Web Auth logout window shows IP address as URL vs DNS
We are using Web Auth with a DNS name, which works fine. We did notice, however, that upon successful login the logout popup page displays the logout URL with the IP address and not the DNS name.
Is this a bug?
Running WCS 4.2.62.0, WLC 4.2.112.0.
See the steps below. It might be clearer this way.
1. Guest user gets an IP address via DHCP with DNS information.
2. Guest user goes to website www.cisco.com
3. Guest user is redirected to Web auth page https://webauth.xyz.com/login.html?redirect=www.cisc.com/
4. Guest user logs in
5. Guest user receives a popup page indicating successful login and is reminded to either minimize this window or remember the URL to retrieve this window to log out.
6. It is here that the URL indicates the IP address http://1.1.1.1/logout.html and not the DNS name http://webauth.xyz.com/logout.html
Similar Messages
-
Windows 7 Clients Not Working With Web-Auth
I am using 5508 controllers, configured for WEB-AUTH passthrough, Windows XP clients work fine but Windows 7 clients are hit and miss getting redirected to the splash screen.
The login page is customised showing T's & C's with two buttons Except or Reject.
Do I need to Pre-Auth with ACL's? Has anyone had similar issues, or any good doc's etc.
Thanks in advance for any replies.
Jay
Nicolas,
Many thanks for your reply. The problem is that this is a guest network that's also available to the public and I don't have any control over the end clients.
After doing a quick search on the net I found this.
NCSI: Uses a combination of DNS and/or HTTP lookups to tell if you are connected to the Internet. The way NCSI does this is either via an HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS lookup for dns.msftncsi.com that resolves to 131.107.255.255.
NCSI does this whether you are logged on or not.
Do I need to Create a Preauthentication ACL on the Guest WLAN interface:-
Configure a preauthentication ACL on the WLAN to allow wireless clients to allow:-
1. Permit DNS resolution (UDP/53) to 213.199.181.90
2. Permit TCP port 80 to 131.107.255.255
Jay -
Hello all!
I have a Cisco WLC 2500 running software version 7.0.220.0 and one of its WLANs is configured for Web Auth with LDAP (Microsoft AD) and it's working fine.
Now I need to figure out how to list all the authenticated users, their IP address, AP name and some other information located in the Clients > Detail page.
Is there any CLI command that will show the information I need? Or even another way to retrieve that information?
Thanks in advance.
Valdecir
São Paulo, Brazil.
The only way you can see this detail is from the CLI of the WLC:
show client summary
Find the mac address of the user
show client detail <mac address> -
Using firefox 14.0.1. Loading a link using right-click and "Open Link In New Window", results in new window opening but address bar does not show URL. However, if I right click on a link and select "Open Link In New Tab", the Tab shows URL in address bar. So it's working when it's a New Tab but not a New Window.
The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information.
Note: This will cause you to lose any Extensions, Open websites, and some Preferences.
To Reset Firefox do the following:
1. Go to Firefox > Help > Troubleshooting Information.
2. Click the "Reset Firefox" button.
3. Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
4. Firefox will open with all factory defaults applied.
Further information can be found in the "Reset Firefox – easily fix most problems" article.
Did this fix your problems? Please report back to us! -
I'm running Windows XP which is updated to latest version (which I think might be Service Pack 3, but not positive.) Mozilla Firefox is version 5.0. I tend to use Google as my search engine so most of the stuff I download comes through sites found through Google, which is also updated.
At some time in the past (maybe a few versions ago) when I would download a file from the Web, the "Downloads" window would open and in the window would be displayed the name of the file I was downloading or had just completed downloading. I think I used to be able to then click on that file name and the file (or the installation file if needed to start the new program) would open. I am currently using Firefox 5.0 (the "About Firefox" screen says this is up to date) and when I download a file or document, the "Downloads" window appears on the screen as it always has in the past, but it remains blank, i.e., nothing appears in the downloads box. I don't remember making any configuration changes, etc., that may have caused the window to remain blank, but I could be mistaken. I know how to find the items I've downloaded (My Documents / Downloads) and can usually guess what the name of the downloaded file might be, but it used to be much easier when something (anything) showed up in the downloads window.
I'd love for someone to tell me about a simple fix for this. I'm willing to be quite embarrassed that I did something I shouldn't have.
In Firefox Options / Privacy be sure "Remember download history" is checked. To see all of the options on that panel, "Firefox will" must be set to "Use custom settings for history".
To find your OS information, on your Windows desktop, right-click the My Computer icon, choose Properties, under System on that small window is info about your OS.
If this reply solves your problem, please click "Solved It" next to this reply when signed-in to the forum. -
Not sure if this is an ical or Imail problem. It appears there is some type of handshaking problem between them. I can enter an invitee address and hit send... A pop-up window shows, I hit the cancel option, the window closes and that is it. If I wish to send the invite I have to shut down Imail and restart it, at which time the pop-up window shows, I cancel it and then can send the invite... Is this normal?
- ability to choose deletion of an email on handset only
- desktop software working with all older BB's allowing drag and drop type of transferring data, contacts etc. (BB link doesn't recognize my old Storm)
- auto power on/off
- contacts syncing with yahoo & Outlook (almost two weeks trying to work around it and no luck) -
Framed-IP-Address in RADIUS Access Request for WLC web-auth users
We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device is already having an IP address.
So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?
Hi,
Try using:
aaa accounting delay-start
Regards,
~JG
Do rate helpful posts -
Cisco WLC 5508 simultaneous Web Auth Users logins?
Hi there,
We have 2 WLC5508 (7.2.111.3) with several SSID's.
One of them is configured as Passthrough with an external splash server. Works fine.
Now we want to use the "On MAC Filter failure".
If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
To keep the Passthrough functionality for the user, we hardcoded a username & password in the splash page.
So, every client WebAuth uses the same username & password for authentication against the WLC.
User Login Policies is set to unlimited.
So far so good, it seems to work, but I have read that Cisco 5500 controllers support only 150 simultaneous Web Auth user logins.
The two WLCs have about 100-170 clients connected.
Question:
- Will there be an issue with the 150 simultaneous logins, despite using only one user for all Wi-Fi clients?
- Can the user WebAuth be done with a Cisco ISE like Passthrough, where no username & password should be entered by the user?
If yes, some guide information would be great.
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
Thanks for the answers ;-)
Kind regards,
Norbert
Question:
- Will there be an issue with the 150 simultaneous logins, despite using only one user for all Wi-Fi clients?
> I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
- Can the user WebAuth be done with a Cisco ISE like Passthrough, where no username & password should be entered by the user?
If yes, some guide information would be great.
> ISE is really used to log in with a username and password and to be able to profile. You would need to ask that on the Security forum to get their input if this is something they would do or just leave it on the WLC
- When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden somehow?
> Not really... some machines with a popup blocker do block this and you don't see the logout, but you can't remove this.
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"***** -
Was just wondering whether anyone else had seen this problem as it is defeating TAC right now…
We have a number of 4402 WLCs on various sites and another one in a DMZ acting as an anchor controller for the guest network. We’re using just the basic web auth built into the WLC for access out on to the Internet for visiting third parties. All the EOIP stuff is set up and working and all clients can associate and get an IP address.
All clients get redirected to the authentication page and all clients appear to authenticate successfully. With the exception of a few clients, at this stage most get stuck and cannot browse the web; the pages just time out. All other Internet traffic (SSH, TELNET, SMTP, ICMP) works fine once authenticated, just not HTTP/HTTPS.
We have upgraded the WLCs to the latest code on the advice of TAC (6.0.196) but this made no difference. The problem seems to happen on all OSs (Mac, XP, Vista, Windows 7, Ubuntu, iPhone) and all browsers (IE6, IE7, IE8, Safari, Firefox, Chrome). We have tried upgrading drivers and changing browser settings, but nothing seems to help. We have working XP laptops and non-working XP laptops; it just doesn’t make any sense.
The attached packet capture shows a non-working laptop and the only thing I noticed was very large window sizes (512k) which seems a bit odd.
Any ideas?
Thanks
hi there
apparently i have a fix for the issue, it has just been tested for over 8 hours and my computer running wireless on windows 7 never disconnected anymore (and i don't have either quick 1 second hangs anymore)....HOW????? it was the wireless driver!!
my computer has an Atheros 928x wireless card and i was running version 8.0.0... (can't remember the exact version) which as far as i know was the version bundled with the original installation although i don't remember if i had an update from somewhere else... anyway. i did this:
1. went to device manager, clicked on the wireless card, clicked delete, then confirm with the box about deletion of the software connected with the device.... then clicked on "scan for hardware changes" - in theory i wanted to update the driver with another .exe i downloaded but i thought let's give a go... and long story short, win 7 found in "his" files another suitable driver, probably the "generic" one, but nevertheless works as a charm, driver version is 2.0.0.74, driver date 09/06/2009, driver provider: microsoft, digital signer: microsoft windows, driver name : Atheros AR928X Wireless Network Adapter.
if you need more info about the driver let me know!
gabrio -
Web-Auth not working on Apple IOS devices
I am using L3 web-auth (when no mac filter match). I currently have downloaded the custom page to the controller. It works fine with Windows and Android. I can not get to the redirect page on Apple IOS though.
In my pre-auth ACL I have added rules to allow any traffic to and from 17.0.0.0/8. I can see that it is getting hits.
I have also tried the config network web-auth captive-bypass enable command.
Neither of these have helped.
My Apple client is getting an IP address.
Any ideas? Thanks
WLAN on Anchor controller:
(Cisco Controller) >show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... HopeNet
Network Name (SSID).............................. HopeNet
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 3600 seconds
CHD per WLAN..................................... Enabled
--More-- or (q)uit
Webauth DHCP exclusion........................... Disabled
Interface........................................ guest-dmz
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
--More-- or (q)uit
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
LDAP Servers
Server 1...................................... 10.4.21.177 389
Server 2...................................... 10.4.21.178 389
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
--More-- or (q)uit
FT Support.................................... Enabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled-On-MACFilter-Failure
IPv4 ACL........................................ web-auth-test
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
--More-- or (q)uit
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
2 10.241.15.5 Up
802.11u........................................ Disabled
MSAP Services.................................. Disabled
WLAN on foreign controller:
WLAN Identifier.................................. 4
Profile Name..................................... HopeNet
Network Name (SSID).............................. HopeNet
Status........................................... Enabled
MAC Filtering.................................... Enabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status ....................... Disabled
DHCP ......................................... Disabled
HTTP ......................................... Disabled
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 3600 seconds
CHD per WLAN..................................... Enabled
--More-- or (q)uit
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Per-Client Rate Limits........................... Upstream Downstream
Average Data Rate................................ 0 0
Average Realtime Data Rate....................... 0 0
Burst Data Rate.................................. 0 0
Burst Realtime Data Rate......................... 0 0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
--More-- or (q)uit
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
--More-- or (q)uit
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
Wi-Fi Direct policy configured................ Disabled
EAP-Passthrough............................... Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled-On-MACFilter-Failure
IPv4 ACL........................................ Unconfigured
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
FlexConnect Local Switching................... Disabled
flexconnect Central Dhcp Flag................. Disabled
flexconnect nat-pat Flag...................... Disabled
flexconnect Dns Override Flag................. Disabled
FlexConnect Vlan based Central Switching ..... Disabled
FlexConnect Local Authentication.............. Disabled
FlexConnect Learn IP Address.................. Enabled
--More-- or (q)uit
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Mobility Anchor List
WLAN ID IP Address Status
4 10.241.15.5 Up
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Interface detailed virtual on Anchor controller:
(Cisco Controller) >show interface detailed virtual
Interface Name................................... virtual
MAC Address...................................... 68:ef:bd:93:bd:00
IP Address....................................... 1.1.1.1
Virtual DNS Host Name............................ anchor.stjude.org
AP Manager....................................... No
Guest Interface.................................. No
Interface detailed virtual on Foreign controller:
(30-WiSM2-slot2-1) >show interface detailed virtual
Interface Name................................... virtual
MAC Address...................................... 2c:54:2d:3a:51:a0
IP Address....................................... 1.1.1.1
Virtual DNS Host Name............................ Disabled
AP Manager....................................... No
Guest Interface.................................. No -
Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in its own secure VLAN.
I am trying to create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works just fine. It is just the Web-Auth using 802.1x where it seems the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.
Hi,
I don't know if you have resolved the problem or not, but I will propose my solution anyway.
There are two ways to solve this problem: either make the controller send the radius request with md5, or make the windows server reply to the radius requests that do not contain a md5 hash.
Microsoft Solution:
When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
That should make the IAS respond to the web auth requests.
WLC Solution:
I haven't tested this solution, but I think it will work. if you did test it, please let me know how it turned out.
By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
Hope that solves your problem, and please let me know how the problem was solved. -
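What the IAS log entry in this thread is checking, shown as an added example (not code from the thread, Cisco or Microsoft): per RFC 2869 the Message-Authenticator attribute (type 80) is an HMAC-MD5 over the whole Access-Request, keyed with the RADIUS shared secret and computed with the attribute's 16 value octets set to zero. The shared secret, user name and packet contents below are constructed sample values.

```javascript
const crypto = require("crypto");

const ACCESS_REQUEST = 1;              // RADIUS packet code (RFC 2865)
const ATTR_USER_NAME = 1;              // RFC 2865
const ATTR_MESSAGE_AUTHENTICATOR = 80; // RFC 2869
const HEADER_LEN = 20;                 // code(1) id(1) length(2) authenticator(16)

// Encode one attribute as type, length, value.
function encodeAttr(type, value) {
  return Buffer.concat([Buffer.from([type, value.length + 2]), value]);
}

function hmacMd5(secret, data) {
  return crypto.createHmac("md5", secret).update(data).digest();
}

// Client (NAS) side: build an Access-Request, optionally signed.
function buildAccessRequest({ id, requestAuthenticator, attrs, secret, sign }) {
  const encoded = attrs.map(([type, value]) => encodeAttr(type, value));
  if (sign) encoded.push(encodeAttr(ATTR_MESSAGE_AUTHENTICATOR, Buffer.alloc(16)));
  const body = Buffer.concat(encoded);
  const header = Buffer.alloc(HEADER_LEN);
  header.writeUInt8(ACCESS_REQUEST, 0);
  header.writeUInt8(id, 1);
  header.writeUInt16BE(HEADER_LEN + body.length, 2);
  requestAuthenticator.copy(header, 4);
  const packet = Buffer.concat([header, body]);
  if (sign) {
    // The attribute was appended last, so its value is the final 16 octets.
    hmacMd5(secret, packet).copy(packet, packet.length - 16);
  }
  return packet;
}

// Walk the attribute list; null = not present, {error} = bad framing.
function findAttr(packet, type) {
  const end = packet.readUInt16BE(2);
  let off = HEADER_LEN;
  while (off < end) {
    if (off + 2 > end) return { error: true };
    const len = packet[off + 1];
    if (len < 2 || off + len > end) return { error: true };
    if (packet[off] === type) return { valueOffset: off + 2, valueLength: len - 2 };
    off += len;
  }
  return null;
}

// Server side: the check a RADIUS server applies when it requires the attribute.
// Returns "valid", "invalid", "missing" or "malformed".
function checkMessageAuthenticator(packet, secret) {
  if (packet.length < HEADER_LEN) return "malformed";
  const declared = packet.readUInt16BE(2);
  if (declared < HEADER_LEN || declared > packet.length) return "malformed";
  const found = findAttr(packet, ATTR_MESSAGE_AUTHENTICATOR);
  if (found === null) return "missing";
  if (found.error || found.valueLength !== 16) return "malformed";
  const received = Buffer.from(packet.subarray(found.valueOffset, found.valueOffset + 16));
  const zeroed = Buffer.from(packet.subarray(0, declared));
  zeroed.fill(0, found.valueOffset, found.valueOffset + 16);
  // Constant-time compare so the check does not leak how many octets matched.
  return crypto.timingSafeEqual(received, hmacMd5(secret, zeroed)) ? "valid" : "invalid";
}

// Constructed sample input. A real client uses a random Request Authenticator;
// a fixed one is used here only to keep the run reproducible.
function demo() {
  const secret = "constructed-shared-secret";
  const base = {
    id: 7,
    requestAuthenticator: Buffer.alloc(16, 0xa5),
    attrs: [[ATTR_USER_NAME, Buffer.from("guest1")]],
    secret,
  };
  const unsigned = buildAccessRequest({ ...base, sign: false });
  const signed = buildAccessRequest({ ...base, sign: true });
  const tampered = Buffer.from(signed);
  tampered[HEADER_LEN + 2] ^= 0x01; // flip one bit in the User-Name value
  return {
    unsigned: checkMessageAuthenticator(unsigned, secret),
    signed: checkMessageAuthenticator(signed, secret),
    wrongSecret: checkMessageAuthenticator(signed, "some-other-secret"),
    tampered: checkMessageAuthenticator(tampered, secret),
  };
}

console.log(demo());
```

The "missing" result corresponds to the condition the IAS event describes; "invalid" is what a server sees when the shared secret differs or the request was modified in transit.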
Guest WLAN and Web Auth?
Hi Guys,
Maybe someone can help me out?
I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our physical "Cisco Wireless Controller", with the exception of having 2 ports. Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN. When a client connects, he gets a DHCP address from our ASA, but when we try to get to a website, we never reach the WEB AUTH page.
What I tried so far is:
- add a DNS Host Name to the virtual interface and assign it to our internal DNS server
  dns name was resolving but we were unable to ping 1.1.1.1
- changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entry
  dns name resolved but still could not ping 2.2.2.2 (I think this is normal)
- changed the virtual IP to a private address of 192.168.102.1 and modified the dns entry
  same result
I've attached some screenshots of our configuration.
Troubleshooting Web Authentication
After you configure web authentication, if the feature does not work as expected, complete these
troubleshooting steps:
Check if the client gets an IP address. If not, users can uncheck
DHCP Required
on the WLAN and
give the wireless client a static IP address. This assumes association with the access point. Refer to
the
IP addressing issues
section of
Troubleshooting Client Issues in the Cisco Unified Wireless
Network for troubleshooting DHCP related issues
1.
On WLC versions earlier than 3.2.150.10, you must manually enter
https://1.1.1.1/login.html
in
order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
connects to a WLAN configured for web authentication, the client obtains an IP address from the
DHCP server. The user opens a web browser and enters a website address. The client then performs
the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
authentication login page.
2.
Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
Windows, choose
Start > Run
, enter
CMD
in order to open a command window, and do a nslookup
www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a nslookup www.cisco.com" and see if the IP
address comes back.
If you believe the client is not getting DNS resolution, you can either:
Enter either the IP address of the URL (for example, http://www.cisco.com is
http://198.133.219.25)
♦
Try to directly reach the controller's webauth page with
https:///login.html. Typically this is http://1.1.1.1/login.html.
♦
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
be a certificate problem. The controller, by default, uses a self−signed certificate and most web
browsers warn against using them.
3.
4. For web authentication using customized web page, ensure that the HTML code for the customized web page is appropriate.
You can download a sample Web Authentication script from Cisco Software Downloads. For example, for the 4400 controllers, choose Products > Wireless > Wireless LAN Controller > Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication Bundle-1.0.1 and download the webauth_bundle.zip file.
These parameters are added to the URL when the user's Internet browser is redirected to the customized login page:
♦ ap_mac: The MAC address of the access point to which the wireless user is associated.
♦ switch_url: The URL of the controller to which the user credentials should be posted.
♦ redirect: The URL to which the user is redirected after authentication is successful.
♦ statusCode: The status code returned from the controller's web authentication server.
♦ wlan: The WLAN SSID to which the wireless user is associated.
These are the available status codes:
♦ Status Code 1: "You are already logged in. No further action is required on your part."
♦ Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
♦ Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
♦ Status Code 4: "You have been excluded."
♦ Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
5. All the files and pictures that need to appear on the Customized web page should be bundled into a .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is login.html. You receive this error message if you do not include the login.html file:
Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web Authentication Configuration Example for more information on how to create a customized web authentication window.
Note: Files that are large and files that have long names will result in an extraction error. It is recommended that pictures are in .jpg format.
6. Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
7. Ensure that the Scripting option is not blocked on the client browser as the customized web page on the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does not work. Refer to Cisco bug ID CSCar04580 (registered customers only) for more information.
8. If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
9. Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.
10. Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.

Protocol                                       Port
HTTP/HTTPS Traffic                             TCP port 80/443
CAPWAP Data/Control Traffic                    UDP port 5247/5246
LWAPP Data/Control Traffic (before rel 5.0)    UDP port 12222/12223
EOIP packets                                   IP protocol 97
Mobility                                       UDP port 16666 (non secured), UDP port 16667 (secured IPSEC tunnel)

11. For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
12. Disable the Proxy Settings on the client browser until web authentication is completed.
13. The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
14. Update the hardware driver on the computer to the latest code from manufacturer's website.
15. Verify settings in the supplicant (program on laptop).
16. When you use the Windows Zero Config supplicant built into Windows:
♦ Verify user has latest patches installed.
♦ Run debugs on supplicant.
17. On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
netsh ras set tracing eapol enable
netsh ras set tracing rastls enable
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.
18. If you still have no login web page, collect and analyze this output from a single client:
debug client
debug dhcp message enable
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable
If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet
-
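The parameters listed in the troubleshooting document above (switch_url, redirect, ap_mac, wlan, statusCode) arrive in the query string, so a customized login.html should validate them before it posts credentials or redirects the user. The following is an added example, not Cisco's bundle code and not part of any post; the function name and the trusted host list (webauth.xyz.com and 1.1.1.1, taken from the first post) are assumptions.

```javascript
// Added example, not Cisco's bundle code. The host list is an assumption:
// put only your controller's virtual interface name and IP here.
const TRUSTED_PORTAL_HOSTS = new Set(["webauth.xyz.com", "1.1.1.1"]);

// Status code text as listed in the troubleshooting document.
const STATUS_MESSAGES = new Map([
  ["1", "You are already logged in. No further action is required on your part."],
  ["2", "You are not configured to authenticate against web portal. No further action is required on your part."],
  ["3", "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"],
  ["4", "You have been excluded."],
  ["5", "The User Name and Password combination you have entered is invalid. Please try again."],
]);

function parseWebAuthRedirect(pageUrl) {
  const q = new URL(pageUrl).searchParams;
  const out = { postTarget: null, redirect: null, apMac: null, wlan: null,
                statusMessage: null, errors: [] };

  // switch_url receives the credentials: HTTPS on a known controller host only.
  try {
    const target = new URL(q.get("switch_url") || "");
    const trusted = target.protocol === "https:" && TRUSTED_PORTAL_HOSTS.has(target.hostname);
    if (!trusted) throw new Error("untrusted switch_url");
    out.postTarget = target.origin + target.pathname; // drops userinfo, query, fragment
  } catch {
    out.errors.push("switch_url rejected");
  }

  // redirect may lack a scheme; forcing http(s) makes other schemes fail to parse.
  const rawRedirect = q.get("redirect");
  if (rawRedirect) {
    try {
      const hasScheme = /^https?:\/\//i.test(rawRedirect);
      out.redirect = new URL(hasScheme ? rawRedirect : "http://" + rawRedirect).href;
    } catch {
      out.errors.push("redirect rejected");
    }
  }

  // Display-only values: check their shape and render them with textContent.
  const mac = q.get("ap_mac") || "";
  if (/^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i.test(mac)) out.apMac = mac.toLowerCase();
  const wlan = q.get("wlan") || "";
  if (wlan.length >= 1 && wlan.length <= 32) out.wlan = wlan;
  out.statusMessage = STATUS_MESSAGES.get(q.get("statusCode")) || null;
  return out;
}
```

A page using this would set the form's post target only when `postTarget` is non-null and `errors` is empty, and show a fixed error otherwise.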
WiSM 7.0.116 Web-Auth Fail & GUI Management Fail
Dears,
I find two logs:
*spamReceiveTask: Jul 28 08:38:28.078: %LWAPP-3-RADIUS_ERR: spam_radius.c:137 Could not send join reply, AP authorization failed; AP:00:14:69:3b:ee:20
*emWeb: Jul 28 08:38:17.314: %PEM-1-WEBAUTHFAIL: pem_api.c:4990 Web authentication failure for station 00:25:d3:9a:cb:da
Then, Wireless Client cannot access web-auth page, and I cannot access the controller management GUI.
When the first Radius Fail, It happened!!!
I don't know why happen it @@"
Device:
WiSM
7.0.196
- Model of AP?
- Console log of this AP as it boots up?
- From WLC CLI, send "show network summary"
- From WLC GUI, send snapshot of
Management > HTTP-HTTPS
Security > WebAuth > Certificate
Controller > Interfaces
- Did you try adding the mac address of AP 00:14:69:3b:ee:20 in the AP authorization list OR under mac filtering
- On WLC GUI, capture a snapshot of Security > AP Policies
Then under same tab, click on Add > enter mac address of AP 00:14:69:3b:ee:20 > enter certificate type MIC
and see if this AP can join -
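The two log lines posted in this thread name different devices: an access point whose join was refused (AP authorization failed) and a client station that failed web authentication. The following added example, which is not from the thread or from Cisco, parses the posted line format and keeps the two failure types apart; the function names are hypothetical and the severity names assume the standard syslog scale.

```javascript
// Added example: field parser for the controller log lines quoted in this thread.
// Severity names assume the standard syslog scale (0 = emergency ... 7 = debug).
const SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"];
const LINE_RE = /^\*(\w+): (\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (\S+):(\d+) (.*)$/;
const MAC_RE = /\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b/i;

// The two lines exactly as posted above.
const POSTED_LINES = [
  "*spamReceiveTask: Jul 28 08:38:28.078: %LWAPP-3-RADIUS_ERR: spam_radius.c:137 Could not send join reply, AP authorization failed; AP:00:14:69:3b:ee:20",
  "*emWeb: Jul 28 08:38:17.314: %PEM-1-WEBAUTHFAIL: pem_api.c:4990 Web authentication failure for station 00:25:d3:9a:cb:da",
];

// Split one line into task, timestamp, facility, severity, mnemonic, source and MAC.
function parseWlcLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const mac = MAC_RE.exec(m[8]);
  return {
    task: m[1], time: m[2], facility: m[3],
    severity: SEVERITY[Number(m[4])], mnemonic: m[5],
    source: `${m[6]}:${m[7]}`,
    mac: mac ? mac[0].toLowerCase() : null,
    message: m[8],
  };
}

// Keep AP join rejections and client web-auth failures apart, since they
// concern different devices and are fixed in different places.
function triage(lines) {
  const aps = new Set(), stations = new Set();
  let unparsed = 0;
  for (const line of lines) {
    const ev = parseWlcLine(line);
    if (!ev) { unparsed++; continue; }
    if (ev.facility === "LWAPP" && ev.mnemonic === "RADIUS_ERR" && ev.mac) aps.add(ev.mac);
    if (ev.facility === "PEM" && ev.mnemonic === "WEBAUTHFAIL" && ev.mac) stations.add(ev.mac);
  }
  return { apJoinRejected: [...aps], webAuthFailed: [...stations], unparsed };
}
```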
We have url-directed login page for web authentication.
Why does the Cisco page flash, in a bit of a sec, before it goes ahead to the directed url?
Unfortunately, some customers are not happy with this.
Can that Cisco page be totally eliminated?
no... the client doesn't get the full-blown cisco web-auth page. just at the Title bar of the Window, the Cisco Title bar appears very swiftly and is directed right away to the supposed external web authentication page.
the code used and tested with were 4.1.171, 4.2.185, 5.2.157. and the behavior is the same for all code. it will flash that Cisco title bar and then directs right away to the external web authentication page.
nope, we're not trying to do something special. just the customer noticed it and somehow is not happy with it.
what could be the best acceptable explanation we can provide our customer for this very small yet customer-annoying instance. is there a Cisco document that we can show the customer regarding this behavior?
Thanks! -
Cannot connect to web auth login page
Controller is vWLC 7.4, AP is 2600. Browser gets successfully redirected to 1.1.1.1, so DNS appears to work. However 1.1.1.1 does not respond. Wireshark in the client shows SYN frames but no response. I tried various debugs but nothing is shown on the WLC when the client attempts to reach the login page. 1.1.1.1 is not used in the local network and ends up at the default route. WLAN operates in central mode.
The browser works when web auth is disabled, but when enabled in either "authentication" or "passthrough" mode any attempt gets redirected to 1.1.1.1 and times out at that point. Telnet to 1.1.1.1:443 failed also.
Same on two different clients using different OS versions.
I've tested it in two very different production VLANs having different DHCP servers. Any client connected to those VLANs, whether by Wifi or Ethernet, gets an IP address and can work normally. The Wifi client also works fine when L3 web policy is disabled. A client connected via AP successfully gets an IP address in any case. DNS resolution has been verified and the redirection to 1.1.1.1 also works. It's just the connection to 1.1.1.1 which fails, everything else up to this point appears to work.
BTW: Is there a way to test the availability of the authentication web server on the WLC, locally? I can ping 1.1.1.1 successfully, but this only verifies the interface, not the web server. Normally I'd try a telnet to 1.1.1.1:443, but did not find anything similar on the WLC.