Internal web auth prob
hi all
i am using a 5508 WLC with internal web authentication for guest users. when i try to connect to the guest ssid it connects and gets an ip address.
but when i open my web browser and type www.google.com it is not going to the login page directly.
to authenticate the user, in the browser i am manually giving "1.1.1.1/login.html", then only the login page is coming, and after giving credentials it's connected and working fine.
but what do we have to do to make the login page come automatically...when i give www.google.com in the browser?
pls guide me on this issue..
thanks in advance.
regards,
venkat
hi surendra
pls see below
we are getting the below output.
Connection to host lost.
C:\Documents and Settings\guest>nslookup
Default Server: blr-ge-dc01.XXX.com
Address: 172.50.6.24
> www.cisco.com
Server: blr-ge-dc01.titan.com
Address: 172.50.6.24
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to blr-ge-dc01.XXX.com timed-out
>
Similar Messages
-
Problem loading internal web auth page when heavy load
Hi
I am troubleshooting a wireless problem related to the internal web authentication page. Simply, when 5-10 computers open the web browser and get redirected to the 1.1.1.1 page, no problem. But when 20+ computers do this simultaneously, half of them take up to a minute to load the web page.
WiSM:s running latest 6.x-code and 1131 LAP:s.
Anyone experienced the same or know what this can be related to?
Br Jimmy
-
WLC 4402 web auth Internal login page
Hi,
We recently upgraded the code on our wlc and now our internal web auth page has a nice teal colored L-shaped bar in the upper right part of the screen.
Is there a way to edit the internal web auth page other than just uploading a new bundle to the box?
When I view the source of the preview page I can see the exact coding that is causing the issue.
Thanks for any ideas.
Code 4.1.185.0
Craig
The only way is to customize the code and then upload it to the wlc as a tar file. Of course, you will have to set the wlc to custom webauth and not internal webauth.
-
I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts.
We are using a 5508 WLAN controller running software ver 7.2.110.0 and LAP 1142n APs.
What I would like to do is to configure multiple guest WLANs for each of our regional offices. Each of these WLANs needs to be configured with a Web Auth page relevant to the office location. My question is this: can I have a Web Auth page for each location, or just 2, the default internal page and 1 customised page?
Thanks for any help.
Murray
Here is a link that explains it also
https://supportforums.cisco.com/docs/DOC-13954#Lets_go_for_custom_
Sent from Cisco Technical Support iPhone App -
Guest Anchor with web auth using ISE guest portal
Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
massive thanks to anyone that can assist.
JS.
Thanks for the reply RikJonAtk.
so to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filtering and RADIUS NAC cannot be enabled at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not-used column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in advance,
JS -
Web auth with internal web page of WLC and ISE as radius server
Hi All ,
We have created an SSID as web auth with the internal web page for login. In the advanced tab we configured the AAA server. AD is integrated with ISE.
When the user tries to connect, he is getting the redirect URL. But during the authentication, we are getting an error in ISE as
"ise has problems communicating with active directory using its machine credentials" and authentication is failing.
When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
Only for L3 web auth it is not happening..
Any clue on this ..???
Thanks,
Regards,
Vijay.
Machine credentials require a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
hi
i have two wireless networks, one for the guests and the other one extends the corporate network. i created two vlans on my 6509 switch and mapped the vlans to the wlans. All is working fine, but when i enable web auth for guest i can no longer ping my gateway or browse, and even web auth is not authenticating against the internal users configured on the WLC...web auth just won't work.
what could be wrong..i really need to authenticate using web auth.
ok, SO this is what i need
send me show custom-web details
So if you open the page do you get the default cisco webauth redirected page; are you able to put in the user name and password?
can you send me the screenshot of events
Regards
Seema -
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our physical "Cisco Wireless Controller", with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA, but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is..
- added a DNS Host Name to the virtual interface and assigned it to our internal DNS server: the DNS name was resolving but we were unable to ping 1.1.1.1
- changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry: the DNS name resolved but we still could not ping 2.2.2.2 (I think this is normal)
- changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry: same result
I've attached some screenshots of our configuration.
Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:
1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window. The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP GET session of the client and redirects the user to the web authentication login page.
3. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and run "nslookup www.cisco.com" and see if the IP address comes back. On Macs/Linux: open a terminal window and run "nslookup www.cisco.com" and see if the IP address comes back.
If you believe the client is not getting DNS resolution, you can either:
- Enter the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
- Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
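The nslookup check in step 3 is exactly what the reply near the top of this page pasted, and its output (two "DNS request timed out" lines and a "*** Request ... timed-out") is the signature of DNS being unreachable from the guest subnet rather than of a WLC misconfiguration. The following is an added example, not part of the Cisco document or the thread: a small parser for nslookup's text output plus the verdict a troubleshooter draws from it. The server name, addresses and both sample outputs are constructed placeholders modelled on the thread's paste.

```javascript
// Added example for step 3 (not from the Cisco document or the thread):
// parse the text that nslookup prints on a client and decide whether DNS
// resolution, which the web-auth redirect depends on, is actually working.

// Constructed sample, modelled on the output pasted earlier in the thread;
// the server name and addresses are placeholders, not real infrastructure.
const NSLOOKUP_TIMEOUT = `
Default Server:  dns01.example.com
Address:  172.50.6.24

> www.cisco.com
Server:  dns01.example.com
Address:  172.50.6.24

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dns01.example.com timed-out
`;

// Constructed sample of a successful lookup (198.133.219.25 is the address
// the Cisco document itself gives for www.cisco.com).
const NSLOOKUP_OK = `
Default Server:  dns01.example.com
Address:  172.50.6.24

> www.cisco.com
Server:  dns01.example.com
Address:  172.50.6.24

Non-authoritative answer:
Name:    www.cisco.com
Addresses:  198.133.219.25
`;

// Parse nslookup output into server, query, answers and failure indicators.
function parseNslookup(text) {
  const result = { server: null, serverAddress: null, query: null, answers: [], timeouts: 0, failed: false };
  let context = 'server'; // whether an Address line describes the server or the answer
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    let m;
    if ((m = line.match(/^(?:Default )?Server:\s*(\S+)$/))) {
      result.server = m[1];
      context = 'server';
    } else if ((m = line.match(/^>\s*(\S+)$/))) {
      result.query = m[1];
    } else if (/^Name:\s*\S+$/.test(line)) {
      context = 'answer';
    } else if ((m = line.match(/^Address(?:es)?:\s*(.+)$/))) {
      const addrs = m[1].split(/[\s,]+/).filter(Boolean);
      if (context === 'server') result.serverAddress = addrs[0];
      else result.answers.push(...addrs);
    } else if (context === 'answer' && /^[0-9a-f.:]+$/i.test(line)) {
      result.answers.push(line); // continuation line of a multi-address answer
    } else if (/^DNS request timed out/i.test(line)) {
      result.timeouts += 1;
    } else if (line.startsWith('***')) {
      result.failed = true;
    }
  }
  return result;
}

// Turn the parsed output into the troubleshooting verdict a defender wants.
function diagnoseDns(parsed) {
  if (parsed.answers.length > 0) {
    return { verdict: 'resolved', detail: `${parsed.query} -> ${parsed.answers.join(', ')}; DNS is fine, so look at the redirect, the certificate or the virtual interface next` };
  }
  if (parsed.failed || parsed.timeouts > 0) {
    return { verdict: 'dns-unreachable', detail: `no reply from ${parsed.server} (${parsed.serverAddress}) after ${parsed.timeouts} timeout(s); UDP/53 from the guest subnet to that server is probably blocked, so the client never sends the HTTP GET the WLC would intercept` };
  }
  return { verdict: 'no-answer', detail: 'the server replied but returned no address; check the name and the DNS server configuration' };
}

function checkSample(text) {
  return diagnoseDns(parseNslookup(text));
}

console.log(checkSample(NSLOOKUP_TIMEOUT));
console.log(checkSample(NSLOOKUP_OK));
```

Run it with node and paste a client's real nslookup output into checkSample to get the same verdict; the "dns-unreachable" case is the one the original poster's paste falls into, and the fix belongs on the firewall between the guest subnet and the DNS server, not on the WLC.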
4. For web authentication using a customized web page, ensure that the HTML code for the customized web page is appropriate. You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
5. These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
- ap_mac: the MAC address of the access point to which the wireless user is associated.
- switch_url: the URL of the controller to which the user credentials should be posted.
- redirect: the URL to which the user is redirected after authentication is successful.
- statusCode: the status code returned from the controller's web authentication server.
- wlan: the WLAN SSID to which the wireless user is associated.
These are the available status codes:
- Status Code 1: "You are already logged in. No further action is required on your part."
- Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
- Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
- Status Code 4: "You have been excluded."
- Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
All the files and pictures that need to appear on the customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
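The parameters in step 5 arrive in the query string of the custom login page, and the page's script has to read them, show the right status message and post the credentials to switch_url. What follows is an added example of that client-side script, written by me and not taken from Cisco's webauth_bundle: it parses the five documented parameters, maps statusCode to the messages above, and refuses to post the form unless switch_url points at the controller's own virtual interface (a page that trusts switch_url blindly would post credentials to any host named in a tampered URL). The trusted host list, the hidden-field names (buttonClicked, err_flag, redirect_url) and the sample URLs are assumptions; check the field names against the bundle you actually downloaded. It also covers the "redirect after login" question later on this page, where a login.html that never sets the redirect field sends users to an undefined page.

```javascript
// Added example, not Cisco's webauth_bundle code: query-string handling for a
// custom login.html, with the check that a careless page omits: only post the
// credentials back to the controller's own virtual interface.

// Messages for the status codes listed in the document.
const STATUS_MESSAGES = {
  1: 'You are already logged in. No further action is required on your part.',
  2: 'You are not configured to authenticate against web portal. No further action is required on your part.',
  3: 'The username specified cannot be used at this time. Perhaps the username is already logged into the system?',
  4: 'You have been excluded.',
  5: 'The User Name and Password combination you have entered is invalid. Please try again.',
};

// Hosts the form may post to: the virtual interface IP and the DNS hostname
// assigned to it (assumed values; substitute your own).
const TRUSTED_SWITCH_HOSTS = ['1.1.1.1', 'webauth.example.com'];

// Pull the five documented parameters out of the page URL.
function parseRedirectParams(pageUrl) {
  const q = new URL(pageUrl).searchParams;
  return {
    apMac: q.get('ap_mac'),
    switchUrl: q.get('switch_url'),
    redirect: q.get('redirect'),
    statusCode: q.has('statusCode') ? Number(q.get('statusCode')) : null,
    wlan: q.get('wlan'),
  };
}

function statusMessage(code) {
  return Object.prototype.hasOwnProperty.call(STATUS_MESSAGES, code) ? STATUS_MESSAGES[code] : null;
}

// Accept switch_url only if it is an http(s) URL on a trusted controller host.
function trustedSwitchUrl(switchUrl, trustedHosts = TRUSTED_SWITCH_HOSTS) {
  if (!switchUrl) return null;
  let u;
  try { u = new URL(switchUrl); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return trustedHosts.includes(u.hostname) ? u.href : null;
}

// The controller passes redirect as the site the user originally typed, often
// without a scheme; accept http(s) only so a javascript: value is never used.
function safeRedirect(redirect, fallback) {
  if (!redirect) return fallback;
  const candidate = /^[a-z][a-z0-9+.-]*:/i.test(redirect) ? redirect : `http://${redirect}`;
  let u;
  try { u = new URL(candidate); } catch { return fallback; }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : fallback;
}

// Everything the page needs to set on its form. The hidden-field names
// (buttonClicked, err_flag, redirect_url) are an assumption about the bundle.
function buildLoginForm(pageUrl, opts = {}) {
  const params = parseRedirectParams(pageUrl);
  const action = trustedSwitchUrl(params.switchUrl, opts.trustedHosts);
  if (!action) {
    return { ok: false, reason: 'switch_url missing or not the controller; refusing to post credentials', params };
  }
  return {
    ok: true,
    action,
    fields: { buttonClicked: '4', err_flag: '0', redirect_url: safeRedirect(params.redirect, opts.fallbackRedirect || '') },
    message: statusMessage(params.statusCode),
    params,
  };
}

// In the browser: wire the result onto the first form when the page loads.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('load', () => {
    const built = buildLoginForm(window.location.href);
    const form = document.forms[0];
    if (!built.ok || !form) return;
    form.action = built.action;
    for (const [name, value] of Object.entries(built.fields)) {
      if (form.elements[name]) form.elements[name].value = value;
    }
  });
}
```

The same file runs under node for testing (the window guard skips the DOM part), which is a convenient way to check the bundle's script against odd query strings before uploading the tar file to the controller.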
6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
7. Ensure that the Scripting option is not blocked on the client browser, as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
8. If you have a host name configured for the virtual interface of the WLC, make sure that DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
10. Depending on the network, a topology/solution firewall can be placed between the client and the web-auth server. For each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall:
Protocol                                      Port
HTTP/HTTPS traffic                            TCP port 80/443
CAPWAP data/control traffic                   UDP port 5247/5246
LWAPP data/control traffic (before rel 5.0)   UDP port 12222/12223
EoIP packets                                  IP protocol 97
Mobility                                      UDP port 16666 (non-secured), UDP port 16667 (secured IPsec tunnel)
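The table in step 10 is easy to check by hand once, and easy to get wrong again after a rule change. The block below is an added example, not part of the Cisco document: it encodes the table's flows as requirements and reports which ones a (constructed, deliberately simplified) firewall rule set fails to permit. DNS is not in the table, but the replies on this page say the guest subnet must reach its DNS server for the redirect to ever happen, so it is added as a required flow; the rule format and sample rules are assumptions for the example.

```javascript
// Added example (not from the Cisco document): check a firewall rule set
// against the flows step 10 says must be allowed between the client and the
// web-auth server, plus DNS, which the replies on this page call out.

const REQUIRED_FLOWS = [
  { name: 'HTTP/HTTPS traffic', proto: 'tcp', ports: [80, 443] },
  { name: 'CAPWAP data/control', proto: 'udp', ports: [5247, 5246] },
  { name: 'LWAPP data/control (before release 5.0)', proto: 'udp', ports: [12222, 12223], legacyOnly: true },
  { name: 'EoIP packets', proto: 'ip', ipProto: 97 },
  { name: 'Mobility (non-secured)', proto: 'udp', ports: [16666] },
  { name: 'Mobility (secured IPsec tunnel)', proto: 'udp', ports: [16667] },
  { name: 'DNS from the guest subnet (from the replies, not the table)', proto: 'udp', ports: [53] },
];

// Constructed rule set in a deliberately simplified form: each permit is a
// protocol plus a destination port range, or an IP protocol number.
const SAMPLE_RULES = [
  { proto: 'tcp', portFrom: 80, portTo: 80 },
  { proto: 'tcp', portFrom: 443, portTo: 443 },
  { proto: 'udp', portFrom: 5246, portTo: 5247 },
  { proto: 'udp', portFrom: 16666, portTo: 16666 },
];

function permitsPort(rules, proto, port) {
  return rules.some(r => r.proto === proto && r.portFrom <= port && port <= r.portTo);
}

function permitsIpProto(rules, ipProto) {
  return rules.some(r => r.proto === 'ip' && r.ipProto === ipProto);
}

// Return the required flows the rule set does not fully permit.
function missingFlows(rules, { legacyLwapp = false } = {}) {
  const missing = [];
  for (const flow of REQUIRED_FLOWS) {
    if (flow.legacyOnly && !legacyLwapp) continue; // LWAPP only matters before 5.0
    if (flow.proto === 'ip') {
      if (!permitsIpProto(rules, flow.ipProto)) {
        missing.push({ flow: flow.name, needs: `IP protocol ${flow.ipProto}` });
      }
      continue;
    }
    const blocked = flow.ports.filter(p => !permitsPort(rules, flow.proto, p));
    if (blocked.length > 0) {
      missing.push({ flow: flow.name, needs: `${flow.proto.toUpperCase()} ${blocked.join('/')}` });
    }
  }
  return missing;
}

// Human-readable summary for a change ticket or a troubleshooting note.
function report(rules, opts) {
  const missing = missingFlows(rules, opts);
  if (missing.length === 0) return 'all required web-auth flows permitted';
  return missing.map(m => `${m.flow}: add ${m.needs}`).join('\n');
}

console.log(report(SAMPLE_RULES));
```

With the sample rules the report lists EoIP, the secured mobility port and DNS as missing, which is the combination that leaves a guest anchor tunnel half-working: clients associate and get addresses, but the login page never appears.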
11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
12. Disable the Proxy Settings on the client browser until web authentication is completed.
13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
14. Update the hardware driver on the computer to the latest code from the manufacturer's website.
15. Verify settings in the supplicant (program on laptop).
16. When you use the Windows Zero Config supplicant built into Windows:
- Verify the user has the latest patches installed.
- Run debugs on the supplicant.
17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
18. If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request:
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet
-
I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.
The problem I have amongst many is that I can create a guest user directly on the ISE and the guest can log in; the ISE monitor shows the guest authenticates, but the client's web page passes them back to the login page, not on to the original client URL. The web auth is pointed at the ISE/guestportal/portal.jsp page.
If I point the web auth at the internal WLC page using a WLC local user account it works.
If I set the guest access to pass through it works without issues getting dhcp and dns.
On the ISE is there a policy needed to say if guests are web authenticated give them access?
The need is for AD authenticated users to be able to create guest users. The AD authentication works for sponsorship and guest creation; it's just the guest access redirection I am having issues with. Does anyone have any ideas where I might be going wrong?
Thanks for any ideas, Mick
Does this work if you point to the WLC internal page and use AAA credentials?
-
How to generate CSR on switches for web auth with NGS
Hello
I am doing a dot1x solution with web auth on cisco 3750 switches.
Once the wired client gets put into the web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is self-signed.
I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.
Is there any way to solve this?
Greetings
Steven
Hi Steven,
The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
This document goes into a little more detail on all the individual commands and what they do:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
Thanks,
Nate -
PALM with WLC 4400 (Web Auth Portal)
We cannot get the Web Portal splash page to display on wireless Palm units....the site simply hangs. Are there any fixes out there for this problem? Thanks for all replies!!
Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be the certificate is not valid and the Palm has no way to prompt for that message like a laptop. Any ideas?
-
Web auth not working on new controllers
We are currently experiencing a problem with web auth on one of our sites. This uses WiSM2 controllers running version 7.2.110.0 of the software.
The affected SSID is set up for web auth exactly the same way as our other site and that works (although that uses WiSMs running 7.0.230.0).
Both sites use the same web auth bundle and the same certificate. We have a DNS entry that points back to the virtual interface IP they all use which is 1.1.1.1.
When users connect to the SSID they are not being presented with the login page. Running a preview on the controller at the problem sites shows the correct page that should be being displayed.
The controllers have had the certificate re-applied, the web auth bundle reloaded on and have been upgraded from 7.2.103.0 to 7.2.110.0 but none of these have resolved the issue. All other SSIDs work fine, but this is the only one that uses web auth.
As I say, the only configuration difference is the hardware (WiSM2 vs WiSM) and the software level.
Any suggestions?
When you mention that the login page does not open, that usually means that it is a DNS issue. Make sure that you allow DNS from the guest subnet to the DNS server on which the FQDN of the certificate is being resolved.
Are you anchoring the guest ssid to an anchor controller? It would be the same troubleshooting, but make sure the anchor is configured correctly. The foreign wlc guest ssid needs to have a mobility anchor to the anchor wlc, and the FW needs to allow DNS back in if you're using an internal DNS server.
If you are not using an anchor wlc, the best way to test is to map the guest to another dynamic interface on the inside network that is working. If that works, your FW is blocking DNS on the guest subnet. You also can remove the FQDN (make sure it was entered correctly) from the VIP and test. If that fixes it, then DNS was not resolving the certificate FQDN.
Hope this helps
Sent from Cisco Technical Support iPad App -
External Web Server links to internal web server on LAN - how to configure?
I'm hoping someone can give me a bit of assistance with some routing configurations:
Currently, I have a Cisco PIX 515E that's handling my VPN and routing/DNS, etc. I'm dumping the PIX (it's overkill for my organization and it's costing too much money for Cisco-certified techs to come in and still not configure it correctly for my needs - long story).
Furthermore, an external website hosted with our ISP links to a public IP (let's say 192.x.x.1) that points through the current PIX firewall, through a DMZ, and then to a webserver hosted locally behind our firewall.
I'd like our Xserve to take over for the PIX, providing VPN access, DNS, etc. and to properly route calls from the web to 198.x.x.1 to the correct server behind our network.
The Xserve has two NIC cards, one on a public IP 192.x.x.2 (for the sake of this discussion) and one with its internal address of 10.1.0.2 for file sharing, etc.
The internal web server also has 2 NIC cards, one that listens for the links to 192.x.x.1, and one that listens locally on 10.1.0.80 for LAN application services.
How do I configure DNS/etc. on the Xserve to properly channel the incoming calls to 192.x.x.1 to properly reach the server they're supposed to reach?
Any help is appreciated. If more info is needed, I'm happy to provide.
Thanks in advance!
I've read your post several times and I'm pretty sure I understand what you're saying, until the line:
>How do I configure DNS/etc. on the Xserve to properly channel the incoming calls to 192.x.x.1 to properly reach the server they're supposed to reach?
Assuming that the 192.x.x.1 address is a real-world, public IP address that the web server is using, you want all requests from the outside world to go to this address, correct? but requests from the inside world want to go to the 10.1.0.80 address on that server?
That part I get - you want split DNS, which is not trivial to set up, but is manageable. The part I don't get is where the firewall comes in - you're removing the pix and replacing it with an XServe, but the web server has a public IP address in the same range as the XServe's public IP address, and on that basis no traffic is going to flow through the firewall.
So I'm not sure if this is a firewall or a DNS question.
Split DNS will handle the internal vs. external traffic going to the different IP addresses of your server. You can't use Server Admin to do this (it can't handle multiple views of the DNS), but it is possible to do by hand.
The firewall element stumps me, though - but if the XServe is going to run as the firewall you might just find it easier to put the web server behind the firewall and forget the whole DMZ concept.
Then again, you could get the PIX operating correctly - it's a viable firewall appliance and I'd be surprised if it couldn't do what you want here. -
Web Auth Type: Customized(downloaded) Redirect URL after login not working.
5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
Everything is working as it should. I downloaded the web auth bundle from Cisco and will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
I have edited the aup.html and login.html to say what I want them to. I have 2 different login.html pages and bundle them into a .tar file like the documentation says. I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should. The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined.
I must be missing some setting somewhere, but I just cannot seem to find it. Is there any line I need to edit in the login.html files that will redirect the page? The config on the Web Login Page Redirect URL after login is http://www.mccg.org which is our home page.
Any help will be appreciated. I cannot seem to find very good documentation, or I am just overlooking something.
Thanks
John
Your HTML code is wrong. Attach your code if you're okay with it and I can check.
Sent from Cisco Technical Support iPhone App -
Client unable to search partial names after internal web F5 VIP placed
I am running a dual pool set up, all 2013 EE on 2012 R2.
So, the other day I finally got access to a hardware load balancing solution. Not wanting a full conversion and to keep SIP flowing through DNS, I opted for balancing the internal web services. There is a separate administrator that handles F5; thus, I am F5 knowledge deficient.
After having the VIP set up, I placed its FQDN in the Override FQDN field within the Lync Topology Builder, published the topology and re-ran setup on each server. Keep in mind that for some reason the builder already had the Lync pool FQDN in the External Web Services FQDN.
Having enabled this new logical route for Lync web services, I have run into a problem: users are unable to search partial names, but inputting a full SIP address yields the result. All clients are forced to do Web Search Only and the GALInitialDownloadDelay across the board is 0. HLB is set to allow 80, 8080, 443, and 4443. I know that 8080 and 4443 are for external VIPs but it's better to ask for more and need less than ask for less and need more.
I have a few areas I think I goofed on but I am not able to change "willy nilly."
-Do I need to reissue the server certificates to include the FQDN of the VIP that points to the F5? I was noticing a certificate error on my web checks after the change.
-Do I need to reroute the exchange connection, somehow, to point to the VIP instead of the pool address?
-Do I need to remove my internal pool name from the External Web Services FQDN, or is that normal? Ideally I believe I would just point EWSFQDN to my Reverse Proxy internal interface VIP, that would be set up soon-ish.
Clarification, links to articles, or personal experience is appreciated. I've read through most (if not all Schertz's articles), technet (maybe sentence I missed), the F5 documentation, and NextHop.
TL;DR - When I put an F5 VIP FQDN into the Internal Web Services FQDN, Lync clients can't search and websites receive certificate errors. I believe it is certificate related but am unsure.
Thank you.
If you changed the internal override address from poolname.domain.com to internalweb.domain.com (just an example), you would need to ensure that the certificate that is used on your front-end servers includes internalweb.domain.com. As you noted, you will see a certificate error. For address book services, it all happens under the hood, so you won't get any prompts or errors on searching; it will simply fail in the background.
In terms of your other question: by default, topology builder will put your pool name into the external name field. You should change that to whatever name you are using to publish your Lync environment to the internet. You shouldn't use the same name as your pool. Often in Lync documentation you will find lyncrp.domain.com or lws.domain.com as the name.
Hope that helps.
Thanks,
Richard
Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com