Web Auth logout window shows IP address as URL vs DNS

We are using Web Auth with DNS name which works fine. We did notice however that upon successful login that the logout popup page displays the logout URL with the IP address and not the DNS.
Is this a bug?
Running WCS 4.2.62.0 WLC 4.2.112.0

See steps below. It might be clearer this way.
Guest user gets an IP address via DHCP with DNS information.
Guest user goes to website www.cisco.com
Guest User is redirected to Web auth page https://webauth.xyz.com/login.html?redirect=www.cisc.com/
Guest User logs in
Guest User receives POPUP page indicating successful login and is reminded to either minimize this window or remember the URL to retrieve this window to logout.
It is here that the URL indicates the IP address http://1.1.1.1/logout.html and not the DNS name http://webauth.xyz.com/logout.html

Similar Messages

  • Windows 7 Clients Not Working With Web-Auth

    I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
    The login page is customised showing T's & C's with two buttons Accept or Reject.
    Do I need to Pre-Auth with ACLs? Has anyone had similar issues, or any good docs etc.
    Thanks in advance for any replies.
    Jay

    Nicolas,
    Many thanks for your reply, the problem is that this is a guest network that's also available to the public and I don't have any control over the end clients.
    After doing a quick search on the net I found this.
    NCSI : Uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way NCSI does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resolves to 131.107.255.255.
    NCSI does this whether you are logged on or not.
    Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
    Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
    1.       Permit DNS resolution (UDP/53) to 213.199.181.90
    2.       Permit TCP port 80 to 131.107.255.255
    Jay

  • Show web auth users on WLC

    Hello all!
    I have a Cisco WLC 2500 running software version 7.0.220.0 and one of its WLANs is configured for Web Auth with LDAP (Microsoft AD) and it's working fine.
    Now I need to figure out how to list all the authenticated users, their IP address, AP name and some other information located in the Clients > Detail page.
    Is there any CLI command that will show the information I need? Or even another way to retrieve that information?
    Thanks in advance.
    Valdecir
    São Paulo, Brazil.

    The only way you can see this detail is from the CLI of the WLC:
    show client summary
    Find the mac address of the user
    show client detail <mac address>

  • Using firefox 14.0.1. Loading a link using right-click and "Open Link In New Window", results in new window opening but address bar does not show URL..

    Using firefox 14.0.1. Loading a link using right-click and "Open Link In New Window", results in new window opening but address bar does not show URL. However, if I right click on a link and select "Open Link In New Tab", the Tab shows URL in address bar. So it's working when it's a New Tab but not a New Window.

    The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information.
    Note: This will cause you to lose any Extensions, Open websites, and some Preferences.
    To Reset Firefox do the following:
    1. Go to Firefox > Help > Troubleshooting Information.
    2. Click the "Reset Firefox" button.
    3. Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
    4. Firefox will open with all factory defaults applied.
    Further information can be found in the "Reset Firefox – easily fix most problems" article.
    Did this fix your problems? Please report back to us!

  • When I download something from the Web, the "Downloads" window opens, but the window remains blank. Before it used to at least show the name of the file and I could open the file from the "Downloads" window. Is there a way to get this functionality back?

    I'm running Windows XP which is updated to latest version (which I think might be Service Pack 3, but not positive.) Mozilla Firefox is version 5.0. I tend to use Google as my search engine so most of the stuff I download comes through sites found through Google, which is also updated.
    At some time in the past (maybe a few versions ago) when I would download a file from the Web, the "Downloads" window would open and in the window would be displayed the name of the file I was downloading or had just completed downloading. I think I used to be able to then click on that file name and the file (or the installation file if needed to start the new program) would open. I am currently using Firefox 5.0 (the "About Firefox" screen says this is up to date) and when I download a file or document, the "Downloads" window appears on the screen as it always has in the past, but it remains blank, i.e., nothing appears in the downloads box. I don't remember making any configuration changes, etc., that may have caused the window to remain blank, but I could be mistaken. I know how to find the items I've downloaded (My Documents / Downloads) and can usually guess what the name of the downloaded file might be, but it used to be much easier when something (anything) showed up in the downloads window.
    I'd love for someone to tell me about a simple fix for this. I'm willing to be quite embarrassed that I did something I shouldn't have.

    In Firefox Options / Privacy be sure "Remember download history" is checked. To see all of the options on that panel, "Firefox will" must be set to "Use custom settings for history".
    To find your OS information, on your Windows desktop, right-click the My Computer icon, choose Properties, under System on that small window is info about your OS.

  • Insert Invitee email address..hit send...pop window shows..hit cancel..nothing..have to stop and re-start imail to send invite...spent 40 mins with cpu support for naught

    Not sure if this is an ical or imail problem.  It appears there is some type of handshaking problem between them.  I can enter an invitee address and hit send...A pop up window shows, I hit the cancel option, the window closes and that is it.  If I wish to send the invite I have to shut down Imail and re-start it.  At which time the pop up window shows, I cancel it and then can send the invite.....is this normal?

    - ability to choose deletion of an email on handset only
    - desktop software working with all older BB's allowing drag and drop type of transferring data, contacts etc. (BB link doesn't recognize my old Storm) 
    - auto power on/off
    - contacts syncing with yahoo & Outlook (almost two weeks trying to work around it and no luck)

  • Framed-IP-Address in RADIUS Access Request for WLC web-auth users

    We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device is already having an IP address. 
    So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

    Hi,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded a username&password in the splash-page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read that Cisco 5500 controllers support only 150 simultaneous Web Auth Users logins.
    The two WLCs have about 100-170 clients connected.
    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something they would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
    > Not really... some machines with a popup blocker do block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • Guest WLAN Web Auth problem

    Was just wondering whether anyone else had seen this problem as it is defeating TAC right now…
    We have a number of 4402 WLCs on various sites and another one in a DMZ acting as an anchor controller for the guest network. We’re using just the basic web auth built into the WLC for access out on to the Internet for visiting third parties. All the EOIP stuff is setup and working and all clients can associate and get an IP address.
    All clients get redirected to the authentication page and all clients appear to authenticate successfully. With the exception of a few clients, at this stage most get stuck and cannot browse the web; the pages just time out. All other Internet traffic (SSH, TELNET, SMTP, ICMP) works fine once authenticated, just not HTTP/HTTPS.
    We have upgraded the WLCs to the latest code on the advice of TAC (6.0.196) but this made no difference. The problem seems to happen on all OSs (Mac, XP, Vista, Windows 7, Ubuntu, iPhone) and all browsers (IE6, IE7, IE8, Safari, Firefox, Chrome). We have tried upgrading drivers and changing browser settings, but nothing seems to help. We have working XP laptops and non-working XP laptops; it just doesn’t make any sense.
    The attached packet capture shows a non-working laptop and the only thing I noticed was very large window sizes (512k) which seems a bit odd.
    Any ideas?
    Thanks

    Hi there,
    Apparently I have a fix for the issue, it has just been tested for over 8 hours and my computer running wireless on Windows 7 never disconnected anymore (and I don't have either quick 1 second hangs anymore)....HOW????? It was the wireless driver!!
    My computer has an Atheros 928x wireless card and I was running version 8.0.0... (can't remember the exact version) which as far as I know was the version bundled with the original installation although I don't remember if I had an update from somewhere else... anyway. I did this:
    1. Went to device manager, clicked on the wireless card, clicked delete, then confirm with the box about deletion of the software connected with the device.... then clicked on "scan for hardware changes" - in theory I wanted to update the driver with another .exe I downloaded but I thought let's give a go... and long story short, Win 7 found in "his" files another suitable driver, probably the "generic" one, but nevertheless works as a charm, driver version is 2.0.0.74, driver date 09/06/2009, driver provider: microsoft, digital signer: microsoft windows, driver name : Atheros AR928X Wireless Network Adapter.
    If you need more info about the driver let me know!
    gabrio

  • Web-Auth not working on Apple IOS devices

    I am using L3 web-auth (when no mac filter match). I currently have downloaded the custom page to the controller. It works fine with Windows and Android. I can not get to the redirect page on Apple IOS though.
    In my pre-auth ACL I have added rules to allow any traffic to and from 17.0.0.0/8. I can see that it is getting hits.         
    I have also tried the config network web-auth captive-bypass enable command.
    Neither of these have helped.
    My Apple client is getting an IP address.
    Any ideas? Thanks

    WLAN on Anchor controller:
    (Cisco Controller) >show wlan 2
    WLAN Identifier.................................. 2
    Profile Name..................................... HopeNet
    Network Name (SSID).............................. HopeNet
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 2
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 3600 seconds
    CHD per WLAN..................................... Enabled
    --More-- or (q)uit
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-dmz
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream Downstream
    Average Data Rate................................   0    0
    Average Realtime Data Rate.......................   0    0
    Burst Data Rate..................................   0    0
    Burst Realtime Data Rate.........................   0    0
    Per-Client Rate Limits........................... Upstream Downstream
    Average Data Rate................................   0    0
    Average Realtime Data Rate.......................   0    0
    Burst Data Rate..................................   0    0
    Burst Realtime Data Rate.........................   0    0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    --More-- or (q)uit
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Drop
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    LDAP Servers
       Server 1...................................... 10.4.21.177 389
       Server 2...................................... 10.4.21.178 389
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
    --More-- or (q)uit
       FT Support.................................... Enabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled-On-MACFilter-Failure
    IPv4 ACL........................................ web-auth-test
    IPv6 ACL........................................ Unconfigured
    Web-Auth Flex ACL............................... Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Enabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
    --More-- or (q)uit
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    2           10.241.15.5           Up                             
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled
    WLAN on foreign controller:
    WLAN Identifier.................................. 4
    Profile Name..................................... HopeNet
    Network Name (SSID).............................. HopeNet
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    Broadcast SSID................................... Disabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 2
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 3600 seconds
    CHD per WLAN..................................... Enabled
    --More-- or (q)uit
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream Downstream
    Average Data Rate................................   0    0
    Average Realtime Data Rate.......................   0    0
    Burst Data Rate..................................   0    0
    Burst Realtime Data Rate.........................   0    0
    Per-Client Rate Limits........................... Upstream Downstream
    Average Data Rate................................   0    0
    Average Realtime Data Rate.......................   0    0
    Burst Data Rate..................................   0    0
    Burst Realtime Data Rate.........................   0    0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    --More-- or (q)uit
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Drop
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
    --More-- or (q)uit
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Enabled-On-MACFilter-Failure
    IPv4 ACL........................................ Unconfigured
    IPv6 ACL........................................ Unconfigured
    Web-Auth Flex ACL............................... Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Enabled
       FlexConnect Local Switching................... Disabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
    --More-- or (q)uit
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    4           10.241.15.5           Up                             
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled
    Interface detailed virtual on Anchor controller:
    (Cisco Controller) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 68:ef:bd:93:bd:00
    IP Address....................................... 1.1.1.1
    Virtual DNS Host Name............................ anchor.stjude.org
    AP Manager....................................... No
    Guest Interface.................................. No
    Interface detailed virtual on Foreign controller:
    (30-WiSM2-slot2-1) >show interface detailed virtual
    Interface Name................................... virtual
    MAC Address...................................... 2c:54:2d:3a:51:a0
    IP Address....................................... 1.1.1.1
    Virtual DNS Host Name............................ Disabled
    AP Manager....................................... No
    Guest Interface.................................. No

  • Web-Auth with 802.1x

    Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in its own secure VLAN.
    I am trying to create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
    An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
    I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works just fine. It is just the Web-Auth using 802.1x where it seems the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.

    Hi,
    I don't know if you have resolved the problem or not, but I will propose my solution anyway.
    There are two ways to solve this problem, either to make the controller send the radius request with md5 or make the windows reply to the radius requests that do not contain a md5 hash.
    Microsoft Solution:
    When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
    That should make the IAS respond to the web auth requests.
    WLC Solution:
    I haven't tested this solution, but I think it will work. If you did test it, please let me know how it turned out.
    By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
    Hope that solves your problem, and please let me know how the problem was solved.
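
An added example, not part of the posts above: how a RADIUS server checks the Message-Authenticator attribute named in the IAS log message (attribute 80, HMAC-MD5 over the whole Access-Request keyed with the shared secret, RFC 2869/3579). The secret, user name and password are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + id(1) + length(2) + request authenticator(16)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length byte covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR with chained MD5(secret + previous block)."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(secret, identifier, request_auth, username, password,
                         with_message_authenticator=True) -> bytes:
    """Build a PAP Access-Request, optionally signed with Message-Authenticator."""
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD,
                         pap_hide_password(password, secret, request_auth))
    if with_message_authenticator:
        # Placeholder of 16 zero bytes; the HMAC is computed over this form.
        attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_auth + attrs
    if with_message_authenticator:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # attribute 80 was appended last
    return packet


def iter_attrs(packet: bytes):
    """Yield (type, value_offset, value_length) for each attribute, validating lengths."""
    _, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, attr_len - 2
        pos += attr_len


def check_message_authenticator(packet: bytes, secret: bytes, required: bool = True) -> str:
    """Server-side decision: 'valid', 'invalid', 'missing-rejected' or 'missing-accepted'."""
    for attr_type, off, vlen in iter_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if vlen != 16:
                return "invalid"
            zeroed = bytearray(packet)
            zeroed[off:off + 16] = bytes(16)  # recompute over the zeroed form
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            ok = hmac.compare_digest(expected, packet[off:off + 16])
            return "valid" if ok else "invalid"
    # No attribute 80: this is the case the "must contain" checkbox controls.
    return "missing-rejected" if required else "missing-accepted"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # sample value
    ra = os.urandom(16)
    signed = build_access_request(secret, 7, ra, b"guest1", b"Passw0rd!")
    bare = build_access_request(secret, 8, ra, b"guest1", b"Passw0rd!", False)
    print("signed, required   :", check_message_authenticator(signed, secret))
    print("unsigned, required :", check_message_authenticator(bare, secret))
    print("unsigned, optional :", check_message_authenticator(bare, secret, required=False))
```

With the requirement relaxed, an unsigned Access-Request is accepted without any integrity check on its attributes, which is the trade-off behind the checkbox.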

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page.
    What I tried so far is..
    - add a DNS Host Name to the virtual interface and assign it to our internal DNS server. DNS name was resolving but we were unable to ping 1.1.1.1
    - changed the virtual IP from 1.1.1.1 to 2.2.2.2 and modified the DNS entry. DNS name resolved but still could not ping 2.2.2.2 (I think this is normal)
    - changed the virtual IP to a private address of 192.168.102.1 and modified the DNS entry. Same result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:
    1. Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
    2. On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.
       The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.
    3. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back.
       On Macs/Linux: open a terminal window and do a "nslookup www.cisco.com" and see if the IP address comes back.
       If you believe the client is not getting DNS resolution, you can either:
       - Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
       - Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
       Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
    4. For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.
       You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
       These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
       - ap_mac: The MAC address of the access point to which the wireless user is associated.
       - switch_url: The URL of the controller to which the user credentials should be posted.
       - redirect: The URL to which the user is redirected after authentication is successful.
       - statusCode: The status code returned from the controller's web authentication server.
       - wlan: The WLAN SSID to which the wireless user is associated.
       These are the available status codes:
       - Status Code 1: "You are already logged in. No further action is required on your part."
       - Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
       - Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
       - Status Code 4: "You have been excluded."
       - Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
    5. All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
       Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
       Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
    6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
    7. Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
       Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
       Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
    8. If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
       Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
    9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
    10. Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.
        Protocol | Port
        HTTP/HTTPS Traffic | TCP port 80/443
        CAPWAP Data/Control Traffic | UDP port 5247/5246
        LWAPP Data/Control Traffic (before rel 5.0) | UDP port 12222/12223
        EOIP packets | IP protocol 97
        Mobility | UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)
    11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
    12. Disable the Proxy Settings on the client browser until web authentication is completed.
    13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
    14. Update the hardware driver on the computer to the latest code from manufacturer's website.
    15. Verify settings in the supplicant (program on laptop).
    16. When you use the Windows Zero Config supplicant built into Windows:
        - Verify user has latest patches installed.
        - Run debugs on supplicant.
    17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
        netsh ras set tracing eapol enable
        netsh ras set tracing rastls enable
        In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
    18. If you still have no login web page, collect and analyze this output from a single client:
        debug client
        debug dhcp message enable
        debug aaa all enable
        debug dot1x aaa enable
        debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
        debug pm ssh-appgw enable
        debug pm ssh-tcp enable
        debug pm rules enable
        debug emweb server enable
        debug pm ssh-engine enable packet
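
The troubleshooting text above lists the parameters the controller appends when it redirects a browser to a customized login page, and the five status codes. As an added example (not part of the original posts and not Cisco's sample bundle), this JavaScript parses those parameters, maps statusCode to the listed messages, and accepts switch_url only when it is an https URL on a known controller host, since that is where the form posts the credentials. The host name webauth.example.com, the sample URL and the function name are assumptions made for the example.

```javascript
// Added example, not Cisco's bundle code. ASSUMPTION: the controller's virtual
// interface is reachable as 1.1.1.1 or the hypothetical webauth.example.com.
const ALLOWED_CONTROLLER_HOSTS = new Set(["1.1.1.1", "webauth.example.com"]);
// Constructed sample of the URL a browser is redirected to.
const SAMPLE = "https://portal.example.com/login.html?switch_url=https://1.1.1.1/login.html&ap_mac=00:11:22:33:44:55&wlan=Guest&redirect=www.cisco.com/&statusCode=5";

// Status codes and messages as listed in the troubleshooting text.
const STATUS_MESSAGES = new Map([
  ["1", "You are already logged in. No further action is required on your part."],
  ["2", "You are not configured to authenticate against web portal. No further action is required on your part."],
  ["3", "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"],
  ["4", "You have been excluded."],
  ["5", "The User Name and Password combination you have entered is invalid. Please try again."],
]);

function parseWebAuthRedirect(loginUrl) {
  const params = new URL(loginUrl).searchParams;
  const out = { postTo: null, redirect: null, apMac: null, wlan: params.get("wlan"), message: null, errors: [] };

  // switch_url is where the form posts the credentials: accept it only if it
  // is an https URL on a known controller host.
  try {
    const u = new URL(params.get("switch_url"));
    if (u.protocol === "https:" && ALLOWED_CONTROLLER_HOSTS.has(u.hostname)) out.postTo = u.href;
    else out.errors.push("switch_url is not an allowed controller URL");
  } catch (e) { out.errors.push("switch_url missing or malformed"); }

  // ap_mac: accept only the xx:xx:xx:xx:xx:xx form.
  const mac = params.get("ap_mac");
  if (mac !== null) {
    if (/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i.test(mac)) out.apMac = mac.toLowerCase();
    else out.errors.push("ap_mac malformed");
  }

  // redirect may arrive without a scheme (www.cisco.com/); default to http and
  // allow only http/https targets.
  const redirect = params.get("redirect");
  if (redirect) {
    try {
      const r = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(redirect) ? redirect : "http://" + redirect);
      if (r.protocol === "http:" || r.protocol === "https:") out.redirect = r.href;
      else out.errors.push("redirect scheme not allowed");
    } catch (e) { out.errors.push("redirect malformed"); }
  }
  const code = params.get("statusCode");
  if (code !== null) out.message = STATUS_MESSAGES.get(code) || "Unknown status code";
  return out;
}
```

A login page would render `message` as text and set the form action from `postTo` only when `errors` is empty.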

  • WiSM 7.0.116 Web-Auth Fail & GUI Management Fail

    Dears,
    I found two logs:
    *spamReceiveTask: Jul 28 08:38:28.078: %LWAPP-3-RADIUS_ERR: spam_radius.c:137 Could not send join reply, AP authorization failed; AP:00:14:69:3b:ee:20
    *emWeb: Jul 28 08:38:17.314: %PEM-1-WEBAUTHFAIL: pem_api.c:4990 Web authentication failure for station 00:25:d3:9a:cb:da
    Then, the wireless client cannot access the web-auth page, and I cannot access the controller management GUI.
    When the first Radius Fail, It happened!!!
    I don't know why happen it @@"
    Device:
    WiSM
    7.0.196

    - Model of AP?
    - Console log of this AP as it boots up?
    - From WLC CLI, send "show network summary"
    - From WLC GUI, send snapshot of
    Management > HTTP-HTTPS
    Security > WebAuth > Certificate
    Controller > Interfaces
    - Did you try adding the mac address of AP 00:14:69:3b:ee:20 in the AP authorization list OR under mac filtering
    - On WLC GUI, capture a snapshot of Security > AP Policies
    Then under same tab, click on Add > enter mac address of AP 00:14:69:3b:ee:20 > enter certificate type MIC
    and see if this AP can join

  • Cisco Web Auth Page

    We have a URL-directed login page for web authentication.
    Why does the Cisco page flash, for a bit of a sec, before it goes ahead to the directed URL?
    Unfortunately, some customers are not happy with this.
    Can that Cisco page be totally eliminated?

    No... the client doesn't get the full-blown Cisco web-auth page. Just at the title bar of the window, the Cisco title bar appears very swiftly and is directed right away to the supposed external web authentication page.
    The code used and tested with were 4.1.171, 4.2.185, 5.2.157, and the behavior is the same for all code. It will flash that Cisco title bar and then get directed right away to the external web authentication page.
    Nope, we're not trying to do something special. Just the customer noticed it and somehow is not happy with it.
    What could be the best acceptable explanation we can provide our customer for this very small yet customer-annoying instance? Is there a Cisco document that we can show the customer regarding this behavior?
    Thanks!

  • Cannot connect to web auth login page

    Controller is vWLC 7.4, AP is 2600. Browser gets successfully redirected to 1.1.1.1, so DNS appears to work. However 1.1.1.1 does not respond. Wireshark in the client shows SYN frames but no response. I tried various debugs but nothing is shown on the WLC when the client attempts to reach the login page. 1.1.1.1 is not used in the local network and ends up at the default route. WLAN operates in central mode.
    The browser works when web auth is disabled, but when enabled in either "authentication" or "passthrough" mode any attempt gets redirected to 1.1.1.1 and times out at that point. Telnet to 1.1.1.1:443 failed also.
    Same on two different clients using different OS versions.

    I've tested it in two very different production VLANs having different DHCP servers. Any client connected to those VLANs, whether by Wifi or Ethernet, gets an IP address and can work normally. The Wifi client also works fine when L3 web policy is disabled. A client connected via AP successfully gets an IP address in any case. DNS resolution has been verified and the redirection to 1.1.1.1 also works. It's just the connection to 1.1.1.1 which fails, everything else up to this point appears to work.
    BTW: Is there a way to test the availability of the authentication web server on the WLC, locally? I can ping 1.1.1.1 successfully, but this only verifies the interface, not the web server. Normally I'd try a telnet to 1.1.1.1:443, but did not find anything similar on the WLC.
