WiSM 7.0.116 Web-Auth Fail & GUI Management Fail

Similar Messages

• WEB AUTH problem on WISM

  HiGuys We are facing issue in authenticating guest user via web authentication on WiSM.We have WiSM with 270 APs. We have guest ssid with web-auth enabled.we are running 4.2.061 code. It was working fine till last week, now suddenly it keeps getting off. Users are not getting web-auth login page. We had to disable the web-auth & reenable it then it again starts working. I dont know wht to do in this case. didnt find any log..whts going on in background.
  need help to resolve it.
  Thanks
  NK

  I had the same basic issue and after reseaching found caveat CSCsk54969 which is a pretty close match. This caveat has been fixed in release 4.2.130. I have just upgraded to this release over the week end so to soon to tell yet.... fingers crossed...

• Web Auth FAIL on guest wlan

  We have a 2100 Wlan controller set up with multiple wlans.
  We are having problems on the Guest VLAN in that everytime a user tries to authenticate via Web Auth, they fail and are redirected to the username/password page.
  Local accounts have been added and the WLAN has been set up to use web auth but each time a user tries to authenticate the following message is in the log:-
  NOV 21 09:47:21.852 pem_api.c:4513 PEM-1-WEBAUTHFAIL : Web Authentication Failure for station aa:bb:cc:dd:ee:ff
  If the box is rebooted it works for around an hour, then begins to fail again.
  Any ideas?

  Here is the configuration guide for the Webauthentication for WLC with example it may help you to troubleshoot and configuration
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

• WLC Web-auth fail with external RADIUS server

  I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
  My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
  WLC 4402 version 4.1.171.0
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

  Hi,
  I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
  In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
  : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
  Can someone tell me what's wrong?
  *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
  *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
  *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
  *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
  *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
  *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
  *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
  *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
  *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
  *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
  *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
  *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
  *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
  *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
  *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
  *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
  *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
  *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
  *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
  *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
  *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
  *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
  *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
  *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
  *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
  *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
  *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

• Auto login with web auth?

  I have a guest WLAN on a mobility anchor that uses web auth for access. There is a small set of local users, but the majority of the auth comes from a Radius server. Question is, can I setup some type of policy that will auto login users based on MAC address so they don't have to web authenticate?
  Thanks!
  Edit: I have seen where you can enable mac filtering on the WLAN and specify individual mac addresses to permit. This would work, but I still want web auth for the majority of users. Only a few users should be automatically connected. The rest should still authenticate via web auth.

  Well I have some fantastic news.... and then some horrible news at the same time...
  In 7.0.116.0 a new feature was introduced called web auth on mac-filter failure.  Basically it does exactly what I think you are asking. Right?   You mac filter your wlan, and then if anyone fails the mac filter, they can web authenticate. 
  Unfortunately, it doesn't work in an Anchored scenario  as the Mac filter is L2 performed on the Foreign WLC, and the Anchor does L3 with no knowledge the Foreign was good to bypass webauth....   CSCts54424 is tracking this behavior for Anchor scenario, but I don't think it is planned to go into 7.0......

• Web-Auth Admin Page not loading

  I have a WLC 2504 Controller which is set up for guest wireless using the Web-Auth feature / Lobby Ambassador.
  When I web browse to the Controller and enter my credentials no page is displayed.
  The log file displays the following error:
  #CLI-3-LOGIN_FAILED: cliutil.c:632 Login failed. User:lobby-admin, Service type:11. unknown service type.
  However when I run a debug aaa events I see the following event that the user passed authentication.
  *emWeb: Mar 17 18:54:53.120: Authentication succeeded for lobby-admin
  The wireless controller version 7.6.130.0
  There is genuinely nothing fancy about the set up and done these loads of times.
  I have tried this with Google Chrome, IE and Firefox using both HTTPS and HTTP and it's still exactly the same problem.
  Regards
  Greg

  Which authentication protocol do you want use and does the request from the WLC hit the correct policy on the authentication server?
  If you want to use radius as the authentication protocol you need to return the radius "Service-Type" attribute with value "Callback Administrative" for a lobby admin user. If you go with tacacs you need to use role based authentication. For example "role1=ALL" gives the user access to all the tabs in the GUI.

• How to tweak Web-Auth Policy timeout on WLC?

  Hello,
  Is it possible to change Web-Auth Policy timeout? Currently I am talking about 5508, but it could be WiSM also.
  Thank you.

  You need to be clear on what thing though, the webauth policy timeout has nothing to do with authenticated users.
  This is time we will wait on a client to perform a Webauthentication and move to a RUN state.
  If a user is hitting webauth timeout, they are going to be removed because they aren't a working client anyhow.
  The only exception to this pre-auth ACL I suppose where you want users do webauthenticate if they go outside of a specific webpage, but have unlimited access to that one page.
  Either way, I agree the timer needs to modifiable, but you need to make sure you're fighting for the right timer.
  If your clients are going to sleep and they Dissasocciate, of course they will have to reauth, the disassociate removed them from the enterprise network entirely.
  If they are sleeping though, and timing out because of a normal IDLE timeout (not web policy timeout), that is modifed on the Controller TAB of the GUI for "User Idle Timeout".

• "Auth type not supported by External DB" error for web-auth SSIDs

  Hello
  We're having a problem with web-authentication on our 4404/WisM controllers since we moved to software rev 5.x (currently running 5.1.151.0).
  With software rev 4.x our web-auth SSIDs would send the authentication requests to a Cisco ACS4.0 which would then authenticate the users against MS Active directory.
  Now (with rev 5.x) the same SSIDs cannot authenticate users against AD, the error in the ACS is:
  Auth type not supported by External DB
  Found the following Cisco Doc regarding the problem: Cisco Secure ACS and Windows AD EAP/802.1x port authentication fails with the Auth type not supported by External DB error message - Case Number K24308566. Done a packet capture on ACS to see authentications coming in and the ones that fail with above error are using CHAP - from the Cisco documentation, MS AD doesn't support CHAP.
  Any ideas on how I can get the web-auth working again with software rev 5.x ?
  Thanks
  Andy

  my apologies - theres a setting under Controller - General for Web Radius Authentication. changed this from CHAP to PAP and its now working ok.

• Web-Auth with 802.1x

  Environment is WLC 2106 with 4 LWAPP access points. Currently running 2 WLANs: 1 using 802.1x authentication with a Windows IAS (RADIUS) server for Active Directory authentication; 1 using basic WEP for guest access that drops the user in it's own secure VLAN.
  I am trying create a 3rd WLAN that uses Web-Authentication using 802.1x RADIUS that passes the username/password to the Windows IAS server. I can see the request being passed to the IAS server, but it is being logged on the IAS server as:
  An Access-Request message was received from RADIUS client WLAN Controller without a message authenticator attribute when a messages authenticator attribute is required. Verify the configuration of the RADIUS client in the Internet Authentication Service snap-in (the "Client must always send the message authenticator attribute in the request" checkbox) and the configuration of the network access server.
  I already have the one WLAN using 802.1x where the RADIUS client on the IAS server has the "Request must contain the Message Authenticator attribute" checkbox checked and it works jsut fine. It is just the Web-Auth using 802.1x where it seem the authentication isn't being passed properly to the RADIUS server. I cannot figure out what I am doing wrong or missing.

  Hi,
  I don't know if you have resolved the problem or not, But I will propose my solution anyway,
  There are two ways to solve this problem, either to make the controller send the radius request with md5 or make the windows reply to the radius requests that does not contain a md5 hash
  Microsoft Solution:
  When you add the Radius Client using the wizard there are certain options that don't show; for instance the md5 attribute that is causing the IAS to drop the web auth requests. So what you need to do is after you use the wizard, you right click on the client that you added (in our case the WLC) and uncheck the box that says "Access-Request message must contain the Message-Authenticator attribute" (attached is a screenshot).
  That should make the IAS respond to the web auth requests.
  WLC Solution:
  I haven't tested this solution, but I think it will work. if you did test it, please let me know how it turned out.
  By default, the Web Radius Authentication is set to "PAP" (can be found in the Controller Tab @ the WLC GUI), you need to set it to MD5-CHAP. (attached is another screenshot).
  Hope that solves your problem, and please let me know how the problem was solved.

• Web auth with , intenal web page of WLC and ISE as radius server

  Hi All ,
  We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server.  AD is integrated with ISE .
  When the user tries to get connect , he is getting redirect URL . But during the authentication , we are getting error in ISE as
  "ise has problems communicating with active directory  using its machine credentials "  and authentication getting failed .
  When we have L2 security mechanism enabled with PEAP , ISE is able to read the AD and providing authentication .
  Only for L3 web auth it is not happening..
  Any clue on this ..???
  Thanks,
  Regards,
  Vijay.

  Machine credentials requires a lookup on the computer OU and that has to be defined on the client side.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Guest WLAN and Web Auth?

  Hi Guys,
  Maybe someone can help me out?
  I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
  "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
  What I tried so far is..
  add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
  changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
  changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
  I've attached some screenshots of our configuration.

  Troubleshooting Web Authentication
  After you configure web authentication, if the feature does not work as expected, complete these
  troubleshooting steps:
  Check if the client gets an IP address. If not, users can uncheck
  DHCP Required
  on the WLAN and
  give the wireless client a static IP address. This assumes association with the access point. Refer to
  the
  IP addressing issues
  section of
  Troubleshooting Client Issues in the Cisco Unified Wireless
  Network for troubleshooting DHCP related issues
  1.
  On WLC versions earlier than 3.2.150.10, you must manually enter
  https://1.1.1.1/login.html
  in
  order to navigate to the web authentication window.
  The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
  connects to a WLAN configured for web authentication, the client obtains an IP address from the
  DHCP server. The user opens a web browser and enters a website address. The client then performs
  the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
  website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
  authentication login page.
  2.
  Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
  Windows, choose
  Start > Run
  , enter
  CMD
  in order to open a command window, and do a  nslookup
  www.cisco.com" and see if the IP address comes back.
  On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
  address comes back.
  If you believe the client is not getting DNS resolution, you can either:
  Enter either the IP address of the URL (for example, http://www.cisco.com is
  http://198.133.219.25)
  ♦
  Try to directly reach the controller's webauth page with
  https:///login.html. Typically this is http://1.1.1.1/login.html.
  ♦
  Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
  be a certificate problem. The controller, by default, uses a self−signed certificate and most web
  browsers warn against using them.
  3.
  For web authentication using customized web page, ensure that the HTML code for the customized
  web page is appropriate.
  You can download a sample Web Authentication script from Cisco Software Downloads. For
  example, for the 4400 controllers, choose
  Products > Wireless > Wireless LAN Controller >
  Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
  LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
  Bundle−1.0.1
  and download the
  webauth_bundle.zip
  file.
  These parameters are added to the URL when the user's Internet browser is redirected to the
  customized login page:
  4.
  ap_mac The MAC address of the access point to which the wireless user is associated.
  ♦
  switch_url The URL of the controller to which the user credentials should be posted.
  ♦
  redirect The URL to which the user is redirected after authentication is successful.
  ♦
  statusCode The status code returned from the controller's web authentication server.
  ♦
  wlan The WLAN SSID to which the wireless user is associated.
  ♦
  These are the available status codes:
  Status Code 1: "You are already logged in. No further action is required on your part."
  ♦
  Status Code 2: "You are not configured to authenticate against web portal. No further action
  is required on your part."
  ♦
  Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
  already logged into the system?"
  ♦
  Status Code 4: "You have been excluded."
  ♦
  Status Code 5: "The User Name and Password combination you have entered is invalid.
  Please try again."
  ♦
  All the files and pictures that need to appear on the Customized web page should be bundled into a
  .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
  login.html. You receive this error message if you do not include the login.html file:
  Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
  Authentication Configuration Example for more information on how to create a customized web
  authentication window.
  Note:
  Files that are large and files that have long names will result in an extraction error. It is
  recommended that pictures are in .jpg format.
  5.
  Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
  Other browsers may or may not work.
  6.
  Ensure that the
  Scripting
  option is not blocked on the client browser as the customized web page on
  the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
  7.
  Note:
  The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
  messages for the user.
  Note:
  If you browse to an
  https
  site, redirection does not work. Refer to Cisco bug ID CSCar04580
  (registered customers only) for more information.
  If you have a
  host name
  configured for the
  virtual interface
  of the WLC, make sure that the DNS
  resolution is available for the host name of the virtual interface.
  Note:
  Navigate to the
  Controller > Interfaces
  menu from the WLC GUI in order to assign a
  DNS
  hostname
  to the virtual interface.
  8.
  Sometimes the firewall installed on the client computer blocks the web authentication login page.
  Disable the firewall before you try to access the login page. The firewall can be enabled again once
  the web authentication is completed.
  9.
  Topology/solution firewall can be placed between the client and web−auth server, which depends on
  the network. As for each network design/solution implemented, the end user should make sure these
  ports are allowed on the network firewall.
  Protocol
  Port
  HTTP/HTTPS Traffic
  TCP port 80/443
  CAPWAP Data/Control Traffic
  UDP port 5247/5246
  LWAPP Data/Control Traffic
  (before rel 5.0)
  UDP port 12222/12223
  EOIP packets
  IP protocol 97
  Mobility
  UDP port 16666 (non
  secured) UDP port 16667
  (secured IPSEC tunnel)
  10.
  For web authentication to occur, the client should first associate to the appropriate WLAN on the
  WLC. Navigate to the
  Monitor > Clients
  menu on the WLC GUI in order to see if the client is
  associated to the WLC. Check if the client has a valid IP address.
  11.
  Disable the Proxy Settings on the client browser until web authentication is completed.
  12.
  The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
  RADIUS server for this to work. In order to check the status of client authentication, check the
  debugs and log messages from the RADIUS server. You can use the
  debug aaa all
  command on the
  WLC to view the debugs from the RADIUS server.
  13.
  Update the hardware driver on the computer to the latest code from manufacturer's website.
  14.
  Verify settings in the supplicant (program on laptop).
  15.
  When you use the Windows Zero Config supplicant built into Windows:
  Verify user has latest patches installed.
  ♦
  Run debugs on supplicant.
  ♦
  16.
  On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
  > Run > CMD:
  netsh ras set tracing eapol enable
  netsh ras set tracing rastls enable
  In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
  will be located in C:\Windows\tracing.
  17.
  If you still have no login web page, collect and analyze this output from a single client:
  debug client
  debug dhcp message enable
  18.
  debug aaa all enable
  debug dot1x aaa enable
  debug mobility handoff enable
  If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
  Service Request Tool (registered customers only) in order to open a Service Request.
  debug pm ssh−appgw enable
  debug pm ssh−tcp enable
  debug pm rules enable
  debug emweb server enable
  debug pm ssh−engine enable packet

• Having trouble with custom web auth page on 4404

  Hi all
  I am having trouble with a custom web auth page on my controller, we have edited the original file, but when we click login it goes to page cannot be displayed and it doesnt redirect to the page I want, however when I close the window and reopen it has already authenticated me.
  Has anyone got a copy of some working html code I can use ?
  cheers

  There is sample Web Authentication bundle avaiable for download from cisco.com. if you go to the software download page and go to Wireless->Standalone Controllers->4404 you should see a link for Wireless Lan Web Authentication Bundle.
  Its the same bundle whether you have a WiSM, 4404 or 2100

• Loading web auth bundle for pass through

  I have created a web page using the web auth template that I downloaded from Cisco.  Am I just supposed to upload the TAR file that I created from the wap folder or do I have to upload the entire bundle that I downloaded from Cisco created as a TAR file?
  Thank you.
  I have attached the files I am using and cannot get them to load on the web browser when I click on preview.  The login.tar file loads onto the controller with no problem and reports succesful installation.
  Seth

  You need to use a Linux/unix box or else on windows you can use 7-zip, pico zip or power archiver.
  Per this doc
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_user_accts.html#wp1183650
  Note
  If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
  Sent from Cisco Technical Support iPhone App

• Customized Web-Auth Bundle

  Hi
  I am trying to upload a customized web-auth bundle to a WLC 5508 and having some issues.
  I have downloaded the web-auth bundle from Cisco and used this as a template to create the web pages.
  I seem to recall that there is only a couple of Windows tools that you can use to TAR the file such as TUGZIP and IZARC. Anyway I have tried both and I still cannot get the file to extract. I have tried to strip the file out so that I only send up the login.html page and even this does not work.
  I am using a software release 7.0.220.0
  The error message I receive when I do a TFTP is
  Error extracting webauth files.
  Any help would be appreciated
  Thanks
  Greg

  Hi Greg:
  I hope you find the answer here:
  You can compress the page and image files used for displaying a web authentication login page into a.tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller's file system as an untarred file.
  Note If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
  Reference: http://tiny.cc/rbqbfw
  So double check the size and tarring utility.
  Try to use WinRar or 7Zip if the tarring format is the issue.
  HTH
  Amjad

• Web auth with proxy

  I want the automatic redirection to the login page work when a proxy is configured in the IE parameters.
  I used the command "config network web-auth-port 8080", but when I open IE, I'm not redirected to the login page (the DNS request works).
  When I do a "telnet www.google.com 8080" and then "get http", I get the page.
  Any idee?

  In my experience it does not work with a proxy. If you disable the proxy you will get the login and then get redirected, which will then fail until you enable the proxy settings. WLC will try to resolve the homepage of that user, which of course will fail since it doesn't know of the proxy. You will have to either use a term and condition on a custom WebAuth page or implement a content filter application like WebSense.