WiSM and GUEST web authentication

Similar Messages

• ISE and central web authentication

  Hello all,
  I have followed the steps in this document in detail:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
  however, my central authentication does not work. I get to the guest portal, i get authenticated through the guest portal,
  but then the "second" MAB authenticatino doesn't happen.
  In the last screencapture of the document, you get a green "Dynamic Authorization" line (third line from below). On my system
  this is a red line with the error message "11213 No response received from Network Access Device".
  (i have a successfull guest authentication in my ise logs, but it seems ise is unable to bounce or initiate the second MAB....)
  Any ideas ?
  regards,
  Geert

  By the way, i feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using a 802.1X client and are authenticated (and you have no other rules in your Autorization sequence table)
  I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy. Only do webautentication if MAC not known AND Wired_MAB is being used.

• Wlc flexconnect wlan local authentication and central web authentication maximum rtt

  Hi
  From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
  Is this limitation refer to web authentication also?
  Thanks
  Anyone???

  Central Web Auth (CWA) works different on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have similar setup. 
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
  Also, the version of code that you are running in ISE and your controller. 
  Thank you for rating helpful posts!

• FlexConnect VLAN Central Switching and guest WEB Auth

  Hi,
  I have a senario where all my AP's are flexconnect AP's, that is because og WVoIP.
  In most loacation I have a local intenet connection for guests, and beacuse of that the Guest SSID is locally sitched.
  I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest trafic.
  I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
  Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
  Hope some one can answer me.
  Thanks
  Aksel

  So create a new WLAN, the WLAN profile will be different that the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
  You now need to create AP Groups so you can specify site with local guest vlan's will use the original SSID and the sites with no guest local clan will use the new SSID you created.
  Here is a doc regarding AP Groups
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  Sent from Cisco Technical Support iPhone App

• Guest Web Authentication Passthrough Policies

  Without having to go to a NAC appliance or run 3rd party software, is there the capability inside a 5508 to enhance the passthrough policy to allow for user time-limits, download limits etc.?

  thanks for your prompt reply.
  the solution is to be a simple passthrough where users agree to some terms and conditions and are then limited to several hours and capped at 100mb of data. I dont want to create guest logins (potentially over 1000 users) and Im quite happy to allow them to have full bandwidth, just capped at 100mb.
  if I have to add another box can someone provide some examples? ie amigopod perhaps?

• Guest web redirect with redundant ISE

    Dears,
  I have redundant ISE configured (primary and secondary) and integrated cisco WLC 5508.
  I already configured SSID for Guest Web authentication.
  With primary ISE the redirect link is working fine but when I power off the primary ISE the redirect link stop working even if I changed the Role of the secondary to primary.
  Please I need your support,
  Regards,                

  Thank you for your reply,
  - Yes on the same nodegroup.
  - Yes resolved correctly in the DNS.
  - I will recheck it but I already create an ACL for redirect.
  - Yes the both ISE defined on the Radius Auth. on the WLC.
  Now I will check the ACL and back to you.
  Regards,

• WCS and Guest account / limited usage web authentication

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Here my problem I need to be able to limit my AD users to a 10min access to the WLAN.  I see you can do this for guest accounts, but you have to manually enter a username and password.  I would like the web authentication to use our ACS which is tied in to our AD.   Is there a way to do this? 

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Weterry,
  Here the whole story.  I have a bookstore that going to have “Demo” pc for students to buy.  The want to show the internet on these devices, but our security guy require all users to logon.  I was hoping to find a way to let user logon quickly to test these devices.
  I have already figure out the web auth and that great feature, but you have to manually enter each user.   If I could get that to use AD and limit each to 10min that would be great. I would like to setup a SSID for the demo devices and limit users to 10 min.
  I have 2 WiSM controllers running 6.0 also have WCS .
  Thanks
  Chappy

• Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

  Hello,
  I have configured a Guest SSID with web authentication (captive portal).
  wlan XXXXXXX 2 Guest
   aaa-override
   client vlan YYYYYYYYY
   no exclusionlist
   ip access-group ACL-Usuarios-WIFI
   ip flow monitor wireless-avc-basic input
   ip flow monitor wireless-avc-basic output
   mobility anchor 10.181.8.219
   no security wpa
   no security wpa akm dot1x
   no security wpa wpa2
   no security wpa wpa2 ciphers aes
   security web-auth
   security web-auth parameter-map global
   session-timeout 65535
   no shutdown
  The configuration of webauth parameter map  is :
  service-template webauth-global-inactive
   inactivity-timer 3600 
  service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   voice vlan
  parameter-map type webauth global
   type webauth
   virtual-ip ipv4 1.1.1.1
   redirect on-success http://www.google.es
  I need to  login on web authentication on HTTP instead of HTTPS.
  If I  login on HTTP, I will not receive certificate alerts that prevent the users connections.
  I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
  Web Authentication on HTTP Instead of HTTPS
  You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
  For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
  For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
  On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
  Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
  Thanks in advance.
  Regards.

  The documentation doesn't provide very clear direction, does it?
  To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

• OSX 10.10.1 with Cisco ISE guest portal using (CWA) central web authentication issue

  We have Cisco Wireless with ISE (Identity Service Engine) to provide guest access with CWA (central web authentication). The idea is to provide guest access with open authentication, so anyone can connect. Then when the guest trying to browse the internet it will be redirected to guest protal for authentication. So only corporate guest with valid password can pass the portal authentication. This is been working fine for windows machine, android, and apple devices with earlier OS version (working on OSX 10.8.5). For clients that's been upgraded to OSX 10.10.1 or IOS 8 they can no longer load the CWA redirection page.
  Please let us know if there's any setting under the OSX to solve the issue, or plan from apple to fix the issue on the next OSX/IOS release ?
  thanks - ciscosx

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Aironet 1140 FLEXCONNECT External Web Authentication and Apple Devices

  Hi!
  I'm having an issue with this Access Point.
  I've configured this access point with WLC in mode FlexConnect with web authentication.
  It's all right, i'm connecting with my PC in wireless, i open my web browser in windows, then the Access Point redirect me to External Web Authentication Page,
  i put my credentials, and  i'm redirected to my access point ( https:/1.1.1.1/login.html i accept the certificate) and then the Access Point redirect me to Internet.
  I do this with my android phone, it's all right again.
  I try to connect with iphone or ipad , i'm  redirected to External Web Authentication Page, i put my credentials, and i'm  redirected to https://1.1.1.1/login.html where the web browser don't ask me anything and i'm not redirected to Internet.
  Have you any idea?

  Thx you Scott, i understand what are you talking about, but my problem is different.
  I try to explain..
  I see the wireless network, i associate the iphone to this network, so i'm  redirected to Login page,
  as i use the "Apple Login" or i Open a Web Page .
  In this page , that i reach with all devices i put my credentials, then i will be redirected with all devices
  back to Access Point (https://1.1.1.1/login.html).
  In this page i should be   redirected to internet after Radius Authentication, but with Apple Devices this doesn't work.
  This is thw WEB AUTHENTICATION from Cisco Documents.
  The user associates to the web authentication SSID.
  The user opens their browser.
  The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
  The user authenticates on the portal.
  The guest portal redirects back to the WLC with the credentials entered.
  The WLC authenticates the guest user via RADIUS.
  The WLC redirects back to the original URL.

• Guest Parameter for Web Authentication

  Hi Forum,
  Just to find out a little more detail in regards to the guest account created for web authentication using Ambassador account.
  1) If the authenticated guest did not perform a proper logout, what action will the WLC take?
  2) As such, is there any timeout involved?
  Where can i tune the timeout?
  Rdgs,
  Kelvin

  Hi I just wanted to add what I have found regarding WCS and the guest feature.
  -There are two ways to configure a "local net user". The first is a static guest ID that has the "guest" flag off. This means that the client's session will not timeout. The second is to specify the "guest" user checkbox and give it a timeout value in seconds.
  This should let you control how long a user is logged in.
  From the WLC login, go to SECURITY --> LOCAL NET USERS --> then click on NEW. From there you can specify a user ID and also set that optional guest user box. If you click on the Guest User box then you will see a timeout field.
  With my guest account set to not be a guest user (no timeout value), I have noticed the following.
  1. If a guest gets disconnected, usually they will reassociate and still be able to log in.
  2. If a guest has problems, I usually tell them to disable their wireless card, close all browser windows, and then reassociate to the network.
  The steps above have worked well for my setup...

• Locally switched Guest WLAN with Web Authentication

  I have a remote location that has its own internet pipe.  I have set up a new guest SSID and set to switch locally and changed the AP mode to Flex connect. When I connect to the new SSID, I get an IP address from the local LAN, but the Web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interace of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

  You are close in your understanding.
  If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Guest access web authentication issue

  Hello experts-
  we have a problem concerning secure guest access. One controller 4402 is installed in DMZ and is working as guest anchor WLC. The guest user terminates as this anchor wlc. From this controller the client will get the ip address but when the user will open the browser and insert the url like www.cisco.com, there is no redirect to the web authentication page. If we try to reach the virtual IP via Web browser the authentication page will not be seen. Proxy setting in browser are deactivated. DNS works, if no authentication is configured Internet access is working well. But if we configure "Pass Thru", the client is in status "Authentication required" again.
  Has anybody any ideas?
  Thanks a lot, Martin

  First of all, when you configure the wlan to open, do you see that device on the anchor controller or the foreign wlc? You should see the user authenticated on the anchor. If not, then your mobility between the foreign and anchor is not working. Mping and Eping between the foreign and anchor wlc. Verify that the ssid has mobility anchor configured. Also you must make sure that your ssid on the foreign and on the anchor wlc. The webauth page will need to be installed on the anchor wlc along with the 3rd party certificate if you use one.

• WLC 4400/Web Authentication and proxy autodiscovery

  We have a guest-SSID where people authenticate via the build in web authentication and RADIUS.
  We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
  My question is if there is a smarter way to push proxy settings to guest users without user invention? How did you solve this?
  Regards,
  Rutger

  The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to Proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages thruogh, which are now allowed to pass to the proxy.
  The most fool-proof way I've come across is to use Transparent URL Redicection. This is something you can setup on a PIX / ASA, but requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
  Lots of documentation about how to achieve this via CCO.
  Regards,
  Richard

• External Web authentication server for Guest access

  I have a guest wireless wlan setup. When guest users attach to our guest wireless they are prompted by the built in web security on the WLC's.
  Cisco talks about how to setup the WLC to route web authentication to an external web server, but they don't say what kind of web server to use or examples.
  I need some help on getting an external web server to do web authentication. With the server we would like to get some basic info from the user. name, email, pupose of using wlan, and some background info they don't see like, computer name, mac address. This is all for tracking purposes.
  Hotels do this type of web authentication for example.
  Any help would be great.

  Hi Patrick,
  I'm having the same problem here. I configured my WLC that redirect the login page to WEB Server, but I don't know how configure the Web Server to back the credentials to WLC. Did you can solve this problem?
  thanks!
  Claudio