WLAN Web Authentication

I'm trying to set up web authentication for our guest WLAN. We have a WLC 5508 and I was able to get LDAP working successfully. Does anyone know if there is a way to read user accounts from a group instead of an OU? I was hoping to allow individual departments the ability to change the password for their guest account.

Well Ravinder, I'm afraid that your problem is clearly on the Ruckus Controller then if the problem only happens with web authentication.
I understand that the network becomes slow, right? It's not the ACS response time that is slow? That would just affect the login page submit time.
Nicolas
===
don't forget to rate answers that you find useful

Similar Messages

  • WLAN Controller Displays Interface IP in Web Authentication URL Instead of FQDN

    Hi,
    Can someone offer any help with the issue below please?
    I have a guest WLAN configured on a Cisco 2106 WLAN controller. Guest users are redirected to a Web Authentication page when they try to access the internet through a web browser, and can only proceed by successfully authenticating with the controller.
    The problem I have is that the guest users are presented with an SSL certificate error before they hit the web authentication page. I have installed an SSL certificate from Verisign on the controller, and have configured an FQDN for the interface that is used for the guest WLAN. However, the certificate error still persists because when the user is redirected to the web auth page, the URL in the address bar is presented as the IP address of the interface instead of the FQDN. For example, when a user is redirected, the address bar in their web browser displays https://1.1.1.5/ instead of https://guestwifi.domain.com/. The SSL certificate that is installed on the controller is securing the FQDN of the interface.
    I'm not sure if I'm missing something here, but I'm struggling to find how to get the FQDN to display instead of the IP.
    Thanks,
    Paul

    I'm not following what you mean when you say "FQDN for the interface that is used for the guest wlan"...
    I assume you configured the Virtual Interface to have the DNS entry as guestwifi.domain.com but clients are still being redirected to the virtual IP itself and not the DNS name?
    The only reason I can think of for that happening was if the WLC had not been rebooted since applying the DNS name to the Virtual Interface (it takes a reboot to modify client redirect stuff, the same goes for http vs https).
    So guestwifi.domain.com should have a DNS entry resolving to 1.1.1.5, that entry should be on your virtual interface, and upon reboot you should always redirect to guestwifi.domain.com unless you manually type https://1.1.1.5 in the browser.

  • Locally switched Guest WLAN with Web Authentication

    I have a remote location that has its own internet pipe. I have set up a new guest SSID and set it to switch locally and changed the AP mode to FlexConnect. When I connect to the new SSID, I get an IP address from the local LAN, but the web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interface of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

    You are close in your understanding.
    If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Wlc flexconnect wlan local authentication and central web authentication maximum rtt

    Hi
    The link below mentions that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
    Does this limitation refer to web authentication also?
    Thanks
    Anyone???

    Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screenshots of your configs (Redirect ACLs, policies in ISE and the WLC SSID settings).
    Also, the version of code that you are running in ISE and on your controller.
    Thank you for rating helpful posts!

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of the webauth parameter map is:
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in on web authentication over HTTP instead of HTTPS.
    If I log in over HTTP, I will not receive certificate alerts that prevent the users' connections.
    I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller!
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • No Web Authentication - but excluded client with reason code 4

    Hello,
    we are using a WLC 4400 with Software Version 5.0.148.0 and WCS Version 5.0.56.2.
    Access Points are AIR-LAP1131AG-E-K9.
    We have problems with one client (Windows XP SP3). The computer loses the wireless connection all the time, but we don't know why. Duration of the connections are different.
    So there are a lot of minor alarms saying “Client which was associated with AP, interface '0' is excluded. The reason code is '4(Web Authentication failed 3 times.)'.”
    But the wireless lan which is used by the client is not configured with Web Authentication!! It is only using MACFilter. That's very strange! (There is another wireless lan configured with Web Authentication.)
    The minor alarms are created by different Access Points, amongst others by the Access Point where the client is connected to! (All Access Points radiate all wireless lans.)
    Regarding this client, the syslog server often says:
    Sep 17 16:01:57.187 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M1 retransmissions exceeded for client LOCAL USE 0 ERROR CONDITION
    Sep 17 16:02:07.885 1x_ptsm.c:511 DOT1X-3-PSK_CONFIG_ERR: Client may be using an incorrect PSK LOCAL USE 0 ERROR CONDITION
    Last week I tried the troubleshooting of the WCS with the following effect:
    Time :09/18/2009 19:01:39 Message :Controller association request message received.
    Time :09/18/2009 19:01:39 Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    Time :09/18/2009 19:01:39 Message :Received reassociation request from client.
    Time :09/18/2009 19:01:39 Message :The wlan to which client is connecting requires 802 1x authentication.
    Time :09/18/2009 19:01:39 Message :Client moved to associated state successfully.
    Time :09/18/2009 19:01:39 Message :802.1x authentication message received, static dynamic wep supported.
    Time :09/18/2009 19:01:39 Message :802.1x authentication was completed successfully.
    Time :09/18/2009 19:01:39 Message :Client has got IP address, no L3 authentication required.
    I think the problem is hidden at the client but I don't know what it could be. The PSK cannot be incorrect because the client is able to connect to the wireless LAN but later loses the connection.
    Does somebody have an idea or know the error messages?!
    Greetings lydia

    Hi,
    I'm exactly with the same problem! Can you please tell me if you were able to solve this?
    Thank you!
    Best regards,

  • Redirect to web authentication not working on Cisco 5508 Wireless Controller

    Hi,
    I have a wlan with web authentication:
    http://i55.tinypic.com/w145zk.png
    and
    http://i51.tinypic.com/344sfm0.png
    When I connect to the SSID (I get a correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html); when I manually insert the URL I get "cannot display the webpage". Any idea?
    The virtual interface is 1.1.1.1.
    Here is a screenshot of interface and internal dhcp:
    http://i52.tinypic.com/2vkm1d2.png
    Any idea why clients are not redirecting?
    Thanks!

    Thanks for the reply dmantil!
    When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com; I get redirected only if I use the IP.
    I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.

  • Cisco Auto Anchor Web Authentication - NAS IP Address

    Hi,
    I've setup auto anchor web authentication for my guest network. I want my Web Authentication requests to be authenticated by ISE however need the authenticating device to be the Anchor Controller.
    I set up the WLAN to authenticate against ACS 4.2 and it works correctly; the NAS IP address is the Anchor controller. When changing the WLAN to auth against my ISE 1.2 server, authentications are sourced from the foreign controller.
    Has anyone come across this or know why ISE is seeing the NAS IP Address as the foreign wireless controller?
    Thanks,

  • Profiling Problem & Web Authentication Proxy

    Dear All,
    I am facing a problem with profiling of workstations over the wireless network, as ISE is marking these workstations as 'Unknown'. Whereas if I connect the same workstation using a wired connection then it gets profiled in the right category.
    Profiling for the wireless network was working fine initially, but as soon as I pointed AAA towards ISE in the employee SSID, ISE started marking any new workstation as 'Unknown'. Before enabling AAA in the WLAN (SSID) the profiling was working fine using the 'Radius NAC' setting in the advanced tab of the same SSID. Because of the unknown category, the workstation gets an authorization rejection as per the authorization policy.
    I have another query regarding enabling 'web authentication proxy' on the Cisco WLC. I have a guest wireless setup using a dedicated anchor controller and ISE is providing the guest sponsor and guest portal services. So when a guest user comes in and the user already has some proxy configured in the browser, then URL redirection for the guest portal doesn't work and the guest user must remove the proxy.
    So this requires someone to engage with the guest user, but the client wants this process to be automatic. I have gone through the following document,
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b8a909.shtml
    but I am not sure if this solution will also work if the guest portal service is through ISE instead of the WLC itself?
    Thanks & Regards,
    Mujeeb

    Not a problem. The reason your profiling is failing for wireless users is that the profiling information for DHCP isn't hitting the ISE nodes. For the wired devices, are you using the DHCP probe to profile the users? If so, then your issue is with the DHCP proxy setting on the controller. Even though you have the ip helper statement on the SVI, essentially your controller is proxying the DHCP broadcasts from the client straight to the DHCP server, so even if you enable the ip helper statements on the SVI for the ISE nodes it will not work.
    You are correct for the guests; typically if a guest has enabled proxy settings before, they should know that they should probably disable this setting when they connect to a new network.
    Also, I cannot remember, but aren't the proxy settings configured under the network settings tab? Meaning the only time you would experience this issue is if the SSID you are broadcasting is the same as the SSID they have connected to previously?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Web Authentication with MS IAS Server

    I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
    I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
    Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
    I don't really understand any of that and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?

    I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
    I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
    The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 9/3/2008
    Time: 11:00:55 PM
    User: N/A
    Computer: DC1
    Description:
    User SCOTRNCPQ003.scdl.local was denied access.
    Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
    NAS-IP-Address = 10.10.10.10
    NAS-Identifier = scohc0ciswlc
    Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
    Calling-Station-Identifier = 00-90-4B-4C-92-B7
    Client-Friendly-Name = WLAN Controller
    Client-IP-Address = 10.10.10.10
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 29
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server =
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user account does not exist.
    The policy is the default connection policy created when installing IAS.
    In ADUC, I've tried setting both the machine's and the user's Dial-In properties to Allow Access or Control through policy, with the same result.
    I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
    In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
    It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished.

  • Web authentication with Radius server problem

    Hello,
    I'm having a problem web authenticating users via a RADIUS server for one WLC. Here is the output from the WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear to me: RADIUS is refusing to give the user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from a WLC 5508 version 7.0.235.
    What is strange is that the user was able to authenticate from the other WLC 4402 ver 4.2.207 before the refresh. I cannot change the WLC because of APs which cannot run the old version.
    This is the output from a working client connection from the old WLC:
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know there is a different Policy Name used, but my question is why it is not using the same one as on the old WLC when the configuration is the same.
    Is there any way I can force users to use a different policy from the WLC or AP configuration, or is this solely configuration of RADIUS?
    Is it maybe a problem of version 7.0.235?
    Any thoughts would be much appreciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    As you can see from the logs, the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before:
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type.
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on the 4402 WLC and after the refresh and associating APs to the 5508 it all broke, so the client did not change anything on the adapter.
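    The thread turns on the 5508 sending NAS-Port-Type 19 while the 4402 did not, which changes which IAS remote access policy matches first. The following is an added example, not code from any of the posts: it builds a constructed Access-Request mirroring the dumped packet (same attribute types, order and 140-byte length, placeholder identities and authenticators), decodes its attributes with the names the IAS event uses, and runs a simplified first-match model of the two policies the poster describes; that policy model and all identities are assumptions.

```python
"""Decode a RADIUS Access-Request and model which IAS policy it falls into.

Added example for the thread above, not code from any of the posts. The packet
is CONSTRUCTED to mirror the dumped Access-Request (same attribute types, order
and 140-byte length) with placeholder identities; the policy rules are a
simplified model of the two remote access policies the poster describes."""
import struct

ACCESS_REQUEST = 1
NAS_PORT_TYPE_WIRELESS_80211 = 19
AIRESPACE_VENDOR_ID = 14179  # 0x3763 in the dump: Cisco WLC (Airespace) VSAs
# RFC 2865 attribute types that occur in the dumped packet.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 26: "Vendor-Specific",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              32: "NAS-Identifier", 61: "NAS-Port-Type", 80: "Message-Authenticator"}

# Attribute set of the 5508's Access-Request; identities are placeholders.
NEW_WLC_ATTRS = [
    (1, b"guest01"),                     # User-Name, 7 chars like the dump
    (2, bytes(16)),                      # User-Password, one obfuscated 16-byte block
    (6, 1),                              # Service-Type = Login
    (4, bytes([10, 0, 9, 20])),          # NAS-IP-Address (placeholder address)
    (5, 13),                             # NAS-Port = 13, as in the IAS event
    (32, b"wlc10-lab01"),                # NAS-Identifier (placeholder)
    (61, NAS_PORT_TYPE_WIRELESS_80211),  # sent by the 5508, absent on the 4402
    (26, struct.pack(">IBBI", AIRESPACE_VENDOR_ID, 1, 6, 1)),  # Airespace-WLAN-Id 1
    (31, b"192.168.1.61"),               # Calling-Station-Id = client IP (web auth)
    (30, b"10.0.99.20"),                 # Called-Station-Id (placeholder)
    (80, bytes(16)),                     # Message-Authenticator (placeholder HMAC)
]
# The 4402's event shows NAS-Port and NAS-Port-Type as <not present>.
OLD_WLC_ATTRS = [a for a in NEW_WLC_ATTRS if a[0] not in (5, 61)]


def encode_attr(attr_type, value):
    """Type-Length-Value encoding; integer values are 4-byte big-endian."""
    payload = struct.pack(">I", value) if isinstance(value, int) else value
    return bytes([attr_type, 2 + len(payload)]) + payload


def build_access_request(ident, authenticator, attrs):
    """Code(1), Identifier, Length, 16-byte Request Authenticator, attributes."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Return (code, ident, [(type, raw_value), ...]); reject inconsistent lengths."""
    if len(packet) < 20 or struct.unpack(">H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return packet[0], packet[1], attrs


def describe(attrs):
    """Render attributes the way the IAS event log names them."""
    fields = {}
    for attr_type, raw in attrs:
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type in (5, 6, 61):
            fields[name] = struct.unpack(">I", raw)[0]
        elif attr_type == 4:
            fields[name] = ".".join(str(b) for b in raw)
        elif attr_type == 26:  # (vendor id, vendor type, vendor value)
            vendor_id, vtype, vlen = struct.unpack(">IBB", raw[:6])
            fields[name] = (vendor_id, vtype, raw[6:4 + vlen])
        elif attr_type in (2, 80):
            fields[name] = "<%d bytes>" % len(raw)
        else:
            fields[name] = raw.decode("ascii", "replace")
    return fields


def evaluate_policy(fields, auth_type):
    """First-match model of the two policies in the thread: 'Wireless Users'
    matches NAS-Port-Type == 19 and only allows EAP (reason 66 otherwise);
    'Wireless Guest Access' is reached only when that condition fails."""
    if fields.get("NAS-Port-Type") == NAS_PORT_TYPE_WIRELESS_80211:
        if auth_type == "EAP":
            return ("Accept", "Wireless Users", 0)
        return ("Reject", "Wireless Users", 66)
    if auth_type == "PAP":
        return ("Accept", "Wireless Guest Access", 0)
    return ("Reject", "Wireless Guest Access", 66)


def classify(packet, auth_type="PAP"):
    """Parse a raw Access-Request and return (decision, policy, reason code)."""
    return evaluate_policy(describe(parse_radius(packet)[2]), auth_type)
```

    Web auth on the WLC is PAP, so the constructed 5508 packet lands in the first policy and is rejected with reason 66 exactly as in the IAS event, while the same attributes minus NAS-Port and NAS-Port-Type fall through to the guest policy.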

  • Repeated wlc 5508 client web authentication

    I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. The session timeout is set to 4 hours; however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
    I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC.  For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
    I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
    The WCS screenshot shows a good example of how often this occurs!  Is the client actually re-associating with the AP (which in turn would require a web reauth)?  Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
    I do have a TAC case opened up, but was wondering if anyone has experienced this before?
    Sorry for the rambling...

    Rene,
    I did several things and at least one of them seemed to resolve the issue:
    These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
    1. Upgrade WLC to 7.0.98.218 [self explanatory]
    2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
    3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
    4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
    5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
    I think that the TKIP and/or DHCP setting was integral as part of the resolution.  I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
    Good Luck,
    Rob.

  • Radius server web authentication using ISE

    Hi,
    Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
    I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller; therefore I don't think I can implement central web auth on ISE as detailed in the user guide, as it's layer 2 and auth requests come from the foreign controller.
    The following link explains "Radius Server Web Authentication" using ACS. I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    Thanks,

    Hi,
    Please check these:
    Central Web Authentication on the WLC and ISE Configuration Example
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
    Regards
    Don't forget to rate helpful posts

  • Does this support EAP? LEAP? PEAP? Web Authentication?

    I am trying to access my college network at Baruch, and it's not letting me get past the authentication. Safari just freezes. Is the iPad EAP compliant? The iPhone works fine. If it's not, is Apple working on a fix?
    Honestly, for an app to promote keynotes, logging into a client's network before a presentation, I see huge problems with this. What if the client uses web authentication to access Wifi? Is there a fix around this?
    Thanks

    I assume EAP types are supported just like on an iPhone. If you manually configure to connect to a wireless network, are WPA/2 Enterprise choices listed? If so, that implies EAP support.
    I believe I saw other complaints about web auth not working. I assume that's an issue with iPad Safari not being able to interpret the web auth page coming from the wireless access point/controller.
    I'm unclear on what you're trying to connect to: a WLAN using web auth or LEAP/PEAP/etc.? They are usually not used together.

  • Local Web Authentication Started after Central Web Authentication

    Hi everyone,
    We have a DMZ based anchor WLC for a guest WLAN. I have this WLAN configured for central web authentication using ISE 1.2, this works correctly and can login using the guest portal.
    However, after logging in, when browsing to a website everything is redirected to the local web authentication page and the policy manager state for the client goes into a WEBAUTH_REQD state. I currently don't have any layer 3 security configured for this WLAN, so from my understanding it should just be using the central authentication provided by ISE.
    Thanks for your help.
    Mark

    Hi Mark,
    Thanks - that looks very similar to ours, though I'm doing the 3850 via the CLI as the web UI keeps dying when I click into things.
    I've realised that I unticked the Authentication servers box instead of the Accounting as I misread the WLC page; however, while the LWA no longer kicks in, I'm unable to pass anything except DNS traffic. The Anchor says that the client is in "Webauth" state so it looks like it's expecting something, but ISE says it's all ok and I can see the 3850 traffic going through the process flow.
    If I attach an AP to the WLC directly and have the accounting box ticked, then it all works exactly as I'd expect - this is just, well, odd....
    Warmest
    Kev
