Web authentication on WLC fails to redirect when we enter URL in browser
I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we set up a "Guest Access" we ran into trouble .....
The problem is that we can associate to the SSID/AP and get an IP address. When we open the web browser we do not get redirected to the virtual interface but instead to the _hostname_ of the WLC. Like this:
https://cisco6a19c4/login.html?redirect=nyttintranet.sem10.se/
If we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should: the login page appears, we log in and can access the internet. We have tested with web-auth disabled on the SSID and everything works, we can go directly out to the internet, DNS works without any problems.
A little more info:
2x WLC5508 running r7.0.116.0 and APs are 1142
WLCs connected to Cat4503 via LAG
Guest network (VLAN) is transferred from the WLC via the trunk to the Cat4503 and then connected on an access port to a separate broadband router, then to the internet.
DHCP to guest-users from separate broadband-router which is def gwy and "DNS".
On the virtual interfaces no hostname is configured.
ANY ideas??!?!?!???
Best Regards
Göran Blomqvist
Ooop.... waddyaknow.... As it turned out, one of the WLCs _did have_ a name configured under the virtual interface; of course it was NOT the one that "our" AP was associated with....
That has now been corrected and the guest access is working as intended......
(Oh, yes, we tried with 3 PCs and 2 smartphones when we discovered the 'malfunction'....)
Thanx for the mental push Stefan!!
Regards
Göran
Similar Messages
SNMP web authenticated users wlc 5508
Hello everyone,
I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
I am using an external web server and my client are authenticated with ldap.
I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
Can anyone help me ?
Thanks a lot for your answers.
Hello Julien,
Thank you for the info. +5 for solving your own problem.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
ISE wireless web authentication for guest management not redirecting
Hi forumers'
I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
Whilst on a workstation it's working well.
Attached is a snapshot of what happens on the iPhone.
Any clue to troubleshoot? Thanks
Noel
Hi
I still fail whilst testing on my iPhone.
I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me to "accept certificate".
My WLC local auth certificate (vendor certificate) is signed by the same root CA server as well.
So I tested on a desktop running the Safari browser; it is able to redirect to the ISE guest portal.
Can you please suggest more troubleshooting guidance?
Thanks
This is the outcome for the Safari browser
Noel
Having trouble with web authentication in 5504
Hi everybody,
We're experiencing a problem with our Wireless LAN solution. We have a WLC 5504, an ACS 4.2 and APs 1131AG.
After deploying the solution and doing some tests we noticed that when a user attempted to connect via the wireless network there was too much delay from when they clicked IE (Internet Explorer) until the WLC web authentication page was shown; the delay was around 3 minutes. This issue also occurs despite doing a test from my laptop that was next to one access point; then I moved to another access point and the result was the same, so a laptop problem is ruled out.
Has anybody ever had this kind of trouble? How could I reduce this time? Is it possible? Which part of the configuration should I check?
Regards,
Manuel
Friends,
I've made a mistake. Our WLC is a 4404.
Regards,
Manuel
I have downloaded the new Cisco ISE. I've managed to configure 802.1x and MAB successfully, but I want to configure wired centralized web authentication, and I cannot find any documentation on how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
I want to achieve the following authentication order on a switchport:
802.1x
MAB
central web authentication
So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
I've configured the switchport with the following commands
switchport access vlan 99
switchport mode access
switchport voice vlan 50
authentication event no-response action authorize vlan 32
authentication host-mode multi-domain
authentication order dot1x mab webauth
authentication port-control auto
authentication violation protect
authentication fallback webprofile
mab
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 2
spanning-tree portfast
spanning-tree bpduguard enable
The web-profile has an access-list to permit DHCP traffic between the attached device and any DHCP server in VLAN 99, and communication with ISE (also in VLAN 99), at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?)
SW01T#sh fallback profile webprofile
Profile Name: webprofile
Description : webauth profile
IP Admission Rule : NONE
IP Access-Group IN: 133
FYI, the access list:
Extended IP access list 133
10 permit ip any host 10.175.0.29
30 permit udp any any eq bootps
40 permit udp any eq bootpc any
In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
(attributes of the profile):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with "no-response" message:
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003
Is there some configuration guide or steps available in order to make this work please?
Kind regards
Hi Tarik,
thank you for the fast reply.
I've configured the extra settings you told me (although I thought the ip admission configuration was only for local web authentication, where the switch acts as an HTTP server).
But it still doesn't work. The pc is getting the ip address from the dhcp server but if I open a browser session, I do not get redirected to the ISE portal in order to log me in with a Guest account.
If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
Switch# show auth sessions int fa 1/0/3
Interface: FastEthernet1/0/3
MAC Address: 0011.25d7.6c6c
IP Address: 10.175.0.229
User-Name: 001125d76c6c
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: webauth
URL Redirect: https://ISE.onemrva.priv:8443/guestportal/gateway?sessionId=0AAF003E0000175A43004FE3&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0AAF003E0000175A43004FE3
Acct Session ID: 0x000018CF
Handle: 0xEF00075B
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
webauth Not run
As you can see, the "web authentication" is the result of a "successful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in the documentation). Then I configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on, and this is of course sent to the switch as a successful MAB:
authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=webauth
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
If I check the "show ip admission cache", nothing is seen in there.
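The session output and the %AUTHMGR syslog lines quoted in this thread carry the facts a reviewer checks first on a CWA session (which method actually authorized the port, whether the redirect ACL name and redirect URL arrived, whether the sessionId in the URL matches the session). The following is an added example, not code from the thread or from Cisco: a parser for both formats, with the sample text reproduced from the post above (terminal line wraps kept on the URL line so the continuation handling is exercised) and a summary of the findings that can be read off those fields.

```python
import re

# Reproduced from the thread's 'show auth sessions int fa 1/0/3' output
# (the URL line is wrapped exactly as it appeared in the post).
SESSION_OUTPUT = """\
Interface: FastEthernet1/0/3
MAC Address: 0011.25d7.6c6c
IP Address: 10.175.0.229
User-Name: 001125d76c6c
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
URL Redirect ACL: webauth
URL Redirect: https://ISE.onemrva.priv:8443/guestportal/gateway?session
Id=0AAF003E0000175A43004FE3&action=cwa
Common Session ID: 0AAF003E0000175A43004FE3
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
webauth Not run
"""

# Reproduced from the %AUTHMGR syslog lines in the thread (wraps removed,
# the fragment whose header was lost on the page is left out).
AUTHMGR_LOG = """\
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
"""

AUTHMGR_RE = re.compile(
    r"%AUTHMGR-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*?) for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")


def parse_session(text):
    """Return ({field: value}, {method: state}) from the show output.
    A line without ': ' continues the previous value (a long URL wraps in
    the terminal); the 'Runnable methods list' table is parsed separately."""
    fields, methods = {}, {}
    in_methods, last_key = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_methods:
            if line.split()[0] == "Method":      # table header row
                continue
            method, state = line.split(None, 1)
            methods[method] = state
            continue
        if line == "Runnable methods list:":
            in_methods = True
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] += line             # wrapped continuation
    return fields, methods


def parse_authmgr(text):
    """Extract mnemonic, method (if quoted), MAC and audit session id per line."""
    events = []
    for line in text.splitlines():
        m = AUTHMGR_RE.search(line)
        if not m:
            continue
        method = re.search(r"'(\w+)'", m.group("msg"))
        events.append({"mnemonic": m.group("mnemonic"),
                       "method": method.group(1) if method else None,
                       "mac": m.group("mac"), "session": m.group("sid")})
    return events


def summarize(fields, methods, events):
    """Findings that can be read straight off the parsed output."""
    findings = []
    if methods.get("mab") == "Authc Success" and methods.get("webauth") == "Not run":
        findings.append("port authorized by MAB result; the webauth method itself never ran")
    if "URL Redirect ACL" in fields and "URL Redirect" in fields:
        findings.append("redirect ACL '%s' and redirect URL were received from AAA" % fields["URL Redirect ACL"])
    if fields.get("Common Session ID", "") and fields["Common Session ID"] in fields.get("URL Redirect", ""):
        findings.append("sessionId in the redirect URL matches the Common Session ID")
    if any(e["mnemonic"] == "NOMOREMETHODS" for e in events):
        findings.append("syslog shows a webauth failover exhausting all methods for %s" % events[0]["mac"])
    return findings


if __name__ == "__main__":
    f, m = parse_session(SESSION_OUTPUT)
    for line in summarize(f, m, parse_authmgr(AUTHMGR_LOG)):
        print("-", line)
```

The parser keys on the literal field labels and the "Runnable methods list:" marker as they appear in this output; other IOS releases that change the labels would need the two string checks adjusted.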
Question about dot1x & Web Authentication
I'm not sure if what I want to do is possible so hopefully someone can set me straight.
Right now when a user doesn't have a 802.1x capable machine, they are assigned to the guest VLAN. Then using the dot1x fallback command we could force them to use authenticate using the web if we so choose. At least this is how I understand web-auth to work. Please correct me if I'm wrong.
But what about when someone is using an 802.1x capable machine but fails auth? Like say a user logging in locally on a domain machine or a vendor using his companies laptop. Currently those ports go into an unauthorized state and are not active. If I use the dot1x auth-fail-vlan command, it authorizes the ports for that vlan just fine.
What I'd like to do in those cases is to put them in a restricted vlan and then force them to use web authentication to gain access to the network.
Is that possible? I can't seem to find a way to use web authentication after a failed dot1x auth. Or is that it, a failure is a failure and there is no way to try and reauthenticate a different way?
Hi,
dot1x authentication and mac-authentication bypass are layer 2 authentication mechanisms and webauth is a layer 3 authentication mechanism.
you can set multiple authentication profiles and set the priority as well.
like you can have dot1x authentication first and second webauth and third as mac-authentication bypass.
remember the other authentication mechanism will only come into place if the first authentication is not possible, that is the client does not have a supplicant for dot1x.
if a user doesn't have a dot1x supplicant and you have configured a guest vlan then the user will be put into the guest vlan, otherwise the user will be in the access vlan in which the port is configured.
if you have configured an auth-fail vlan and the user gives wrong credentials the user will be put into the auth-fail vlan.
if a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication.
the fallback mechanism is only when the dot1x authentication cannot be executed because the client does not have a dot1x supplicant. then the next mode of authentication will be triggered, that is either webauth or MAB.
if a user fails the dot1x authentication due to wrong credentials then he cannot be prompted for another authentication mechanism. this is to avoid security breaches.
hope this helps.
regards
Sushil
Web Authentication Catalyst 2960
Hi,
I am trying to configure fallback Web Authentication on a catalyst 2960 switch. The goal is to authenticate clients via web authentication who are not 802.1x compliant (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
The equipment regarding my question : catalyst 2960 switch (version : 122-37.SE) and a FreeRadius.
Here's what happens :
The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.
The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch, and the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this the browser on the client outputs an 'Authentication failed' message.
I've read the manual and the Cisco attribute-value pairs were mentioned: 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.
Any suggestions ?
Thanx in advance
Yes, they are mandatory.
If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.
Not sure about the specific FreeRADIUS config, but you need to set up the "[026\009\001] cisco-av-pair" VSA. It would look something like:
priv-lvl=15
proxyacl#10=permit ip any any
Let me know if this gets you squared away,
Users with a https home page are not redirected when using web-passthrough on WLC 5508
I have a Cisco 5508 running version 7.0.116.0. This controller hosts an open public wifi that requires users to accept a terms agreement via a Web-Passthrough setup that redirects them to the terms splash page. For most people this works without any issue. However, if a user has their homepage for their default browser set to a https site, such as https://www.google.com, then they are never redirected to the terms splash page. The page will just spin and spin until finally they get a timeout error.
Has anyone else had this experience? If so did you find a solution or is this some sort of short coming of the controller?
Any and all comments/information is appreciated!
Thanks,
Jim
This is a known issue (see bug ID CSCar04580).
CSCar04580 Bug Details
web auth (redirect) doesn't work when client uses a https url
Symptom: A client whose home page is an HTTPS (HTTP over SSL, port 443) one will never be redirected by Web Auth to the web authentication dialog. Therefore, such a client will not know to authenticate, and will fail to connect to the network.
Workaround: The client should attempt to open any HTTP (port 80) web page.
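Two of the redirect failures on this page come from the same mechanism: the controller intercepts the client's first HTTP request and answers with a redirect to its own login page, whose host is the virtual interface's DNS hostname when one is configured and its virtual IP otherwise (the first thread's https://cisco6a19c4/login.html?redirect=... versus https://1.1.1.1/...), and an HTTPS first request is never intercepted at all (CSCar04580, just above). The following is an added example, not controller code and not from either poster: it models that behaviour as described on this page, builds the Location header in the format seen in the first thread, and adds the check a practitioner wants before putting a hostname on the virtual interface, namely that the guests' own DNS resolves it to the virtual IP. The guest_dns table, the 203.0.113.x addresses and the treatment of port 443 as simply not intercepted are constructed assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit, quote


def build_redirect(virtual_ip, virtual_hostname, original_url):
    """Location header for an intercepted HTTP request: host is the virtual
    interface DNS hostname if configured, else the virtual IP; the original
    host+path rides in ?redirect= (format as seen in the first thread)."""
    parts = urlsplit(original_url)
    target = parts.netloc + (parts.path or "/")
    host = virtual_hostname or virtual_ip
    return "https://%s/login.html?redirect=%s" % (host, quote(target, safe="/"))


def intercept(request_url, virtual_ip, virtual_hostname=None):
    """What a pre-auth client gets for its first browser request.
    Assumption modelled from the page: only port-80 HTTP is intercepted;
    a port-443 connection is held by the pre-auth policy and never answered,
    so the browser spins until its own timeout (the CSCar04580 symptom)."""
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        return ("302", build_redirect(virtual_ip, virtual_hostname, request_url))
    if parts.scheme == "https":
        return ("timeout", "port 443 not intercepted; no Location header ever sent")
    return ("error", "unsupported scheme %r" % parts.scheme)


def check_redirect_target(location, guest_dns, virtual_ip):
    """Can a guest reach the login page the Location points at?
    An IP literal needs no lookup; a hostname must resolve, in the DNS the
    guests actually use, to the virtual IP.  guest_dns is a constructed
    name -> address table standing in for the guest router's resolver."""
    host = urlsplit(location).hostname
    try:
        ipaddress.ip_address(host)
        return (True, "IP literal, no DNS needed")
    except ValueError:
        pass
    answer = guest_dns.get(host.lower())
    if answer is None:
        return (False, "'%s' does not resolve from the guest network" % host)
    if answer != virtual_ip:
        return (False, "'%s' resolves to %s, not the virtual IP %s" % (host, answer, virtual_ip))
    return (True, "'%s' resolves to the virtual IP" % host)


# Constructed guest-side resolver: public names only, no entry for the
# controller's system name, which is the situation in the first thread.
GUEST_DNS = {"nyttintranet.sem10.se": "203.0.113.10",
             "www.google.com": "203.0.113.20"}

if __name__ == "__main__":
    for hostname in (None, "cisco6a19c4"):
        status, loc = intercept("http://nyttintranet.sem10.se/", "1.1.1.1", hostname)
        print(status, loc, check_redirect_target(loc, GUEST_DNS, "1.1.1.1"))
    print(intercept("https://www.google.com/", "1.1.1.1"))
```

Run with a hostname on the virtual interface, the check fails unless the guest resolver has an entry for it pointing at the virtual IP; with no hostname the Location carries the IP literal and needs no DNS, which is why replacing "cisco6a19c4" with 1.1.1.1 worked in the first thread. The HTTPS case returns no Location at all, matching the bug's "will never be redirected".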
WLC Client excluded - web authentication failed 3 times
Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
An example of the alert generated in the event of an excessive authentication failure is as follows:
Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
E-mail will be suppressed up to 30 minutes for these alarms.
I need clarification of the following so that a process can be put in place to show whether it is possible to deal with potential threats/attempts to hack into the network, as the customer's security team is not accepting notification only. Therefore please advise:
- What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
- If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
- If necessary could e-mail suppression be turned off - for this alert only?
Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
BR
Rockford
There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
http://support.microsoft.com/kb/883619
Central Web Authentication Fail - This device has not been registered.
Dear All,
I have a problem when applying CWA. I have a WLC and ISE.
I want all users (all device types) that access my network by Wi-Fi to be authenticated by AD.
but users can't connect to the network, even just to authenticate.
My ISE Authorization rule:
if
(Wireless_MAB AND AD1:ExternalGroups EQUALS example.com/Users/Domain Users)
Anyone, have experience like this before, please share..
nb: my ISE license is Base Package
Thanks!!
I had followed the configuration guide from here:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
but my authentication always fails with a redirect to device registration,
when the user connects to the SSID and inputs the username and password based on Active Directory,
then the browser shows up like this:
1. Access with Windows :
Device Registration
This device has not been registered.
You need to manually configure your device. Contact your system administrator for assistance.
Your device configuration is not supported by the setup wizard.
Device ID : my-workstation-mac-address-
Description :
2. Access with Android
Device Registration
This device has not been registered.
You need to manually configure your device. Contact your system administrator for assistance.
Unsupported operating system type encountered.
Device ID : my-android-mac-address-
Description :
Thanks,
Repeated wlc 5508 client web authentication
I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. The session timeout is set to 4 hours; however, many times a client is presented with a web authentication screen right in the middle of browsing, at random times.
I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC. For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
The WCS screenshot shows a good example of how often this occurs! Is the client actually re-associating with the AP (which in turn would require a web reauth)? Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
I do have a TAC case opened up, but was wondering if anyone has experienced this before?
Sorry for the rambling...
Rene,
I did several things and at least one of them seemed to resolve the issue:
These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
1. Upgrade WLC to 7.0.98.218 [self explanatory]
2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
I think that the TKIP and/or DHCP setting was integral as part of the resolution. I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
Good Luck,
Rob.
Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)
Hello,
I have configured a Guest SSID with web authentication (captive portal).
wlan XXXXXXX 2 Guest
aaa-override
client vlan YYYYYYYYY
no exclusionlist
ip access-group ACL-Usuarios-WIFI
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
mobility anchor 10.181.8.219
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth parameter-map global
session-timeout 65535
no shutdown
The configuration of webauth parameter map is :
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
parameter-map type webauth global
type webauth
virtual-ip ipv4 1.1.1.1
redirect on-success http://www.google.es
I need to login on web authentication on HTTP instead of HTTPS.
If I login on HTTP, I will not receive certificate alerts that prevent the users connections.
I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
Web Authentication on HTTP Instead of HTTPS
You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
Thanks in advance.
Regards.
The documentation doesn't provide very clear direction, does it?
To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.
WLC web authentication ACL to allow internet surfing only
Hi forumers'
I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
According to my attachment, am I writing the right ACL syntax, and applying it at the web authentication interface?
I also tried this ACL at my core switch but it seems not to succeed.
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
int vlan 20
ip access-group ACL-VLAN-20 in
any problem with it?
well, as long as it restricts web authentication users to only go to the internet then it serves my purpose
thanks
Noel
This should work
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31 (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53 (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80 (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443 (allows HTTPS but only outside as the deny stops internal)
But you need to add a permit for UDP 53 so that the client can talk to DNS as well, as added above. I also put the deny for access to the internal resources higher in the list; otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow 172.16.20.0 to any and any to 172.16.20.0.
But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
HTH,
Steve
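Steve's ordering point can be checked mechanically rather than by eye. The following is an added example (not Cisco code and not either poster's): a small first-match evaluator for IOS extended ACL syntax, run over Noel's list as posted and Steve's reordered list (parenthetical remarks stripped), against constructed sample flows from a guest at 172.16.20.10, with 203.0.113.0/24 standing in for the internet and 172.16.1.x for the internal servers. It implements only the ordinary top-down, first-match, implicit-deny semantics and is stateless, so the "inverse ACL" Steve mentions for ACLs applied on the WLC is not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass

# IOS port keywords that appear on this page, for 'eq <name>' entries.
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: tuple          # (address as int, wildcard mask as int)
    sport: int          # 0 = any port
    dst: tuple
    dport: int


def _addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; 0 means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return 0, i


def parse_ace(line):
    tokens = re.sub(r"\(.*?\)", "", line).split()   # drop '(remarks)'
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    sport, i = _port(tokens, i)
    dst, i = _addr(tokens, i)
    dport, i = _port(tokens, i)
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _match_addr(spec, addr):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF          # wildcard bit set = don't care
    return (int(ipaddress.IPv4Address(addr)) & keep) == (base & keep)


def matches(ace, flow):
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dport and ace.dport != flow.dport:
        return False
    if ace.sport and ace.sport != flow.sport:
        return False
    return _match_addr(ace.src, flow.src) and _match_addr(ace.dst, flow.dst)


def evaluate(acl, flow):
    """Top-down, first match wins; no match means the implicit deny."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"


ORIGINAL = """
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
"""
REORDERED = """
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31 (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53 (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80 (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443 (allows HTTPS but only outside as the deny stops internal)
"""

# Constructed sample flows from a guest client.
FLOWS = {
    "dns_out":       Flow("udp", "172.16.20.10", "203.0.113.53", 53),
    "http_out":      Flow("tcp", "172.16.20.10", "203.0.113.80", 80),
    "http_internal": Flow("tcp", "172.16.20.10", "172.16.1.10", 80),
    "http_host100":  Flow("tcp", "172.16.20.10", "172.16.1.100", 80),
}


def compare(acl_texts=None, flows=FLOWS):
    """{acl name: {flow name: 'permit' | 'deny'}} for each ACL and flow."""
    acls = acl_texts or {"original": ORIGINAL, "reordered": REORDERED}
    return {name: {f: evaluate(parse_acl(text), flow) for f, flow in flows.items()}
            for name, text in acls.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Running it shows the two points in the reply: the original list has no DNS permit, so the guest's UDP 53 query falls through to the implicit deny, and its permit for any port 80 sits above the deny lines, so HTTP to 172.16.1.10 is permitted. It also surfaces one thing to check before copying the reordered list: Noel's deny for host 172.16.1.100 has no counterpart there, and 172.16.1.100 lies outside 172.16.1.0/27, so HTTP to that host is still permitted by the reordered version.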
Redirect to web authentication not working on Cisco 5508 Wireless Controller
Hi,
I have a wlan with web authentication:
http://i55.tinypic.com/w145zk.png
and
http://i51.tinypic.com/344sfm0.png
When I connect to the SSID (I get correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
The virtual interface is 1.1.1.1.
Here is a screenshot of interface and internal dhcp:
http://i52.tinypic.com/2vkm1d2.png
Any idea why clients are not redirecting?
Thanks!
Thanks for the reply dmantil!
When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.
WLC MOBILITY GROUP SINGLE WEB AUTHENTICATION
Hi.
I have installed two AIR-WLC2112 with a mobility group configured and web authentication.
I want to know if you can create user / password web authentication only in one WLC.
Now, when I create a new user / password , I have to create in two WLC.
Thanks
In order to validate a site issuing a certificate, the client should be loaded with a certificate from the same Certificate Authority. Else ignore the warning and continue to the site. If you want to know if the site is valid, click on View certificate on the warning page and see if it belongs to the website.