HREAP with web-auth (internal)

I have a lwap at a remote site that is configured as HREAP so that it can continuously provide connectivity when the WLC is unreachable. I have two vlans on the lwap. One is locally authenticated and locally switched for intranet connectivity. The other is for internet connectivity and I wanted that one to be locally switched, but authenticate at the WLC. When I configure the WLAN as HREAP - locally switched, it doesn't work. If I configure the WLAN as non-HREAP it works. Anyone know what the trick is to get this thing to work? I want my internet wlan at that site to be locally switched but centrally authenticated. My WLC only seems to have a selection for HREAP - Local switching; it doesn't have anything you would check to specify central authentication.
My WLC (2106) is version 6.0.182.0 and my lwap is an 1142n.
Thanks!

In the first document:
Q. Can I do web authentication with Local switching?
Yes, you can have an SSID with web-authentication enabled and drop the traffic locally after web-authentication. Web-authentication with Local switching works fine.
1.  WLAN, (wlan you want to local switch), Advanced tab, click the "H-REAP Local Switching" checkbox.
2.  Wireless, (click the h-reap modify), H-REAP tab, click "Vlan Support", Vlan Mappings button, then map the wlan to vlan you want to drop traffic onto.
Also, for wan up/local switched wlans authentication still happens on the controller until the h-reap goes into wan down.  WLANs default to central switching, you have to define the ones which need to be locally switched as described above.
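The two GUI steps above have CLI equivalents on 6.x-era WLC code. The following is an added example, not part of the original thread, showing the same configuration from the controller CLI. The WLAN ID (2), the AP name (remote-ap1) and the local VLAN (20) are assumed values; check each command against the `?` help on your own release, since the h-reap keywords were later renamed flexconnect.

```cisco
! Added example, not from the thread. Assumed values: WLAN 2 is the internet WLAN,
! the H-REAP AP is named "remote-ap1", and VLAN 20 is the local guest VLAN at the site.
!
! Step 1 (WLAN > Advanced > "H-REAP Local Switching"): L3 web auth on the WLAN,
! data path locally switched. The WLAN must be disabled while changing security.
config wlan disable 2
config wlan security web-auth enable 2
config wlan h-reap local-switching 2 enable
config wlan enable 2
!
! Step 2 (Wireless > AP > H-REAP tab > VLAN Support / VLAN Mappings):
! turn on VLAN support on the AP and map WLAN 2 to local VLAN 20.
config ap h-reap vlan enable remote-ap1
config ap h-reap vlan wlan 2 20 remote-ap1
!
! Verification: WLAN 2 should report local switching enabled, and the AP
! should list the WLAN-to-VLAN mapping. Authentication still terminates on the
! WLC while the WAN is up, exactly as the answer above describes.
show wlan 2
show ap config general remote-ap1
```

Note that with this setup the client's web-auth session is owned by the controller, so if the WAN drops, existing locally switched sessions continue but new clients cannot complete web authentication until the AP regains contact with the WLC.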

Similar Messages

  • WLC 4402 - only present guest with web auth page once every (x) days

    Hi all,
    I am looking to migrate our guest wireless from a third-party system to the WLC.  Currently, we change our guest password (WPA2 PSK) every (x) days.  Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept.  The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
    I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
    Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
    Thanks!
    -P

    Wait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers?  The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
    Thanks
    -P

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
    Massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the "not used" column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in advance,
    JS

  • Auto login with web auth?

    I have a guest WLAN on a mobility anchor that uses web auth for access. There is a small set of local users, but the majority of the auth comes from a Radius server. Question is, can I setup some type of policy that will auto login users based on MAC address so they don't have to web authenticate?
    Thanks!
    Edit: I have seen where you can enable mac filtering on the WLAN and specify individual mac addresses to permit. This would work, but I still want web auth for the majority of users. Only a few users should be automatically connected. The rest should still authenticate via web auth.

    Well I have some fantastic news.... and then some horrible news at the same time...
    In 7.0.116.0 a new feature was introduced called web auth on MAC-filter failure. Basically it does exactly what I think you are asking. Right? You MAC filter your WLAN, and then if anyone fails the MAC filter, they can web authenticate.
    Unfortunately, it doesn't work in an anchored scenario, as the MAC filter is L2 performed on the Foreign WLC, and the Anchor does L3 with no knowledge that the Foreign was good to bypass webauth. CSCts54424 is tracking this behavior for the anchor scenario, but I don't think it is planned to go into 7.0.

  • Problem with Web Auth

    Hi,
    I have two wireless networks, one for the guests and the other one extends the corporate network. I created two VLANs on my 6509 switch and mapped the VLANs to the WLANs. All is working fine, but when I enable web auth for guests I can no longer ping my gateway or browse, and even web auth is not authenticating against the internal users configured on the WLC. Web auth just won't work.
    What could be wrong? I really need to authenticate using web auth.

    OK, so this is what I need:
    Send me "show custom-web" details.
    So if you open the page, do you get the default Cisco webauth redirected page? Are you able to put in the user name and password?
    Can you send me the screen shot of events?
    Regards
    Seema

  • WLC 4402 web auth Internal login page

    Hi,
    We recently upgraded our code on our wlc and now our internal web auth page has a nice teal colored L shaped bar in the right upper part of the screen.
    Is there a way to edit the internal web auth page other than just uploading a new bundle to the box?
    When I view the source of the preview page I can see the exact coding that is causing the issue.
    Thanks for any ideas.
    Code 4.1.185.0
    Craig

    The only way is to customize the code and then upload it to the WLC as a tar file. Of course, you will have to set the WLC to custom webauth and not internal webauth.

  • Windows 7 Clients Not Working With Web-Auth

    I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
    The login page is customised showing T's & C's with two buttons, Accept or Reject.
    Do I need to Pre-Auth with ACLs? Has anyone had similar issues, or any good docs etc.?
    Thanks in advance for any replies.
    Jay

    Nicolas,
    Many thanks for your reply. The problem is that this is a guest network that's also available to the public and I don't have any control over the end clients.
    After doing a quick search on the net I found this.
    NCSI: Uses a combination of DNS and/or HTTP lookups to tell if you are connected to the Internet. The way NCSI does this is either via an HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS lookup for dns.msftncsi.com that resolves to 131.107.255.255.
    NCSI does this whether you are logged on or not.
    Do I need to create a preauthentication ACL on the Guest WLAN interface?
    Configure a preauthentication ACL on the WLAN to allow wireless clients to:
    1. Permit DNS resolution (UDP/53) to 213.199.181.90
    2. Permit TCP port 80 to 131.107.255.255
    Jay
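For readers wanting to see what the two ACL entries Jay lists look like on the controller, here is an added example (not Jay's configuration) of a WLC pre-authentication ACL built from the CLI and attached to a web-auth WLAN. The ACL name (NCSI-PREAUTH) and the WLAN ID (3) are assumed; the two addresses are the ones quoted in the post. WLC ACL rules are matched in both directions by default, so each flow needs a rule for traffic toward the server and one for the reply, which is why there are four rules rather than two.

```cisco
! Added example, not from the thread. Assumed: ACL named NCSI-PREAUTH, web-auth WLAN ID 3.
! Addresses come from the post above; re-check them against a current DNS answer,
! since the NCSI endpoints are controlled by Microsoft and may change.
config acl create NCSI-PREAUTH
!
! Rule 1: client -> DNS resolver, UDP/53 (protocol 17)
config acl rule add NCSI-PREAUTH 1
config acl rule action NCSI-PREAUTH 1 permit
config acl rule protocol NCSI-PREAUTH 1 17
config acl rule destination address NCSI-PREAUTH 1 213.199.181.90 255.255.255.255
config acl rule destination port range NCSI-PREAUTH 1 53 53
!
! Rule 2: DNS resolver -> client (reply)
config acl rule add NCSI-PREAUTH 2
config acl rule action NCSI-PREAUTH 2 permit
config acl rule protocol NCSI-PREAUTH 2 17
config acl rule source address NCSI-PREAUTH 2 213.199.181.90 255.255.255.255
config acl rule source port range NCSI-PREAUTH 2 53 53
!
! Rule 3: client -> NCSI web server, TCP/80 (protocol 6)
config acl rule add NCSI-PREAUTH 3
config acl rule action NCSI-PREAUTH 3 permit
config acl rule protocol NCSI-PREAUTH 3 6
config acl rule destination address NCSI-PREAUTH 3 131.107.255.255 255.255.255.255
config acl rule destination port range NCSI-PREAUTH 3 80 80
!
! Rule 4: NCSI web server -> client (reply)
config acl rule add NCSI-PREAUTH 4
config acl rule action NCSI-PREAUTH 4 permit
config acl rule protocol NCSI-PREAUTH 4 6
config acl rule source address NCSI-PREAUTH 4 131.107.255.255 255.255.255.255
config acl rule source port range NCSI-PREAUTH 4 80 80
!
! Push the ACL to the data plane and bind it as the WLAN's pre-auth ACL.
config acl apply NCSI-PREAUTH
config wlan security web-auth acl 3 NCSI-PREAUTH
!
! Verification: rule list with hit counters, and the WLAN's L3 security section.
show acl detailed NCSI-PREAUTH
show wlan 3
```

Keep the ACL this narrow on purpose: anything permitted here is reachable by clients who have not yet authenticated, so it should list only the probe endpoints and nothing else. A side effect worth knowing is that letting the NCSI probe succeed tells Windows it has full connectivity, so it will not pop up its own captive-portal prompt; the client only sees the splash page when it next opens a browser.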

  • HREAP local switching with web auth

    Hello All,
    Does web authentication work perfectly fine while locally switching the SSID on H-REAP mode APs with older WLC firmware, 7.0.98.218?
    I see it is supported in 7.0.116.0 onwards. Does it work on older versions? Has anyone tested and faced any issues?
    Thanks
    Jeen

    It worked as far back as 4.0 from what I remember
    Steve
    Sent from Cisco Technical Support iPhone App

  • WLC 5508- how to setting up with Web auth with 2 profile

    Hi Guys,
    I wanted to control the 2 different profiles to access the internet with the Cisco default landing page. Is that possible?
    Example:
    When connected, the SSID will redirect to the Cisco landing page.
    The Cisco landing page will differentiate whether it is a member or a guest by the password keyed in.
    Members can access the internet for 30 minutes.
    Guests can only access the internet for 15 minutes.

    Just some notes on WebAuth in the WLC. The timeout is specified per SSID so there would be no way to set a timeout unless you use a radius server and send a radius attribute to the WLC to set the session timeout.
    So we really need to know if you have a radius server, is the radius server tied to Active Directory or is the plan just using the WLC for everything.
    Sent from Cisco Technical Support iPhone App

  • How to generate CSR on switches for web auth with NGS

    Hello
    I am doing a dot1x solution with web auth on cisco 3750 switches.
    Once the wired client gets put into the web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.
    I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
    Is there any way to solve this?
    Greetings
    Steven

    Hi Steven,
    The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
    Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
    Once a trustpoint is created, the command to actually generate the CSR is "crypto pki enroll <trustpoint-name>".
    This document goes into a little more detail on all the individual commands and what they do:
    http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
    Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
    Thanks,
    Nate
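The trustpoint-and-enroll flow Nate points to, written out end to end, as an added example that is not part of Nate's reply or the linked documents. The hostname, domain, key label, trustpoint name and subject are assumed placeholder values; the commands themselves are standard IOS PKI commands.

```cisco
! Added example, not from the thread. Assumed placeholders: hostname sw-access1,
! domain example.com, key label WEBAUTH-KEY, trustpoint WEBAUTH-TP.
configure terminal
 hostname sw-access1
 ip domain-name example.com
 !
 ! Dedicated 2048-bit RSA key pair for the web-auth HTTPS certificate
 crypto key generate rsa label WEBAUTH-KEY modulus 2048
 !
 crypto pki trustpoint WEBAUTH-TP
  ! "terminal pem" prints the CSR to the console in PEM form instead of
  ! using SCEP, which is what you want for an external CA such as Verisign.
  enrollment terminal pem
  ! Subject and FQDN must match the name clients are redirected to,
  ! otherwise the browser still warns about a name mismatch.
  subject-name CN=sw-access1.example.com,O=Example Org
  fqdn sw-access1.example.com
  rsakeypair WEBAUTH-KEY
  ! Revocation checking needs reachability to the CA's CRL/OCSP from the
  ! switch; set explicitly so the trustpoint does not fail silently.
  revocation-check none
 exit
 !
 ! 1. Import the CA's root (and intermediate) certificate, pasted as PEM when prompted.
 crypto pki authenticate WEBAUTH-TP
 ! 2. Generate the CSR; copy the PEM block printed on the console to the CA.
 crypto pki enroll WEBAUTH-TP
 ! 3. Paste the certificate the CA issued.
 crypto pki import WEBAUTH-TP certificate
 ! 4. Point the HTTPS server used for the web-auth redirect at this trustpoint.
 ip http secure-server
 ip http secure-trustpoint WEBAUTH-TP
end
!
! Verification: the trustpoint should show both a CA certificate and an issued
! "General Purpose" certificate with the expected subject and validity dates.
show crypto pki certificates WEBAUTH-TP
show crypto pki trustpoints
```

If the key and CSR are generated off-box with OpenSSL instead, as Nate also suggests, the issued certificate and private key are brought in together as a PKCS#12 bundle with `crypto pki import WEBAUTH-TP pkcs12 <url> password <password>` rather than via `crypto pki enroll`; in that case the private key has existed outside the switch, so handle the bundle and its password accordingly.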

  • WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

    Hi there,
    Is it possible to use sleeping clients when using ISE and CWA?
    I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
    Or is the only solution to use LWA?

    Controller -> General -> User Idle Timeout (seconds) = 50 000 sec.
    And your users will be connected all this time even if they go into sleep mode.
    Be careful with CPU loading.

  • Web auth not working on new controllers

    We are currently experiencing a problem with web auth on one of our sites. This uses WiSM2 controllers running version 7.2.110.0 of the software.
    The affected SSID is set up for web auth exactly the same way as our other site and that works (although that uses WiSMs running 7.0.230.0).
    Both sites use the same web auth bundle and the same certificate. We have a DNS entry that points back to the virtual interface IP they all use which is 1.1.1.1.
    When users connect to the SSID they are not being presented with the login page. Running a preview on the controller at the problem sites shows the correct page that should be being displayed.
    The controllers have had the certificate re-applied, the web auth bundle reloaded on and have been upgraded from 7.2.103.0 to 7.2.110.0 but none of these have resolved the issue. All other SSIDs work fine, but this is the only one that uses web auth.
    As I say, the only configuration difference is the hardware (WiSM2 vs WiSM) and the software level.
    Any suggestions?

    When you mention that the login page does not open, that usually means that is a DNS issue. Make sure that you allow DNS from the guest subnet to the DNS server in which the FQDN of the certificate is being resolved.
    Are you anchoring the guest SSID to an anchor controller? It would be the same troubleshooting, but make sure the anchor is configured correctly. The foreign WLC guest SSID needs to have a mobility anchor to the anchor WLC, and the FW needs to allow DNS back in if you're using an internal DNS server.
    If you are not using an anchor wlc, the best way to test is to map the guest to another dynamic interface on the inside network that is working. If that works, your FW is blocking DNS on the guest subnet. You also can remove the FQDN (make sure it was entered correctly) from the VIP and test. If that fixes it, then DNS was not resolving the certificate FQDN.
    Hope this helps
    Sent from Cisco Technical Support iPad App

  • WLC 5508 Web Auth and EAP / PEAP

    Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school. A few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have setup a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests  ( through an ASA ) onto a RADIUS server which is tied into AD. I have a CA setup as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
    But you can use preshared security, like WPA2 AES with web auth, to ensure that the traffic is encrypted.
    Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
    Check the following link which contain couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • WEB AUTH problem on WISM

    Hi Guys, we are facing an issue in authenticating guest users via web authentication on WiSM. We have a WiSM with 270 APs. We have a guest SSID with web-auth enabled. We are running 4.2.061 code. It was working fine till last week; now suddenly it keeps getting off. Users are not getting the web-auth login page. We had to disable the web-auth and re-enable it, then it again starts working. I don't know what to do in this case. Didn't find any log of what's going on in the background.
    need help to resolve it.
    Thanks
    NK

    I had the same basic issue and after researching found caveat CSCsk54969 which is a pretty close match. This caveat has been fixed in release 4.2.130. I have just upgraded to this release over the weekend so too soon to tell yet... fingers crossed...

  • FlexConnect VLAN Central Switching and guest WEB Auth

    Hi,
    I have a scenario where all my APs are FlexConnect APs; that is because of WVoIP.
    In most locations I have a local internet connection for guests, and because of that the Guest SSID is locally switched.
    I have a few small locations that do not have a local subnet for guests, and on those locations I would like to centrally switch the guest traffic.
    I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
    Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
    Hope some one can answer me.
    Thanks
    Aksel

    So create a new WLAN; the WLAN profile will be different from the original guest WLAN, and assign it a WLAN ID of 16 or higher. This new WLAN will have the same settings as the original guest SSID except that local switching is not enabled.
    You now need to create AP Groups so you can specify that sites with local guest VLANs will use the original SSID and the sites with no local guest VLAN will use the new SSID you created.
    Here is a doc regarding AP Groups
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    Sent from Cisco Technical Support iPhone App
