Guest WLAN and Web Auth?

Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our physical "Cisco Wireless Controller", with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA, but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is:
- Added a DNS host name to the virtual interface and assigned it to our internal DNS server. The DNS name was resolving, but we were unable to ping 1.1.1.1.
- Changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry. The DNS name resolved, but we still could not ping 2.2.2.2 (I think this is normal).
- Changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry. Same result.
I've attached some screenshots of our configuration.

Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:

1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
   Note: On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.

2. The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP GET session of the client and redirects the user to the web authentication login page.

3. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, run "nslookup www.cisco.com" and see if the IP address comes back. On Macs/Linux: open a terminal window, run "nslookup www.cisco.com" and see if the IP address comes back.
   If you believe the client is not getting DNS resolution, you can either:
   - Enter the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25), or
   - Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
   Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.

4. For web authentication using a customized web page, ensure that the HTML code for the customized web page is appropriate.
   You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
   These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
   - ap_mac: The MAC address of the access point to which the wireless user is associated.
   - switch_url: The URL of the controller to which the user credentials should be posted.
   - redirect: The URL to which the user is redirected after authentication is successful.
   - statusCode: The status code returned from the controller's web authentication server.
   - wlan: The WLAN SSID to which the wireless user is associated.
   These are the available status codes:
   - Status Code 1: "You are already logged in. No further action is required on your part."
   - Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
   - Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
   - Status Code 4: "You have been excluded."
   - Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
   All the files and pictures that need to appear on the customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
   Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
   Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
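The five redirect parameters and the status codes listed above are all a customized login page has to work with, so a quick parser is a useful check when a custom page misbehaves. The following Python script is an added example, not part of the Cisco document or any Cisco bundle: it pulls the parameters out of a redirect URL, maps statusCode to the documented message, and flags the two things a defender cares about when reviewing a custom page, namely that switch_url (where the credentials get posted) uses HTTPS and points at the controller's own virtual interface. The sample URL and the expected_virtual_host argument are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Status codes the controller places in the statusCode parameter, with the
# messages the troubleshooting steps above list for each of them.
STATUS_MESSAGES = {
    1: "You are already logged in. No further action is required on your part.",
    2: "You are not configured to authenticate against web portal. "
       "No further action is required on your part.",
    3: "The username specified cannot be used at this time. "
       "Perhaps the username is already logged into the system?",
    4: "You have been excluded.",
    5: "The User Name and Password combination you have entered is invalid. "
       "Please try again.",
}

# The five parameters the controller appends to the customized login page URL.
REQUIRED_PARAMS = ("ap_mac", "switch_url", "redirect", "statusCode", "wlan")


def parse_webauth_redirect(url, expected_virtual_host):
    """Extract the redirect parameters and sanity-check them.

    expected_virtual_host is the virtual interface address or DNS host name
    the page should post credentials to (an input of this example, not
    something the controller sends).  Returns a dict with one key per
    parameter plus 'status_message' and a list of 'problems'.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    result = {"status_message": None, "problems": []}

    for name in REQUIRED_PARAMS:
        values = query.get(name)
        result[name] = values[0] if values else None
        if not values:
            result["problems"].append(f"missing parameter: {name}")

    code = result["statusCode"]
    if code is not None:
        if code.isdigit() and int(code) in STATUS_MESSAGES:
            result["statusCode"] = int(code)
            result["status_message"] = STATUS_MESSAGES[int(code)]
        else:
            result["problems"].append(f"unknown statusCode: {code!r}")

    # The custom page posts the username and password to switch_url, so it
    # must be HTTPS and must be the controller's own virtual interface.
    switch_url = result["switch_url"]
    if switch_url:
        target = urlsplit(switch_url)
        if target.scheme != "https":
            result["problems"].append("switch_url is not https")
        if target.hostname != expected_virtual_host:
            result["problems"].append(
                f"switch_url host {target.hostname!r} is not the virtual interface")
    return result


# Constructed sample redirect, in the shape the parameters above describe.
SAMPLE_URL = ("https://1.1.1.1/login.html?ap_mac=00:11:22:33:44:55"
              "&switch_url=https://1.1.1.1/login.html"
              "&redirect=http://www.cisco.com/&statusCode=5&wlan=Guest")

if __name__ == "__main__":
    parsed = parse_webauth_redirect(SAMPLE_URL, expected_virtual_host="1.1.1.1")
    for key in REQUIRED_PARAMS + ("status_message", "problems"):
        print(f"{key:15} {parsed[key]}")
```

Run it with the URL the browser actually lands on (copied from the address bar) and the virtual interface address you configured; an empty problems list means the redirect carries everything the custom login.html needs.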
5. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.

6. Ensure that the Scripting option is not blocked on the client browser, as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.

7. Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
   Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
   If you have a host name configured for the virtual interface of the WLC, make sure that DNS resolution is available for the host name of the virtual interface.
   Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.

8. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.

9. Depending on the network topology/solution, a firewall can be placed between the client and the web-auth server. For each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall:
   Protocol                                      Port
   HTTP/HTTPS traffic                            TCP port 80/443
   CAPWAP data/control traffic                   UDP port 5247/5246
   LWAPP data/control traffic (before rel 5.0)   UDP port 12222/12223
   EOIP packets                                  IP protocol 97
   Mobility                                      UDP port 16666 (non-secured), UDP port 16667 (secured IPsec tunnel)
10. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.

11. Disable the Proxy Settings on the client browser until web authentication is completed.

12. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.

13. Update the hardware driver on the computer to the latest code from the manufacturer's website.

14. Verify settings in the supplicant (program on laptop).

15. When you use the Windows Zero Config supplicant built into Windows:
    - Verify the user has the latest patches installed.
    - Run debugs on the supplicant.

16. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window (Start > Run > CMD):
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same commands but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.

17. If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable

18. If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request:
    debug pm ssh-appgw enable
    debug pm ssh-tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh-engine enable packet

Similar Messages

  • Guest WLAN and DNS tunneling (IP over DNS with iodine, NSTX, etc)

    Hello,
    I'm trying to implement a guest WLAN with web authentication on the WLC 2504. L3 for the guest WLAN is terminated on an ASA 5510 (as a subinterface).
    All works pretty fine. Guest clients are prompted to enter login/password, guests are authenticated against ACS and so on.
    But I have a strange idea. How can I prevent unauthorised DNS tunneling from the guest network?
    I think that DNS tunneling can be prevented with dns-guard on the ASA and DNS inspections, e.g. drop DNS packets larger than 512 bytes and perform deep inspection against packets.
    Any ideas or advice?
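    Size limits on the ASA are one half of the picture; the other half is noticing a guest client that keeps sending queries whose labels look like encoded data. The Python script below is an added example (not from the poster, Cisco, or any ASA feature) of the detection logic a guest-network DNS log could be run through: it scores each query name on label length and character entropy, applies the 512-byte threshold from the post, and only reports a client once it has sent several such queries to the same base domain, so a single odd CDN name is not an alert. The sample queries, the thresholds (LONG_LABEL, HIGH_ENTROPY) and the "last two labels are the base domain" simplification are all assumptions of the example.

```python
import math
from collections import defaultdict

MAX_DNS_UDP_BYTES = 512  # the size threshold proposed in the post above
LONG_LABEL = 30          # assumption: a single label this long is rare in real names
HIGH_ENTROPY = 3.5       # assumption: bits per character typical of encoded payload


def shannon_entropy(text):
    """Bits per character of the string; encoded data scores near its alphabet maximum."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, base domain).  Simplification: the last two
    labels are treated as the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_findings(qname, msg_bytes):
    """Reasons a single query looks like carried data rather than a lookup."""
    sub_labels, _ = split_name(qname)
    reasons = []
    if any(len(label) >= LONG_LABEL for label in sub_labels):
        reasons.append("long label")
    payload = "".join(sub_labels)
    if len(payload) >= 16 and shannon_entropy(payload) >= HIGH_ENTROPY:
        reasons.append("high-entropy subdomain")
    if msg_bytes > MAX_DNS_UDP_BYTES:
        reasons.append("message over 512 bytes")
    return reasons


def find_tunnel_suspects(queries, min_hits=3):
    """Group suspicious queries by (client, base domain).  A client that keeps
    sending such queries to one domain is reported with every reason seen;
    a single odd-looking name is not."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for client, qname, size in queries:
        reasons = query_findings(qname, size)
        if reasons:
            _, base = split_name(qname)
            entry = hits[(client, base)]
            entry["count"] += 1
            entry["reasons"].update(reasons)
    return {key: hit for key, hit in hits.items() if hit["count"] >= min_hits}


# Constructed sample of guest-network queries as (client, name, DNS message bytes).
SAMPLE_QUERIES = [
    ("10.10.20.5", "www.cisco.com", 64),
    ("10.10.20.5", "time.windows.com", 62),
    ("10.10.20.7", "0123456789abcdef0123456789abcdef.cdn.example.org", 90),
    ("10.10.20.9", "a7f3c9e2b1d04f6a8c5e3b7d9f1a2c4e6b8d0f2a.t.example.net", 110),
    ("10.10.20.9", "c4e6b8d0f2a4c6e8a0b2d4f6a8c0e2b4d6f8a0c2.t.example.net", 110),
    ("10.10.20.9", "e2b4d6f8a0c2e4a6b8d0f2a4c6e8a0b2d4f6a8c0.t.example.net", 640),
    ("10.10.20.9", "9f1a2c4e6b8d0f2a4c6e8a0b2d4f6a8c0e2b4d6f.t.example.net", 110),
]

if __name__ == "__main__":
    for (client, base), hit in find_tunnel_suspects(SAMPLE_QUERIES).items():
        print(f"{client} -> {base}: {hit['count']} queries, {sorted(hit['reasons'])}")
```

    Feed it tuples taken from the resolver's query log (or from a capture on the guest VLAN) and tune min_hits and the thresholds against a day of normal guest traffic before acting on the output; a reported (client, domain) pair is a reason to look at the client, not proof of a tunnel.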


  • Guest WLAN and a Office WLAN on 1242AG

    Hi All,
    I have managed to add two WLANs, one for the Office wireless clients (staff laptops) and another one for guests. I have basically created two SSIDs, one broadcasting, the other one not (the staff one).
    The AP is a 1242AG and is going to connect to a Catalyst 3750 48T, which is connected to a Cisco 877. How can I make the DHCP assignments to both the Guest WLAN and the Staff WLAN, and also do I have to create a trunk port in the switch (I am thinking like this as I have two VLANs)?
    Does anyone know or have a sample running config (in a switch and in a similar AP)? I would really appreciate it. Time is running out for me!!!
    Reg
    ND

    Hi,
    here is a config example for exactly what you are looking for:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
    HTH,
    Tiago

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the "not used" column and hit apply. If I move to another menu and then check the priority order again under the AAA servers tab, local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in advance,
    JS

  • Guest WLAN and IP Address Exhaustion

    Does anybody know of a way to stop a DHCP Server from doling out IP addresses (and subsequently exhausting the DHCP Scope) prior to performing L3 Web Auth to the WLC?
    The problem arises when Students come into School with their iPhones and such like with the WLAN turned on which exhausts the current Guest WLAN DHCP Scope.  Subsequently when a valid Guest User comes along they are unable to obtain an IP.
    Many Thanks

    Hi,
    This is the challenge that we have with Guest wireless access!! However, we can use WPA/WPA2-PSK along with the WEB-AUTH, so that only the clients who provide the right PSK will be able to grab an IP.
    Regards
    Surendra

  • Wireless 3850 and Web-Auth for Wireless clients

    Hi
    I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
    Internet is all tested and there is full IP connectivity.
    Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
    I am using local authentication for the guest users.
    When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
    Config below
    interface Vlan302
     description **** Wireless Guest ****
     ip address 10.145.224.161 255.255.255.224
     ip helper-address 10.144.214.134
     ip helper-address 172.17.2.56
    ip http server
    ip http secure-server
    ip dhcp snooping
    wlan XXXXX 2 XXXXXX
     aaa-override
     accounting-list default
     client vlan 302
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list WEB_AUTH
     security ft
     security web-auth
     security web-auth authentication-list WEB_AUTH
     security web-auth parameter-map vit_web
     no shutdown
    parameter-map type webauth vit_web
     type webauth
    security web-auth parameter-map vit_web
    user-name Guest1
     creation-time 1390837878
     privilege 15
     password 7 022D0156060F1B351D
     type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    user-name Guest2
     creation-time 1390838016
     privilege 15
     password 7 0724244143000D1145
     type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    aaa new-model
    aaa authentication login WEB_AUTH local
    aaa authorization network WEB_AUTH local

    Hey Greg,
    Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
    parameter-map type webauth global
    type webauth
    virtual-ip ipv4 x.x.x.x wlc.whatever.org
    max-http-conns 50
    Also I had to enable http server in addition to secure server
    ip http server
    ip http secure-server
    Are you using a self signed cert?
    I saw windows clients take a long time to load the page when using a self signed cert.
    Mac clients don't seem to work if you use the iOS or OS X based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this Mac problem which was supposedly resolved in 3.3.1SE, but I still have the problem.
    -Kyle

  • WLC 5508, 7.4.100.0, dot1x and web auth

    Release notes for 7.4.100.0 states;
    "Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
    Anybody know anything about this and how-to's?
    Eirik

    I know what it is. :-)
    Want to test using web auth after dot1x. Do not trust dot1x alone anymore, now that it is so easy to steal certificates from laptops...
    Would like to force users (after eap-tls with certificate) to logon using their AD cred.
    Eirik
    Sent from Cisco Technical Support iPad App

  • Is Guest Access via web auth available on Standalone 1130AP?

    Hi,
    I have seen that using LWAPP and a WLC, Guest WLans can be authenticated via a web page.
    Is this possible on an Autonomous 1130 AP ?
    Or is that only a functionality of the Controller ?
    Thanks

    As the other user said, this web authorization isn't native to the access point. It is a web authorization portal that is on the WLC.
    With that said, any web authorization portal on your network could be used. I'm not sure what your budget is, but if you are looking to do this on a handful of devices, you might go with something like NoCat (nocat.net). I haven't actually used it but I think it is just an entry level (free?) portal.
    I'm sure there are many products out there, and Cisco probably has their fair share...
    Note: in this case, it would most likely be used to authorize anyone to get connected to the LAN (or Internet), it probably wouldn't be used to authorize the actual Wireless Connection, just authorize the ability to get off the VLAN (like to the Internet)

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Locally switched Guest WLAN with Web Authentication

    I have a remote location that has its own internet pipe. I have set up a new guest SSID, set it to switch locally and changed the AP mode to FlexConnect. When I connect to the new SSID, I get an IP address from the local LAN, but the web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interface of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

    You are close in your understanding.
    If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Wireless guest wlan and secured corporate wlan

    I am implementing an enterprise wireless network for my company. I am planning on setting up one secured corporate wlan for employee and one open guest wlan for the guest/contractor/vendor. Is there a way I can prevent my employee jump from the secured wlan to the guest wlan? Thanks.
    Lee

    Hi Stephen
    LWAPP also defines the tunneling mechanism for data traffic.
    A LAP discovers a controller with the use of LWAPP discovery mechanisms. The LAP sends an LWAPP join request to the controller. The controller sends the LAP an LWAPP join response, which allows the AP to join the controller. When the LAP joins to the controller, the LAP downloads the controller software if the revisions on the LAP and controller do not match. Subsequently, the LAP is completely under the control of the controller. LWAPP secures the control communication between the LAP and the controller by means of a secure key distribution. The secure key distribution requires already provisioned X.509 digital certificates on both the LAP and the controller. Factory-installed certificates are referenced with the term "MIC", which is an acronym for Manufacturing Installed Certificate. Cisco Aironet APs that shipped before July 18, 2005, do not have a MIC. So these APs create a self-signed certificate (SSC) when they are upgraded in order to operate in lightweight mode. Controllers are programmed to accept SSCs for the authentication of specific APs.
    Please refer to the doc:
    http://cisco.com/en/US/products/ps6306/products_qanda_item09186a00806a4da3.shtml
    Regds
    Saji k.s

  • Guest WLAN and VLAN out of 2811 w WLC module

    Using a WLC 2006 or 4000 series, there is
    no problem getting the traffic on a "guest WLAN" connected to a wired VLAN.
    But, how to do that when one is using
    a 2811 with a WLC module?
    Now the "guest WLAN" connects internally
    to the 2811 "interface wlan-controller 1/0" as a VLAN on a subinterface. I do not want the default GW for that VLAN within the 2811. Instead I just want to get it out at layer 2. Transparent bridging between a subinterface "int wlan-controller1/0.x" and "int fastethernet0/1.x" failed. Any ideas?

    Try these links:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

  • VLAN Override and Web Auth: How to overcome issues?

    Hello
    I have been investigating if we can deploy vlan override and assign a user vlan via RADIUS, post authentication on a WRD SSID. Having read around the discussions, I can see that there are others who have wanted similar, but have been told that it is not possible:
    "Marucho, the particularity of how Web authentication works on the WLC  is that it is carried over HTTP between Client and WLC. So the Wireless  Client has to already have an IP address prior to starting the web  authentication. Since the Wireless Client already has an IP address then  you cannot override it anymore.
    Unlike  dot1x, which takes place over EAPOL and then when you have eap success,  client moves to get an ip address from the sent by Radius VLAN."
    However, we still have a problem that we would like to overcome and wonder if anyone has any experience or suggestions they could share?
    We are a University with a large number of devices grabbing an IP address whilst only remaining associated and not actually going on to authenticate through the WRD. This creates a situation where we have a large number of IP addresses deployed unnecessarily and we would like to tackle this.
    We are unable to use private IP for authenticated users (Policy decision) but could use them for associated users and so were hoping we might be able to deploy a private subnet on the WRD SSID prior to authentication and then use VLAN override to assign authenticated users onto the correct VLAN. In order to try and achieve this we were planning on using a very short DHCP lease on the private subnet, so that post-authentication the client device requests a public IP address almost instantly.
    Is there any way of achieving this that someone could suggest, or would we be knocking our heads against a brick wall?
    thanks
    Bryn

    Just giving 2 ideas :
    -How about using a WPA PSK on your webauth ssid ? Just give the PSK in the SSID name. This prevents non-intended connections (no automatic association because it's open ssid) and still allows anyone with an intention, to connect to it and you still have the webauth behind. This reduces number of ip addresses.
    -How about modifying the webauth successful authentication page to give the credentials to access a private network (PSK or dot1x) where credentials would regularly change?
    Those are workarounds.
    Nicolas

  • WCSs (5.0.148) lose Terminal, Webfrontend and Web Auth

    Hello,
    3xWCS 4404 with 5.0.148 and WCS 5.0.56.
    After several days, I was not able to connect to the telnet, SSH and web frontend interfaces on all controllers. I tried management and service-port IPs. But I get ping responses from the interfaces and the Wireless LANs are also working, except the Web Authentication, which is now configured to relay the user to a special URL.
    In the release notes (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234299) was a caveat (CSCsi30541), but it occurs when you create a new dynamic interface, which I didn't.
    The controllers respond to the WCS, so I was able to reboot them via the WCS. After that the situation is normal, until the next time.
    Three weeks ago, I installed 5.0 on one of the three WCS. One week ago, I installed it on the other two. This problem occurs on the first WLC for the second time, so I assume, it can happen again.
    Any ideas what could be the reason?
    p.k.

    It is a bug in 5.0... The controller will only respond to SNMP. The workaround is to reboot. This is a bug if you are using WebAuth. I would open a TAC case to see if they have a workaround as of yet, which most likely will be an ER.

  • Securing Guest Wlan

    I am trying to set up a WLAN with internal users and guest users.
    I have 2 ssid's one visible one hidden, the visible one is for guest use.
    Problem is when I connect to the guest wlan and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?

    Hi
    Have you got separate vlans setup ie.
    vlan 10 = users
    vlan 11 = guest
    You would then hand out different IP address ranges for each vlan eg.
    vlan 10 = 192.168.5.0/24
    vlan 11 = 192.168.10.0/24
    Then you can either use a firewall or use access-lists on the vlan interfaces ie. suppose the corporate network was made up of subnets
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    Also assume you want to allow your guest users out to the Internet
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
    etc..
    int vlan 11
    ip access-group 101 in
    This would allow guest users on 192.168.10.0 to access the Internet but not the corporate LAN.
    HTH
    Jon
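    One detail worth checking before applying an ACL like Jon's: an IOS access list ends in an implicit deny, so with only deny statements the guest VLAN is cut off from everything, Internet included, and an explicit permit is needed after the denies. The Python script below is an added example (not Jon's code or Cisco's) that parses the ACL as posted, spells out the "etc.." for the third subnet he lists, and evaluates guest traffic against it with and without a trailing "permit ip any any"; the permit line and the sample addresses are assumptions of the example.

```python
import ipaddress

# Jon's ACL from the answer above, with the "etc.." written out for the third
# subnet he lists, followed by the same ACL with an explicit permit.  The permit
# is an assumption of this example: IOS ACLs end in an implicit deny, so without
# it the guest VLAN cannot reach the Internet either.
ACL_AS_POSTED = [
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255",
]
ACL_WITH_PERMIT = ACL_AS_POSTED + ["access-list 101 permit ip any any"]


def _parse_address(tokens, pos):
    """Read one address spec at tokens[pos]: 'any', 'host A.B.C.D', or
    'A.B.C.D W.W.W.W' with an IOS wildcard mask.  Returns (network, next_pos)."""
    if tokens[pos] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tokens[pos] == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    # ipaddress accepts a hostmask (IOS wildcard) in place of a prefix length
    net = ipaddress.ip_network(f"{tokens[pos]}/{tokens[pos + 1]}", strict=False)
    return net, pos + 2


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' into
    (action, source_network, destination_network)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {line}")
    src, pos = _parse_address(tokens, 4)
    dst, _ = _parse_address(tokens, pos)
    return action, src, dst


def evaluate(acl_lines, src_ip, dst_ip):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action
    return "deny"


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("with permit", ACL_WITH_PERMIT)):
        for dst in ("192.168.1.10", "198.51.100.20"):
            verdict = evaluate(acl, "192.168.10.7", dst)
            print(f"{name:12} guest 192.168.10.7 -> {dst:15} {verdict}")
```

    Running it shows the guest host reaching neither the corporate subnet nor the Internet address under the ACL as posted, and reaching only the Internet address once the permit is appended; the same evaluator can be pointed at any other numbered standard "ip" entries before they are applied to the guest SVI.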
