HTTPS redirection issue for Wireless Guest CWA - ISE 1.3

Our setup is:
ISE 1.3 (Patch level 2) running on ACS 1121
2 nodes clustered with Admin, monitoring, policy service enabled (Primary and Secondary).
Configured SSID Guest for Centralized web authentication with ISE.
We have issues in web redirection with Chrome. It is not redirecting to the ISE page but rather showing "Page cannot be displayed".
By default Chrome is pointing to https. For example, if we type https://google.com it is not redirecting to the ISE page. But when I specify the same as http://google.com it works.
There is no issue with IE and Firefox, as they redirect to the ISE page with default https and I can see it is hitting our rule.
Please advise.

Hi Neno
They are using a third-party certificate (digi cert) for client auth. They have confirmed that even if they use a self-signed cert the result is the same.
So basically none of the https pages are loading. If we manually browse some https site from Firefox or IE, the result is the same, showing "page cannot be displayed".
Redirection to https is the problem, which I have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

Similar Messages

  • SA 540 and DMZ Issue for Wireless Guest Access

    I have hooked up a Wireless AP into the Optional Port set up as DMZ on the SA 540. My goal is to provide internet access to wireless guest users without giving them access to the entire LAN. The internet access for the wireless guest users is painfully slow. It takes 5 minutes to access Google. Has anybody else had issues with slowness? I am able to successfully ping websites and retrieve their IP address, but it won't connect to any websites via web browsers. Just to humor myself, I configured firewall rules to allow DMZ full access to the LAN and WAN. I am still having the same results. Any thoughts and suggestions?

    Hi,
    I'm not the one with the AP problem, I just have the same issue with the DMZ port. I think you have to forget about the whole AP issue here since the problem is with the DMZ port on the SA500.
    I have my Web and Mail server set up on the DMZ port, I can ping and resolve Domain names to the outside world, but trying to reach anything with a browser takes foreeever. On, eg. www.apple.com I just get a few lines from their web page (so there is a connection) and then it halts to a stop (takes about 5 min).
    I also tried to move my laptop to the DMZ, just to make sure there is no problem with the server, and it has the same issue.
    To summarize, I have about 16 Mb connection on my LAN and on my DMZ I can't even load a full web page.
    Firmware 1.0.39
    BTW, when I upgraded the firmware it wiped my configuration, but it kept my firewall rules in place, even though they weren't shown in the Firewall table. e.g. I could still access my DMZ from my LAN. I had to hard reset the router from the hardware reset button on the router before that changed and the router was completely reset.

  • WLC 2500 and WCCP for Wireless Guest Users

    Hi there
    I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
    Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know a PAC file may be the easier solution, however our guest clients want a seamless solution for internet. I am not sure whether WCCP is supported for this.
    Your advice will be highly appreciated.
    Regards

    For guest wireless traffic redirect to proxy server
    https://supportforums.cisco.com/thread/2126486

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of pdu encapsulation errors for broadcast packets which is ffff.ffff.ffff xxxx which I think is the DHCP request from the connected Wireless clients not making it through the EoIP tunnel. I have set a static ip for the Wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address to set to? DMZ WLC mgmt ip address? DMZ WLC, the DHCP server is also set to DMZ WLC mgmt ip?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the wlan is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the dhcp, so the dhcp scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP Server will be the ip address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside wlc and the DMZ wlc. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their ip address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to set up the proxy to allow the wlc to bypass the user's initial dns resolution.

  • Best way for wireless guest authentication

    Hi
    Can anyone tell me what a good way to authenticate guest wireless in my workplace, we currently use mac auth and usernames in the controller, which is not Cisco.
    What solutions are out there for this, i.e. something separate to the controller like a radius or authentication server? We may want the guests to register themselves by providing their mobile number etc.
    Any ideas?

    When you want to provide guest authentication and then you want certain fields for the user to enter, guest access is best when there is a portal page. When you want guest to enter information like cell number etc, then you either need to find a 3rd party captive portal software, or external webauth server or if you have Cisco wlc, you use ISE.
    Your final requirements will determine what solution can or can't work.

  • Latest Maverick update issues for wireless connection

    I just did the update and now my wireless network won't connect and my mouse is skipping around some. Anyone having this problem and if so, how do you correct it?

    Welcome to Apple Discussions
    Wireless issues continue after the (I assume 10.9.2. update).
    There are a variety of actions that seem to help for different users... AFAIK no "sure fire" fix. You don't have to try them all at once. Try a few things and see if there's any change.

  • Multiple redirect URLs for multiple guest VLANs

    We are trying to implement 2 guest WLANs tunneled to our DMZ and want to redirect users to 2 different URLs (one for each WLAN) when they click the "Accept" button. We are running 6.0.182 on the DMZ controllers and have a customized web passthrough page currently working for the 1st WLAN.
    It appears that only 1 redirect URL can be configured via the command line (config custom-web redirectUrl), and we haven't had much luck modifying the web page for the 2nd WLAN to redirect correctly. Is this supported? Thanks

    Since you are on version 6, the config guide mentions the following in Chapter 10 (and talks about how to do a "global override" per WLAN):
    Assigning Login, Login Failure, and Logout Pages per WLAN
    You can display different web authentication login, login failure, and logout pages to users per WLAN.
    This feature enables user-specific web authentication pages to be displayed for a variety of network
    users, such as guest users or employees within different departments of an organization.
    Different login pages are available for all web authentication types (internal, external, and customized).
    However, different login failure and logout pages can be specified only when you choose customized as
    the web authentication type.

  • DHCP issues for Wired Guest LAN

    Hi Everyone,
    I've a 1751 acting as a DHCP server for client PCs on a guest network A.B.8.x (using an Anchor controller) on the DMZ of my firewall. The 1751 reports the following
    Nov 30 15:35:45: DHCPD: DHCPDISCOVER received from client 0100.1708.37a3.55 through relay A.B.7.y.
    Nov 30 15:42:41: DHCPD: there is no address pool for A.B.7.y.
    I'd tied my guest vlan and corresponding DHCP scope on the router to A.B.8.x, but as A.B.7.x is the DHCP relay for the Anchor controller I don't understand why the DHCP server on the router is not doing what I expected it to.
    As ever any help will be appreciated.
    Many Thanks
    Scott

    Hi Cristian,
    After much pulling of hair and gnashing of teeth I have got it working - what was not clear to me, and it looks as though you've fallen into the same trap, is that the egress interface on the anchor controller (ie the management port) defines the addresses given to the clients. The dhcp scope on your server has to be from the same network as the address of the management interface (so my guest clients get a A.B.7.x address). In fact the ingress interface addresses have no bearing (as I'm sure I read somewhere afterwards!) on how the guest access operates and can (should?) be dummy addresses.
    I tried creating another vlan (with A.B.8.x) on the anchor controller and assigning that to the egress of the guest WLAN on the anchor and I could get A.B.8.x addresses from my DHCP server as I had planned, but, and this is a big but, web authentication just will not instigate. So it would seem that guest access is reliant on using the management interface as the egress on the anchor of the guest WLAN.
    I hope this is helpful,
    Regards
    Scott
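
The pool-selection behaviour Scott describes above, as an added example (not from the thread): a DHCP server picks the scope from the relay address (giaddr) carried in the request, so a scope on A.B.8.x never matches a relay on A.B.7.y. The 10.20.7.0/24 and 10.20.8.0/24 networks, the pool name and the function names are constructed stand-ins for the masked addresses in the post.

```python
import ipaddress
import re

# Constructed sample log: same message format as in the post, with
# 10.20.7.5 standing in for the masked relay address A.B.7.y.
SAMPLE_LOG = """\
Nov 30 15:35:45: DHCPD: DHCPDISCOVER received from client 0100.1708.37a3.55 through relay 10.20.7.5.
Nov 30 15:42:41: DHCPD: there is no address pool for 10.20.7.5.
"""

RELAY_RE = re.compile(
    r"DHCPDISCOVER received from client (?P<client>\S+) "
    r"through relay (?P<relay>\d+\.\d+\.\d+\.\d+)"
)


def select_pool(giaddr, pools):
    """Return the name of the first pool whose network contains giaddr, else None.

    pools maps a pool name to an ipaddress network object.
    """
    addr = ipaddress.ip_address(giaddr)
    for name, net in pools.items():
        if addr in net:
            return name
    return None


def audit(log_text, pool_cidrs):
    """For every relayed DISCOVER in the log, report which pool would serve it.

    Returns a list of (client_id, relay_ip, pool_name_or_None) tuples.
    A None pool corresponds to the 'there is no address pool' message.
    """
    pools = {name: ipaddress.ip_network(cidr) for name, cidr in pool_cidrs.items()}
    findings = []
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            findings.append((m["client"], m["relay"], select_pool(m["relay"], pools)))
    return findings


if __name__ == "__main__":
    # Scope tied to the intended guest VLAN: the relay address is outside it.
    print(audit(SAMPLE_LOG, {"guest": "10.20.8.0/24"}))
    # Scope moved to the management-interface network: the relay now matches.
    print(audit(SAMPLE_LOG, {"guest": "10.20.7.0/24"}))
```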

  • HTTP Redirect issues

    My webcache is the gateway to the HTTP Server. Web cache is port 80 while HTTP Server is port 7780. Redirects that occur in HTTP appears to do a browser redirect and adds on the port 7780. Because port 7780 is blocked by our firewall, I get a "connection timeout" error. If I then delete the port in the URL, I would successfully get the page it was requesting.
    Does anyone know how I can change the redirect (or the target URL) so that these programmed redirects can use port 80 (the webcache) versus port 7780 (HTTP Server)??
    All input appreciated.
    Thanks,
    Vue

    Solution:
    Add a Port directive inside the VirtualHost. This Port directive inside the VirtualHost behaves differently than the Port directive in the Main Server. It will not affect what port the HTTP Server is listening on. When HTTP does self-redirects, it'll use the value assigned to Port that's inside the VirtualHost; if there is none defined then it'll use the Port in the Main Server.

  • Wireless guest and HTTPS sites issue

    Dear all,
    I'm experiencing an issue with wireless guest, when accessing a site with https, the traffic is not intercepted by my controller, http sites are intercepted without any issue, I've found a document where this issue is mentioned as bug ID CSCar04580
    http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
    could you please let me know what the fix is?
    Thanks,

    Thanks for the feedback, however I've added the 443 port and the traffic
    is still not redirected.
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80,443
    Fast SSID Change ........................... Disabled
    802.3 Bridging ............................. Disable
    Any other suggestion?
    Thanks,
    Aziz

  • ISE Profiling for Wireless Devices (WLC 5508) like Laptops and Mobile Devices

    Hi,
    We have integrated WLC 5508 to Cisco ISE 3315 with ios 1.1.1 and are using the Guest Sponsor portal for wireless guest users.
    We have created an open ssid in the wlc and redirect to the web login portal in the wlc for guest users. We have enabled all respective nodes in policy service for profiling and also configured snmp in the wlc as well as in ise.
    When a guest user is connected to the open ssid, it gets redirected to the web login page of the ise portal, and when it logs in we are only able to see the username the guest user logged in with but not the end device in the monitoring log.
    Wireless end devices are not able to get profiled. Can anyone tell me what configuration I need to do on the ise or wlc side to profile end guest wireless devices like android, iphone and laptops?
    Thanks
    Pranav

    Hi Tarikh,
    I only want to identify the end devices for wireless guest users. I have configured MAB Authentication and configured an authorization policy where I mention identity group any, condition as wlc web authentication, and authorization profile only guest, mentioning plain access for the same.
    Can you help me with how I can achieve profiling for wireless guest devices? I have configured all profiling probes. Enabled snmp on the wlc as well as in network devices.
    What else do I need to configure to achieve just identifying the device, nothing but profiling, which should reflect in the authentication logs?
    Thanks
    Pranav

  • LWA guest portal ISE & 4400 7.0.x

    Has anyone managed to get guest LWA working with ISE for wireless guest portal access? Examples seem to skip bits and I can't find anyone that has managed to get it working. I have Cisco 4400 WLCs running latest 7.0 code and ISE 1.1.2.
    All guest portal examples seem to be CWA which only works on 7.2 code.
    Am I without hope getting this working on 7.0 code?

    We got LWA guest portal to work between ISE & 4400 7.0, before we migrated to CWA w/ a 5508.
    Can't remember exactly which documents we used, but your best bet is the TrustSec 2.0 (not 2.1) guide:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf
    and the WLC example:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml
    Keep in mind if you use LWA, you'll need two SSL certs - one on WLC, and one on ISE.
    With CWA, only one cert is needed on ISE.

  • Wireless Guest Portal with Device registration

    Hi,
    I have configured the ISE for wireless guest authentication. Once I get the guest portal and enter username/password, it redirects to the Self Provisioning portal for Device Registration. (attached)
    I have unchecked the option "enable my device portal" under My Device-->Portal configuration (attached)
    Can someone please advise, why I'm still getting Self provisioning portal, although I might need this later for On-board provisioning, at this time I just want guest user authentication and allow access to internet.
    Thanks in advance.

    I think you should disable it in the DefaultGuestPortal (Administration >> Web Portal Management >> Settings >> Guest >> Multi-Portal Configurations >> DefaultGuestPortal >> Operations): uncheck the option Enable Self-Provisioning Flow
    Daniel Escalante.

  • Wlc 5508 and wireless guest vlan

    Hi guys,
    I have a 5508 running (version 6).
    I have an adsl releasing public IPs for guest users mapped into vlan 10.
    Now I want to use this adsl only for wireless guest users.
    How can I create an ssid and associate it to vlan 10 without using an ip address (dynamic interfaces require an ip address, mask, default gateway, etc.)?
    Thx in advance.

    Hi,
    the fact that you can't ping in the guest SSID is normal. That SSID blocks all traffic until you authenticated on the web page.
    If your users are using a proxy to browse the web, all you need to do is to add an exception in the client browser for "1.1.1.1" if that is your virtual ip. So that the proxy doesn't get contacted when client is redirected for authentication.
    The second step is to make WLC listen on the proxy port (often it's 8080 for example). Command is "config network web-auth-port" :
    http://www.cisco.com/en/US/partner/docs/wireless/controller/6.0/command/reference/cli60.html#wp1728200
    Hope this helps,
    Nicolas

  • Wireless Guest Authentication Requirement

    Hello,
    We have one wireless guest authentication requirement.
    Any guest coming in should get connected to the SSID and be redirected to a Web portal application form; there the guest should request the desired username, password and duration for wireless guest internet access.
    This request alert should go to IT team and they will verify and create account with requested username, password with specified duration
    Please let me know if we can do it in WLC .
    With Regards
    Dev

    To complete this task, Please refer this guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
