Web authentication on WLC fails to redirect when we enter URL in browser

I have a problem with a customer of mine. We have deployed two new WLC5508s running r7.0.116.0 and AP1142s, plus WCS r7.0.172. When we set up "Guest Access" we ran into trouble...
The problem is that we can associate to the SSID/AP and get an IP address. When we open the web browser we do not get redirected to the virtual interface but instead to the _hostname_ of the WLC, like this:
https://cisco6a19c4/login.html?redirect=nyttintranet.sem10.se/
If we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should: the login page appears, we log in and can access the internet. We have also tested with web-auth disabled on the SSID and everything works; we can go straight out to the internet and DNS works without any problems.
A little more info:
2x WLC5508 running r7.0.116.0 and the APs are 1142s
WLCs connected to Cat4503 via LAG
Guest network (VLAN) is carried from the WLC over the trunk to the Cat4503 and then connected on an access port to a separate broadband router, then to the internet.
DHCP to guest users comes from the separate broadband router, which is the default gateway and "DNS".
On the virtual interfaces no hostname is configured.
ANY ideas??
Best Regards
Göran Blomqvist

Ooop... waddyaknow... As it turned out, one of the WLCs _did have_ a name configured under the virtual interface; of course it was NOT the one that "our" AP was associated with...
That has now been corrected and the guest access is working as intended.
(Oh yes, we tried with 3 PCs and 2 smartphones when we discovered the 'malfunction'...)
Thanx for the mental push Stefan!!
Regards
Göran

Similar Messages

  • SNMP web authenticated users wlc 5508

    Hello everyone,
    I am using web authentication with my WLC 5508 and I would like to check all users currently connected (IP, login used, MAC address, ...) with SNMP.
    I am using an external web server and my clients are authenticated with LDAP.
    I know I can receive this information with traps, but I would like to create a short program which will check all users when I click on a button.
    Can anyone help me ?
    Thanks a lot for your answers.

    Hello Julien,
    Thank you for the info. +5 for solving your own problem.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ISE wireless web authentication for guest management not redirecting

    Hi forumers,
    I face the problem that after connecting to the wireless guest network, it won't redirect me to the ISE guest portal. This happens on my iPhone. The iPhone is running iOS 5.0.1.
    Whilst on a workstation it's working well.
    Attached is a snapshot of what happens on the iPhone.
    Any clue to troubleshoot? Thanks
    Noel

    Hi
    It still fails when I test on my iPhone.
    I'm not using the ISE self-signed certificate; I created a CSR and had it signed by the root CA server. So once I try to connect it won't prompt me to "accept certificate".
    My WLC local auth vendor certificate is signed by the same root CA server as well.
    When I test on a desktop with the Safari browser, it is able to redirect to the ISE guest portal.
    Can you please suggest more troubleshooting guidance?
    Thanks
    This is the outcome in the Safari browser.
    Noel

  • Having trouble with web authentication in 5504

    Hi everybody,
    We're experiencing trouble with our Wireless LAN solution. We have a WLC 5504, an ACS 4.2 and 1131AG APs.
    After deploying the solution and doing some tests we noticed that when a user attempted to connect to the wireless network there was too much delay from when they clicked IE (Internet Explorer) until the WLC web authentication page was shown. The delay was around 3 minutes. This issue also occurred when testing from my laptop next to one access point; then I moved to another access point and the result was the same, so a laptop problem is ruled out.
    Has anybody ever had this kind of trouble? How could I reduce this time? Is it possible? Which part of the configuration should I check?
    Regards,
    Manuel

    Friends,
    I've made a mistake. Our WLC is a 4404.
    Regards,
    Manuel

  • Central web authentication

    I have downloaded the new Cisco ISE. I've managed to configure 802.1x and MAB successfully, but I want to configure wired centralized web authentication, and I cannot find any documentation on how to configure ISE and Cisco Catalyst (IOS) switches to use this feature (I only find (limited) documentation about local web auth on the switch).
    I want to achieve the following authentication order on a switchport:
    802.1x
    MAB
    central web authentication
    So if a guest user comes with his laptop, 802.1x is not configured on his laptop and he's not in the Mac Bypass DB, he should "failover" to web auth and get the ISE guest portal webpage with his web browser. There he enters a guest username and password (which is of course already in the ISE DB) and he should get web access.
    I've configured the switchport with the following commands:
    switchport access vlan 99
    switchport mode access
    switchport voice vlan 50
    authentication event no-response action authorize vlan 32
    authentication host-mode multi-domain
    authentication order dot1x mab webauth
    authentication port-control auto
    authentication violation protect
    authentication fallback webprofile
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 2
    dot1x timeout tx-period 2
    spanning-tree portfast
    spanning-tree bpduguard enable
    The web-profile has an access-list to permit DHCP traffic between the attached device and any DHCP server in VLAN 99, and communication with ISE (also in VLAN 99), at the moment "fallback webprofile" is triggered (I don't know if this should be configured with central webauth?):
    SW01T#sh fallback profile webprofile
    Profile Name: webprofile
    Description : webauth profile
    IP Admission Rule : NONE
    IP Access-Group IN: 133
    FYI, the access list:
    Extended IP access list 133
    10 permit ip any host 10.175.0.29
    30 permit udp any any eq bootps
    40 permit udp any eq bootpc any
    In the ISE, I configured DOT1x and MAB. In the MAB profile, I configured "continue" if user is unknown, and then an authorization profile for the web authentication:
    (attributes of the profile):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&portal=https://10.175.0.29:8443/guestportal/gateway?sessionId=SessionIdValue&portal=http&action=cwa&action=cwa
    But it doesn't work. If I attach a device, it tries 802.1x, it tries MAB, then it fails over to "web authentication" but immediately fails with a "no-response" message:
    001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
    001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003
    Is there some configuration guide or steps available in order to make this work please?
    Kind regards

    Hi Tarik,
    thank you for the fast reply.
    I've configured the extra settings you told me (although I thought the ip admission configuration was only for local web authentication, where the switch acts as an HTTP server).
    But it still doesn't work. The PC is getting its IP address from the DHCP server, but if I open a browser session I do not get redirected to the ISE portal in order to log in with a Guest account.
    If I look at the authentication session of the port, it looks like the ISE has correctly sent the redirect acl and redirect url to the switchport:
    Switch# show auth sessions int fa 1/0/3
               Interface:  FastEthernet1/0/3
             MAC Address:  0011.25d7.6c6c
              IP Address:  10.175.0.229
               User-Name:  001125d76c6c
                  Status:  Authz Success
                  Domain:  DATA
         Security Policy:  Should Secure
         Security Status:  Unsecure
          Oper host mode:  multi-domain
        Oper control dir:  both
           Authorized By:  Authentication Server
              Vlan Group:  N/A
        URL Redirect ACL:  webauth
            URL Redirect:  https://ISE.onemrva.priv:8443/guestportal/gateway?sessionId=0AAF003E0000175A43004FE3&action=cwa
         Session timeout:  N/A
            Idle timeout:  N/A
       Common Session ID:  0AAF003E0000175A43004FE3
         Acct Session ID:  0x000018CF
                  Handle:  0xEF00075B
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
           webauth  Not run
    As you can see, the "web authentication" is the result of a "successful MAB". This is because I had to configure ISE to continue on MAB if the user was not found (I found that somewhere in the documentation). Then I have configured a default authorization profile where the "web authentication" is triggered. This is where I've configured the redirect-url and so on, and this is of course sent to the switch as a successful MAB:
    authorization profile "webauthentication" with the "centralized web authentication" settings configured (see attributes output):
    Access Type = ACCESS_ACCEPT
    cisco-av-pair = url-redirect-acl=webauth
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    Actually, I really have no idea if I have correctly configured ISE to handle central web authentication...
    If I check the "show ip admission cache", nothing is seen in there.
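    The %AUTHMGR lines quoted in this post are the quickest way to see whether webauth ever got a chance to run. The script below is an added example (not code from the thread or from Cisco): it groups %AUTHMGR syslog lines by AuditSessionID and flags sessions where 'webauth' started and failed over in the same second, before any client could have reached the portal. The sample log is constructed after the format on the page; the dot1x/mab lines and the second client (MAC 0011.25d7.aaaa, Fa1/0/5) are placeholders.

```python
"""Triage of %AUTHMGR syslog lines from an IOS switch running 802.1x/MAB/webauth.
Added example: groups events per AuditSessionID and classifies the method
sequence.  SAMPLE_LOG is constructed after the format quoted on the page;
the dot1x/mab lines and the second client are placeholders, not real data."""
import re
from collections import defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): "
    r"%AUTHMGR-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*?) ?"
    r"for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<iface>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-Fa-f]+)$"
)
METHOD_RE = re.compile(r"'(\w+)'")   # method name quoted inside the message text

# Constructed sample: one session that exhausts all methods, one still in webauth.
SAMPLE_LOG = """\
001415: Jul 1 12:09:11: %AUTHMGR-5-START: Starting 'dot1x' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001416: Jul 1 12:09:17: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001417: Jul 1 12:09:17: %AUTHMGR-5-START: Starting 'mab' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001419: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001420: Jul 1 12:09:19: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001422: Jul 1 12:09:19: %AUTHMGR-7-FAILOVER: Failing over from 'webauth' for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001423: Jul 1 12:09:19: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (0011.25d7.6c6c) on Interface Fa1/0/3 AuditSessionID 0AAF003E000000582E866B69
001500: Jul 1 12:15:02: %AUTHMGR-5-START: Starting 'webauth' for client (0011.25d7.aaaa) on Interface Fa1/0/5 AuditSessionID 0AAF003E000000590000AAAA
"""


def parse(log: str) -> Dict[str, dict]:
    """Group %AUTHMGR events by AuditSessionID; unrelated syslog lines are skipped."""
    sessions = defaultdict(lambda: {"mac": None, "iface": None, "events": []})
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method = METHOD_RE.search(m["msg"])
        s = sessions[m["sid"]]
        s["mac"], s["iface"] = m["mac"], m["iface"]
        s["events"].append((m["ts"], m["mnemonic"], method.group(1) if method else None))
    return dict(sessions)


def classify(events: List[tuple]) -> str:
    """Label one session's method sequence from its (timestamp, mnemonic, method) events."""
    started = [ts for ts, mn, meth in events if mn == "START" and meth == "webauth"]
    failed = [ts for ts, mn, meth in events if mn == "FAILOVER" and meth == "webauth"]
    exhausted = any(mn == "NOMOREMETHODS" for _, mn, _ in events)
    if started and failed and started[-1] == failed[-1] and exhausted:
        return "immediate_webauth_failover"   # webauth gave up before any client interaction
    if started and not failed:
        return "webauth_pending"              # portal stage reached, waiting for the user
    return "other"


def triage(log: str) -> Dict[str, str]:
    """Map each AuditSessionID in the log to its classification."""
    return {sid: classify(s["events"]) for sid, s in parse(log).items()}


if __name__ == "__main__":
    for sid, s in parse(SAMPLE_LOG).items():
        print(sid, s["mac"], s["iface"], classify(s["events"]))
```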

  • Question about dot1x & Web Authentication

    I'm not sure if what I want to do is possible so hopefully someone can set me straight.
    Right now when a user doesn't have an 802.1x capable machine, they are assigned to the guest VLAN. Then using the dot1x fallback command we could force them to authenticate using the web if we so choose. At least this is how I understand web-auth to work. Please correct me if I'm wrong.
    But what about when someone is using an 802.1x capable machine but fails auth? Like say a user logging in locally on a domain machine or a vendor using his company's laptop. Currently those ports go into an unauthorized state and are not active. If I use the dot1x auth-fail-vlan command, it authorizes the ports for that VLAN just fine.
    What I'd like to do in those cases is to put them in a restricted vlan and then force them to use web authentication to gain access to the network.
    Is that possible? I can't seem to find a way to use web authentication after a failed dot1x auth. Or is that it, a failure is a failure and there is no way to try and reauthenticate a different way?

    Hi,
    dot1x authentication and MAC authentication bypass are layer 2 authentication mechanisms and webauth is a layer 3 authentication mechanism.
    You can set multiple authentication profiles and set the priority as well.
    For example you can have dot1x authentication first, webauth second and MAC authentication bypass third.
    Remember the other authentication mechanism will only come into place if the first authentication is not possible, that is, the client does not have a supplicant for dot1x.
    If a user doesn't have a dot1x supplicant and you have configured a guest VLAN then the user will be put into the guest VLAN, otherwise the user will be in the access VLAN in which the port is configured.
    If you have configured an auth-fail VLAN and the user gives wrong credentials, the user will be put into the auth-fail VLAN.
    If a user is a dot1x client and dot1x is configured then the user must pass the dot1x authentication.
    The fallback mechanism is only for when the dot1x authentication cannot be executed because the client does not have a dot1x supplicant; then the next mode of authentication will be triggered, that is either webauth or MAB.
    If a user fails the dot1x authentication due to wrong credentials then he cannot be prompted for another authentication mechanism. This is to avoid security breaches.
    Hope this helps.
    regards
    Sushil

  • Web Authentication Catalyst 2960

    Hi,
    I am trying to configure fallback Web Authentication on a Catalyst 2960 switch. The goal is to authenticate clients who are not 802.1x compliant via web authentication (the 802.1x part is working fine) and allow them restricted access to the network. The problem is that the web authentication seems to fail.
    The equipment regarding my question: Catalyst 2960 switch (version 122-37.SE) and a FreeRADIUS.
    Here's what happens:
    The authentication window pops up in my browser and the Access-Request is sent to the RADIUS.
    The RADIUS in turn responds with an Access-Accept. The debugs running on the switch show that all this information arrives correctly at the switch; the Authentication debug outputs a 'status = PASS' and the Authorization debug outputs a 'status = PASS_ADD'. In spite of this the browser on the client outputs an 'Authentication failed' message.
    I've read the manual and the Cisco attribute-value pairs were mentioned: 'priv-lvl=15' and 'proxyacl ...'. Are these mandatory for it to work? Since I'm not configuring any switch login authentication via RADIUS.
    Any suggestions ?
    Thanx in advance

    Yes, they are mandatory.
    If priv-lvl=15 is not returned to the switch, the user will see "Authentication Failed" and the access-list will not be applied. If the source field in the proxyacl statements is not "any" or there are other syntax errors, the user will see "Authentication Successful" but the access-list will not be applied and the user will be denied access to the network.
    Not sure about the specific FreeRADIUS config, but you need to set up the [026\009\001] cisco-av-pair VSA. It would look something like:
    priv-lvl=15
    proxyacl#10=permit ip any any
    Let me know if this gets you squared away,

  • Users with a https home page are not redirected when using web-passthrough on WLC 5508

    I have a Cisco 5508 running version 7.0.116.0. This controller hosts an open public wifi that requires users to accept a terms agreement via a Web-Passthrough setup that redirects them to the terms splash page. For most people this works without any issue. However, if a user has the homepage of their default browser set to an https site, such as https://www.google.com, then they are never redirected to the terms splash page. The page will just spin and spin until finally they get a timeout error.
    Has anyone else had this experience? If so, did you find a solution, or is this some sort of shortcoming of the controller?
    Any and all comments/information is appreciated!
    Thanks,
    Jim

    This is a known issue (see bug ID CSCar04580).
    CSCar04580 Bug Details
    Web auth (redirect) doesn't work when client uses an https url
    Symptom: A client whose home page is an HTTPS (HTTP over SSL, port 443) one will never be redirected by Web Auth to the web authentication dialog. Therefore, such a client will not know to authenticate, and will fail to connect to the network.
    Workaround: The client should attempt to open any HTTP (port 80) web page.

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show whether it is possible to deal with potential threats/attempts to hack into the network, as the customer's security team will not accept notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Central Web Authentication Fail - This device has not been registered.

    Dear All,
    I have a problem when applying CWA. I have a WLC and ISE.
    I want all users (all device types) that want to access my network by Wifi to be authenticated by AD,
    but the user can't connect to the network, even just to authenticate.
    My ISE Authorization rule:
    if
    (Wireless_MAB AND AD1:ExternalGroups EQUALS example.com/Users/Domain Users)
    Anyone who has had an experience like this before, please share.
    NB: my ISE license is Base Package
    Thanks!!

    I have followed the configuration guide from here:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    but my authentication always fails with a redirect to device registration:
    when the user connects to the SSID and inputs the Active Directory username and password,
    the browser shows this:
    1. Access with Windows :
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Your device configuration is not supported by the setup wizard.
    Device ID        : my-workstation-mac-address- 
    Description     :
    2. Access with Android
    Device Registration
    This device has not been registered.
    You need to manually configure your device. Contact your system administrator for assistance.
    Unsopported operating system type encountered.
    Device ID        : my-android-mac-address- 
    Description     :
    Thanks,

  • Repeated wlc 5508 client web authentication

    I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. The session timeout is set to 4 hours; however, many times a client is presented with a web authentication screen right in the middle of browsing, at random times.
    I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
    I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
    The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
    I do have a TAC case opened up, but was wondering if anyone has experienced this before?
    Sorry for the rambling...

    Rene,
    I did several things and at least one of them seemed to resolve the issue:
    These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
    1. Upgrade WLC to 7.0.98.218 [self explanatory]
    2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
    3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
    4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
    5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
    I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
    Good Luck,
    Rob.

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to  login on web authentication on HTTP instead of HTTPS.
    If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
    I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable it. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller!
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • WLC web authentication ACL to allow internet surfing only

    Hi forumers,
    I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
    According to my attachment, am I writing the right ACL syntax and applying this at the web authentication interface?
    I also tried this ACL on my core switch but it did not seem to succeed.
    ip access-list extended ACL-VLAN-20
    permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
    permit tcp 172.16.20.0 0.0.0.255 any eq 80
    permit tcp 172.16.20.0 0.0.0.255 any eq 443
    deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
    deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
    int vlan 20
    ip access-group ACL-VLAN-20 in
    Any problem with it?
    Well, as long as it restricts web authentication users to the internet only, it serves my purpose.
    thanks
    Noel

    This should work
    deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
    permit udp 172.16.20.0 0.0.0.255 any eq 53              (or list the specific servers you want them to use)
    permit tcp 172.16.20.0 0.0.0.255 any eq 80               (allows HTTP but only outside as the deny stops internal)
    permit tcp 172.16.20.0 0.0.0.255 any eq 443             (allows HTTPS but only outside as the deny stops internal)
    but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny for access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
    You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
    When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
    But I'd recommend that you put the ACL on the L3; that way it's easily visible to all the network engineers in case there are issues.
    HTH,
    Steve
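    To see concretely how entry order changes what a guest can reach, here is an added example (not code from the thread or from Cisco) that evaluates IOS-style first-match extended ACLs over a few constructed guest flows; the ACL text is copied from the question and the reply, and the "internet" destinations are RFC 5737 documentation addresses. The flows also show that the reordered list still lets guests reach 172.16.1.100 over HTTP, because that host lies outside 172.16.1.0/27, so the original's host-specific deny has to stay ahead of the permits as well.

```python
"""First-match evaluation of the guest ACLs discussed above (added example).
Parses the subset of IOS extended-ACL syntax used in the posts and evaluates
constructed flows against the original and the reordered list.  Destination
addresses for 'internet' hosts are RFC 5737 documentation addresses."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str
    src_wild: str          # Cisco wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str
    dport: Optional[int]   # destination port from "eq N"; None means any


def _take_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse one ACL entry per line: ACTION PROTO SRC DST [eq PORT]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        src, src_wild, i = _take_addr(t, 2)
        dst, dst_wild, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(t[0], t[1], src, src_wild, dst, dst_wild, dport))
    return rules


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for r in acl:
        if (r.proto in ("ip", proto)
                and wildcard_match(src, r.src, r.src_wild)
                and wildcard_match(dst, r.dst, r.dst_wild)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


# ACL as posted in the question: permits are listed before the denies.
ORIGINAL_ACL = parse_acl("""
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
""")

# ACL as suggested in the reply: deny the internal /27 first, then DNS, HTTP, HTTPS.
REORDERED_ACL = parse_acl("""
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
permit udp 172.16.20.0 0.0.0.255 any eq 53
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
""")

# Constructed flows from one guest client: (proto, src, dst, dst port).
FLOWS = {
    "dns_to_internet":         ("udp", "172.16.20.50", "192.0.2.53", 53),
    "https_to_internet":       ("tcp", "172.16.20.50", "198.51.100.10", 443),
    "http_to_internal_subnet": ("tcp", "172.16.20.50", "172.16.1.10", 80),
    "http_to_internal_host":   ("tcp", "172.16.20.50", "172.16.1.100", 80),
}


def verdicts(acl: List[Rule]) -> dict:
    """Return the permit/deny verdict of every constructed flow under one ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}
```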

  • Redirect to web authentication not working on Cisco 5508 Wireless Controller

    Hi,
    I have a wlan with web authentication:
    http://i55.tinypic.com/w145zk.png
    and
    http://i51.tinypic.com/344sfm0.png
    When I connect to the SSID (I get a correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html); when I manually insert the URL I get "cannot display the webpage". Any idea?
    The virtual interface is 1.1.1.1.
    Here is a screenshot of interface and internal dhcp:
    http://i52.tinypic.com/2vkm1d2.png
    Any idea why clients are not redirecting?
    Thanks!

    Thanks for the reply dmantil!
    When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com, I get redirected only if I use IP.
    I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.

  • WLC MOBILITY GROUP SINGLE WEB AUTHENTICATION

    Hi.
    I have installed two AIR-WLC2112 with a mobility group configured and web authentication.
    I want to know if you can create web authentication user/passwords in only one WLC.
    Now, when I create a new user/password, I have to create it in both WLCs.
    Thanks

    In order to validate a site issuing a certificate, the client should be loaded with a certificate from the same Certificate Authority. Else ignore the warning and continue to the site. If you want to know if the site is valid, click on View certificate on the warning page and see if it belongs to the website.
