Web Auth using 5760 Guest Anchor and ISE

Similar Messages

• URL Logging for Guest Traffic using Guest Anchor and ISE

  Hi there all,
  I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
  I'm wondering if anyone has managed to do this using ISE?
  http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

  Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
  I have tried your suggestion and I cannot get the same results as you.
  I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
  i have this configuration...
  dACL
  3k-access#sh ip access-list int fa0/1
       permit udp host 10.1.10.103 any eq domain
       permit icmp host 10.1.10.103 any
       permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
       permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
       deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
       permit ip host 10.1.10.103 any
  Logging config...
  logging esm config
  logging trap debugging
  logging origin-id ip
  logging host 10.1.100.21 transport udp port 20514
  with the above onfiguration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, i do not see any events about the URL that was accessed or even the IP that was accessed.
  DO you know if this can be done? maybe I am looking at the wrong report? Can you help?
  Mario

• Sending plain request to web service using receiver sender adapter and PI and expecting as attachment as response

  Hi
  In my scenario,we are sending plain request to web service using receiver sender adapter and PI will receive response as excel attachment. What are standard module required to achieve this and sequence? or checking Keep attachment box will help us to achieve this? 
  is it possible to receive excel sheet as attachment from receiver soap adapter ?
  Thanks in Advance

  Hi,
  This issue might be due to the invalid .pem certificate file.
  Make sure to include the beginning and end tags on each certificate.                   
  The result should look like this:                
  -----BEGIN CERTIFICATE-----
  (Your Primary SSL certificate: your_domain_name.crt)
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  (Your Intermediate certificate: DigiCertCA.crt)
  -----END CERTIFICATE-----
  For more detailed information, you could refer to:
  https://www.digicert.com/ssl-support/pem-ssl-creation.htm
  Regards

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• WLC Web Auth Redirect URL point to an ISE Policy NODE only?

  Hi all,
  I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

  Thanks Peter for your clarification regarding the semantic I used and the question I made.
  Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

• Web Auth FAIL on guest wlan

  We have a 2100 Wlan controller set up with multiple wlans.
  We are having problems on the Guest VLAN in that everytime a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
  Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
  NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
  If the box is rebooted it works for around an hour, then begins to fail again.
  Any ideas?

  Here is the configuration guide for the Webauthentication for WLC with example it may help you to troubleshoot and configuration
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

• Guest Anchors and external DHCP servers

  Hi,
  We are using guest anchors (GA) for supporting wireless guest user.
  Until now we used internal DHCP server on the GA but now we want to move to external.
  For example:
  The guest will reside on 192.168.0.x, this is separated by a firewall from the inside network and is not routable on the inside.(this is the guest interface of the GA)
  The DHCP server will be somewhere on the internal network only reachable by GA's management interface.
  Is it possible for DHCP requests to be forwarded to the DHCP server originating from the management interface?
  If this is not how it should happen, than what other options are there for placing the external DHCP servers?
  Let me know if you need more information regarding our solution..
  Thank you,
  Laszlo

  Hello Laszlo,
  Yes, what you want to do can be done but there are few things that you have to consider.
  First is that you are not going to use the WLC as the DHCP server so you should go to the interface configuration and point the DHCP server to the external one.
  Now, what you want to do here is to make the wireless LAN controller a DHCP relay agent (or proxy), this way the wireless LAN controller is the one handling all the DHCP requests and it is going to be the one asking for an IP address in behalf of the client using the management interface. This behavior is enabled by default and I believe you have it already configured because it is necessary for the internal DHCP server of the WLC to work; it is configured on the "Controller" tab > Advanced > DHCP. On new versions of software this option is configurable by interface.
  There is a catch though, if the DHCP server is an ASA or if the request has to go through an ASA or firewall, this might not work because by design some ASAs will drop every DHCP request comming from a relay agent so just consider this when you do these type of deployments.
  If you have any questions let me know.
  Best regards,
  Marco Gonzalez
  Cisco TAC TL

• Web-auth using ASA and ACS 5.1

  In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use?  The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store.  Is this even possible with TACACS? 

  Hello,
  You might want to look for "Cut through proxy" on Cisco.com. That feature would allow you to accomplish the described scenario! Also, you might want to use RADIUS instead of TACACS+.
  Regards.

• Calling a Web Service in another Web Service using JDev10.1.3 and AS 10g

  I am using JDeveloper 10.1.3.0.4.3673 and Oracle AS 10g 10.1.3 on Windows XP Professional Version 2002 service pack 2.
  Has anyone called a web service in another web service? I have not researched this yet. I assume it is possible. I need to get this figured out asap.
  My guess is that
  1. For the web service which is going to be called in the other web service, you need to create client-side proxy to call the web service - create a static method to instantiate and call the service.
  2. I would deploy this client-side proxy Stub which calls the web service along with the other web service which calls it to the Oracle AS 10g.
  Is this right? Is there any documentation on this specific thing?

  Hi,
  rhis kind of orchestration is what BPEL is made for.
  http://www.oracle.com/technology/products/ias/bpel/index.html
  Frank

• Schedule webi report using  BW data source and send through email..

  Hi  all,
  I want to schedule webi report and send it through email.
  I am able to send through email.
  here im  got stopped how to schedule the report from bw data source . i have to schedule in webi infoview how to give date format in universe the report sholud run for (sysdate-2) daily
  eg. today is 02-DEC-2011 if i schedule the report it should run for 30-NOV-2011.  iam trying in both BW qyuery and CUBE im not getting how to give date format in
  let me knw is there any solutions..
  im using XIR3 3.1 sp3
  bw 7.1
  Integration kit sp3
  Regards,
  Ravi Sarma.

  it is resolvede by keeping sysdate-2 variable at bw query side i have solved my issue.
  Regards
  ravi

• 7.5 web-auth client sleep timer feature

                     The 7.5 release advertises the ability to configure a timeout value so that guest clients which go to sleep are not re-prompted for web-auth.  Does anyone know if 7.5 would only be required on the anchor WLC or must it also be on the foreign?  We utilize web-auth for a guest WLAN and anchor it to a WLC in the DMZ.  Preference would be to NOT load 7.5 on every WLC we have and only upgrade our guest anchor.
  Thanks!
  Anthony

  Hi Scott ( and all ),
  I was making some tests with sleeping client with a infrastructure like this:
  - 2 foreign ( 5508 ) with the APs and client association
  - 2 anchor ( 4402 ) on the DMZ
  - radius for client auth
  From my understand the :
  - clients are associated to the foreign but
  - the authentication is forwarded to the anchor
  ( I can see the request on the radius with the anchor NAS IP address and, before the client is authenticated, i get the status as REQ_D state on the anchor )
  So I suppose the sleeping client feature should be on the anchor ( or on both wontroller ) and not only on the foreign. I'm wrong ?
  If You've some Idea to let it works with only sleeping config on the foreign i will solve one big issue because my anchors are 4402 without sleeping feature available.
  All is working fine on the foreign if I remove the anchor configuration ( by the way, like this isn't anymore a foreign )

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• Enable Session Timeout - Guest web-auth

  Hi All,
  Just a quick one. If this timer expires when using web-auth on a guest wlan in the following way
  PC --Ap -- WLC (campus) -- Anchor WLC (DMZ) --- www
  Does the web session break and the user will be redirected to the web authentication page?
  Many thx indeed,
  Ken

  Hi there.
  http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html#wp1048408
  Thanks for the doc above. It has the info in there. Many many thx for your help.
  Ken
  The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.

• Guest Anchor N+1: Multiple guest WLANs and Mobility List

  Hi Experts,
  We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
  I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
  And between these two new anchor WLCs, do they need to add each other to Mobility List?
  Or maybe I should ask first, does it matter if they are in the same mobility group or not?
  Thanks
  Cedar

  N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
  Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• 5760 guest network not receiving IP address

  I'm testing a pair of 5760s for a near-term production rollout.  I have the dot1x employee wlan working, but am having trouble with the guest web-auth wlan.  We have a foreign controller with connected APs and an anchor controller in the DMZ.  We're using an external redirect to the ISE guest portal.  ISE is working with our production equipment and hasn't been changed.  However, I'm not able to get an IP address assignment to test the ISE redirect.  When I remove all of the web-auth configuration, I'm getting an IP address without issues.  My configuration is attached below, and would appreciate an extra set of eyes.
  !! Anchor controller
  aaa group server radius ISE
   server name iseservername
  aaa authentication login ISE-MethodList group ISE
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 x.x.127.1 virtual-host guest-redirect.domain.com
  parameter-map type webauth Guest-param-map
   type webauth
   redirect for-login https://guestportal.domain.com:8443/guestportal/portal.jsp
   redirect portal ipv4 x.x.164.35
  ip access-list extended Guest-preauth
   permit udp any any eq domain
   permit udp any eq domain any
   permit udp any any range bootps bootpc
   permit tcp any any eq 8443
   permit tcp any any established
  ip access-list extended Guest-redirect-acl
   permit tcp any any eq www
  radius server iseservername
   address ipv4 x.x.164.35 auth-port 1812 acct-port 1813
   key [verysecretkey]
  wlan Guest 1 Guest
   client vlan 330
   ip access-group web Guest-preauth
   mobility anchor
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth authentication-list ISE-MethodList
   security web-auth parameter-map Guest-param-map
   no shutdown
  !! Foreign Controller
  wireless management interface Vlan60
  wlan Guest 1 Guest 1
   client vlan 60
   mobility anchor x.x.60.160
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   no shutdown

  Have you tried this by enabling DHCP snooping for the vlan 330 on your 5760  & trust 5760 uplink ? In the below I have assume 10G port of 5760 is map to a etherchannel (Po1). Otherwise trust the physical interface.
  ip dhcp snooping
  ip dhcp snooping vlan 330
  interface Port-channel x
   switchport trunk native vlan x
   switchport trunk allowed vlan x,y,z
   switchport mode trunk
   ip dhcp snooping trust
  HTH
  Rasika
  **** Pls rate all useful responses ****