Web-Auth with 802.1x
Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in it's own secure VLAN.
I am trying create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works jsut fine. It is just the Web-Auth using 802.1x where it seem the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.
Hi,
I don't know if you have resolved the problem or not, But I will propose my solution anyway,
There are two ways to solve this problem, either to make the controller send the radius request with md5 or make the windows reply to the radius requests that does not contain a md5 hash
Microsoft Solution:
When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
That should make the IAS respond to the web auth requests.
WLC Solution:
I haven't tested this solution, but I think it will work. if you did test it, please let me know how it turned out.
By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
Hope that solves your problem, and please let me know how the problem was solved.
Similar Messages
-
Web auth with , intenal web page of WLC and ISE as radius server
Hi All ,
We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server. AD is integrated with ISE .
When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
"ise has problems communicating with active directory using its machine credentials " and authentication getting failed .
When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
Only for L3 web auth it is not happening..
Any clue on this ..???
Thanks,
Regards,
Vijay.Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
5760 Central Web Auth with ISE
Hi,
I am having problems with getting central web auth to work on the 5760, I cant seem to find any documentation for the 5760-Central Web Auth.
The setup is with a Cisco 5760 and Cisco ISE, for guest users to be re-directed to ISE guest portal to authenticate. Has anyone configured this or have any advice, that would be great.
ThanksHi Roger,
I have gotten CWA running on the 5760 with ISE, below is the config for the guest SSID:
wlan Guest 1 TEST-guest
aaa-override
ip dhcp required
mac-filtering cwa_macfilter
mobility anchor 10.1.1.100
nac
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security dot1x authentication-list ISE_Auth_Group
session-timeout 14400
no shutdown
! ***You will need the following commands as well:
ip http server
ip http authentication local
ip http secure-server
aaa authentication login ISE_Auth_Group group ISE
aaa authorization network cwa_macfilter group ISE
Hope it helps =) -
How to generate CSR on switches for web auth with NGS
Hello
I am doing a dot1x solution with web auth on cisco 3750 switches.
Once the wired client get put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the cisco switch is selfsigned.
I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
Is there any way to solve this?
Greetings
StevenHi Steven,
The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
This document goes into a little more detail on all the indivual commands and what they do:
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
Thanks,
Nate -
Web Auth with AAA (RAIDUS) Failure
Hi Guys,
We are having an issue with out Web Auth Using AAA Servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER, This error is from the Web Interface, I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on but I can see anything under the Web-Auth Debug for AAA Authentication.
I have checked on our RAIDUS Servers and I can't find any errors relating to Authentication with the NPS.
Does anyone have any suggestions?Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
I want the automatic redirection to the login page work when a proxy is configured in the IE parameters.
I used the command "config network web-auth-port 8080", but when I open IE, I'm not redirected to the login page (the DNS request works).
When I do a "telnet www.google.com 8080" and then "get http", I get the page.
Any idee?In my experience it does not work with a proxy. If you disable the proxy you will get the login and then get redirected, which will then fail until you enable the proxy settings. WLC will try to resolve the homepage of that user, which of course will fail since it doesn't know of the proxy. You will have to either use a term and condition on a custom WebAuth page or implement a content filter application like WebSense.
-
I am trying to setup a scenario where a user logs in via Web Auth and witha successfull connection the Mac Address is remembered for 7 days. That way if the user connects again during the course of 7 days they aren't required to authenticate via web auth again they just get access. After 7 days they will need to login again through the web auth. Similar scenario to what you see at a Hotel wireless network. Anyone know how I would go about setting up the dyanmic mac filtering and set the timer for 7 days? With that said I want it to be for a single SSID.
well, it's not possible with just the WLC.
You can do it, but you need to have a way to pull the MAC address from the webauth page, and insert that into a LDAP db, which you control the age out process in.
Then on a subsequent visits they get mac-authed instead of having to re-accept the page.
in the webauth config you would check the On MAC filter failure box.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Central Web Auth with Anchor Controller and ISE
Hi All
I have a 5508 WLC on the corporate LAN and another 5508 sat in a DMZ as an anchor controller.
I also have an ISE sat on the corporate LAN.
Authenticate is working fine to the ISE and the client tries to re-direct to the ISE Portal but doesn't get there.
DNS is working fine and the client can resolve the URL of the ISE to the correct IP address.
I have a redirect ACL configured on the foreign controller which permits DNS, DHCP and traffic to and from the ISE.
My questions are:
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL - I don't believe it does.
4. Is ICMP still blocked by the WLC until the web authentication is complete?
Thanks.
Regards
RogerHi Roger,
Thanks for your brief explanation here are the answers for your queries.
1. Do I need to re-direct ACL to be present on both the foreign and anchor controllers?
The only catch is that since this web authentication method is Layer 2, you have to be aware that it will be the foreign WLC that does all of the RADIUS work. Only the foreign WLC contacts the ISE, and the redirection ACL must be present also on the foreign WLC.
2. Since the Radius requests originate from the foreign controller do I need to configure the ISE server address on the WLAN on the anchor?
Yes, you have to configure the ISE server address on the anchor WLC.
3. Does the re-direct ACL need to be enabled on the advanced page of the WLAN on the foreign to over-ride the interface ACL
Yes, you should override AAA under advanced tab of WLAN as ACL will be present on the foreign WLC.
4. Yes, ICMP will work only after the sucessful web auth is complete.
Please do go through the link below to understand the Anchor-Foreigh Scenario.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11
Regards
Salma -
Where are the registered users email addresses stored when using the default internal web authentication page with email input option?
Hey Jason,
Are you in healthcare ? -
WLC 5508- how to setting up with Web auth with 2 profile
Hi Guys,
I wanted to control the 2 different profile to access internet with Cisco default landing page is that possible??
Example:
When connnected the SSID will redirect to Cisco landing pages
Cisco landing pages will differentiate there is member or guess with the password key in.
Member can access internet for 30 minute
guess only can access internet for 15 minuteJust some notes on WebAuth in the WLC. The timeout is specified per SSID so there would be no way to set a timeout unless you use a radius server and send a radius attribute to the WLC to set the session timeout.
So we really need to know if you have a radius server, is the radius server tied to Active Directory or is the plan just using the WLC for everything.
Sent from Cisco Technical Support iPhone App -
Dot1x (Switch) Question with MAC bypass & Web Auth
Is it possible to configure dot1x with MAC Auth bypass along with web authentication?
The goal is to first try dot1x
If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fall back to dot1x gives me the other half. Can these be using in conjunction to accomplish what is needed here?
There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
Help is much appreciated.
Thanks,
JasonIs it possible to configure dot1x with MAC Auth bypass along with web authentication?
The goal is to first try dot1x
If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fall back to dot1x gives me the other half. Can these be using in conjunction to accomplish what is needed here?
There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
Help is much appreciated.
Thanks,
Jason -
WLC Web-auth fail with external RADIUS server
I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
WLC 4402 version 4.1.171.0
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.htmlHi,
I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below
: Authentication failed for gcasanova. When I set the controller to Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
Can someone tell me what's wrong?
*radiusTransportThread: Oct 26 11:02:13.975: proxyState...................... .............00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:13.975: Packet contains 0 AVPs:
*emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
*aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
*aaaQueueReader: Oct 26 11:02:29.985: Callback.....................................0x8576720
*aaaQueueReader: Oct 26 11:02:29.985: protocolType.................................0x00000001
*aaaQueueReader: Oct 26 11:02:29.985: proxyState...................................00:24:D7:40:E5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.986: Packet contains 11 AVPs (not shown)
*aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
*aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20 1d ef be 29 e6 3a 61 6d .V...H.....).:am
*aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63 61 73 61 6e 6f 76 61 3c +..$..gcasanova<
*aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a a5 35 af 7c ef 83 c7 58 .<.....z.5.|...X
*aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26 6d ab 49 ea da 7c 5a 8e ...(.Z.&m.I..|Z.
*aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00 00 01 04 06 0a 02 00 06 ..pi............
*aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a 50 41 52 2d 57 4c 43 31 ........PAR-WLC1
*aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c 00 00 37 63 01 06 00 00 =.........7c....
*aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32 2e 30 2e 31 35 36 1e 0a ....10.2.0.156..
*aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36 50 12 7f 86 5a c5 61 ad 10.2.0.6P...Z.a.
*aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16 9e 10 .T..B.....
*radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84 83 00 87 83 b9 10 64 e1 .V............d.
*radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e f..^
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
*radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
*radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
*radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
*radiusTransportThread: Oct 26 11:02:29.989: structureSize................................32
*radiusTransportThread: Oct 26 11:02:29.989: resultCode...................................-4
*radiusTransportThread: Oct 26 11:02:29.989: protocolUsed.................................0xffffffff
*radiusTransportThread: Oct 26 11:02:29.989: proxyState...................................00:24:D7:40:E5:00-00:00
*radiusTransportThread: Oct 26 11:02:29.989: Packet contains 0 AVPs: -
Hello all!
I have a Cisco WLC 2500 running software version 7.0.220.0 and one of its WLANs it´s configured to Web Auth with LDAP (Microsoft AD) and it´s working fine.
Now i need to figure out how to list all the authenticated users, they IP Address, AP Name and some other informations located in the Clients > Detail page.
Is there any CLI command that will show the information I need? Or even another way to retrieve that information?
Thanks in advance.
Valdecir
São Paulo, Brazil.The only way you can see this detail is from the CLI of the WLC:
show client summary
Find the mac address of the user
show client detail <mac address> -
Web Auth logout windows shows IP address as URL vs DNS
We are using Web Auth with DNS name which works fine. We did notice however that upon successful login that the logout popup page displays the logut url with the IP address and not the DNS.
Is this a bug?
Runnig WCS 4.2.62.0 WLC 4.2.112.0See steps below. It might be clearer this way.
Guest user gets an IP address via DHCP with DNS information.
Guest user goes to website www.cisco.com
Guest User is redirected to Web auth page https://webauth.xyz.com/login.html?redirect=www.cisc.com/
Guest User logs in
Guest User receives POPUP page indicating successfull login and is reminded to either minimize this window or remember the URL to retrieve this window to logout.
It is here the the URL indicates the IP address http://1.1.1.1/logout.html and not the DNS name http://webauth.xyz.com/logout.html -
Guest Anchor with web auth using ISE guest portal
Hello All,
Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
massive thanks to anyone that can assist.
JS.Thanks for the reply RikJonAtk.
so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in Advanced,
JS
Maybe you are looking for
-
How can I attach a picture to an email in file format not as a picture
how can I attach a picture to an email in file format,
-
Itunes not recognising gen 5 ipod touch on windows 8
Connecting my new gen 5 ipod to windows 8, recognised by laptop but itunes does not show any devices connected,This is first time. any suggestions.
-
I am going to encode some videos of a Dr.'s office I shot with a Canon xh-a1 in widescreen sd to the web. I am thinking 320x240 but do not know what the best type of file to use for the web. Also I have noticed that there are black borders at the to
-
Computer shuts down and reboots when downloading ios 5
my friend its trying to update his ipod touch 4th gen 64gb to ios 5 but both his i mac pro and windows 7 computer shuts down and reboots with the download gets to 50%
-
Why when i shut down the iphone 4s the social networks fail? s.o.s.
Facebook, Twitter ans WhatsApp stop working if i shut down the iphone. I must to restore each time in order to fix it.