default to central switching, you have to define the ones which need to be locally switched as described above.
