Web Auth Redirection

I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.
The problem I have, amongst many, is that I can create a guest user directly on the ISE and the guest can log in. The ISE monitor shows the guest authenticates, but the client's webpage passes them back to the login page, not on to the original client URL. The web auth is pointed at the ISE/guestportal/portal.jsp page.
If I point the web auth at the internal WLC page using a WLC local user account it works.
If I set the guest access to pass through it works without issues getting dhcp and dns.
On the ISE is there a policy needed to say if guests are web authenticated give them access?
The need is for AD authenticated users to be able to create guest users. The AD authentication works for sponsorship and guest creation; it's just the guest access redirection I am having issues with. Does anyone have any ideas where I might be going wrong?
Thanks for any ideas, Mick

Does this work if you point to the WLC internal page and use AAA credentials?

Similar Messages

  • WLC Web Auth Redirect URL point to an ISE Policy NODE only?

    Hi all,
    I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

    Thanks Peter for your clarification regarding the semantic I used and the question I made.
    Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on a 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up... I could see the IE tab showed Web Auth Redirect though... Changing the web-auth secure web back to enabled and rebooting the WLC fixed the issue... Has anyone run into this before, and any idea how to fix it?
    Thanks in advance for your input!
    Robin

    The custom page might be from the Cisco web auth page sample by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to disable the web-auth secure web on the main controller?
    This anchor is running in production and has to be rebooted after hours; I will do the test and let you know how it goes.
    Thanks!
    Robin

  • Web Auth Type: Customized(downloaded) Redirect URL after login not working.

    5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public SSIDs set up to go directly to the internet.
    Everything is working as it should. I downloaded the web auth bundle from Cisco and will just use a disclaimer page, and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
    I have edited the aup.html and login.html to say what I want them to. I have 2 different login.html pages and bundle them to a .tar file like the documentation says. I download it via TFTP to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should. The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined.
    I must be missing some setting somewhere, but I just cannot seem to find it. Is there any line I need to edit in the login.html files that will redirect the page? The config on the Web Login Page Redirect URL after login is http://www.mccg.org which is our home page.
    Any help will be appreciated. I cannot seem to find very good documentation, or I am just overlooking something.
    Thanks
    John   

    Your HTML code is wrong. Attach your code if you're okay with it and I can check.
    Sent from Cisco Technical Support iPhone App

  • Redirection without web-auth

    Hi all,
    I came across a  setup which is bit different to what I have seen in the past.
    Basically the client gets redirected  to the NAC login page but there is no web-auth related configs under the WLAN on the WLC.
    Just to confirm I had look at the WLAN security but they only had a PSK no other security configs.
    Any ideas on how this could be achieved? I have experience with web-auth but this approach seems much simpler.
    Thanks,
    janesh

    For ISE you can follow the TrustSec Guide Here
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_40_webauthentication_dg.pdf
    or this general CWA with ISE and WLC guide here
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    It involves using MAC Filtering in order to hit ISE for MAB authentication and the use of CoA for changing session states as you go through the authentication flow.
    This requires WLC version 7.2.110.0 at a minimum along with ISE 1.1.1 for the full feature set.

  • Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

    Hi everyone.
    I'm setting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps in this Cisco page to get it working:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
    I'm only testing the wired environment right now.
    I plug a PC into a port, and I try to get access to a random internet page (for example www.cisco.com). It is automatically redirected to the authentication page. I type the username and password, but when authentication passes, it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception (the "continue on this webpage" option in IE) for that page in order to continue with the authentication and get access to the internet. I'm attaching the steps I have to perform:
    I think it is related to the certificate, but I'm not quite sure which or where. I'd like to have some advice from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https that would be great.
    Thanks a bunch for your help
    Victor Alves

    You need a certificate that your client will trust.
    The easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors, so that's automatically trusted.
    You could also issue the certificate yourself, for free:
    - Self-signed: the signing authority is the switch... That means you need all your PCs to trust all your switches. Manual operation...
    - You create an enterprise CA and create a certificate for all your switches: you just need your clients to trust your enterprise CA, so that's still a manual task but a simpler one.
    When laptops are integrated in a domain, it's usually easier to create your CA on Windows Server and push the certificates to the clients automatically.

  • Firefox does not redirect users to web auth page

    I have a client that uses web auth for the guest wireless. When a user opens up FF, it does not automatically redirect them to the web auth page. However, IE and Chrome work fine. If you copy and paste the redirection page into FF, it will go to the page then. The only two possible solutions I have found are to either enable web auth proxy or regenerate the WLC self-signed cert.
    Anyone have any other ideas? 
    TIA,
    Dan

    I've been trying to figure out a very similar issue where Firefox wouldn't open the guest webpage (the connection was interrupted) and finally found it was caused by opening Yahoo as my startup page. I changed it to Google, for example, and it comes up every time now. When set to Yahoo I could clear my cache and it would work once but then wouldn't work again. If I load Yahoo as the startup page in IE it works every time. Very strange.
    Here's what the debug looks like:
    *webauthRedirect: Jul 23 20:59:33.793: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.794: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.795: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.806: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.807: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.810: xx:xx:xx:xx:xx:xx- received connection

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
    Massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the not-used column and hit apply. If I move to another menu and then check the priority order again under the AAA servers tab, local and LDAP have been moved back to the field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in advance,
    JS

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create user account in ISE sponsor portal with one hour lease.
    In 10 minutes we delete (or block)  user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
    This happens because WLC thinks, that client is still associated.
    There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or user that the client session is blocked.
    How can the user account blocking process be automated without manually deleting the client session from the WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
    Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    from BUG Toolkit there is Release-Pending in "Fixed-in" option.

  • ISE web auth for non-cisco switch(D-link 3528)

    Is it possible to use ISE(inline posture node) to redirect the wired users to ISE guest portal ?
    And the wired users will get full network access after they pass the web auth.

    You can use the ISE in-line posture node with 3rd-party switches.
    The RADIUS access device must supply the following RADIUS attributes:
        Calling-Station-Id (for MAC_ADDRESS)
        User-Name
        NAS-Port-Type
        RADIUS accounting message must have the Framed-IP-Address attribute
    VLAN and DACL features can be used, but again it depends on switch models; let us know the specific switch models. Certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality.

  • Central Web Auth with Anchor Controller and ISE

    Hi All
    I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
    I also have an ISE sat on the corporate LAN.
    Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
    DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
    I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
    My questions are:
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
    4. Is ICMP still blocked by the WLC until the web authentication is complete?
    Thanks.
    Regards
    Roger

    Hi Roger,
    Thanks for your brief explanation here are the answers for your queries.
    1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
    The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
    2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
    Yes, you have to configure the ISE server address on the anchor WLC.
    3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
    Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
    4. Yes, ICMP will work only after the successful web auth is complete.
    Please do go through the link below to understand the Anchor-Foreign scenario.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
    Regards
    Salma

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
    The two WLCs have about 100-170 clients connected.
    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will this be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    > Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Web auth with internal web page of WLC and ISE as RADIUS server

    Hi All ,
    We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server.  AD is integrated with ISE .
    When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
    "ise has problems communicating with active directory  using its machine credentials "  and authentication getting failed .
    When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
    Only for L3 web auth it is not happening..
    Any clue on this ..???
    Thanks,
    Regards,
    Vijay.

    Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Problem with Web Auth

    hi
    I have two wireless networks, one for the guests and the other one extends the corporate network. I created two VLANs on my 6509 switch and mapped the VLANs to the WLANs. All is working fine, but when I enable web auth for guest I can no longer ping my gateway or browse, and even web auth is not authenticating against the internal users configured on the WLC... web auth just won't work.
    What could be wrong? I really need to authenticate using web auth.

    OK, so this is what I need:
    Send me show custom-web details.
    So if you open the page, do you get the default Cisco webauth redirected page? Are you able to put in the user name and password?
    Can you send me the screenshot of events?
    Regards
    Seema

  • WLC 4402 - only present guest with web auth page once every (x) days

    Hi all,
    I am looking to migrate our guest wireless from a third-party system to the WLC.  Currently, we change our guest password (WPA2 PSK) every (x) days.  Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept.  The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
    I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
    Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
    Thanks!
    -P

    Wait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers?  The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
    Thanks
    -P
