WCSs (5.0.148) lose Terminal, Webfrontend and Web Auth

Hello,
3xWCS 4404 with 5.0.148 and WCS 5.0.56.
After several days, I was not able to connect to the telnet, SSH and webfrontend interfaces on all controllers. I tried management and service-port IPs. But I get ping responses from the interfaces and the Wireless LANs are also working, except the Web Authentication, which is now configured to relay the user to a special url.
In the release notes (http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234299) was a caveat (CSCsi30541), but it occurs when you create a new dynamic interface, which I didn't.
The controllers respond to the WCS, so I was able to reboot them via the WCS. After that the situation is normal, until the next time.
Three weeks ago, I installed 5.0 on one of the three WCS. One week ago, I installed it on the other two. This problem occurs on the first WLC for the second time, so I assume it can happen again.
Any ideas what could be the reason?
p.k.

It is a bug in 5.0... The controller will only respond to SNMP. The workaround is to reboot. This is a bug if you are using WebAuth. I would open a TAC case to see if they have a workaround as of yet, which most likely will be an ER.

Similar Messages

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
    What I tried so far is..
    - add a DNS Host Name to the virtual interface and assign it to our internal DNS server: DNS name was resolving but we were unable to ping 1.1.1.1
    - changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entry: DNS name resolved but still could not ping 2.2.2.2 (I think this is normal)
    - changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry: same result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:

    1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.

    2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.

    3. The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.
       Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.
       On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.
       If you believe the client is not getting DNS resolution, you can either:
       - Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
       - Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
       Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.

    4. For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.
       You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
       These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
       - ap_mac: The MAC address of the access point to which the wireless user is associated.
       - switch_url: The URL of the controller to which the user credentials should be posted.
       - redirect: The URL to which the user is redirected after authentication is successful.
       - statusCode: The status code returned from the controller's web authentication server.
       - wlan: The WLAN SSID to which the wireless user is associated.
       These are the available status codes:
       - Status Code 1: "You are already logged in. No further action is required on your part."
       - Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
       - Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
       - Status Code 4: "You have been excluded."
       - Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
       All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
       Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
       Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.

    5. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.

    6. Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
       Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
       Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.

    7. If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
       Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.

    8. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.

    9. Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.

       Protocol                                      Port
       HTTP/HTTPS Traffic                            TCP port 80/443
       CAPWAP Data/Control Traffic                   UDP port 5247/5246
       LWAPP Data/Control Traffic (before rel 5.0)   UDP port 12222/12223
       EOIP packets                                  IP protocol 97
       Mobility                                      UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)

    10. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.

    11. Disable the Proxy Settings on the client browser until web authentication is completed.

    12. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.

    13. Update the hardware driver on the computer to the latest code from manufacturer's website.

    14. Verify settings in the supplicant (program on laptop).

    15. When you use the Windows Zero Config supplicant built into Windows:
        - Verify user has latest patches installed.
        - Run debugs on supplicant.

    16. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
        netsh ras set tracing eapol enable
        netsh ras set tracing rastls enable
        In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.

    17. If you still have no login web page, collect and analyze this output from a single client:
        debug client
        debug dhcp message enable
        debug aaa all enable
        debug dot1x aaa enable
        debug mobility handoff enable

    18. If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
        debug pm ssh-appgw enable
        debug pm ssh-tcp enable
        debug pm rules enable
        debug emweb server enable
        debug pm ssh-engine enable packet
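
The customized login page described in the steps above receives ap_mac, switch_url, redirect, statusCode and wlan in its URL and posts the user's credentials to switch_url. The following is an added example, not code from Cisco's webauth bundle or from this thread: it parses those parameters, maps statusCode to the messages listed above, and refuses to post unless switch_url points at an expected controller. The function names, the sample URLs, the allow-list containing the virtual IP 1.1.1.1, and treating statusCode as optional are assumptions.

```javascript
// Added example, not taken from Cisco's webauth bundle. Function and variable
// names are hypothetical; the parameter names and status texts come from the
// troubleshooting text above.
const STATUS_MESSAGES = {
  1: "You are already logged in. No further action is required on your part.",
  2: "You are not configured to authenticate against web portal. No further action is required on your part.",
  3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?",
  4: "You have been excluded.",
  5: "The User Name and Password combination you have entered is invalid. Please try again.",
};

// True when the value carries an explicit scheme other than http/https.
// A bare "host:port/path" is also rejected, which fails safe.
function hasUnsafeScheme(value) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(value);
  return m !== null && !["http", "https"].includes(m[1].toLowerCase());
}

// pageUrl: the full URL the browser was redirected to.
// allowedControllerHosts: hosts the login form may post credentials to
// (assumption: the controller's virtual interface address or DNS name).
function parseWebAuthRedirect(pageUrl, allowedControllerHosts) {
  const params = new URL(pageUrl).searchParams;
  const out = {
    apMac: params.get("ap_mac"),
    wlan: params.get("wlan"),
    switchUrl: null,
    redirect: null,
    statusCode: null,
    message: null,
    problems: [],
  };

  // switch_url receives the credentials, so accept only a known controller.
  const rawSwitch = params.get("switch_url");
  let target = null;
  try {
    target = rawSwitch ? new URL(rawSwitch) : null;
  } catch (e) {
    target = null;
  }
  if (target === null) {
    out.problems.push("switch_url missing or not an absolute URL");
  } else if (!["http:", "https:"].includes(target.protocol)) {
    out.problems.push("switch_url scheme is not http/https");
  } else if (!allowedControllerHosts.includes(target.hostname)) {
    out.problems.push("switch_url host is not an expected controller: " + target.hostname);
  } else if (target.username || target.password) {
    out.problems.push("switch_url embeds credentials");
  } else {
    out.switchUrl = target.href;
  }

  // redirect is where the user lands after login; keep it to web URLs.
  const rawRedirect = params.get("redirect");
  if (rawRedirect !== null) {
    if (hasUnsafeScheme(rawRedirect)) {
      out.problems.push("redirect uses a non-http scheme");
    } else {
      out.redirect = rawRedirect;
    }
  }

  // statusCode is treated as optional here (assumption); when present it
  // must be one of the five documented codes.
  const rawStatus = params.get("statusCode");
  if (rawStatus !== null) {
    const code = Number(rawStatus);
    if (Object.prototype.hasOwnProperty.call(STATUS_MESSAGES, code)) {
      out.statusCode = code;
      out.message = STATUS_MESSAGES[code];
    } else {
      out.problems.push("unknown statusCode: " + rawStatus);
    }
  }

  out.safeToPost = out.problems.length === 0;
  return out;
}

// Constructed sample URLs (not captured traffic).
const SAMPLE_OK = "https://guest.example.test/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=00:11:22:33:44:55&wlan=Guest&redirect=www.cisco.com/&statusCode=5";
const SAMPLE_TAMPERED = "https://guest.example.test/login.html?switch_url=https://192.0.2.10/login.html&wlan=Guest&redirect=www.cisco.com/";
console.log(parseWebAuthRedirect(SAMPLE_OK, ["1.1.1.1"]));
console.log(parseWebAuthRedirect(SAMPLE_TAMPERED, ["1.1.1.1"]).problems);
```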

  • WLC 5508, 7.4.100.0, dot1x and web auth

    Release notes for 7.4.100.0 states;
    "Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."
    Anybody know anything about this and how-to's?
    Eirik

    I know what it is. :-)
    Want to test to use web auth after dot1x. Do not trust dot1x alone anymore, now that it is so easy to steal certificates from laptops...
    Would like to force users (after eap-tls with certificate) to logon using their AD cred.
    Eirik

  • Wireless 3850 and Web-Auth for Wireless clients

    Hi
    I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
    Internet is all tested and there is full IP connectivity.
    Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
    I am using local authentication for the guest users.
    When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
    Config below
    interface Vlan302
     description **** Wireless Guest ****
     ip address 10.145.224.161 255.255.255.224
     ip helper-address 10.144.214.134
     ip helper-address 172.17.2.56
    ip http server
    ip http secure server
    ip dhcp snooping
    wlan XXXXX 2 XXXXXX
     aaa-override
     accounting-list default
     client vlan 302
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list WEB_AUTH
     security ft
     security web-auth
     security web-auth authentication-list WEB_AUTH
     security web-auth parameter-map vit_web
     no shutdown
    parameter-map type webauth vit_web
     type webauth
    security web-auth parameter-map vit_web
    user-name Guest1
     creation-time 1390837878
     privilege 15
     password 7 022D0156060F1B351D
     type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    user-name Guest2
     creation-time 1390838016
     privilege 15
     password 7 0724244143000D1145
     type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    aaa new-model
    aaa authentication login WEB_AUTH local
    aaa authorization network WEB_AUTH local

    Hey Greg,
    Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
    parameter-map type webauth global
    type webauth
    virtual-ip ipv4 x.x.x.x wlc.whatever.org
    max-http-conns 50
    Also I had to enable http server in addition to secure server
    ip http server
    ip http secure-server
    Are you using a self signed cert?
    I saw Windows clients take a long time to load the page when using a self signed cert.
    MAC clients don't seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE but I still have the problem.
    -Kyle

  • VLAN Override and Web Auth: How to overcome issues?

    Hello
    I have been investigating if we can deploy vlan override and assign a user vlan via RADIUS, post authentication on a WRD SSID. Having read around the discussions, I can see that there are others who have wanted similar, but have been told that it is not possible:
    "Marucho, the particularity of how Web authentication works on the WLC  is that it is carried over HTTP between Client and WLC. So the Wireless  Client has to already have an IP address prior to starting the web  authentication. Since the Wireless Client already has an IP address then  you cannot override it anymore.
    Unlike  dot1x, which takes place over EAPOL and then when you have eap success,  client moves to get an ip address from the sent by Radius VLAN."
    However, we still have a problem that we would like to overcome and wonder if anyone has any experience or suggestions they could share?
    We are a University with a large number of devices grabbing an IP address whilst only remaining associated and not actually going on to authenticate through the WRD. This creates a situation where we have a large number of IP addresses deployed unnecessarily and we would like to tackle this.
    We are unable to use private IP for authenticated users (Policy decision) but could use them for associated users and so were hoping we might be able to deploy a private subnet on the WRD SSID prior to authentication and then use VLAN override to assign authenticated users onto the correct VLAN. In order to try and achieve this we were planning on using a very short DHCP lease on the private subnet, so that post-authentication the client device requests a public IP address almost instantly.
    Is there any way of achieving this that someone could suggest or would we be knocking our heads against a brick wall?
    thanks
    Bryn

    Just giving 2 ideas :
    -How about using a WPA PSK on your webauth ssid ? Just give the PSK in the SSID name. This prevents non-intended connections (no automatic association because it's open ssid) and still allows anyone with an intention, to connect to it and you still have the webauth behind. This reduces number of ip addresses.
    -How about modifying the webauth successful authentication page to give the credentials to access a private network (PSK or dot1x) where credentials would regularly change ?
    Those are workarounds.
    Nicolas

  • Paying termination fee and upgrading phone

    My wife has an old nondata phone with a contract expiring in a few months and is willing to pay the termination fee and enter into a new 2-year contract on an IPhone 5s.  Two questions.
    1.  The manager of the Verizon store looked on his computer and insisted the termination fee would be $175.  I think it should be $175 minus $5 for each completed month of the contract, which is much less.  I know from the web site that this is the rule for a "post pay" contract, but I'm not sure what that means.  The contract is a normal two year unlimited calling contract with each month's fee paid in advance.  When I questioned the $175 termination fee, the manager said that this was what his computer said and he was not willing to discuss the issue.  Who is right?
    2.  Aside from the termination fee, when we told the manager we wanted to terminate the old contract and enter into a new one on a new phone, the manager started muttering something about how this could be prohibited "churning".  He couldn't explain what that meant, especially after I pointed out that we could just pay the termination fee and then go over to AT&T and enter into a new contract with them.  This is not desirable because we would lose the benefits of our share everything plan.  Is there a rule against terminating and upgrading in this way?  The web site does not let you do it online.

        Hey there michael1000,
    The iPhone 5s is a great phone so I absolutely understand your eagerness to get your hands on one.
    When you upgrade at the discounted pricing you are agreeing to a new two year agreement. If you disconnect before the agreement end date you are billed a early termination fee. The Early Termination Fee for a basic phone starts at $175 and decreases $5 for each month completed. The Early Termination Fee for a smartphone starts at $350 and decreases $10 for each month completed.
    We wouldn't want you to disconnect your line, lose your number and have to start all over. Let's take a look at available options to make this as easy as possible.
    When is your wife's upgrade date exactly? Dial #UPG from her cellphone to find out.
    NicholasB_VZW
    Follow us on Twitter @VZWSupport

  • Camera Raw loses system focus and becomes inactive

    While working in ACR if I hover over any of the command buttons, Save Image,  Open Image, Cancel, or Done for a few seconds the "tool tip" for the button displays and as soon as I move the mouse again the whole Camera Raw windows loses system focus and becomes inactive (every tab, control, menu, etc., becomes greyed out).  To regain the system focus I must move the mouse to the windows 7 taskbar and then back into Camera Raw.  If the fullscreen checkbox in Camera Raw is active the only way to regain system focus is to press the Windows Key twice on the keyboard and move the mouse out of the taskbar tray.  This gets pretty frustrating.  Any clues?

    It doesn't normally do this, I can assure you.  Normally the tooltips just pop up and Camera Raw stays active.
    Do you have any desktop management software installed, besides what Windows provides?
    Are your video drivers up to date?
    -Noel

  • WHEN I TRY TO OPEN ITUNES ON MY PC IT SAYS THE THIS COPY OF ITUNES IS CORRUPTED OR INSTALLED INCORRECTLY AND TO REINSTALL ITUNES. I DON'T WANT TO LOSE MY APPS AND MUSIC AND DON'T KNOW FOR SURE HOW TO REINSTALL IF I SHOULD.

    I AM TRYING TO OPEN ITUNES ON MY PC BUT WHEN I GO TO OPEN IT, I GET AN ERROR MESSAGE AND IT SAYS ``THIS COPY OF ITUNES IS CORRUPTED OR IS NOT INSTALLED CORRECTLY. PLEASE REINSTALL ITUNES.``
    I `DON`T WANT TO LOSE MY APPS AND MUSIC AND I ALSO DON`T KNOW HOW TO OR IF I SHOULD REINSTALL ITUNES. COULD SOMEONE PLEASE HELP ME.

    Your library will be preserved through reinstalling. Backup anyway.
    tt2

  • Will I lose my sms and notes if I upgrade to 6.0.1

    I have an iPhone 4 which currently is running on iOS 6. Will I lose my sms and notes if I upgrade to iOS 6.0.1? Other things I am not worried about. SMS is a must. Please suggest a way out.

    If you are updating from iOS 6, you won't lose data. However, you must make an iTunes or iCloud backup before updating in case the update fails and you have to restore the iPhone

  • If I create a new Apple ID and I delete the old one, Will I lose my purchases and data?

    If I create a new Apple ID and I delete the old one, my books, songs, docs and all the data that my old Apple ID contained including my purchased Apps will appear in my new Apple ID and its associated Icloud?
    I want to create a new Apple ID but do not lose my data and purchases, How could I do it?

    Are you entering your Existing Email Address for which you have Access and also are you Entering the Password which Matches Apple Requirement ?
    Enter the Email Address that you already have (like Gmail, Yahoo, MSN, Live, etc) but you have never used it for creating Apple ID before.
    Password Requirement is Minimum 8 Characters, Alpha Numeric and Password should Contain at least 1 Upper Case and 1 Lower Case Letter. You will find the more detail on the same page when Creating Apple Id and iTunes will give you Error if the Password you enter does not match their requirement.

  • I have logged in to my itunes account on a different computer and none of my purchased music is showing up. I also have plugged my iphone in to get updates but it says I will lose all media and apps if I don't update on the computer where  I sync everythi

    I have logged in to my itunes account on a different computer and none of my purchased music is showing up. I also have plugged my iphone in to get updates but it says I will lose all media and apps if I don't update on the computer where  I sync everything. I have authorized this new computer so I don't know what the problem is. I can't get on my old computer with my itunes account because the computer is broken. Not sure what to do

    "I have logged in to my itunes account on a different computer and none of my purchased music is showing up."
    Correct.  It does not magically appear in other places.  It will only be where you put it.
    "I also have plugged my iphone in to get updates but it says I will lose all media and apps if I don't update on the computer where  I sync everything. "
    Correct as well.  Iphone will sync with one computer at a time.  Syncing to another will erase the current content.
    You need to copy everything ( itunes library/contacts/pics/calendars/files/docs) from the old computer, or your backup copy of the old one, to the new one.

  • My iPod nano 5th generation is not recognized by iTunes. I did update, but still, it won't work. I don't want to uninstall the iTunes cos  I don't want to lose my music and audio books. What to do? It started after I updated iTunes.

    my iPod nano 5th generation is not recognized by iTunes. I did update, but still, it won't work. I don't want to uninstall the iTunes cos  I don't want to lose my music and audio books. What to do? It started after I updated iTunes.

    iPod appears in Windows but not in iTunes

  • My daughters ipod 4th gen will no longer charge past 20% and will not connect to a pc in order to back everything up. the cable is working fine, otherwise it would not even charge to the 20%. i have tried the reset to not lose any data and no luck. help!

    my daughters ipod 4th gen will no longer charge past 20% and will not connect to a pc in order to back everything up. the cable is working fine, otherwise it would not even charge to the 20%. i have tried the reset to not lose any data and no luck, home+power for 10-15 seconds. I really would like to not lose everything she has, again, because I can't back it up this time. I have tried charging via a wall outlet and PC and both charge fine, just only to 20%. I am using the cable that came with it so no aftermarket issues there. Please help so I don't have to reset everything again.

    Because once it has charged enough to be powered on as soon as you turn it on it says battery is at 20% and will not charge anymore after that, it just runs for about 5-10 minutes before the battery dies again. The battery cycles discharge/recharge daily and its not on the charger at full charge for more than a couple hours and is never totally dead for more than a couple of hours.

  • My ipod touch is disabled for 22 million minutes and I want to fix it but I dont want to lose my pictures and everything else. Help please

    my ipod touch is disabled for 22 million minutes and I want to fix it but I dont want to lose my pictures and everything else. Help please I dont remember the last time I updated it. Idk I think its been a year in an half since I known about it being disabled. What do I do? Im scared to restore it because I dont want to lose my stuff.

    You have to restore and thus erase your iPod. that is how it works.
    Place the iOS device in Recovery Mode and then connect to your computer and restore via iTunes. The iPod will be erased.
    iOS: Wrong passcode results in red disabled screen                        
    If recovery mode does not work try DFU mode.                       
    How to put iPod touch / iPhone into DFU mode « Karthik's scribblings       
    For how to restore:
    iTunes: Restoring iOS software
    To restore from backup see:
    iOS: How to back up    
    If you restore from iCloud backup the apps will be automatically downloaded. If you restore from iTunes backup the apps and music have to be in the iTunes library since synced media like apps and music are not included in the backup of the iOS device that iTunes makes.
    You can redownload iTunes purchases by:
    Downloading past purchases from the App Store, iBookstore, and iTunes Store       
    Photos
    - If they are in an iPod backup then restore from that backup. See the restore topic of:
    iOS: How to back up
    - If they are in the iTunes backup then get them from the backup by:
    Recover iPhone, iPad or iPod photos from backups with Picturescue
    - If you used PhotoStream then try getting them from your PhotoStream. See that topic of:
    iOS: Importing personal photos and videos from iOS devices to your computer

  • I lose my wifi and phone frequently, the internet company says it's my time capsule. What's going on?

    I've only had the Time Capsule since the end of Dec. I frequently lose my wifi and phone, I've called
    My service provider and they always say everything on their end is working and that it may be my wireless router. I don't know how to fix this. I have had some error messages show up on my MacBook Pro saying a backup wasn't done and that I need to reconnect my Time Capsule. Once I hit ok and re enter my password everything backs up again. I have no idea what's going on or how to fix it. Please help.

    Is your main modem cable?? We need to know more to help.
    Tell us the whole setup of your home network.. modem make and model?? Who is the ISP?
    Is the main modem also a router? How is the TC configured?
    The new TC (AC version) has been buggy with some cable modems.. particularly SB6121, 6141.
    The ISP is more than likely correct.. your TC is simply unreliable.. if it is faulty you can return it and apple will replace it.. but it can also just be setup wrongly or the bugs have got you due to the particular combo of equipment.
