WEB Authentication Certificate on WLC4400 - Guest Access

Similar Messages

• Central web authentication

  I have downloaded the new Cisco ISE, I've managed to configure 802.1x and MAB succesfully but I want to configure wired centralized web authentication, but I cannot find any documentation how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
  I want to achieve the following authentication order on a switchport:
  802.1x
  MAB
  central web authentication
  So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
  I've configured the switchport with the following commands
  switchport access vlan 99
  switchport mode access
  switchport voice vlan 50
  authentication event no-response action authorize vlan 32
  authentication host-mode multi-domain
  authentication order dot1x mab webauth
  authentication port-control auto
  authentication violation protect
  authentication fallback webprofile
  mab
  dot1x pae authenticator
  dot1x timeout quiet-period 2
  dot1x timeout tx-period 2
  spanning-tree portfast
  spanning-tree bpduguard enable
  the web-profile with access-list to permit DHCP traffic between the attached device and any DHCP server in the vlan 99, and communications with ISE (also in vlan 99) at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
  SW01T#sh fallback profile webprofile
  Profile Name: webprofile
  Description : webauth profile
  IP Admission Rule : NONE
  IP Access-Group IN: 133
  FYI, the access list:
  Extended IP access list 133
  10 permit ip any host 10.175.0.29
  30 permit udp any any eq bootps
  40 permit udp any eq bootpc any
  In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
  (attributes of the profile):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
  But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
  001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.2
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  5d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
  from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0
  AAF003E000000582E866B69
  001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for cl
  ient (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B
  69
  001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication
  methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003 001420:
  Is there some configuration guide or steps available in order to make this work please?
  kind regards

  Hi Tarik,
  thank you for the fast reply.
  I've configuried the extra settings you told me (although I thought the ip admission configuration was only for local web authentication (where the switch acts as a http server).
  But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
  If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
  Switch# show auth sessions int fa 1/0/3
             Interface:  FastEthernet1/0/3
           MAC Address:  0011.25d7.6c6c
            IP Address:  10.175.0.229
             User-Name:  001125d76c6c
                Status:  Authz Success
                Domain:  DATA
       Security Policy:  Should Secure
       Security Status:  Unsecure
        Oper host mode:  multi-domain
      Oper control dir:  both
         Authorized By:  Authentication Server
            Vlan Group:  N/A
      URL Redirect ACL:  webauth
          URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?session
  Id=0AAF003E0000175A43004FE3&action=cwa
       Session timeout:  N/A
          Idle timeout:  N/A
     Common Session ID:  0AAF003E0000175A43004FE3
       Acct Session ID:  0x000018CF
                Handle:  0xEF00075B
  Runnable methods list:
         Method   State
         dot1x    Failed over
         mab      Authc Success
         webauth  Not run
  As you can see, the "web authentication" is the result of a "succesful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on and this is of course sent to the switch as a succesfull MAB:
  authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
  Access Type = ACCESS_ACCEPT
  cisco-av-pair = url-redirect-acl=webauth
  cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
  If I check the "show ip admission cache", nothing is seen in there.

• ISE Web Authentication with Profile

     Hi,
     I'm using Web Authentication with Cisco ISE 1.2.1 without problems.
     The Cisco ISE didn't find the endpoint in my internal endpoint store and continue with Web Authentication
     But when I enable the PSN with the Profile Server, the Cisco ISE populate dynamically the internal endpoint store and I cannot use
     the Web Authentication cause the endpoint is already in the internal endpoint store.
     What's the better way to solve this problem ?
     Thanks in Advanced
     Andre Gustavo Lomonaco

      Hi Neno, let me clarify my question
      I'm already using my internal endpoints to permit authenticate via MAB my IP Phones, Access Points and Printers.  I'm using Profile to be able to populate this ISE internet database.
      Now imagine that I wanna use the Web Authentication to permit authenticate guest workstations without 802.1x.If the profile put the guest workstation mac in the endpoints database, those workstation always will be authenticate using the MAC authentication and not the Web Authentication. Remember that for the Web authentication works we need to configure the continue options if the mac are not found in the endpoints database. But when the profile is on, the news (guest workstations) macs are inserted in endpoints database before I have chance to use the Web Authentication.

• Is dynamic VLAN assignment supported with web-authentication?

  The 7.6.130.0 WLC configuration guides says this:
  "Dynamic VLAN assignment is not supported for web authentication from a controller with Access Control Server (ACS)"
  How should we interpret this, exactly? Does this mean that dynamic VLAN assignment is supported with web authentication from a controller if some other RADIUS server is used (Eg: FreeRadius, ISE)?

  It is not supported with any kind of radius server. The radius attributes ACS uses for pushing those settings (64,65,81) are the same for every other radius implementation. Pushing a QoS profile does work.

• Guest access web authentication issue

  Hello experts-
  we have a problem concerning secure guest access. One controller 4402 is installed in DMZ and is working as guest anchor WLC. The guest user terminates as this anchor wlc. From this controller the client will get the ip address but when the user will open the browser and insert the url like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via Web browser the authentication page will not be seen. Proxy setting in browser are deactivated. DNS works, if no authentication is configured Internet access is working well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
  Has anybody any ideas?
  Thanks a lot, Martin

  First of all, when you configure the wlan to open, do you see that device on the anchor controller or the foreign wlc? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor wlc. Verify that the ssid has mobility anchor configured. Also you must make sure that your ssid on the foreign and on the anchor wlc. The webauth page will need to be installed on the anchor wlc along with the 3rd party certificate if you use one.

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio

• ISE 1.2 Guest Access for EAP(Dot1x) Authentication

  Hi.
  I want to use encryption for guest access. 
  In order to use the "RADIUS-NAC" in the WLC, you can not use or "Open + MAC" only "WPA + dot1". 
  (Specification of the WLC) 
  When the "Open + MAC", return from the ISE at the time of the "Web Authentication" in the "Session-Timeout Attribute", I was able to forcibly disconnect the radio. 
  (Attribute is the same value as the (ISE TimeProfile) time the guest user can use) 
  If you connect to a wireless terminal to forced disconnect after screen of Web authentication is displayed, you can not login. 
  (Because the account has been revoked) 
  I want to make even dot1x this environment. 
  However, because it becomes the "re-authentication time" If dot1x, as long as the terminal is connected to the radio, it is not cut. 
  In addition, even in the setting of "Attribute Termination-Action = Default", does not return until the Web authentication. 
  (Status of the WLC remains "Auth Yes") 
  (Session of the ISE remains "Started") 
  Use the (EAP) Dot1x, Can I "is allowed to forcibly disconnected," "to match the time of TimeProfile" in the same way as "Open + MAC" thing? 
  Thank you.

  Note：
  Cisco ISE:Version1.2.0.899-8
  Cisco WLC(5508):Version 7.6.120

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Guest Access - Layer 2 security WPA PSK - Layer 3 security web auth

  I am not able to test this.
  Has anybody configured the CUWN guest access with WPA PSK layer 2 and Web authentication layer 3
  If so are there any problems that I should expect
  Mark

  Mark,
  I have setup wireless in two other compainies related to Rail... The biggest issue will be who will support the guest users and will they take the responsibility. Their security team didn't want that and were fine with tunneling the users to either a dmz or seperate Internet connection. Will dhco release the address... Not right away. You can play around with the lease tim and see if your laptop keeps getting the same address or one higher. If the isue is with dhco being used up from association, then don't broadcast the ssid and have the receptionist hand out the ssid with username and password. My clients use a default username and passowrd but changes that every week. They seem to prefer that over changing it every day or have a username passeor for every guest user. They use wcs to print out the guest credentials. Again, the network team has the recepionist doing this, so they made sure that they are not making too much extra work for them or else they would have to be responsible for guest users.
  Hope this helps.

• WCS and Guest account / limited usage web authentication

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Here my problem I need to be able to limit my AD users to a 10min access to the WLAN.  I see you can do this for guest accounts, but you have to manually enter a username and password.  I would like the web authentication to use our ACS which is tied in to our AD.   Is there a way to do this? 

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Weterry,
  Here the whole story.  I have a bookstore that going to have “Demo” pc for students to buy.  The want to show the internet on these devices, but our security guy require all users to logon.  I was hoping to find a way to let user logon quickly to test these devices.
  I have already figure out the web auth and that great feature, but you have to manually enter each user.   If I could get that to use AD and limit each to 10min that would be great. I would like to setup a SSID for the demo devices and limit users to 10 min.
  I have 2 WiSM controllers running 6.0 also have WCS .
  Thanks
  Chappy

• Anchor Guest 3.2.171.6 Web Authentication page issue

  Hi folks,
  I'm having issues with our Anchor controller here running 3.2.171.6. Using a chain certificate for our Web authentication re-direct Page to a WEB-server. sometimes the Guest Clients are not re-directed to the WEb authentication page. After I reboot the Anchor this resolves the issue. I need to use this code to support the ipsec vpn module. any ideas would be appreciated.

  you need to try to find a non-chained certificate. I know that most CA do not use these anymore, but need to find one. WLC does not support chained-certificate until 5.2. It may work, but it is not supported.
  HTH,
  Steve

• How do I disable guest access in the advanced web controls? E2000

  Due to cisco connect not connecting and my rouer having some problems I have reset it and gone straight into the advanced web control panel. I have everything set up and running, but I see no way to turn off guest access. I do not want any "guests" to be able to access my  E2000 router, how do I disable that in the advanced web control panel?

  sabertooth is correct. The Guest network is managed by Cisco connect software only.
  You can reset the router and reconfigure it manually.
  Press and hold the reset button on the router for 30 seconds. Release the reset button and wait for 30 seconds. Power cycle the router and reconfigure it manually.

• Guest Parameter for Web Authentication

  Hi Forum,
  Just to find out a little more detail in regards to the guest account created for web authentication using Ambassador account.
  1) If the authenticated guest did not perform a proper logout, what action will the WLC take?
  2) As such, is there any timeout involved?
  Where can i tune the timeout?
  Rdgs,
  Kelvin

  Hi I just wanted to add what I have found regarding WCS and the guest feature.
  -There are two ways to configure a "local net user". The first is a static guest ID that has the "guest" flag off. This means that the client's session will not timeout. The second is to specify the "guest" user checkbox and give it a timeout value in seconds.
  This should let you control how long a user is logged in.
  From the WLC login, go to SECURITY --> LOCAL NET USERS --> then click on NEW. From there you can specify a user ID and also set that optional guest user box. If you click on the Guest User box then you will see a timeout field.
  With my guest account set to not be a guest user (no timeout value), I have noticed the following.
  1. If a guest gets disconnected, usually they will reassociate and still be able to log in.
  2. If a guest has problems, I usually tell them to disable their wireless card, close all browser windows, and then reassociate to the network.
  The steps above have worked well for my setup...

• Locally switched Guest WLAN with Web Authentication

  I have a remote location that has its own internet pipe.  I have set up a new guest SSID and set to switch locally and changed the AP mode to Flex connect. When I connect to the new SSID, I get an IP address from the local LAN, but the Web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interace of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

  You are close in your understanding.
  If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WiSM and GUEST web authentication

  I have a WiSM and we use Cisco open web
  authentication with a user email address.
  When performing  this command via CLI:
  >config network secureweb disable
  >save config
  > reset system
  Will this make the web authentication come up HTTP instead of HTTPS ?

  That command is in order that you manage the unit.
  However there used to be a workaround that when you disable HTTPS and SSH and you reboot the WLC the web authentication will be showed as http and no https.
  Let me know if it works for you