SSL web auth equals encyrption?

If you use a self signed cert/SSL web auth page that uses LDAP usernames and passwords is the traffic there on considered encrypted or is it only my user name and password that gets encrypted ?

If there is no layer 2 encryption going on, then only the authentication piece is encrypted by SSL. After the user is authenticated, there's no more encrypted communication with the AP/controller. You'd need layer 2 encryption (AES, TKIP, WEP), VPN, or possibly some sort of SSL proxy for additional encryption.

Similar Messages

Multiple Web Auth Pages

I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts.
We are using a 5508 WLAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest WLANS for each of our regional offices. Each of these WLANS needs to be configured with a Web Auth page relevant to the office location. My question is this, can I have a Web Auth page for each location or just 2, the default internal page and 1 customised page?
Thanks for any help.
Murray

Here is a link that explains it also
https://supportforums.cisco.com/docs/DOC-13954#Lets_go_for_custom_
Sent from Cisco Technical Support iPhone App

ORA-29532 error when invoking SSL web services using UTL_DBWS

Web Service gurus,
The WSDL for web services is as follows -
<definitions name="Webservice" targetNamespace="http://webservice.airclic.com/">
−
<types>
−
<xs:schema targetNamespace="http://webservice.airclic.com/" version="1.0">
<xs:element name="Exception" type="tns:Exception"/>
<xs:element name="listenForEvents" type="tns:listenForEvents"/>
<xs:element name="listenForEventsResponse" type="tns:listenForEventsResponse"/>
<xs:element name="sendAuthenticationResponse" type="tns:sendAuthenticationResponse"/>
<xs:element name="sendAuthenticationResponseResponse" type="tns:sendAuthenticationResponseResponse"/>
<xs:element name="upsertTask" type="tns:upsertTask"/>
<xs:element name="upsertTaskResponse" type="tns:upsertTaskResponse"/>
−
<xs:complexType name="upsertTask">
−
<xs:sequence>
<xs:element minOccurs="0" name="task" type="tns:Task"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Task">
−
<xs:complexContent>
−
<xs:extension base="tns:PlatformObject">
−
<xs:sequence>
<xs:element minOccurs="0" name="status" type="tns:status"/>
<xs:element minOccurs="0" name="assignee" type="xs:string"/>
<xs:element minOccurs="0" name="assigneeUserId" type="xs:string"/>
<xs:element minOccurs="0" name="name" type="xs:string"/>
<xs:element minOccurs="0" name="type" type="xs:string"/>
<xs:element minOccurs="0" name="creationTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="updateTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="startTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="endTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="source" type="tns:source"/>
<xs:element minOccurs="0" name="notes" type="xs:string"/>
<xs:element minOccurs="0" name="priority" type="xs:int"/>
<xs:element minOccurs="0" name="penalized" type="xs:boolean"/>
<xs:element minOccurs="0" name="hasSLA" type="xs:boolean"/>
<xs:element minOccurs="0" name="location" type="tns:Location"/>
<xs:element minOccurs="0" name="windowStartTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="windowEndTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="signee" type="xs:string"/>
<xs:element minOccurs="0" name="signature" type="xs:base64Binary"/>
<xs:element minOccurs="0" name="customerId" type="xs:string"/>
<xs:element minOccurs="0" name="travelTime" type="xs:int"/>
<xs:element minOccurs="0" name="expirationTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="parentId" type="xs:long"/>
<xs:element minOccurs="0" name="externalTimezone" type="xs:string"/>
<xs:element minOccurs="0" name="localTimeOffset" type="xs:long"/>
<xs:element minOccurs="0" name="consignee" type="xs:string"/>
<xs:element minOccurs="0" name="assignmentWindowStartTimestamp" type="xs:long"/>
<xs:element minOccurs="0" name="assignmentWindowEndTimestamp" type="xs:long"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
−
<xs:complexType name="PlatformObject">
−
<xs:sequence>
<xs:element name="id" type="xs:string"/>
<xs:element name="externalId" type="xs:string"/>
<xs:element name="revision" type="xs:long"/>
<xs:element name="platformDateCreated" type="xs:dateTime"/>
<xs:element name="platformDateUpdated" type="xs:dateTime"/>
<xs:element name="objectName" type="xs:string"/>
<xs:element maxOccurs="unbounded" name="extendedAttributes" type="tns:ExtendedAttribute"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Location">
−
<xs:sequence>
<xs:element minOccurs="0" name="name" type="xs:string"/>
<xs:element minOccurs="0" name="description" type="xs:string"/>
<xs:element minOccurs="0" name="type" type="xs:string"/>
<xs:element minOccurs="0" name="address" type="tns:Address"/>
<xs:element minOccurs="0" name="position" type="tns:Position"/>
<xs:element minOccurs="0" name="geofenceId" type="xs:long"/>
<xs:element minOccurs="0" name="capcity" type="xs:int"/>
<xs:element minOccurs="0" name="contact" type="xs:string"/>
<xs:element minOccurs="0" name="email" type="xs:string"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Address">
−
<xs:sequence>
<xs:element minOccurs="0" name="addressLine" type="xs:string"/>
<xs:element minOccurs="0" name="addressLine2" type="xs:string"/>
<xs:element minOccurs="0" name="city" type="xs:string"/>
<xs:element minOccurs="0" name="secondaryCity" type="xs:string"/>
<xs:element minOccurs="0" name="subdivision" type="xs:string"/>
<xs:element minOccurs="0" name="postalCode" type="xs:string"/>
<xs:element minOccurs="0" name="country" type="xs:string"/>
<xs:element minOccurs="0" name="phone" type="xs:string"/>
<xs:element minOccurs="0" name="freeform" type="xs:string"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Position">
−
<xs:sequence>
<xs:element name="latitude" type="xs:double"/>
<xs:element name="longitude" type="xs:double"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="ExtendedAttribute">
−
<xs:sequence>
<xs:element name="name" type="xs:string"/>
<xs:element name="value" type="xs:anyType"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="upsertTaskResponse">
−
<xs:sequence>
<xs:element minOccurs="0" name="task" type="tns:Task"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Exception">
−
<xs:sequence>
<xs:element minOccurs="0" name="message" type="xs:string"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="listenForEvents">
−
<xs:sequence>
<xs:element minOccurs="0" name="listenParams" type="tns:ListenParams"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="ListenParams">
−
<xs:sequence>
<xs:element name="queueName" type="xs:string"/>
<xs:element name="resendLast" type="xs:boolean"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="listenForEventsResponse">
−
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="events" type="tns:Event"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="Event">
−
<xs:sequence>
<xs:element name="id" type="xs:string"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="AuthenticationRequestEvent">
−
<xs:complexContent>
−
<xs:extension base="tns:RequestEvent">
−
<xs:sequence>
<xs:element name="username" type="xs:string"/>
<xs:element minOccurs="0" name="password" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
−
<xs:complexType name="RequestEvent">
−
<xs:complexContent>
−
<xs:extension base="tns:Event">
−
<xs:sequence>
<xs:element name="correlationId" type="xs:string"/>
<xs:element name="response" type="tns:Response"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
−
<xs:complexType name="Response">
−
<xs:sequence>
<xs:element name="correlationId" type="xs:string"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="AuthenticationResponse">
−
<xs:complexContent>
−
<xs:extension base="tns:Response">
−
<xs:sequence>
<xs:element name="success" type="xs:boolean"/>
<xs:element name="username" type="xs:string"/>
<xs:element minOccurs="0" name="password" type="xs:string"/>
<xs:element minOccurs="0" name="firstName" type="xs:string"/>
<xs:element minOccurs="0" name="lastName" type="xs:string"/>
<xs:element minOccurs="0" name="email" type="xs:string"/>
<xs:element minOccurs="0" name="active" type="xs:boolean"/>
<xs:element minOccurs="0" name="timeZone" type="xs:string"/>
<xs:element minOccurs="0" name="group" type="xs:string"/>
<xs:element minOccurs="0" name="role" type="xs:string"/>
<xs:element minOccurs="0" name="errorCode" type="xs:string"/>
<xs:element minOccurs="0" name="errorMessage" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
−
<xs:complexType name="DispatchEvent">
−
<xs:complexContent>
−
<xs:extension base="tns:Event">
−
<xs:sequence>
<xs:element name="type" type="tns:eventType"/>
<xs:element minOccurs="0" name="previousTask" type="tns:Task"/>
<xs:element name="changeTask" type="tns:Task"/>
<xs:element minOccurs="0" name="newTask" type="tns:Task"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
−
<xs:complexType name="sendAuthenticationResponse">
−
<xs:sequence>
<xs:element minOccurs="0" name="authenticationResponse" type="tns:AuthenticationResponse"/>
</xs:sequence>
</xs:complexType>
−
<xs:complexType name="sendAuthenticationResponseResponse">
<xs:sequence/>
</xs:complexType>
−
<xs:simpleType name="status">
−
<xs:restriction base="xs:string">
<xs:enumeration value="NULL"/>
<xs:enumeration value="UNASSIGNED"/>
<xs:enumeration value="ASSIGNED"/>
<xs:enumeration value="RECEIVED"/>
<xs:enumeration value="ACCEPTED"/>
<xs:enumeration value="REJECTED"/>
<xs:enumeration value="IN_PROGRESS"/>
<xs:enumeration value="POSTPONED"/>
<xs:enumeration value="COMPLETED"/>
<xs:enumeration value="CANCELED"/>
<xs:enumeration value="CLEARED"/>
<xs:enumeration value="EXPIRED"/>
</xs:restriction>
</xs:simpleType>
−
<xs:simpleType name="source">
−
<xs:restriction base="xs:string">
<xs:enumeration value="NULL"/>
<xs:enumeration value="DISPATCH"/>
<xs:enumeration value="SYSTEM"/>
<xs:enumeration value="ENDUSER"/>
</xs:restriction>
</xs:simpleType>
−
<xs:simpleType name="eventType">
−
<xs:restriction base="xs:string">
<xs:enumeration value="TaskCreated"/>
<xs:enumeration value="TaskUpdated"/>
<xs:enumeration value="TaskAssigned"/>
<xs:enumeration value="TaskDeleted"/>
<xs:enumeration value="TaskStatusChanged"/>
<xs:enumeration value="TaskConflicted"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
</types>
−
<message name="Webservice_listenForEvents">
<part element="tns:listenForEvents" name="listenForEvents"/>
</message>
−
<message name="Webservice_sendAuthenticationResponseResponse">
<part element="tns:sendAuthenticationResponseResponse" name="sendAuthenticationResponseResponse"/>
</message>
−
<message name="Webservice_sendAuthenticationResponse">
<part element="tns:sendAuthenticationResponse" name="sendAuthenticationResponse"/>
</message>
−
<message name="Webservice_upsertTaskResponse">
<part element="tns:upsertTaskResponse" name="upsertTaskResponse"/>
</message>
−
<message name="Exception">
<part element="tns:Exception" name="Exception"/>
</message>
−
<message name="Webservice_upsertTask">
<part element="tns:upsertTask" name="upsertTask"/>
</message>
−
<message name="Webservice_listenForEventsResponse">
<part element="tns:listenForEventsResponse" name="listenForEventsResponse"/>
</message>
−
<portType name="Webservice">
−
<operation name="listenForEvents" parameterOrder="listenForEvents">
<input message="tns:Webservice_listenForEvents"/>
<output message="tns:Webservice_listenForEventsResponse"/>
<fault message="tns:Exception" name="Exception"/>
</operation>
−
<operation name="sendAuthenticationResponse" parameterOrder="sendAuthenticationResponse">
<input message="tns:Webservice_sendAuthenticationResponse"/>
<output message="tns:Webservice_sendAuthenticationResponseResponse"/>
<fault message="tns:Exception" name="Exception"/>
</operation>
−
<operation name="upsertTask" parameterOrder="upsertTask">
<input message="tns:Webservice_upsertTask"/>
<output message="tns:Webservice_upsertTaskResponse"/>
<fault message="tns:Exception" name="Exception"/>
</operation>
</portType>
−
<binding name="WebserviceBinding" type="tns:Webservice">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
−
<operation name="listenForEvents">
<soap:operation soapAction=""/>
−
<input>
<soap:body use="literal"/>
</input>
−
<output>
<soap:body use="literal"/>
</output>
−
<fault name="Exception">
<soap:fault name="Exception" use="literal"/>
</fault>
</operation>
−
<operation name="sendAuthenticationResponse">
<soap:operation soapAction=""/>
−
<input>
<soap:body use="literal"/>
</input>
−
<output>
<soap:body use="literal"/>
</output>
−
<fault name="Exception">
<soap:fault name="Exception" use="literal"/>
</fault>
</operation>
−
<operation name="upsertTask">
<soap:operation soapAction=""/>
−
<input>
<soap:body use="literal"/>
</input>
−
<output>
<soap:body use="literal"/>
</output>
−
<fault name="Exception">
<soap:fault name="Exception" use="literal"/>
</fault>
</operation>
</binding>
−
<service name="Webservice">
−
<port binding="tns:WebserviceBinding" name="WebservicePort">
<soap:address location="https://webservice.mp.b.airclic.com:443/webservice/product/fieldservice/v1/Webservice"/>
</port>
</service>
</definitions>
Following is the pl/sql code using UTL_DBWS
DECLARE
l_service UTL_DBWS.service;
l_call UTL_DBWS.call;
l_wsdl_url VARCHAR2(32767);
l_namespace VARCHAR2(32767);
l_service_qname UTL_DBWS.qname;
l_port_qname UTL_DBWS.qname;
l_operation_qname UTL_DBWS.qname;
l_input_params UTL_DBWS.anydata_list;
soap_request xmltype;
l_result xmltype;
result_output VARCHAR2(32767);
BEGIN
l_wsdl_url := 'https://webservice.mp.b.airclic.com/webservice/product/fieldservice/v1/Webservice?WSDL';
l_namespace := 'http://webservice.airclic.com/';
dbms_output.put_line ('1');
l_service_qname := UTL_DBWS.to_qname(l_namespace, 'Webservice');
dbms_output.put_line ('2');
l_port_qname := UTL_DBWS.to_qname(l_namespace, 'WebservicePort');
dbms_output.put_line ('3');
l_operation_qname := UTL_DBWS.to_qname(l_namespace, 'sendAuthenticationResponse');
dbms_output.put_line ('4');
l_service := UTL_DBWS.create_service (
wsdl_document_location => URIFACTORY.getURI(l_wsdl_url),
service_name => l_service_qname);
dbms_output.put_line ('5');
l_call := UTL_DBWS.create_call (
service_handle => l_service,
port_name => l_port_qname,
operation_name => l_operation_qname);
dbms_output.put_line ('6');
UTL_DBWS.SET_PROPERTY(l_call,'USERNAME',<username to access wsdl>);
dbms_output.put_line ('7');
UTL_DBWS.SET_PROPERTY(l_call,'PASSWORD',<password>);
dbms_output.put_line ('8');
utl_dbws.set_property(l_call,'OPERATION_STYLE', 'document');
dbms_output.put_line ('9');
soap_request := xmltype.createxml('<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<ns2:sendAuthenticationResponse xmlns:ns2="http://webservice.airclic.com/">
<authenticationResponse>
<correlationId>4646735802698040711:[email protected]</correlationId>
<success>true</success>
<username>changlanih</username>
<password>abcd1234</password>
<firstName>hero</firstName>
<lastName>changlani</lastName>
<email>[email protected]</email>
<active>true</active>
<timeZone>eastern</timeZone>
<group>Northeast</group>
<role>Service Manager</role>
</authenticationResponse>
</ns2:sendAuthenticationResponse>
</S:Body>
</S:Envelope>');
l_result := UTL_DBWS.invoke ( l_call,soap_request);
UTL_DBWS.release_call (call_handle => l_call);
UTL_DBWS.release_service (service_handle => l_service);
result_output := l_result.getstringval;
dbms_output.put_line('web svc output ===> ' || result_output);
END;
Following is the error from pl/sql code
1
2
3
4
DECLARE
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception: java.lang.IllegalAccessException: error.build.wsdl.model: oracle.j2ee.ws.common.tools.api.WsdlValidationException:
Failed to read WSDL from https://webservice.mp.b.airclic.com/webservice/product/fieldservice/v1/Webservice?WSDL:
HTTP connection error code is 401
ORA-06512: at "SYS.UTL_DBWS", line 193
ORA-06512: at "SYS.UTL_DBWS", line 190
ORA-06512: at line 20
Notes
The program fails at following line of code -
l_service := UTL_DBWS.create_service (
wsdl_document_location => URIFACTORY.getURI(l_wsdl_url),
service_name => l_service_qname);
Web services are SSL.
The WSDL is at https location and needs username/password for access. The username/password to access WSDL are set using UTL_DBWS.SET_PROPERTY
To access the SSL site, I have imported the CA in Oracle Wallet, JVM home and JDK home.
Can anyone tell me what am I doing wrong here. I am not able to even establish connection to web service host.
This is very frustrating - Oracle has no examples on how to access a SSL Web Service (that needs authentication) from Database.
This is effecting our project deadlines ......... any help would be greatly appreciated.
Thanks.

Hi,
I presume your Web Service needs HTTP (BASIC?) Authentication.
All this needs is setting the following 2 properties, which as can be seen, you are setting....
UTL_DBWS.set_property(l_call, 'USERNAME', '<username>');
UTL_DBWS.set_property(l_call, 'PASSWORD', '<pwd>');
This should work as long as your DBWS Callout Utility was downloaded from OTN after June 2008, and it's version is atleast 10.1.3.1.
Following is a sample code snippet that was tested successfully for this :
Declare
l_service UTL_DBWS.service;
l_call UTL_DBWS.call;
l_result sys.XMLTYPE;
l_request sys.XMLTYPE;
BEGIN
l_service := UTL_DBWS.create_service(null);
l_call := UTL_DBWS.create_call(l_service);
UTL_DBWS.set_target_endpoint_address(l_call, 'http://xxx.oracle.com:8888/basic/MyWebService1SoapHttpPort');
UTL_DBWS.set_property(l_call, 'USERNAME', 'username');
UTL_DBWS.set_property(l_call, 'PASSWORD', 'pwd');
UTL_DBWS.set_property(l_call, 'OPERATION_STYLE', 'document');
UTL_DBWS.set_property(l_call, 'SOAPACTION_USE', 'true');
UTL_DBWS.set_property(l_call, 'SOAPACTION_URI', 'http://xxx.oracle.com:8888/basic/MyWebService1SoapHttpPort');
l_request := XMLTYPE('<Z_CENTRICITY_GET_DOCLIST
xmlns:urn="urn:sap-com:document:sap:rfc:functions">' ||
'<I_INCLUDE_OLD_VERSIONS></I_INCLUDE_OLD_VERSIONS>' ||
'<I_INSTITUTION>0001</I_INSTITUTION>' ||
'<I_PATIENT_NR>0000000181</I_PATIENT_NR>' ||
'</Z_CENTRICITY_GET_DOCLIST>');
l_result := UTL_DBWS.invoke(l_call, l_request);
UTL_DBWS.release_call (call_handle => l_call);
UTL_DBWS.release_service (service_handle => l_service);
EXCEPTION
WHEN OTHERS THEN
dbms_output.put_line(sqlcode || ' ' || sqlerrm);
END;
Hope this helps,
Yogesh

Guest Anchor with web auth using ISE guest portal

Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
massive thanks to anyone that can assist.
JS.

Thanks for the reply RikJonAtk.
so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in Advanced,
JS

Web Auth Type: Customized(downloaded) Redirect URL after login not working.

         5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
Everything is working as it should. I downloaded the web auth bundle from Cisco and will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
I have edited the aup.html and login.html to say what I want it to. I have 2 different login.html pages and bundle to a .tar file like the documentation says. I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should. The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined.
   I must be missing some setting somewhere, but I just can not seem to find it. Is there any line I need to edit in the login.html files that will redirect the page.    The config on the Web Login Page Redirect URL after login is http://www.mccg.org which is our home page.
Any help will be appreciated. I cannot seem to fine very good documentation, or I am just overlooking something.
Thanks
John

Your HTML code is wrong. Attach your code if your okay with it and I can check.
Sent from Cisco Technical Support iPhone App

ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

Hello.
Have some issues, with ssl vpn on ASA 5515-X.
I have ASA (9.1) connected to the ACS (5.4) and configured anyconnect mobile client and clientless ssl web portal. ACS also have connection to Active Directory.
So it's configured that AD users from group, for example, VPN_clients could connect via anyconnect client or without client via SSL web page. And it's working fine.
My goal is that to make different SSL portal bookmarks (in terms of ASA different Group Polices) according to AD user group.
For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want that users from these group after authentication at SSL web portal would see only their own bookmarks available only for their group.
As i inderstand after authentication process ACS must answer to ASA which AD groups the user consist of and ASA must choose the right group policy for the user, but i have no experience how to make this?

Hello Ivan,
You are right, ACS can let the ASA know which group-policy should assign based on the RADIUS attribute 25.
Steps on ACS:
1- Defined AD groups:
2- Define the authorization profile under the Policy Elements tab:
3- Create the Authorization policy and access criteria:
Then, on the ASA:
1- Create a group-policy and name it it.
2- Through the ASDM, create and assign the bookmarks to this group-policy.
3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".
4- The ASA looks for the group-policy it and assigns it to the user's session.
Let me know if you have any questions.
HTH.
Please rate any helpful posts.

WLC Custom Web Auth Bundle sample .tar file is not on WCS

The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
However I found on Cisco.com under Support > Downloads > Products >Wireless> Wireless LAN Controller Standalone Controllers> Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2 > webauth_bundle-1.0.2.zip
It was updated in June 2011, some pretty good sample html code.
The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful , almost as good as the suppport community web page on custom web auth.
https://supportforums.cisco.com/docs/DOC-13954

WCS config guide 7.0.172 is correct
http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
The bundle in WCS is downloaded through :
configure->controller
"select a command"-> download customized webauth bundle.
Just tested it and it was there.
The one on cisco.com is better though

WLC Web Auth Redirect URL point to an ISE Policy NODE only?

Hi all,
I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

Thanks Peter for your clarification regarding the semantic I used and the question I made.
Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

WLC 7.5 Sleeping clients with ISE and Central WEB Auth(CWA)

Hi there,
Is it possibe to use sleeping clients when using ISE and CWA?
I was thinking of enabling layer3 auth with web auth on mac auth failure, but will that work with CWA?
Or is the only solution to use LWA?

Controller-> General-> User Idle Timeout (seconds) = 50 000 sec.
And your users will be connected all this time even if they going in sleepmode
be carefull with CPU loading

ISE, WLC: web auth, blocking user account

Hello!
We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
Credentials are created at the ISE sponsor portal.
We create user account in ISE sponsor portal with one hour lease.
In 10 minutes we delete (or block) user credentials.
In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
This happens because WLC thinks, that client is still associated.
There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
From my point of you, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible .
In practice, ISE doesn't tell wlc or user, that client sesssion is blocked.
How the user account blocking process can be automated without manually deleting the client session from WLC client database?

It seems that there is some bug about CoA when deleting Guest accounts
CSCuc82135
Guests need to be removed from the network on Suspend/Delete/Expiration
When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exists.
Workaround Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
from BUG Toolkit there is Release-Pending in "Fixed-in" option.

ISE web auth for non-cisco switch(D-link 3528)

Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
And the wired users will get full network access after they pass the web auth.

you can use ISE ln-line posture node with 3rd part switches
RADIUS access device must supply the following RADIUS attributes:
    Calling-Station-Id (for MAC_ADDRESS)
    User-Name
    NAS-Port-Type
    RADIUS accounting message must have the Framed-IP-Address attribute
VLAN, DACL features can be used but again it depends on switch models let us know specific switch models . Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality,

Central Web Auth with Anchor Controller and ISE

Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
Roger

Hi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the sucessful web auth is complete.
Please do go through the link below to understand the Anchor-Foreigh Scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma

Framed-IP-Address in RADIUS Access Request for WLC web-auth users

We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device is already having an IP address.
So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

Hi ,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts

WLC 5508, 7.4.100.0, dot1x and web auth

Release notes for 7.4.100.0 states;
"Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
Anybody know anything about this and how-to's?
Eirik

I know what it is. :-)
Want to test to use web auth after dot1x. Do not trust dot1x alone anymore, now that it is so easy to steal sertificates from laptops...
Would like to force users (after eap-tls with certificate) to logon using their AD cred.
Eirik
Sent from Cisco Technical Support iPad App

5508 loading cert for web auth

I have web auth enabled on the WLC so when clients connec they get a cert error because it is using the self signed cert. I was reading up on getting a third part cert and it explains about getting openssl and then generating the cert and sending it to a third party CA etc.
Any links you can share would be very helpful explaining best practices and method to load a third party cert on the WLC 5508 for web authentication.
Why can't I just get a cert from them for our domain and simply load it on the WLC?

Hi Mohammed,
Here are the two links which are like bible to generate certs..
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Depends on whether you are using Chained or Un chained certs.. Following the above link will help you in getting the issue resolved!!
Lemme know if this answered ur question!!
Regards
Surendra

SSL web auth equals encyrption?

Similar Messages

Maybe you are looking for