Web Auth Cert Download

Similar Messages

• Web Auth Type: Customized(downloaded) Redirect URL after login not working.

           5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
  Everything is working as it should.  I downloaded the web auth bundle from Cisco and  will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
  I have edited the aup.html and login.html to say what I want it to.  I have 2 different login.html pages and bundle to a .tar file like the documentation says.  I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should.  The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined. 
     I must be missing some setting somewhere, but I just can not seem to find it.  Is there any line I need to edit in the login.html files that will redirect the page.    The config on the Web Login Page  Redirect URL after login is http://www.mccg.org which is our home page.
  Any help will be appreciated.  I cannot seem to fine very good documentation, or I am just overlooking something.
  Thanks
  John   

  Your HTML code is wrong. Attach your code if your okay with it and I can check.
  Sent from Cisco Technical Support iPhone App

• 5508 loading cert for web auth

  I have web auth enabled on the WLC so when clients connec they get a cert error because it is using the self signed cert.  I was reading up on getting a third part cert and it explains about getting openssl and then generating the cert and sending it to a third party CA etc.
  Any links you can share would be very helpful explaining best practices and method to load a third party cert on the WLC 5508 for web authentication.
  Why can't I just get a cert from them for our domain and simply load it on the WLC?

  Hi Mohammed,
  Here are the two links which are like bible to generate certs..
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
  Depends on whether you are using Chained or Un chained certs.. Following the above link will help you in getting the issue resolved!!
  Lemme know if this answered ur question!!
  Regards
  Surendra

• WLC 5508 Web Auth Splash Page: Is it possible to place a download?

  Hi,
  I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
  Thanks
  Michael

  It could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe).  This shouldn't be a problem considering a .doc size, but I have to ask the same question.   Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html?  Maybe there is a good reason, but I can't really think of any scenario.  Feel free to elaborate.

• WLC Custom Web Auth Bundle sample .tar file is not on WCS

  The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
  However I found on Cisco.com under Support > Downloads > Products >Wireless> Wireless LAN Controller Standalone Controllers> Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2  > webauth_bundle-1.0.2.zip
  It was updated in June 2011, some pretty good sample html code.
  The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful , almost as good as the suppport community web page on custom web auth.
  https://supportforums.cisco.com/docs/DOC-13954

  WCS config guide 7.0.172 is correct
  http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
  The bundle in WCS is downloaded through :
  configure->controller
  "select a command"-> download customized webauth bundle.
  Just tested it and it was there.
  The one on cisco.com is better though

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• Guest WLAN Web Auth problem

  Was just wondering whether anyone else had seen this problem as it is defeating TAC right now…
  We have a number of 4402 WLCs on various sites and another one in a DMZ acting as an anchor controller for the guest network. We’re using just the basic web auth built into the WLC for access out on to the Internet for visiting third parties. All the EOIP stuff is setup and working and all clients can associate and get an IP address.
  All clients get redirected to the authentication page and all clients appear to authenticate successfully. With the exception of a few clients, at this stage most get stuck and cannot browse the web; the pages just time out. All other Internet traffic (SSH, TELNET, SMTP, ICMP) works fine once authenticated , just not HTTP/HTTPS.
  We have upgraded the WLCs to the latest code on the advice of TAC (6.0.196) but this made no difference. The problem seems to happen on all OSs (Mac, XP, Vista, Windows 7, Ubuntu, iPhone) and all browsers (IE6, IE7, IE8, Safari, Firefox, Chrome). We have tried upgrading drivers and changing browser settings, but nothing seems to help. We have working XP laptops and non-working XP latops; it just doesn’t make any sense.
  The attached packet capture shows a non-working laptop and the only thing I noticed was very large window sizes (512k) which seems a bit odd.
  Any ideas?
  Thanks

  hi there
  apparently i have a fix for the issue, it has just been tested for over 8 hours and my computer running wireless on windows 7 never disconected anymore (and i don't have either quick 1 second hangs anymore)....HOW????? it was the wireless driver!!
  my computer has an Atheros 928x wireless card and i was running version 8.0.0... (can't remember the exact version) which as far as i know was the version bundled with the original installation alhough i dont remember if i had an update from somewhere else... anyway. i did this:
  1. went to device manager, clicked on the wireless card, clicked delete, then confirm with the box about deletion of the software connected with the device.... then clicked on "scan for hardware changes" - in theory i wanted to update the driver with another .exe i downloaded but i thought let's give a go... and long story short, win 7 found in "his" files another suitable driver, probably the "generic" one, but nevertheless works as a charm, driver version is 2.0.0.74, driver date 09/06/2009, driver provider: microsoft, digital signer: microsoft windows, driver name : Atheros AR928X Wireless Network Adapter.
  if you need more info about the driver let me know!
  gabrio

• Having trouble with custom web auth page on 4404

  Hi all
  I am having trouble with a custom web auth page on my controller, we have edited the original file, but when we click login it goes to page cannot be displayed and it doesnt redirect to the page I want, however when I close the window and reopen it has already authenticated me.
  Has anyone got a copy of some working html code I can use ?
  cheers

  There is sample Web Authentication bundle avaiable for download from cisco.com. if you go to the software download page and go to Wireless->Standalone Controllers->4404 you should see a link for Wireless Lan Web Authentication Bundle.
  Its the same bundle whether you have a WiSM, 4404 or 2100

• How to install Web Auth. Bundle on WLC 2504

  Hi, 
  I need to install a Web Auth bundle and when I download the file from cisco's webpage, its a .zip, but the WLC asks for a .tar file, so I converted it to a .tar and tried again but then it said file was too big.
  Can someone please instruct me on how to do it?
  Thanks in advance,
  Javier

  Hi,
     the .tar file size (no more than 1Mb
  the filename length of the files (should be no more than 30 characters)
  Plus other guide lines while downloading at the below location
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049431
  Regards
  Dhiresh
  **Please rate helpful posts**

• How to generate CSR on switches for web auth with NGS

  Hello
  I am doing a dot1x solution with web auth on cisco 3750 switches.
  Once the wired client get put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is selfsigned.
  I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
  Is there any way to solve this?
  Greetings
  Steven

  Hi Steven,
  The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
  Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
  Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
  This document goes into a little more detail on all the indivual commands and what they do:
  http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
  Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
  Thanks,
  Nate

• Loading web auth bundle for pass through

  I have created a web page using the web auth template that I downloaded from Cisco.  Am I just supposed to upload the TAR file that I created from the wap folder or do I have to upload the entire bundle that I downloaded from Cisco created as a TAR file?
  Thank you.
  I have attached the files I am using and cannot get them to load on the web browser when I click on preview.  The login.tar file loads onto the controller with no problem and reports succesful installation.
  Seth

  You need to use a Linux/unix box or else on windows you can use 7-zip, pico zip or power archiver.
  Per this doc
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_user_accts.html#wp1183650
  Note
  If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
  Sent from Cisco Technical Support iPhone App

• Customized Web-Auth Bundle

  Hi
  I am trying to upload a customized web-auth bundle to a WLC 5508 and having some issues.
  I have downloaded the web-auth bundle from Cisco and used this as a template to create the web pages.
  I seem to recall that there is only a couple of Windows tools that you can use to TAR the file such as TUGZIP and IZARC. Anyway I have tried both and I still cannot get the file to extract. I have tried to strip the file out so that I only send up the login.html page and even this does not work.
  I am using a software release 7.0.220.0
  The error message I receive when I do a TFTP is
  Error extracting webauth files.
  Any help would be appreciated
  Thanks
  Greg

  Hi Greg:
  I hope you find the answer here:
  You can compress the page and image files used for displaying a web authentication login page into a.tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller's file system as an untarred file.
  Note If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
  Reference: http://tiny.cc/rbqbfw
  So double check the size and tarring utility.
  Try to use WinRar or 7Zip if the tarring format is the issue.
  HTH
  Amjad

• Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

  Hi everyone.
  I'm seting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
  I'm only testing the wired environment right now.
  I plug a PC to a port, and I try to get access to a randon internet page (for example www.cisco.com) . It is automatically redirected to authentication page. I type the username and password, but, when authentication passes, it goes automatically to https version of the page, which brings me to the problem. I have to add an exception (continue on this webpage option on IE) to that page in order to continue with the authentication and get the access to the internet. I'm attaching the steps I have to perform:
  I think it is related to Certificate, but I'm not quite sure which or where. I'd like to have some advices from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https would be great.
  Thanks a bunch for your help
  Victor Alves

  You need a certificate that your client will trust.
  Easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors so that's automatically trusted.
  You could issue the certificate yourself also, for free :
  -Self signed : the signing authority is the switch ... That means you need all your PCs to trust all your switches. Manual operation ...
  -You create an enterprise CA and create a certificate for all your switches : you just need your clients to trust your enterprise CA so that's still a manual task but a simpler one.
  When laptops are integrated in a domain, it's usually easier to create your CA on windows server and push the certificates to the clients automatically

• WEB-AUTH Page customization

  Hi, All can anybody let me know how can I customize the WEB-AUTH login page. If I want to put some image & background how can I do that ? do we need anything special software ..how can I download & upload page from Controller...how can I edit the Page...please help me to do this....
  I appreciate your response.

  Hi,
  I would suggest that when you test the default web auth page as a user on the "guest" network (or even use the preview page but the code may be slightly different, you should be able to view the source code from within your browser (e.g. within Firefox use Ctrl-U). You can then use this as a basis for creating your own page.
  In terms of HTML tools there are many available, but I use MS-Word 2003 and when necessary the script editor within MS-Word 2003. Once you are happy with your page save in the appropriate format. You can create a page as you want to see it and then convert it to HTML, and then remembering to embed the required "username" and "password" fields and the submit button.
  HTH

• Web-auth page alterations and tweaking on WLC 4404

  Hi,
  As I mentioned in a previous post I'm running two guest WLANs through a C4404. One of them requires a Lobby Admin to generate a user for a 'less restricted' network and the other requires entry of some personal details into the capture screen before you get onto the filtered, web and secureweb only network.
  I've got the registration one working fine and managed to create a login page tailored to suit.
  What I'm having trouble with is altering the web-auth passthrough page. Currently it just asks for an email address (not verified) and then allows access to the network. I really want to capture an email, name and other details but it doesn't seem like I can easily upload another page to replace the default as the login.html file is being used for the other WLAN.
  Has anyone else done a similar thing or managed to use a page called something other than login.html. My web skills are fairly weak, but I can work my way through most pages and make minor alterations.
  Any info would be great...even better would be some page examples.
  Thanks

  It seems that every time you wish to use a customised page (either for webauth or passthrough) you need to name it login.html.
  The email passthrough uses the WLC default page, but just includes an email field rather than the user/pass that's configured by a lobbyadmin.
  So, without using any external server, do you think it's possible to have a customised webauth login page and a customised passthrough w/ email page AT THE SAME TIME?
  As a side note, has anyone got the downloadable logo to fit in to the default page without problems. I can't seem to get the image size right and end up with blue borders around my customised logo?
  Any help would be greatly appreciated.
  Thanks