Tablets and Cisco WLC Web Authentication

Hi my name is Ivan
I have a question:
I would like to know which tablets support Web Authentication in Cisco WLC.
Android, Samsung, others?
And what are the requirements for the tablet to use this way of authentication?
Regards
Ivan

Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands-on experience), the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple iOS can handle this automatically (in most cases).
As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

Similar Messages

  • Cisco WLC Web Authentication with Internet Explorer 10

    Hi my name is Ivan
    I have a question:
    Cisco WLC Web Authentication works fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
    When I put in the IP address https://1.1.1.1/login, the web page is shown to me.
    Thanks for your answers
    Regards

    Hmm, I'm a Mac guy, so it's hard for me to test. I also did a search and don't see anything about bugs. Did you make any changes to IE10 settings? Is proxy enabled?
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Firefox 10 and IE 9 is not displaying Cisco ASA Web Authentication

    Hi All,
    We are having an issue with the AAA authentication page display for our ASA.
    1. There are 2 issues reported here.
    2. The first is that the customer cannot access the website using IE 9. But this is because there is a security patch on the customer PC.
    3. After the customer uninstalled KB2585542, the website loads fine.
    4. The second issue is that this morning there was an auto update on Firefox which automatically upgraded users' Firefox to Firefox 10.
    5. After this upgrade, users cannot load the website anymore.
    6. The error message is Server Does Not Support RFC 5746/ CVE-2009-3555
    7. The customer uses Firefox as the default for Internet browsing.
    8. As a workaround, the customer has downgraded their Firefox to version 3.6.22 and it's working fine.
    9. Java Version 6 update 23.
    10. A Cisco case has been raised to check the compatibility of Cisco Web Authentication with FF10
    11. SR 620756799.
    Firewall Version : ASA 5520 7.2(5)
    Is anyone else experiencing the same issue? Any idea whether this is a Cisco bug or an AAA issue?

    Hi,
    Please share the URL of the web site.
    Regards,
    Abhishek Maurya

  • WLC web authentication ACL to allow internet surfing only

    Hi forumers,
    I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
    According to my attachment, am I writing the right ACL syntax and applying this at the web authentication interface?
    I also tried this ACL on my core switch but it did not seem to succeed.
    ip access-list extended ACL-VLAN-20
    permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 any eq 80
    permit tcp 172.16.20.0 0.0.0.255 any eq 443
    deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
    deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
    int vlan 20
    ip access-group ACL-VLAN-20 in
    Any problem with it?
    Well, as long as it can restrict web authentication users to only go to the internet, it serves my purpose.
    thanks
    Noel

    This should work
    deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
    permit udp 172.16.20.0 0.0.0.255 any eq 53              (or list the specific servers you want them to use)
    permit tcp 172.16.20.0 0.0.0.255 any eq 80               (allows HTTP but only outside as the deny stops internal)
    permit tcp 172.16.20.0 0.0.0.255 any eq 443             (allows HTTPS but only outside as the deny stops internal)
    but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny of access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
    You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
    When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
    But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
    HTH,
    Steve
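Added example (not part of either post above): a small first-match evaluator in Python, run over the two ACLs quoted in this thread, showing which entry decides each of four constructed guest flows. It handles only the syntax the thread uses (`any`, `host`, wildcard masks, destination `eq`); the client address and the external addresses are made up for illustration.

```python
import ipaddress

# ACEs copied from the thread: the ACL as first posted, and the reordered one from the reply.
POSTED = """\
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
"""
REORDERED = """\
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
permit udp 172.16.20.0 0.0.0.255 any eq 53
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used in the thread (dst 'eq' only)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, port, line))
    return aces

def _covers(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
    return (_ip(addr) & care) == (base & care)

def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, ace_proto, ace_src, ace_dst, ace_port, line in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != dport:
            continue
        if _covers(ace_src, src) and _covers(ace_dst, dst):
            return action, line
    return "deny", "implicit deny"

# Constructed flows from one guest client; the external addresses are documentation ranges.
FLOWS = [
    ("tcp", "172.16.20.50", "172.16.1.10", 80),    # internal web server inside 172.16.1.0/27
    ("tcp", "172.16.20.50", "172.16.1.100", 80),   # the single host denied in the posted ACL
    ("udp", "172.16.20.50", "192.0.2.53", 53),     # DNS lookup
    ("tcp", "172.16.20.50", "203.0.113.10", 443),  # internet HTTPS
]

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("reordered", REORDERED)):
        aces = parse_acl(text)
        for flow in FLOWS:
            action, line = evaluate(aces, *flow)
            print(f"{name:9} {flow} -> {action:6} [{line}]")
```

With the reordered list exactly as posted, HTTP to 172.16.1.100 is still permitted: the wildcard 0.0.0.31 covers only 172.16.1.0 to 172.16.1.31, and the separate host deny from the first ACL was not carried over.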

  • Bonjour Discovery browser and cisco WLC mDNS

    Hello
    I'm using a Bonjour Discovery browser on an iPad to see if I can check what Bonjour services are available on a cisco 2504 running code 7.5.102.0. WLC is configured as per cisco documentation for mdns:
    Multicast disabled on WLC
    wired vlan (with bonjour services) is trunked to WLC
    mdns profile configured and bonjour services are visible on WLC
    mdns profile applied to WLAN
    When I connect an iPad to the WLAN and start the browser, no services appear (2 are visible on the WLC). Debug on the WLC shows the following (where XX:XX:XX:XX:XX:XX is the iPad MAC)
    *Bonjour_Msg_Task: Nov 04 10:51:06.674: XX:XX:XX:XX:XX:XX Failed to updated data to Service Provider DB
    *Bonjour_Msg_Task: Nov 04 10:51:12.798: processBonjourPacket : 935 Queried service-string : _dns-sd._udp.local. is not configured in MSAL-DB
    Is it possible to get Bonjour Discovery browser working with cisco WLC?
    thanks
    andy

    I have used Avahi when I have had deployments that were FlexConnect and the site had multiple subnets for Apple TV's and or the devices that would be using the Apple TV, printers, etc.  Avahi is free and my customers would spin this up on an available PC or laptop and connect it to the network.
    mDNS AP
    1. This feature enhancement allow controllers to have the visibility of wired service providers which are on VLANs that are not visible to the controller.
    2. User configuration is required to configure APs as mDNS AP. This configuration allows AP to forward mDNS packets to WLC.
    3. VLAN's visibility at WLC is achieved by APs forwarding the mDNS advertisements to controllers. The mDNS packet between AP and controller are forwarded in CAPWAP data tunnel similar to mDNS packets from wireless client.
    4. APs can either be in access or trunk mode to learn the mDNS packets from wired side and forward it to the controller.
    5. This configuration also allows the user to specify the VLANs from which the AP should snoop the mDNS advertisements from wired side. The maximum number of VLANs that AP can snoop is 10.
    6. If the AP is in access mode, the user should NOT configure any VLANs for AP to snoop.
    AP will send untagged packets when a query is to be sent. When an mDNS advertisement is received by mDNS AP, VLAN information is not passed to the controller. Hence the service provider's VLAN, learnt via mDNS AP's access VLAN will be maintained as 0 in the controller.
    7. If the AP is in trunk mode, then the user has to configure the VLAN on the controller on which AP would snoop & forward the mDNS packets. The native VLAN snooping is enabled by default when mDNS AP is enabled. AP will send VLAN information as 0 for packets snooped on native VLAN.
    8. This feature is supported on local and monitor mode AP, and not on Flexconnect mode APs.
    9. If a mDNS AP joins/resets (or) joins the same/another controller, the behavior is as follows:
    a. If global snooping is disabled on the controller, then a payload will be sent to AP to disable mDNS snooping.
    b. If global snooping is enabled on the controller, then configuration of the AP previous to reset/join procedure will be retained.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • MacBookPro and Cisco's LEAP authentication method

    I am getting ready to get a laptop in the next couple of weeks.
    The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
    I googled this and at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know if this has been resolved?
    MacG5 Mac OS X (10.4.10)

    I found this: Finder>Help>Mac Help>Search: LEAP>
    "AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
    If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
    Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
    Be sure the "By default, join" menu is set to "Preferred networks."
    Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
    Click the "+" button.
    Enter the desired network name in the window that appears.
    From the Wireless Security pop-up menu, choose WEP Password.
    Replacing username and password with actual name and password, enter them exactly as shown here, including both brackets and slash:
    <username/password>
    Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
    Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
    Click Apply Now."
    Looks like it works when you know what to do (or where to search).

  • Called-Station-ID attribute and Cisco WLC code 7.4

    Hello
    I have 2 WLCs configured with 2 SSIDs (one is [WPA2][Auth(802.1X)] and the other is Web-Auth). One of the WLCs is remote and its WLANs are configured with mobility anchors pointing to the other WLC. Both WLCs are configured with Called-Station-ID set to AP Mac Address:SSID. I use this attribute on ACS to authenticate/authorize users based on what SSID they connect to.
    This worked fine on WLC code 7.0 but on upgrading to 7.4 I started having some issues:
    clients on the remote WLC can still authenticate on the [WPA2][Auth(802.1X)] SSID as the Called-Station-ID attribute is still AP Mac Address:SSID
    clients on the remote WLC cannot authenticate on the Web-Auth SSID as the Called-Station-ID attribute now appears to be the Mac Address of the WLC anchor controller
    WLC models are 5508 and current code is 7.4.110.0 (APs are AIR-LAP1142N-E-K9). Can anyone tell me why I'm seeing this behaviour on the Web-Auth SSID on the remote WLC?
    Thanks
    Andy

    Since you have two AAA devices that are sending info, you can have your policy for the guest specifying the guest WLC. The SSID policy for the foreign WLC is only really needed if you have multiple 802.1x authentication from the foreign WLC and that's when you can use the regex to define the SSID per AD Group.
    Look at a successful authentication from one of the guest users. Look at the detailed log and then in that log, you will see all the attributes being sent that the radius can send back to the WLC. You can use any of those attributes in your policies.
    Called-Station-ID might not be sent like what you're used to, because the foreign WLC has the access point the guest user associates to and tunnels it back to the anchor WLC. So this attribute might not be available. Things do change with code versions so you might just have to adjust your policies. I haven't played around with 7.0.x code with guest anchor and radius in a while, but I have in the past upgraded radius or the WLC and had to tweak my radius policies.
    Sent from Cisco Technical Support iPhone App

  • BILLING SETUP WITH NOMADIX AND CISCO WLC

    Hi, I need to implement a Cisco wireless controller along with a Nomadix box for bandwidth control and billing in a hotel. Has anybody implemented the same?
    What is the topology in this case? What is the necessary config on the WLC?

    Refer to the posts: https://supportforums.cisco.com/discussion/11431756/wlc-and-nomadix
    https://supportforums.cisco.com/discussion/11601111/guest-ssid-redirect-nomadix-box

  • ACE 4700 and Cisco ACS aaa authentication

    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    <A.B.C.D> TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#
    Why am I getting this error? I have full
    connectivity between the ACE and the ACS
    server. Furthermore, the ACS server
    works fine with other Cisco IOS devices.
    Please help. Thanks.

    Thanks. Now I have another problem. I CAN
    log into the ACE via tacacs+ account(s).
    However, I get error when I try going into
    configuration mode:
    ACE-lab login: ngx1
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    ACE-lab/Admin# conf t
    ^
    % invalid command detected at '^' marker.
    ACE-lab/Admin#
    The ngx1 account can access other Cisco
    routers/switches just fine and can go into
    enable mode just fine. Only issue on the ACE.
    Any ideas? Thanks.

  • WiSM and GUEST web authentication

    I have a WiSM and we use Cisco open web
    authentication with a user email address.
    When performing  this command via CLI:
    >config network secureweb disable
    >save config
    > reset system
    Will this make the web authentication come up HTTP instead of HTTPS ?

    That command is in order that you manage the unit.
    However, there used to be a workaround that when you disable HTTPS and SSH and you reboot the WLC, the web authentication will be shown as HTTP and not HTTPS.
    Let me know if it works for you

  • Certificate for WLC web auth - HELP

    Hi all
    I need to buy a cert for my WLC web authentication
    I have read the document below
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml              
    However, I want to fill in the details and generate the CSR via the provider I'm buying the cert from, Thawte.
    Am I OK doing all this via the provider, or do I need to use OpenSSL to generate the CSR?
    Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
    The WLC has the latest version of code.
    cheers
    Carl

    Here are the instructions for a chained certificate.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    It's simple enough: copy and paste the chain below the certificate when you generate the final.pem.
    The main thing to remember when compiling the final.pem: use a version of OpenSSL < 1.0, as it won't install.
    If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
    As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
    Thanks
    Chris

  • ISE Web Authentication with Profile

       Hi,
       I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
       The Cisco ISE didn't find the endpoint in my internal endpoint store and continued with Web Authentication.
       But when I enable the PSN with the Profile Server, the Cisco ISE dynamically populates the internal endpoint store and I cannot use
       the Web Authentication because the endpoint is already in the internal endpoint store.
       What's the best way to solve this problem?
       Thanks in advance
       Andre Gustavo Lomonaco

        Hi Neno, let me clarify my question
        I'm already using my internal endpoints to permit my IP Phones, Access Points and Printers to authenticate via MAB. I'm using Profile to be able to populate this ISE internet database.
        Now imagine that I wanna use the Web Authentication to permit guest workstations to authenticate without 802.1x. If the profile puts the guest workstation MAC in the endpoints database, those workstations will always be authenticated using the MAC authentication and not the Web Authentication. Remember that for the Web authentication to work we need to configure the continue option if the MAC is not found in the endpoints database. But when the profile is on, the new (guest workstation) MACs are inserted in the endpoints database before I have a chance to use the Web Authentication.

  • Cisco APs get disconnected from cisco WLC after 30 min when connected on Juniper SRX

    Hi,
    I am connecting all my Cisco 1131AG APs via Juniper SRX 240 box and Cisco WLC is placed in the LAN.
    We are running LWAPP in layer 3 mode. The APs get disassociated from the WLC after 30 min.
    The setup is like this:
    AP->AccessSwitch-->JuniperSRX(reth2.0)-->JuniperSRX(reth1.0)-->CoreSwitch-->CiscoWLC
    Could anyone please help me to resolve this issue?

    Firmware for WLC is AIR-WLC4400-K9-4-2-99-0
    Firmware for AP is 12.4(10b)JA1
    The logs from the WLC during disconnection:
    Mon Sep 6 20:05:52 2010 AP Disassociated. Base Radio MAC:00:1f:ca:2d:4e:a0
    1 Mon Sep 6 20:05:52 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:ca:2d:4e:a0 Cause=Heartbeat Timeout
    2 Mon Sep 6 20:05:51 2010 AP Disassociated. Base Radio MAC:00:1f:9e:c1:0d:30
    3 Mon Sep 6 20:05:51 2010 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:1f:9e:c1:0d:30 Cause=Heartbeat Timeout

  • Web Authentication Panel Failing to Load in Safari 3.2.1

    I recently started having a problem with Safari 3.2.1 under Mac OS 10.5.6.
    We use a proxy server at work, and usually the web authentication window would appear and I could enter my username and password. Recently I started getting the following error:
    Safari[258] * Assertion failure in -[NSTextFieldCell _objectValue:forString:errorDescription:], /SourceCache/AppKit/AppKit-949.43/AppKit.subproj/NSCell.m:1338
    Safari[258] Failed to show WebAuthenticationPanel: Invalid parameter not satisfying: aString != nil
    I have reset safari, emptied the cache...
    I can use Firefox just fine so I think this is a local problem with safari on my computer.
    Any ideas?

    I have the same problem:
    9/05/09 1:44:01 PM Safari[5774] * Assertion failure in -[NSTextFieldCell _objectValue:forString:errorDescription:], /SourceCache/AppKit/AppKit-949.43/AppKit.subproj/NSCell.m:1338
    9/05/09 1:44:01 PM Safari[5774] Failed to show WebAuthenticationPanel: Invalid parameter not satisfying: aString != nil
    I also use a proxy, set by a proxy.pac in the network preferences (Automatic Proxy).
    However I have found it is not this that causes it.
    I also use the 1Password safari extension, and with Safari 3.2.1 and a proxy configured, it causes this issue.
    *How I fixed it:* go into 1Password > Preferences > General, disable "Use 1Password enabled HTTP Authentication windows", then restart Safari.

  • WLC 4402 Web Authentication, Mac Filtering and Layer 2 Security

    Hi All,
    I have configured web authentication and MAC filtering on WLC 4402 for my wireless network and it's working fine. I want to configure layer 2 security for the same wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key?
    Is there any security issue with web authentication and MAC filtering only? My concern is that my wireless network shows as open.
    Thanks,
    Kashif

    Hi,
    if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Lemme know if this answered ur question!!
    Regards
    Surendra
