Guest Wireless and URL re-direct failure

Hi,
We have a successful guest wireless service with authentication via a Cisco NAC server.  One MAC user is having difficulty accessing the authentication URL (https://1.1.1.1/login.html) - this is using either Safari, Firefox or Google Chrome browsers.  The browsers do not automatically re-direct and when I enter the authentication URL manually, if it does appear, when entering the username/password combination, the screen just returns to the authentication URL and does not display the successful authentication sub-window.
There are no proxy settings on the browser - does anybody have any suggestions?
Many thanks

When you say, "One MAC user" you mean every other client works except for this one MAC device?  If other MAC devices work, then it must be something on the client device that is having issues.  The only issue that I have run into is HTML code that might not be supported in certain browsers if you are running a custom webauth page.

Similar Messages

  • Button Processing and url re-direction

    I am using HTMLDb to run Oracle reports and can call reports via a submit button that uses a static substitution string to complete the URL, and this works.
    However I have created a plsql process to create a where clause parameter that I need to include in the URL and pass to Oracle Reports. When I change the button not to redirect to a url the plsql process runs but I am not sure how to then redirect to a url?
    If I change the button back to re-direct to a url then the plsql process does not run but the process is re-directed to a url.
    Question: what is the easiest way to invoke some plsql when a button is pressed and then re-direct to a url?

    trap the back button
    its not at all clear...
    ur req is from screen 3 ->display document    then on back button
    screen 2 the list display...
    The report acts in the same way ....

  • Guest wireless and corporate wireless

    Hello,
    What would be the securest (and cheapest), way to setup a "Guest" WLAN simultaneously with the "Corporate" WLAN?
    In my own opinion, the securest way isn't the cheapest by far.  Because, in my own opinion, it would be best to segregate the WLAN's physically.  Meaning having the WLAN's on different WLAN Controllers as well as physically different WAP's.
    Any and all advice will be greatly appreciated.
    Thank you in Advance.
    Jay

    Thank you all for your input.
    I inherited this network, and there are a total of 6 WLAN's on our 5508 WLC.  5 of the WLAN's are WEP.  As I said, I have no idea why.  My supervisor seems to think we need to setup the 5 Guest  (yes I said 5 Guest), WLAN's as WEP.  All of the Guest WLAN's can only access the internet and none of our network resources.  The only WPA2 WLAN is integrated with our AD so those users can access the network resources.  I want to change them all to WPA2, but my supervisor seems to be not wanting that done.  I explained to him and our manager how the network can be compromised by that kind of setup, but the only one that agrees with me is my manager.
    What I am concerned about is, even if I set them all to WPA2, would a vendor who has many Trojans and/or other tools covertly installed on their device be able to compromise the 5508?

  • E4200 guest wireless redirect failure in Bridged Mode: cause & solution.

    Background:
    I have two E4200 v1 routers, both running the 1.0.04 firmware, both running in Bridged Mode.
    On one, guest wireless redirect works perfectly: select the Network-guest SSID, open a browser and you get the Cisco login page, enter the passphrase and bingo, you're connected.
    On the other unit, the redirect seems to fail. You are never presented with the login page and so, you are never connected.
    After hours of mucking about, including some time on the phone with a very patient engineer, I believe I have stumbled on what's actually going on and possibly, what needs to be done to fix it.
    The Problem
    The firmware assumes that in Bridged Mode, DNS should come from the Gateway IP address.
    The Fix
    Linksys should include a field in Bridged Mode that allows you to specify an IP for the DNS server.
    Diagnostics
    To diagnose the problem, I used a Mac OS X machine.
    The network is set up like this:
    Router (not the E4200) is at 10.0.0.1
    DNS server is at 10.0.0.2
    E4200, Bridged Mode as a WAP, is at 10.0.0.253.
    E4200's network settings are:
    IP: 10.0.0.253
    Subnet: 255.255.255.0
    Gateway: 10.0.0.1
    The problem is that the Linksys firmware assumes that DNS and the gateway are at the same IP. You will note that there is no place in the Bridged Mode settings to specify a DNS server IP address.  You can prove this by doing the following:
    1. Connect to the guest wireless. 
    2. In a Terminal window, type cat /etc/resolv.conf and press Enter.  You'll see this:
    nameserver 10.0.0.1
    nameserver 192.168.33.1
    This tells us that when you're on the guest network, your machine is looking for DNS results from 10.0.0.1. Except that on many networks, the gateway does not supply DNS. You can prove that DNS is working by typing this into a Terminal window:
    dig yahoo.com
    You should see a result similar to this:
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> yahoo.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45182
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 13
    ;; QUESTION SECTION:
    ;yahoo.com.            IN    A
    ;; ANSWER SECTION:
    yahoo.com.        3063    IN    A    209.191.122.70
    yahoo.com.        3063    IN    A    72.30.38.140
    yahoo.com.        3063    IN    A    98.139.183.24
    ;; AUTHORITY SECTION:
    .            24651    IN    NS    a.root-servers.net.
    .            24651    IN    NS    j.root-servers.net.
    .            24651    IN    NS    l.root-servers.net.
    .            24651    IN    NS    c.root-servers.net.
    .            24651    IN    NS    e.root-servers.net.
    .            24651    IN    NS    d.root-servers.net.
    .            24651    IN    NS    f.root-servers.net.
    .            24651    IN    NS    m.root-servers.net.
    .            24651    IN    NS    g.root-servers.net.
    .            24651    IN    NS    b.root-servers.net.
    .            24651    IN    NS    i.root-servers.net.
    .            24651    IN    NS    h.root-servers.net.
    .            24651    IN    NS    k.root-servers.net.
    ;; ADDITIONAL SECTION:
    a.root-servers.net.    24651    IN    A    198.41.0.4
    b.root-servers.net.    24651    IN    A    192.228.79.201
    c.root-servers.net.    24651    IN    A    192.33.4.12
    d.root-servers.net.    24651    IN    A    128.8.10.90
    e.root-servers.net.    24651    IN    A    192.203.230.10
    f.root-servers.net.    24651    IN    A    192.5.5.241
    g.root-servers.net.    24651    IN    A    192.112.36.4
    h.root-servers.net.    24651    IN    A    128.63.2.53
    i.root-servers.net.    24651    IN    A    192.36.148.17
    j.root-servers.net.    24651    IN    A    192.58.128.30
    k.root-servers.net.    24651    IN    A    193.0.14.129
    l.root-servers.net.    24651    IN    A    199.7.83.42
    m.root-servers.net.    24651    IN    A    202.12.27.33
    ;; Query time: 73 msec
    ;; SERVER: 10.0.0.1#53(10.0.0.1)
    ;; WHEN: Thu Apr  5 10:51:02 2012
    ;; MSG SIZE  rcvd: 494
    Note the section at the bottom that says ;; SERVER: 10.0.0.1#53(10.0.0.1). This tells you that the DNS query was answered by the DNS server at 10.0.0.1.
    But in fact, if DNS is NOT served by your Gateway, you'll see this:
    dig yahoo.com
    ; <<>> DiG 9.6-ESV-R4-P3 <<>> @10.0.0.1 yahoo.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    Lucky:~ aball$
    As a side note: the reason that the login page is never presented is most likely that the login page is only presented the first time that your Mac OS X machine connects to the network. Thereafter, the network is remembered and the WAP allows you access without a password. So, once you've connected a second time to the network, the WAP says "I know you" and lets you sail on through to wherever your browser is pointed, but then the browser, unable to find a DNS server, returns a blank page which appears to be a failure to present the login page but is, in fact, a DNS failure.
    Hope someone finds this useful. And here's hoping that Linksys fixes this obvious issue with the firmware.
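
The diagnostic steps above as a script, added here as an example and not part of the original post: it lists the resolvers the guest client was handed, queries each one directly with dig, and classifies the replies. The function names and the `--live` switch are assumptions of this example, and the sample inputs are constructed from the output quoted in the post.

```sh
#!/bin/sh
# Added example: automates the resolver check described in the post.
# Function names and the --live switch are assumptions of this example.

# Print every resolver address from resolv.conf-style text (file args or stdin).
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$@"
}

# Read dig output on stdin and print one of:
#   answered:<ip>  a server replied (taken from the ";; SERVER:" line)
#   timeout        dig reported "no servers could be reached"
#   unknown        neither marker was present
classify_dig_output() {
    awk '
        $1 == ";;" && $2 == "SERVER:" { split($3, part, "#"); server = part[1] }
        /no servers could be reached/  { timed_out = 1 }
        END {
            if (server != "")   print "answered:" server
            else if (timed_out) print "timeout"
            else                print "unknown"
        }'
}

# Read "<resolver> <result>" lines on stdin and summarise them:
#   dns-ok       every resolver answered; a blank page is not a DNS problem
#   dns-partial  some resolvers are dead; lookups work but may stall
#   dns-failure  no resolver answered; the browser cannot resolve anything
#   no-data      nothing to judge
diagnose() {
    awk '
        $2 ~ /^answered:/ { ok++ }
        $2 == "timeout"   { dead++ }
        END {
            if (ok > 0 && dead == 0)      print "dns-ok"
            else if (ok > 0 && dead > 0)  print "dns-partial"
            else if (dead > 0)            print "dns-failure"
            else                          print "no-data"
        }'
}

# Query NAME at each resolver listed in FILE. Needs dig and a live network.
probe_nameservers() {
    for ns in $(list_nameservers "$1"); do
        result=$(dig +time=2 +tries=1 "@$ns" "$2" 2>&1 | classify_dig_output)
        printf '%s %s\n' "$ns" "$result"
    done
}

# Constructed samples, modelled on the output quoted in the post.
SAMPLE_RESOLV='nameserver 10.0.0.1
nameserver 192.168.33.1'
SAMPLE_ANSWER=';; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; MSG SIZE  rcvd: 494'
SAMPLE_TIMEOUT=';; global options: +cmd
;; connection timed out; no servers could be reached'

if [ "${1:-}" = "--live" ]; then
    # Live run on the guest client: sh dnscheck.sh --live [name]
    results=$(probe_nameservers /etc/resolv.conf "${2:-example.com}")
    printf '%s\n' "$results"
    printf '%s\n' "$results" | diagnose
else
    # Offline run over the constructed samples.
    printf '%s\n' "$SAMPLE_RESOLV" | list_nameservers
    printf '%s\n' "$SAMPLE_ANSWER" | classify_dig_output
    printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output
    printf '10.0.0.1 timeout\n192.168.33.1 timeout\n' | diagnose
fi
```

A `dns-failure` result on the guest SSID points at name resolution rather than the login redirect, which is the distinction the post draws.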

    I do understand what you were trying to do here since you would like to have only 2 SSIDs (main & guest) for perhaps easy connectivity. The reason why you were not having problems getting online wirelessly when you were connected to the main network is that the computer was connected to only one DHCP server, since the 2 bridge routers were just acting as a switch or a passthrough device. Now with guest network access it is a different scenario: a guest network is a virtual network, meaning it’s like you're having another router embedded in your router. Since it is a virtual network, it does not follow the parameters of the main network; hence even if the router was set to bridge mode, those routers will still have their own IP address of either 192.168.33.1 or 192.168.3.1.

  • URL Logging for Guest Traffic using Guest Anchor and ISE

    Hi there all,
    I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
    I'm wondering if anyone has managed to do this using ISE?
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
    I have tried your suggestion and I cannot get the same results as you.
    I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
    I have this configuration...
    dACL
    3k-access#sh ip access-list int fa0/1
         permit udp host 10.1.10.103 any eq domain
         permit icmp host 10.1.10.103 any
         permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
         permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
         deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
         permit ip host 10.1.10.103 any
    Logging config...
    logging esm config
    logging trap debugging
    logging origin-id ip
    logging host 10.1.100.21 transport udp port 20514
    With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.
    Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?
    Mario

  • Wireless and guest network and HREAP

    Hi,
    I have inherited a wireless infrastructure which comprises a head office with WCS and WLC plus LWAPP access points.
    There is a sub office in another town who wishes to deploy a wireless infrastructure and it struck me that as they only want to deploy a couple of AP's that HREAP would be good to use in this scenario.
    However they want to also use the guest wireless network that we have in the head office but I don't want their guest traffic to come to our DSL modem that we have set up for the HO guest wireless. The two offices are connected via an MPLS link which doesn't need any more traffic on it.
    Is there a way of configuring the HREAP and the WLC and WCS so that the sub office breaks out locally for guest and yet the lobby admin at HO can control the password?
    Many thanks,

    Hi Nell,
    the feature you are looking for is "H-REAP local switching".
    So you can set the remote AP to H-REAP mode (which optimizes it for "behind a WAN link") and from there you can set several ssids as "local switching".
    This means that everything about the authentication phase is handled by WLC but after authentication, the traffic is dropped locally at the AP and doesn't transit through the WLC.
    The guest SSID has to be enabled for local switching and then, on the H-REAP APs, go in the AP configuration (from WLC "wireless" tab, then click on ap) and in the hreap tab, you can configure the vlan where the guest traffic will be dropped on  the remote site. It must be a vlan that exists on the remote site and users will get a DHCP address on that vlan.
    Regards,
    Nicolas

  • Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

    I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
    WLC 2504
    1142 LAPs
    4510R+E
    ASA 5510
    Existing configuration as follows:
    WLC management interface and APs addressed on the 192.168.126.0 /25 network
    Internal WLAN mapped to the management interface
    Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
    WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
    4510 connected to ASA inside interface (security level 100)
    Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
    ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
    What is the best way to add guest wireless to our existing configuration?
    Note: I need the guest wireless to be filtered by Websense as our internal wireless is
    Any advice would be greatly appreciated!

    Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the appropriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?
    Any input would be greatly appreciated...
    JW

  • VLAN Configuration for Internal and Guest Wireless

    Hello,
    We are using the following hardware…
    SG300-52MP switch -- latest firmware
    ASA 5512-X firewall -- 9.1
    Aironet AP1131AG WAP
    We have the following networks…
    10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
    10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
    10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
    The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
    Relevant parts of the WAP configuration are…
    dot11 ssid GUEST
       vlan 6
    dot11 ssid SECURE
       vlan 1
    interface Dot11Radio0
    no ip address
    ssid GUEST
    ssid SECURE
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface Dot11Radio1
    no ip address
    no ip route-cache
    ssid GUEST
    ssid SECURE
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio1.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface FastEthernet0
    no ip address
    no ip route-cache
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    interface FastEthernet0.6
    encapsulation dot1Q 6
    no ip route-cache
    bridge-group 255
    interface BVI1
    ip address 10.252.4.4 255.255.255.0
    no ip route-cache
    ip default-gateway 10.252.4.1
    We can manage the WAP through its Internal IP address (10.252.4.4).
    And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]
    The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
    [Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 
    While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
    I have a feeling that I have configured the VLANs on the ports incorrectly.
    Relevant parts of the SG300 configuration are...
    v1.3.0.62 / R750_NIK_1_3_647_260
    vlan database
    vlan 3,6
    ip dhcp snooping
    ip dhcp relay address 10.252.4.1
    ip dhcp relay enable
    bonjour interface range vlan 1
    interface vlan 1
    ip address 10.252.4.2 255.255.255.0
    no ip address dhcp
    interface vlan 3
    name VOIP
    interface vlan 6
    name Guest
    interface gigabitethernet45 -- Access mode, Untagged VLAN6
    description ASA-Guest
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 6
    interface gigabitethernet46 -- Access mode, Untagged VLAN3
    description ASA-VOIP
    ip dhcp snooping trust
    switchport mode access
    switchport access vlan 3
    interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
    description WAP1
    switchport trunk allowed vlan add 6
    interface gigabitethernet48 -- Trunk mode
    description ASA-Internal
    ip dhcp snooping trust
    ip dhcp relay enable
    Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!

  • Multiple Airports with private and isolated guest wireless networks available from both

    Hi,
    I've been searching online for some equipment that can do what I want to do without going into the enterprise grade and spending $5000 on Cisco gear.
    Consider two locations approx 80m apart - Primary is a house, and secondary location is a garage. A Cat6 run exists between the two.
    The goal would be to have a wireless primary router in the house for wired and private wireless internet access, with an additional Guest wireless that is isolated from the private network that I can turn on and off if guests are coming over.
    In addition, the second location should also support both wired and wireless connections.
    It seems simple to me, one device in each location. The WAN port on the garage device would connect back to the house device. The two devices should be smart enough to know that one is extending the other. Someone on the guest wireless that is connected via the garage AP would not be able to see the wired devices even though its traffic is going across the same wire back to the primary router.
    Can I do this without spending a fortune?
    Thanks

    Two Apple AirPorts would do most....but not all...of what you want.
    A few notes.....
    In order for the guest network feature to work correctly on an AirPort router, the "main" AirPort in the house must connect to a simple modem......not a modem/router or gateway device.  That is a deal killer for some users right there.
    When the guest network is activated in the garage, it must be activated for both AirPorts....house and garage.
    You could activate the guest network for the house and leave the guest network off in the garage if you wanted, no problem there.....but.....you could not activate the guest network in the garage without also activating it in the house first.
    "Guests" can only connect to the guest network using wireless. Up to you to decide if you want to leave the guest network open or use a password that would need to be used to connect to the network.
    But.....If "guests" had physical access to the AirPort in the garage....and they connected to one of the Ethernet ports on the AirPort in the garage, they would be connecting to your main or private network.
    So, if something like this was a concern, you would have to either hide the AirPort in the garage and trust that users would not find it....or....find some way to limit access to the back panel of the AirPort so that users could not connect to it using an Ethernet cable.
    If the features and installation limitations are acceptable, you could spend as little as $100 for each AirPort Express.
    If you wanted better performance from the AirPort in the house, you could use an AirPort Extreme there...about $200 and an AirPort Express in the garage.
    The deluxe option would be to use two AirPort Extremes.
    Finally, you would want to make sure that you understood the store's return policy before you buy.....in case something unexpected crops up, as can sometimes be the case.

  • Internal Corporate wireless and guest wireless network

    I need some technical information on how the wireless guest network is created on the Airport Extreme. We currently do not permit personal wireless devices to connect to our internal wireless network in order to protect our data. Several times users have presented us with justifiable business requests to have access to the wireless network from their own devices. We've been looking at using the Airport Extreme in order to do this, but we are bound by PCI (Payment Card Industry) requirements to keep our customer credit card data secure. PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?
    Two or three of these on each floor would fit our need for such access and keep our customer data secure.
    Thanks

    Welcome to the discussion area!
    +PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
    I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
    This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
    FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.

  • Setting up webauth for guest wireless access

    Hi there,
    I'm trying to set up guest wireless access.  Having no experience with this at all, I'm beginning to struggle.
    Equipment:
    2x 3850 stacked and acting as one switch running 03.06.00E
    4x 1602E AP's registered to the WLC running on the 3850
    The infrastructure is sound and corporate wireless access works ok.
    I need a config that allows a guest user to connect to the guest SSID, DHCP an address, then when they open a browser, they are automatically redirected to a splash screen for them to log on. Once they log on with the supplied username and password they are then forwarded to whatever site it is they wish to go to;  So far my config looks like this (removed unnecessary parts for brevity);
    Building configuration...
    user-name test
     creation-time 1414684496
     privilege 0
     password 7 051F031C35
     type network-user description test guest-user lifetime year 0 month 0 day 0 hour 23 minute 59 second 4
    aaa new-model
    aaa authentication login aaa_guest_webauth local
    aaa authentication login local_login local
    aaa authorization exec local_authorise local
    aaa authorization network guest_authorisation local
    aaa authorization credential-download default local
    aaa session-id common
    switch 1 provision ws-c3850-24t
    switch 2 provision ws-c3850-24t
    service-template webauth-global-inactive
     inactivity-timer 3600
    service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
    service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    spanning-tree mode pvst
    spanning-tree extend system-id
    hw-switch switch 1 logging onboard message level 3
    hw-switch switch 2 logging onboard message level 3
    parameter-map type webauth global
     virtual-ip ipv4 1.2.3.4
    parameter-map type webauth guest-webauth
     type webauth
     redirect on-success http://www.google.com
     banner text ^CC test text test ^C
     custom-page login device flash-1:login.html
     custom-page failure device flash-1:failed.html
    class-map match-any non-client-nrt-class
    policy-map port_child_policy
     class non-client-nrt-class
      bandwidth remaining ratio 10
    interface VlanXXX
     description "Guest-Access-VLAN"
     ip address 10.x.x.126 255.255.255.128
     ip helper-address x.x.x.x
     ip helper-address x.x.x.x
    line vty 0 4
     exec-timeout 7 0
     authorization exec local_authorise
     login authentication local_login
     transport input ssh
    line vty 5 15
     exec-timeout 7 0
     authorization exec local_authorise
     login authentication local_login
     transport input ssh
    wsma agent exec
     profile httplistener
     profile httpslistener
    wsma agent config
     profile httplistener
     profile httpslistener
    wsma agent filesys
     profile httplistener
     profile httpslistener
    wsma agent notify
     profile httplistener
     profile httpslistener
    wsma profile listener httplistener
     transport http
    wsma profile listener httpslistener
     transport https
    wireless mobility controller
    wlan Wireless-Guest-Access 24 wireless-guest
     client vlan Guest-Access-VLAN
     ip access-group GUEST-ACCESS
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth authentication-list aaa_guest_webauth
     security web-auth parameter-map guest-webauth
     session-timeout 1800
     no shutdown
    ap country GB
    ap group default-group
    ap group BUS-AP-Group
     wlan Wireless-Corporate-Access
      vlan BUS-CORP-DATA-VLAN
     wlan Wireless-Guest-Access
      vlan Guest-Access-VLAN
    end
    I carried out a Wireshark trace and can see the DHCP OK, then see DNS queries to the DNS name server and the replies, followed by a TCP SYN to the resolved IP of the website requested - but that's it, there is no SYN ACK reply or redirect to the login page which I have placed on the flash and specified under 'custom-page login'.
    I am under the impression that the way this should work is as follows;
    1. Client connects to SSID and carries out DHCP DORA and is assigned an IP address
    2. open browser on client and carry out name resolution 
    3. once name is resolved, carry TCP three way handshake with requested site (e.g. google)
    4. once three way handshake is completed client carries out an HTTP GET request
    5. WLC holds the response and redirects to the login page
    6. on successful login, original requested page is forwarded to client.
    I can't seem to get a response - even if I remove the ACL.
    Am I heading in the right direction or am I trying to achieve something which is not possible with my setup?
    Cheers

    Also, forgot to say, make sure your files are preceded with webauth for your html and js and web_auth for image files
    38725  -rw-        4265   Nov 4 2014 12:21:28 +00:00  webauth_login.html
    38726  -rw-        6937   Nov 4 2014 12:11:03 +00:00  webauth_aup.html
    38727  -rw-        1356   Nov 4 2014 12:11:30 +00:00  webauth_logout.html
    38728  -rw-         662   Nov 4 2014 12:11:43 +00:00  webauth_failed.html
    38729  -rw-         318   Nov 4 2014 12:11:58 +00:00  webauth_loginscript.js
    38731  -rw-       82940   Nov 4 2014 12:12:28 +00:00  web_auth_image.jpg
    CORE-SW01#sho run | s param
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     custom-page login device flash:webauth_login.html
     custom-page failure device flash:webauth_failed.html
    parameter-map type webauth guest-webauth
     type webauth
     custom-page login device flash:webauth_login.html
     custom-page failure device flash:webauth_failed.html
     security web-auth parameter-map guest-webauth
    CORE-SW01#

  • ISE Custom AUP for Guest Wireless

    Hi All,
    I am trying to set up Guest wireless using Cisco ISE for the first time.  Under Multi-Portal Configurations, I was hoping to be able to edit the DefaultGuestPortal profile so that I could change the wording of the AUP from Cisco's Blurb.  Can anyone point me in the direction where I can do this?  The only alternative I can see is to create a new portal from scratch.
    Cheers
    Brian

    MultiPortal Configurations
    Cisco ISE provides you with the ability to host multiple guest portals in the Cisco ISE server. The Guest user portal has a default Cisco look and feel. These pages are dynamically generated to offer portal features such as change password and self-registration in the Login Screen.
    You can use the Multi-portal configuration to upload set of GUI pages specific to your organization to handle the Login, AUP, Change Password and Self Registration. In order to access an uploaded client portal the guest portal URL must include the name of the portal specified during the upload.
    You can design and upload HTML pages to define new guest portals or replace the default guest portal. These pages must use plain HTML code and must contain form actions that point to the guest portal backend servlets. You must define separate HTML pages for login, acceptable use policy (AUP), the change-password function, and self-registration.
    For Complete Configuration Guide, Please click on below link
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.pdf

  • WLC guest wireless proxy script for Apple iPhone

    I have guest wireless set up on a 4402 WLC. I am using a wpad.dat (proxy.pac) proxy auto-config script to ensure guest traffic passes through a proxy. After a few attempts at creating a working proxy.pac file, Cisco TAC provided one that worked successfully for IE and Firefox (I realise only IE is officially supported by the WLC however my issue is not with an issue of browser-WLC compatibility).
    I am after a proxy.pac proxy auto-config file that will work with Apple iPhone Safari browser (the script below does not). Manually specifying the proxy is not an option as Safari on the iPhone does not allow "proxy exceptions" to be specified.
    The script I use which works fine with IE and Firefox is below:
    function FindProxyForURL(url, host)
    {
        // variable strings to return
        var proxy_yes = "PROXY 10.23.16.20:80";
        var proxy_no = "DIRECT";
        // Go direct to the WLC web-auth address (1.1.1.1)
        if (shExpMatch(url, "http://1.1.1.1*")) { return proxy_no; }
        if (shExpMatch(url, "https://1.1.1.1*")) { return proxy_no; }
        // Proxy anything else
        return proxy_yes;
    }

    Here is the Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.0
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.0/GAccess.html#wp1167844
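The URL-prefix globs in the script posted above match more than the web-auth address itself, which matters when the proxy is the control point for guest traffic. The following is an added example, not part of the original posts and not Cisco's code, that runs the posted rules next to an exact host comparison over constructed sample URLs. The `shExpMatch` shim, the `findProxy*` function names and the sample URLs are assumptions made for the illustration, and it does not address the iPhone Safari behaviour the poster asks about.

```javascript
// Added example (not from the original posts). shExpMatch below is a minimal
// shim of the PAC shell-glob helper so the rules can run outside a browser.
const PROXY = "PROXY 10.23.16.20:80"; // proxy address taken from the posted script
const DIRECT = "DIRECT";
const PORTAL_HOST = "1.1.1.1";        // web-auth address used in the posted script

function shExpMatch(str, pattern) {
  // Escape regex metacharacters, then map glob '*' and '?' to regex.
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + body + "$").test(str);
}

// Rules as posted: URL-prefix globs.
function findProxyOriginal(url, host) {
  if (shExpMatch(url, "http://1.1.1.1*")) { return DIRECT; }
  if (shExpMatch(url, "https://1.1.1.1*")) { return DIRECT; }
  return PROXY;
}

// Hypothetical tighter variant: exact comparison on the host argument.
function findProxyHostMatch(url, host) {
  return host === PORTAL_HOST ? DIRECT : PROXY;
}

// Constructed sample URLs (.test is a reserved TLD).
const SAMPLE_URLS = [
  "https://1.1.1.1/login.html",
  "http://1.1.1.1/",
  "http://1.1.1.100/",
  "http://1.1.1.1.example.test/",
  "http://www.example.test/",
];

function compareRules(urls) {
  return urls.map((url) => {
    const host = new URL(url).hostname; // PAC callers pass the hostname as 'host'
    return {
      url,
      original: findProxyOriginal(url, host),
      hostMatch: findProxyHostMatch(url, host),
    };
  });
}

function overmatched(urls) {
  // URLs the posted rules send DIRECT although the host is not the portal.
  return compareRules(urls)
    .filter((r) => r.original === DIRECT && r.hostMatch !== DIRECT)
    .map((r) => r.url);
}

console.log(compareRules(SAMPLE_URLS));
console.log("sent DIRECT by the glob rules only:", overmatched(SAMPLE_URLS));
```

A PAC file is advisory to the client, so the proxy requirement still has to be enforced on the guest network itself.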

  • Wireless and network printing transcript for Meet the Experts

    On March 16th, HP hosted its first online chat event on wireless and network printing. Below is a transcript of that session.
    I am in the process of planning the next chat event. I would love to hear what topics would interest you, what day of the week and time is best for you, and if you think an hour is too long.
    So, if you get a minute, please let me know.
    Here's the transcript:
    SiobhanF-HP: Welcome! Cameron, Craig, David, and Jim are ready to tackle your questions.
    SiobhanF-HP: Just to remind you if you want to ask a question, you must be a member of the HP Support Forums. If you want to join, go here https://passport2.hp.com/hppcf/createuser.do
    nc256: Do I need a wireless router to hook up my wireless printer?
    CameronL-HP: No, but most people will want to do it this way. You can use a feature called an ad hoc connection to avoid using a router, but it is only covered under an older standard that is slower and less secure. Also, without something to route traffic between the local network and the internet, you cannot get an internet connection. Using a wireless router makes setting up a wireless network easier, and it will generally make the network work better too.
    jest1: I've seen some hardware in stores for a "print server" hardware device that attaches to a network. Is this something that I need in order to run a printer over a network?
    CraigB--HP: Not if you have a printer that has a network connection built in. Many models of HP computers are ready to be connected directly to your wired or wireless network.
    katiepage: How can I print when I am using a VPN?
    DavidH-HP: VPN connections generally hide the rest of your home network to increase the security of the VPN connection. A printer on the network isn’t a security threat but the VPN doesn’t know that. It just hides everything just to be sure. That means that when a VPN is active you need some way to connect to the printer other than your home network. Bluetooth, USB, and even printing to a thumb drive and plugging that into the printer are all ways of getting your print job to the printer that don’t go through your home network.
    SiobhanF-HP: If you have specific product questions, the more information you give us the better we will be able to help you. Getting your exact model number; any error messages; a description of your wireless network including what kind of security you have, what wireless-devices are connected to your network, and your IP address will go a long way to helping us answer your question.
    MelissaP: Why would I want a wireless printer?
    CraigB--HP: The main advantage of a wireless printer is the ability to place the printer somewhere in your home or office even if this is not near your router or computer.
    Deltan: What is the maximum distance I can have between my router and my printer?
    CameronL-HP: It does depend on your environment. Without interference about 25 feet. Walls and floors and other objects can reduce this. The types of walls are important. For example, mirrors and outdoor walls will greatly reduce the indoor range.
    jest1: Is there a preferred wireless router type or brand for wireless printing compatibility? We are using a Linksys 802.11g router in my home.
    JimB-HP: In general, any wireless-router from a name brand manufacturer that has been Wi-Fi certified is compatible with our printers (look for the Wi-Fi logo). We use Linksys in our lab with great success.
    nc256: Are there any digital cameras that can send directly to an HP wireless printer for photo printing?
    DavidH-HP: Many printers support a feature called Pictbridge. If the camera and printer both support this feature, the camera can be plugged directly into the printer to print photos. Or are you asking about printing over a network connection?
    KevinW: I keep hearing that you shouldn’t use default settings for a network. Why?
    CraigB--HP: There are three reasons not to use default settings: First, wireless-routers do not have any wireless security enabled by default. Second, you will be using a common network name in which case you may connect accidentally to your neighbor’s network. Third, your wireless-router is accessible by inadvertent guests who may change the configuration of your wireless-router without your knowledge or use your internet connection without your permission.
    Bodie08: I have an HP Lan attached printer and Windows XP on my home network. Is there a known setting (Firewall/port/other) or patch to address the issue of hpqtra08.exe hanging on Windows XP Shutdown? A number of us in the forum have identified this issue. Thanks!
    DavidH-HP: This problem has been seen in the past but there were attempts to address it. Have you checked to see if there is a later release of software available on the web? (hp.com)
    ZhuLee3: How old is wireless printing technology? I noticed all the experts have around 20 years of experience with it, was there wireless 20 years ago?
    JimB-HP: Wireless printing first appeared with the introduction of the 802.11 standard in the late 1990s. HP has been making wireless printers since 2003.
    lpeterson123: What makes wireless so flaky at times?
    CameronL-HP: There are lots of reasons. Wireless signals are affected by distance, walls, metal objects, and other wireless devices like cordless phones. However, most of the problems seem to be from how the network or how security software is configured, and these can also cause things to fail only occasionally or in certain situations. Having a good wireless connection between a PC and printer involves several hardware devices and lots of software made by different companies that all have to work together; if something is not quite right in any of these things then the whole solution looks flaky.
    Bowman16: I use a Mac, are there any features that would not work if I was to set it up for wireless use?
    DavidH-HP: All the features will work on a Mac if you install the full HP software solution.
    jest1: Thanks for the answer on the router question. The next question, then, is to ask what would be a recommended consumer-grade wireless-enabled printer (or series) just so I can start my research.
    JimB-HP: Any of our Photosmart or Officejet wireless printers will work with Wi-Fi certified wireless-routers. Our price points really have more to do with how much printing you do. In general, our more expensive printers cost less per page than our less expensive models.
    Bodie08: Why would I choose "spooling" on my PC over "direct connect"?
    CraigB--HP: In general, spooling allows you to use your program sooner than printing directly.
    ZhuLee3: Jim: What is it like to be an "HP Printing Expert"? What kind of stuff do you get to work on, on a day to day basis?
    JimB-HP: I really like my job -- I've always been a radio enthusiast so working on 802.11 technology is really a dream job for me. I'm also fortunate to work with a great team here in Vancouver, WA. More importantly, I like designing equipment that people use in their everyday lives.
    TEACHER1: Recently I changed routers, now I am unable to print wirelessly, even though the SES and wireless network light are steady on my Deskjet 6980 printer. What is the solution? Thanks.
    DavidH-HP: The wireless light indicates that the radio is on but does not indicate that the printer is connected to the network. First check that the printer is connected to the network by printing a network configuration page from the printer.
    AgentRed: I get my internet with a Verizon wireless broadband card. Someone told me that wouldn't work with a wireless printer. Is that true?
    CameronL-HP: Our wireless printers use the 802.11 b, g or n standard which is not compatible with the wireless cellular standard. It would be like trying to connect to a wireless network using Bluetooth. They are different wireless technologies.
    DavidH-HP: Regarding the Verizon card, it is true that you cannot connect the printer over the Verizon connection, but as long as your laptop has WiFi you can print to the printer over WiFi at the same time that the Verizon connection is active. This should not be a problem.
    jest1: Is there a "minimum" internet connection that is recommended for wireless printing? We live a bit far from the DSL CO so our connection is sometimes flaky. I would guess that incoming speed shouldn't affect my local wireless LAN but I want to ask it anyway.
    CameronL-HP: There are 2 parts to your home network. 1 is your wireless router which manages your local network equipment, then your network connection to the world wide web which your DSL provider gives you. The connection speed of your local network is not affected by your internet connection speed.
    Bowman16: Are any HP printers 802.11n? I do not want to add an 802.11b,g to my network and cause it to slow down.
    JimB-HP: Currently, our printers comply with the 802.11g standard. We are investigating the emerging 802.11n standard.
    ZhuLee3: Will there be a transcript of all the questions and answers from this chat available for viewing after the session? I think I missed some questions at the start.
    SiobhanF-HP: The chat event begins when you joined. Sorry that you can't see what was said before you joined. I hope to have the transcript posted tomorrow or on Wednesday at the latest.
    nc256: Where is the future of printers headed? Does HP have any interesting plans with printing technology? And what’s your opinion on whether or not color laser printing will ever approach the photo realism of ink jet color?
    JimB-HP: The future of HP printing will be characterized by wireless connectivity to not only computers but to mobile internet devices. In fact, as mobile devices become smaller (think phone or netbooks), the need to print from your mobile device might become more relevant.
    jest1: Am I able to print from my iphone to a wireless printer?
    CraigB--HP: You can print photos from your iPhone to HP wireless printers and it works great in my experience. Go to http://www.hp.com/go/iprintphoto to get the details.
    TEACHER1: Thank you. I printed a page. It shows that wireless is disconnected.
    DavidH-HP: Then you just need to input the wireless settings from your new router into the printer. If your printer does not let you input the settings from the front panel, you can use the CD that came with the printer or downloaded from hp.com to configure the printer again ( look for the option to "add a device" ).
    ZhuLee3: Question about security... if I get a wireless printer, what’s to prevent other people within range of my printer, from adding it and printing documents? How is this configured on the actual printer?
    JimB-HP: The simplest way to secure your printer is to enable WPA-PSK security for your wireless network and to use a security pass-phrase that is at least 12 characters long. This configuration is very safe from intruders for the foreseeable future.
    CameronL-HP: It is also a good idea to use a unique network name, also called an SSID.
    carolj: I have a photosmart C7180 and I have it hooked up to my laptop (windows vista) when the setup completed the printer was put in networking instead of printers and I cannot access it or move it out of there. What do you suggest?
    CraigB--HP: You might need to uninstall and reinstall. Before doing this, make sure you get the latest driver from the HP support at: http://h10025.www1.hp.com/ewfrf/wc/softwareCategory?product=1153754&lc=en&cc=us&dlc=en&lang=en&cc=us This is also where you can get a copy of the instruction book.
    wizll: Hi, I haven't done much research in wireless printing, but I'm interested as I currently have my printer set up the old fashioned way where it's connected to a networked PC, but if the PC is off I can no longer print, which is obviously inconvenient. Do hp wireless printers have a web gui you can connect to once it's on the home network, or is it simply all done from the printer's interface. I've seen some old wired network printers that only use the printer's ui and that seems like a clunky use.
    DavidH-HP: Yes, the HP printers which have networking built-in have what we call an "embedded" web server which allows you to configure settings, check status, and have many other features; on some models you can even scan using the embedded web server.
    nc256: Jim: Will color laser printing ever reach ink jet quality for photos?
    JimB-HP: While never is a long time, inkjet printers will, for the near future, output higher quality photos.
    katiepage: If I'm at home, connected to my office network via VPN, can I access my office networked printers?
    CraigB--HP: Yes, when you are connected to the office VPN, you can print to your office printers. However, you will not be able to print to your home networked printers while you are connected to the VPN.
    jest1: If a friend comes over to my house with their laptop and needs to print something, are they able to do this just by authenticating with my wireless LAN (assuming I have a wireless printer set up)?
    CraigB--HP: In addition to authenticating to your network, your friend will also need to install the printer driver for your printer.
    jpszambelan: Is there a wireless USB device of some kind I can connect to my printer if there is no network connection already built in?
    JimB-HP: HP sells an accessory that adds Wi-Fi capability to your USB printer (see http://www.shopping.hp.com/product/printer/inkjet/wireless/4/accessories/Q6236A%2523A2L) Also, many higher-end wireless-routers allow USB printers to be connected to them to allow sharing of the printer from the network. Note that this solution often limits you to just printing and not scanning from the network.
    rockwoodchev: It seems that my computer can find my printer, but my printer can't find the computer, so that "Scan to computer" won't work. What do I need to do in order to fix that?
    DavidH-HP: This can be blocked by security software running on the PC (such as a personal firewall). Make sure that your firewall is configured to allow communication on your local network. You can also unblock specific ports, but the easiest way is often just to allow communication on the local home network. The specific setting varies from firewall to firewall.
    SiobhanF-HP: We are nearing the end of our chat session. We only have time for 3 more questions. If we did not get to your question, please post it on the Networking and Wireless board in the Printers and All-in-Ones forum. http://h30434.www3.hp.com/psg/board?board.id=Networking
    SSPatrick: Is it possible to print wirelessly to the same HP printer using both a PC and a Mac?
    JimB-HP: Yes -- I do this in my home. I have both Macs and PCs on my network without any trouble.
    Bowman16: Any plans to do this again?
    SiobhanF-HP: Yes we are.
    ZhuLee3: Do all of the experts hang out on the HP community? Will we see you posting there after this?
    DavidH-HP: Oh yes, whenever time permits. In addition to trying to help people, I learn things too.
    JimB-HP: I'm known as Wi-Fi-Guy on the support forums. I hang out there often helping where I can. It helps me be a better designer.
    CraigB--HP: I monitor the forums looking for problems to take back to the development lab for investigation. To date, I have only posted one reply.
    CameronL-HP: I haven't been involved in the past but expect to be more involved in the future.
    SiobhanF-HP: We only have time for one more question. If we did not get to your question, please post it on the Networking and Wireless board in the Printers and All-in-Ones forum. http://h30434.www3.hp.com/psg/board?board.id=Networking
    ZhuLee3: Thanks for setting this up!
    SiobhanF-HP: The transcript will be posted on http://h30434.www3.hp.com/psg/board?board.id=Networking
    TEACHER1: Thank you all for conducting this session !!!!
    jest1: Is there an OS limitation to print wirelessly?
    JimB-HP: All the OS versions supported by the printer are supported wirelessly. In general, we are compatible with Macs, Windows and Linux.
    SiobhanF-HP: We are ending the chat event. Thank you for coming. We hope you found it worthwhile. I will be posting a transcript of the event in the Networking and Wireless board in the Printers and All-in-Ones forum. We will be hosting future Meet the Experts chat sessions on a variety of topics, so please tell us what you thought of the event and how it could be improved. http://h30434.www3.hp.com/psg/board/message?board.id=Feedback&thread.id=525
    Live Forum Closed
    Message Edited by timhsu on 03-18-2009 05:39 PM
    Message Edited by timhsu on 03-18-2009 05:43 PM
    I work for HP, supporting the HP Experts who volunteer their time and technical knowledge to help others.

    I expected this to be released quite earlier. But now that it's in process, I'll wait patiently.
    I am an ex-HP Employee.

  • Guest Wireless - procedures for support ??

    Hi
    We are just on the cusp of deploying Guest wireless for external non-employee visitors to our organisation, using WLCs and the lobby admin functionality. However, the issue of support procedures for these guest devices is sticking.
    Our Desktop support dept will not support a potential technically challenged guest user and his misconfigured end device (for want of a better phrase......)
    Ourselves in networks by policy do not support end devices as such.
    We need a completely remote 'no-remote-human-presence' way to test a user attaching to an SSID, firing up a browser and authing through the re-directed-to web interface. Remoting to a PC attached to the remote secure wired network is NOT ideal as we will then be bridging secure wired corp and non-secure guest wireless (although it may have to end up being a variation of that.)
    I would be interested to hear how people here troubleshoot their guest wireless service availability.
    Thanks
    martyn

    We have no way of easily testing on-site availability of our guest wireless network, but the guest wireless WLAN is available in our office. So, if an issue arises, basic troubleshooting steps can be taken by trying to connect to the guest SSID from the office. Otherwise, you would have to get creative with something like you're talking about.

Maybe you are looking for