Redirection without web-auth

Similar Messages

• Web Auth logout windows shows IP address as URL vs DNS

  We are using Web Auth with DNS name which works fine. We did notice however that upon successful login that the logout popup page displays the logut url with the IP address and not the DNS.
  Is this a bug?
  Runnig WCS 4.2.62.0 WLC 4.2.112.0

  See steps below. It might be clearer this way.
  Guest user gets an IP address via DHCP with DNS information.
  Guest user goes to website www.cisco.com
  Guest User is redirected to Web auth page https://webauth.xyz.com/login.html?redirect=www.cisc.com/
  Guest User logs in
  Guest User receives POPUP page indicating successfull login and is reminded to either minimize this window or remember the URL to retrieve this window to logout.
  It is here the the URL indicates the IP address http://1.1.1.1/logout.html and not the DNS name http://webauth.xyz.com/logout.html

• Web Auth Redirection

  I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.
  The problem I have amoungst many is I can create a guest user directly on the ISE and the guest can login, the ISE monitor shows the guest authenticates but the clients webpage passes them back to the login page not onto the original client url. The web auth is pointed at the ISE/guestportal/portal.jsp page.
  If I point the web auth at the internal WLC page using a WLC local user account it works.
  If I set the guest access to pass through it works without issues getting dhcp and dns.
  On the ISE is there a policy needed to say if guests are web authenticated give them access?
  The need is for AD authenticated users to be able tocreate guest users. The AD authentication works for sponsorship and guest creation its just the guest access redirection I am having issues with. Does anyone have any ideas where I might be going wrong?
  Thanks for any ideas Mick

  Does this work if you point to the WLC internal page and use AAA credentials?

• Web Auth Type: Customized(downloaded) Redirect URL after login not working.

           5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
  Everything is working as it should.  I downloaded the web auth bundle from Cisco and  will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
  I have edited the aup.html and login.html to say what I want it to.  I have 2 different login.html pages and bundle to a .tar file like the documentation says.  I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should.  The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined. 
     I must be missing some setting somewhere, but I just can not seem to find it.  Is there any line I need to edit in the login.html files that will redirect the page.    The config on the Web Login Page  Redirect URL after login is http://www.mccg.org which is our home page.
  Any help will be appreciated.  I cannot seem to fine very good documentation, or I am just overlooking something.
  Thanks
  John   

  Your HTML code is wrong. Attach your code if your okay with it and I can check.
  Sent from Cisco Technical Support iPhone App

• WLC Web Auth Redirect URL point to an ISE Policy NODE only?

  Hi all,
  I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

  Thanks Peter for your clarification regarding the semantic I used and the question I made.
  Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

• Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

  Hi everyone.
  I'm seting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
  I'm only testing the wired environment right now.
  I plug a PC to a port, and I try to get access to a randon internet page (for example www.cisco.com) . It is automatically redirected to authentication page. I type the username and password, but, when authentication passes, it goes automatically to https version of the page, which brings me to the problem. I have to add an exception (continue on this webpage option on IE) to that page in order to continue with the authentication and get the access to the internet. I'm attaching the steps I have to perform:
  I think it is related to Certificate, but I'm not quite sure which or where. I'd like to have some advices from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https would be great.
  Thanks a bunch for your help
  Victor Alves

  You need a certificate that your client will trust.
  Easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors so that's automatically trusted.
  You could issue the certificate yourself also, for free :
  -Self signed : the signing authority is the switch ... That means you need all your PCs to trust all your switches. Manual operation ...
  -You create an enterprise CA and create a certificate for all your switches : you just need your clients to trust your enterprise CA so that's still a manual task but a simpler one.
  When laptops are integrated in a domain, it's usually easier to create your CA on windows server and push the certificates to the clients automatically

• Firefox does not redirect users to web auth page

  I have a client that uses web auth for the guest wireless.  When a users opens up FF, it does not automatically redirect them to the web auth page.  However, IE and Chrome work fine.  If you copy and paste the redirection page into FF, it will go to the page then.  The only two possible solutions I have found are to either enable web auth proxy or regenerate the WLC self-signed cert. 
  Anyone have any other ideas? 
  TIA,
  Dan

  I've been trying to figure out a very similar issue where Firefox wouldn't open the guest webpage (the connection was interrupted) and finally found it was caused by opening Yahoo as my startup page. I change it to Google, for example, and it comes up everytime now. When set to Yahoo I could clear my cache and it would work once but then wouldn't work again. If I load Yahoo as the startup page in IE it works everytime. Very strange.
  Here's what the debug looks like:
  *webauthRedirect: Jul 23 20:59:33.793: xx:xx:xx:xx:xx:xx- received connection
  *webauthRedirect: Jul 23 20:59:33.794: xx:xx:xx:xx:xx:xx- received connection
  *webauthRedirect: Jul 23 20:59:33.795: xx:xx:xx:xx:xx:xx- received request
  *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received connection
  *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received request
  *webauthRedirect: Jul 23 20:59:33.806: xx:xx:xx:xx:xx:xx- received connection
  *webauthRedirect: Jul 23 20:59:33.807: xx:xx:xx:xx:xx:xx- received request
  *webauthRedirect: Jul 23 20:59:33.810: xx:xx:xx:xx:xx:xx- received connection

• Is there a way to submit a pdf form without redirecting my web page?

  I have a fillable pdf form inside of a web page.  When a user clicks on a submit button I have the pdf calling the submitform method.  This redirects the web page to the url I specified inside of my pdf document.  I don't want the web page to be redirected.  I would like to have the pdf submitted to the server and know when I have handled the submission.  Is there a way to do this? 

  Normally you'd return an (X)FDF in this situation. It can contain content that causes an informative popup dialog to be displayed to the user, fill in form fields, and some other things. Are you able to reprogram the server to return an FDF instead of HTML?

• ISE, WLC: web auth, blocking user account

  Hello!
  We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
  On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
  Credentials are created at the ISE sponsor portal.
  We create user account in ISE sponsor portal with one hour lease.
  In 10 minutes we delete (or block)  user credentials.
  In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
  This happens because WLC thinks, that client is still associated.
  There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
  From my point of you, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible .
  In practice, ISE doesn't tell wlc or user, that client sesssion is blocked.
  How the user account blocking process can be automated without manually deleting the client session from WLC client database?

  It seems that there is some bug about CoA when deleting Guest accounts
  CSCuc82135
  Guests need to be removed from the network on Suspend/Delete/Expiration
  When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
  Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
  from BUG Toolkit there is Release-Pending in "Fixed-in" option.

• Cisco WLC 5508 simultaneous Web Auth Users logins?

  Hi there,
  We have 2 WLC5508 (7.2.111.3) with several SSID's.
  One of them is configured as Passthrough with an external splash server. Works fine.
  Now we want to use the "On MAC Filter failure".
  If the client MAC-adresse is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
  If MAC-adress is not known, the client will be redirect to the external WebAuth server for authentication.
  To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
  So, every client WebAuth uses the same username&password for authentication against the WLC.
  User Login Policies is set to unlimited.
  So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
  The two WLC's have abount 100-170 clients connected.
  Question:
  - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
  - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
    If yes, some guide information wolud be great.
  - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
  Thanks for the answers ;-)
  Kind regards,
  Norbert

  Question:
  - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
  > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
  - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
    If yes, some guide information would be great.
  > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
  - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
  > Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• WLC 4404 5.1.151.0 - custom web-auth bundle

  Ultimately the user needs to see a custom "splash page" without having to authenticate. I have successfully installed a custom web-auth bundle that appears when the WLAN Web Policy is enabled, but without any authentication, there is no access to the outside.
  Is what I'm trying to accomplish possible in some other way?

  You will not be able to do this unless you use some 3rd party hotspot utility. The main reason you should have an accept button is to be able to display a terms and conditions for users to read if they wish. This will protect you from an legal troubles. You can try to write a script on the html page (you can keep the page blank and hide everything) that will activate the accept button, that way you can redirect them to your web page.
  Try to add this to your html page:
  setTimeout("submitAction()",20);
  Hope this helps... just make sure you keep you html page blank.... by setting the background and text to white or any color of your choice.

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• ISE web auth for non-cisco switch(D-link 3528)

  Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
  And the wired users will get full network access after they pass the web auth.

  you can use ISE ln-line posture node with 3rd part switches
  RADIUS access device must supply the following RADIUS attributes:
      Calling-Station-Id (for MAC_ADDRESS)
      User-Name
      NAS-Port-Type
      RADIUS accounting message must have the Framed-IP-Address attribute
  VLAN, DACL features can be used  but again it depends on switch models let us know  specific switch  models . Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality,

• Central Web Auth with Anchor Controller and ISE

  Hi All
  I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
  I also have an ISE sat on the corporate LAN.
  Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
  DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
  I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
  My questions are:
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
  4. Is ICMP still blocked by the WLC until the web authentication is complete?
  Thanks.
  Regards
  Roger

  Hi Roger,
  Thanks for your brief explanation here are the answers for your queries.
  1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
  The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
  2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
  Yes, you have to configure the ISE server address on the anchor WLC.
  3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
  Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
  4. Yes, ICMP will work only after the sucessful web auth is complete.
  Please do go through the link below to understand the Anchor-Foreigh Scenario.
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
  Regards
  Salma

• Web-Auth with 802.1x

  Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in it's own secure VLAN.
  I am trying create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
  An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
  I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works jsut fine. It is just the Web-Auth using 802.1x where it seem the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.

  Hi,
  I don't know if you have resolved the problem or not, But I will propose my solution anyway,
  There are two ways to solve this problem, either to make the controller send the radius request with md5 or make the windows reply to the radius requests that does not contain a md5 hash
  Microsoft Solution:
  When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
  That should make the IAS respond to the web auth requests.
  WLC Solution:
  I haven't tested this solution, but I think it will work. if you did test it, please let me know how it turned out.
  By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
  Hope that solves your problem, and please let me know how the problem was solved.