Webauth redirect issue

Similar Messages

• Webauth Redirect Issue WLC 7.2

  We have been using Passthrough with Email input on our Guest network for a while.  We use the Internal (Default) Web Authentication Type with a URL redirection after login and a custom Headline/Message and Logo on the login page.  This worked fine, I even made a few changes recently, until we attempted to switch from https: to http: on the login page today.  This was done using the config network web-auth secureweb disable command in the Command Line.  After making this change and rebooting the controller, the login/redirect page loads using http: (it redirects after entering an email address) but the graphics (banner at the top and logo) do not.  Looking at the source code, everything looks the same.  I am sure that it is using the Internal login page, as I tried using Customized and External, neither of which worked.  Has anyone run into this problem before?  Thanks.

  In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN . In order to do this, complete these steps:
      Log into the GUI of the WLC.
      Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
      On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
      On this page, choose None as the Layer 3 Security.
      Check the Web Policy box, and choose the Authentication option.
      Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from theLogin Pagepull down menu. Click Apply

• CT5760 - virtual-host in parameter-map not used in webauth redirect

  Hi all.
  I'll try posting my issue here before I post a TAC on this:
  Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
  This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
  When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://1.2.3.4/login.html". The IP address 1.2.3.4 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
  The reason why this is a problem is that the clients web browser will not accept the certificate installed on "http://1.2.3.4" because it is not issued with that IP address, only the hostname webauth.example.com. I know that it is possible to get certificates issued with an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even with "real IPs". Therefore it is important that the redirect URL gets corrected.
  Does anyone disagree with me that this is a bug?

  Hi and thank you for your response.
  I feel that I need to clarify a few things. Here is my parameter-map config (a bit edited):
  parameter-map type webauth global
  virtual-ip ipv4 1.1.1.1 virtual-host webauth.example.com
  intercept-https-enable
  parameter-map type webauth webauth_external
  type webauth
  redirect for-login https://webauth-external.example.com/v2/login.html
  redirect portal ipv4 x.x.x.x
  So the problem here is that a web browser of the client gets the following redirect URL:
  https://webauth-external.example.com/v2/login.html?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com
  Then after a successful login on the external portal, the user gets redirected back to https://1.1.1.1/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
  When the redirect goes to https://1.1.1.1/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
  I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
  https://webauth-external.example.com/v2/login.html?switch_url=https://webauth.example.com/login.html&redirect=http://www.cnn.com
  Then the redirect after authentication goes to https://webauth.example.com/login.html and the client accepts the certificate and everything is peachy.
  Do you see my problem? And yes, the virtual IP resolves to the name in DNS.

• Guest Anchor - Web Passthrough - Apple device web redirect issue

  Hi All,
  I've setup a Guest Mobility Anchor at DMZ with 5508 WLC. I've setup the EoIP mobility tunnel and everything works so far.
  Now, I was testing multiple clients to connect to the Guest SSID and observed that Apple devices are not redirecting url, resulting unsuccessful connection.
  I looked Cisco docs and added the command "config network web-auth captive-bypass enable" on the Anchor as recommended.
  Even after executing the command, I'm still facing web redirect issue with Apple Devices. I don't have any issues with other devices, except Apple.
  My controller running code AirOS 7.6.130.0. I'm using DMZ controller as DHCP server for Guests and public DNS servers as 8.8.8.8 & 8.8.4.4
  How to solve this web redirect issue? Will a Third-party generated CSR solves the problem?
  Thanks,
  CJ

  Hi All,
  The issue was with WISPr Protocol with iOS Clients. After upgrading the AirOS Code on the controller to 8.0.100.0; the issue with Web Redirect is resolved.
  Jagan

• WebAuth redirect DNS Host not resolving

  Hello,
  I'm trying to get my WebAuth redirect for guest to resolve a hostname, not an IP address.  If I delete the hostname information it redirect's fine to the IP address (but has a cert error).  I'd like to have to redirect to a hostname so it will match the CN of the cert i've loaded on the controller.  We're using OpenDNS for the public DNS so I cannot put an A Record on there associating 192.168.254.1 to washcoguest.co.washington.mn.us. 
  Right now when I connect to the SSID, it try's to direct me be cannot resolve the hostname and I get a page cannot be displayed.
  Any help would be great.
  Pete

  Pete,
  You can host that A record inside, but that would mean your guest need to have access to your inside DNS. Not ideal, but some people do that ...
  Correct, you can host it with your ISP and it would need to match your domain. Which means you need a new cert.
  For this very reason, I own "guestnetwork.org" and I host and provide certificates to get around all the confusion customers have. I can host XXXXXX.guestnetwork.org and its published in a few minutes and ready to go..
  As for your NAT question. The Virtual IP should not be routable, which in your question its not, but  just want to mention it. The client will need to reslove the name to the virtual IP. Adding all these extra steps only adds confusion.
  I might suggest, redo the cert, publish it with yout ISP.

• Https redirection issue for Wireless Guest CWA - ISE 1.3

  Our Setup is
  ISE 1.3 (Patch level 2) running on ACS 1121
  2 nodes clustered with Admin, monitoring, policy service enabled ( Primary and Secondary ).
  Configured SSID Guest for Centralized web authentication with ISE.
  We have issues in web redirection with chrome . It is not redirecting to the ISE page but rather showing " Page cannot be displayed".
  By default chrome is pointing to https. For example if we type https://google.com it is not redirecting to ISE page. But when I specify the same as http://google.com it works.
  There is no issue with IE, Firefox as it is redirecting to ISE page with default https and i can see it is hitting our rule.
  Please advice.

  Hi Neno
  They are using a third party certificate (digi cert) for client auth. They have confirmed even if they use a self-signed-cert the result is same.
  So basically none of the https page is not loading. If we manually browse some https site from Firefox, IE the result is same showing " page cannot be displayed".
  Redirection to https is the problem which i have never faced with my other customer. This is the upgraded version of ISE from 1.2 to 1.3.

• Acrobat 9.0 Runtime Error Vista SBS 2003 Folder Redirection Issue

  I just got off of a two hour phone call with Adobe. They are unable to resolve my issue.
  After installing Acrobat 9.0, we receive the following error:
  "Microsoft Visual C++ Debug Library
  Runtime Error!
  Program: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
  The application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
  I have tried the recommend fix without success: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597
  Someone please help. The user is an Administrator of the machine. The typical AppData path is \\servername\direct\username\Application. I changed it to x:\username\application to no avail.
  This is a Vista machine, all updates, with Small Business Server 2003 with File Redirection.

  Try http://www.adobe.com/go/kb401589
  Especially solution 4.

• Button URL Redirect - Issue passing %null% from LOV

  I have issue when attempting to pass %null% from a LOV to a subsequent target page. The URL Redirect works fine when a value in selected in the LOV but passes gibberish "?ll" when no value is selected from the LOV. Can anyone shed some light on what's is going on?
  Redirect looks like this:
  f?p=112:411:508326687872582::NO:RP,411:P411_AGENCY,P411_CATEGORY,P411_BUDGET_YEAR,P411_OIT_OFFICE,P411_DESCRIPTION:002,%null%,2012,1665,webJeff
  Edited by: jwellsnh on Jun 2, 2010 4:42 PM

  svk1965,
  Thank you for your response, I read many other threads and you are definitely on the right track. Got impatient though and took my project on a different track which ended being a better solution for me after all.
  Jeff

• Oracle Apps R12 iRec URL Redirection issue

  Dear Friends,
  We have configured R12 i-Rec in an server and placed in DMZ.
  we have made this server as external and we have made the irec responsibilities to external and using the DMZ Server URL we were able to work without any issue.
  Now to publish this URL to Interner users with https and Port masking , we have mapped this URL http://abc.com:8020 to https://xyz.com using Microsoft UGC Firewall 2010.
  Now from Internet we were able to hit the URL https://xyz.com and could login as oracle application user with the same url https://xyz.com
  But when we click any of the irec responsilities (irecruitmnt agency (or) others) which is made external, the page is redirected to the Real DMZ Server URL http://abc.com:8020/OA_HTML/...
  and it shows error:
  The page cannot be displayed.
  I believe it should not happen , throughout the session it has to maintain the same new URL
  Please let us know the Fix.
  Regards,
  DB

  Hi;
  What is error in apache log file?
  Regard
  Helios

• CWA redirect issue and access across the WAN

  Hello,
  I am trying to get CWA working on my wireless ISE setup and am having an issue where the guest portal redirect is pointing to the wrong port.  My setup is as follows:
  The PSN has two connections - Gig 0 is on our management VLAN 172.24.x.x  Gig 1 is on our guest network VLAN 10.190.x.x
  Using a laptop I connect to the guest ssid and guest portal times out as it is pointing to 172.24.x.x instead of the guest vlan 10.190.x.x
  We do not want guest traffic on the corp network for obvious reasons.
  One more question - Is it possible to have guest access work across the WAN?  For example, we have the admin box in Detroit and a PSN in Chicago.  Detroit's guest network is routed through a tunnel to Chicago currently.
  Some more info:
  Here is from the radius authentication details -
  cisco-av-pair=url-redirect=https://172.24.24.41:8443/guestportal/gateway?sessionId=ac18180a000024a45151d92d&action=cwa
  How do I force it to 10.190.x.x and how does ISE get 172.24.24.41 for the redirect address? DNS? I guess I am unfamiliar with how cisco-av-pair attribute is determined.  Any help will be greatly appreciated.

  Have you ran anything such as MTR on a Linux box (or WINMTR equivalent on PC)?  If so, can you find a trend in loss or high latency on a specific hop on the path? I would ensure you adjust the ICMP payload size to a higher size such as 1000Bytes and adjust the ping interval to every two seconds or so.  This ensures you are not running into an issue where the provider is rate limiting your pings, which is not uncommon for some providers, if the pings (ICMP messages) are terminating on their endpoints.
  Do you have QoS policies applied on interfaces on either end of these pings / traces?  If so, do you have assurance that ICMP messages will not be impacted by queue based dropping or shaping latency?  One solution is, move traffic from your ICMP traffic with the source or destination of your ICMP ping and trace endpoint in a priority queue with adequate bandwidth (should be a very low requirement).  This may not make sense since your bandwidth utilization is low, but shaping of busy flows can actually occur long before congestion, depending on your design. 
  Another item that may give you better insight is running and monitoring / graphing IP-SLA probes between your routers on each end.  You could then trend issues and give graphed evidence to your provider.  They could then compare your lossy  and high latency periods to their appliance interface, memory, and CPU loads to see if they can find a correlating trend.  It can be a hard battle to get ISPs to not only admit they have issues, but allocate resources to isolate and resolve these issues.  Good SLA probe data showing that their paths are not meeting delivery standards speak much louder that pings to them.

• Virtual page redirection issue - VWLC

  Hello All,
  I am using ISE for external web authentication. Once client enter the UN and PWD in the ISE guest portal, the client must redirect to 1.1.1.1 that is the local web page. But i get a blank page..? And also if i use local web page for the redirection also it is not working ..?
  Any idea..
  KVS

  Symptoms or Issue
  The URL redirection page in the client machine's browser does  not correctly guide the end user to the appropriate URL.
  Conditions:
  This issue is most applicable to 802.1X authentication sessions  that require URL redirection and Guest Centralized Web Authentication  (CWA) login sessions.
  Possible Causes:
  There are multiple causes for this issue. See the Resolutions descriptions that follow for explanation.
  Please check the below link for URL Redirection Resolutions:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_troubleshooting.pdf

• WebAuth Redirect URL Duplication

  Hello
  I have WLC2106 with sw 4.2.205.0 and have enabled webauth, such that any users first attempt to connect to the internet will be intercepted as expected.
  This works fine if going direct to a link with NO proxy, and it works fine if adding ":8080" to the end of the url as well.
  I have the following problem though if I specify a proxy server in my IE settings (IE7).
  I go to open a web page
  http://192.168.1.1
  get redirectected to
  https://10.1.1.1 of the WLC, correctly so, however, the actual URL appears like this:
  https://10.1.1.1/login.html?redirect=192.168.1.1http://192.168.1.1
  so, once authenticated, which works fine, the redirect will try to pass the user to the website
  http://192.168.1.1http//192.168.1.1   (note the obvious duplicate in the address, but also the missing : in the second url)
  This does not happen when the proxy server setting is turned off and I have put the WLC virtual address in the proxy bypass list.
  I have also tried both with and without an address in the "Redirect URL after Login" text box.
  Has anyone experienced this, or, does anyone have any idea what it might be?
  Thanks in advance
  Anthony

  So the portal woks, but the user goes to their page on their iPhone. Have you tried to add the redirect in the HTML code instead? I have not had problems the way you have it setup on the wlc. On the iPhone are you using the browser to log in or are you joining the SSID and letting the iPhone pop up the login.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Fix for Bass Redirection issue in sig

  Hi everybody,
  I have just ordered a Teufel Concept E 5. Speaker System. For that reason I'm now also dealing with the purchse of a 5. sound card. At first my favourite was the Audigy 2 ZS, but now I'm hesitating because I've read on several forums that the Teufel System also suffers from the Audigy series' malfunctioning driver-implemented Bass Redirection (an issue firstly reported 3 years ago, January 2002!!!) when it comes to upmix a stereo source to 5..
  Just to remember: If Bass Redirection is unchecked in the drivers, the whole frequency spectrum of the stereo source will be directly sent to the front left/right channels (and no other channels), and the connected speaker system will have to split the frequency bands and feed its subwoofer with low-pass signals and the sats with high-pass signals (For example this is the case with Creative's own speaker systems which have internal crossovers). But most non-Creative 5. Systems don't have this internal functionality of mixing a stereo input up to subwoofer and sats. For such systems Creative implemented the "Bass Redirection" in their drivers: sub frequencies of the stereo source are low-pass filtered and sent to the discrete subwoofer output of the sound card. The issue is that this signal from the subwoofer output is too weak, forcing users to find workarounds to get bass when they're listening to stereo sources (such as Music in Winamp).
  This issue, although known for 3 (three!!!) years now, has not yet been fixed by Creative. In late November 2004, Cat has replied to the Monster thread dealing with this issue on the old forums (http://uk.europe.creative.com/support/forums/thread.asp?thre=396&foru=5&page=34) (scroll down), promising to forward the issue to the driver dev team, but since that day nothing has happened anymore.
  My question to the mods: is there a chance that this driver issue will be fixed in the near future? Otherwise I'll have to reconsider my options concerning my sound card purchase.
  gre-ez
  mcgyvrMessage Edited by mcgyvr8 on 0-20-2005 0:08 PM

  I have the same thing with this option -and I asking for fix (again....)
  I have Audigy 2 ZS OEM, Yamaha RXV-440 Home Cinema Recei'ver and big 5. home cinema speakers. Audigy 2 ZS is connected to Yamaha by 3 analog outputs (connecting it by spdif cause no CMSS stereo to surround upmix and only stereo sound for all none DD/DTS sound sources like MP3, games, mpg/DivX/XviD films...thats why I must connect them by annalog outputs/inputs).
  When I disable bass redirection then speakers have full frequency response (20Hz - 20kHz) but there is no any signal on sub output (when I play stereo sound with CMSS Stereo Surround enabled).
  When I enable bass redirection and set cutoff frequency to 70Hz then there is signal on analog sub out but speakers have bass cutted off (20Hz - 70Hz) and playing only frequencies from 70Hz to 20kHz
  This option causing waste of basse from speakers (they have beatyful basse but no with this drivers).
  Even when bass redirection is enabled, signal from sub output is very weak - I don't have so high sub volume regulation to turn it sound loud enough
  I have this problems on SB Li've, I have this problem on Audigy 2 ZS and this problem still exist on Audigy 4 !!! (I'am using now modded Audigy 4 drivers to work on all Audigy series but there is the same problem as in orginal A2 ZS drivers).
  I'am requesting only 2 fixes in drivers that is satisfy me completly (not only me - many people have the same problem):
  . Add an option that will disable bass cutting from speakers when bass redirection is enabled or make bass redirection working only for subwoofer without any speakers frequency cutting.
  2. Make signal from analog sub out louder because this volume level is not acceptable !!!
  Please...
  This problems causing that I starting to think about some other sound card from other producent...because that can't be Message Edited by FPPfan on 02-0-2005 08:52 PM

• Getting Redirect issue when clicked on CR controls after session expiry

  Dear Experts,
  I have a issue in my ASP.NET and crystal reports and the scenario is as follows:
  I have implemented some reports in my my ASP.NET page. If the page is left alone for 15 mins (assuming 15 mins is configured as session time out), and then click on any buttons in the crystal report control tool bar (like export, navigate and etc), I am getting the following error.
  Response.Redirect from inside an asynchronous callback method
  I get this error beacuse in my base class I check for validity of the session and do a redirect to home page using Response.Redirect() when the session in invalid. This code apparently fails as crystal report make a asynchronous call to the page when the toolbar is clicked.
  I got some links from other sites suggesting to add some java scripts to the response stream and etc. It did not work for me.
  I am sure some one would have faces this issues and got a fix for this. If so, please share with me
  TIA,
  Prem

  Not sure.  The only thing that comes to mind is to check for the session variable to see if its still alive in the Page_Init.  You might be able to trap it early enough there.
  Other than that, I doubt this can be resolved in these forums and I'd recommend creating a phone case here:
  http://store.businessobjects.com/store/bobjamer/DisplayProductByTypePage&parentCategoryID=&categoryID=11522300
  Ludek

• Servlet Redirection issue

  Hi,
  We have an web Application which uploads and Parses Excel File and redirects to an 1.jsp Page. We are facing an issue in redirection after Parsing Large Excel file greater than 15 MB, Tomcat is not able to redirect to 1.jsp. If we upload a Small Execl file, in this case redirection works fine. but we are facing issue with large Excel files. Browser does not show 1.jsp page. We are using RequestDispatcher to forward request to 1.jsp.
  Is there any issue with the connection timeout. our application is in tomcat which is beyond Apache. All our request go through Apache.
  I missed one more thing. from debugging we found out that tomcat is redirecting properly to 1.jsp but we are not able to see that page in the browser. The Entire process takes around 20 mins. We tried by sending direct request to tomcat on port 8080 bypassing apache in this case it works fine for large Excel files i.e. redirection works fine if we bypass the apache.
  Please help.
  Thanks.

  I tried changing it in Tomcat server.xml and also in apache configurations. Also i tried by setting timeout in jsp page. Timeout was set for 30 minutes.
  Nothing worked.