WLC 2504 - French characters for guest web login page

Similar Messages

• No Guest web Login Page

  I have setup an E1000 with no errors. Using a Win7 laptop, I can access both connections. Using  XP laptops people cannot use my guest account. They connect but the Cisco welcome screen asking for the password never displays. What am I doing wrong?

  With an E1500 and the guest account enabled: when guest (using MAC) connects to the Guest account, no login screen pops up after opening Safari. There is a message of "can't  access server" (or something like that).
  Have checked the Guest account settings and they appear correct.
  The same MAC machine can access the secure account without a problem. Have also tried using an iTouch, same results.
  These device do get an IP address assigned (192.168.33.xx) but we do not see a DNS or GW assignment. I assume the DNS/GW addresses don't get assigned till the password is entered, correct?

• WLAN Guest Acces login Page Http vs Https

  Hello,
  today i had made some Tests with the Guest Access Feature on an WLC 4402 Release 4.2.
  During the Test i have noticed that the Login Page only opens when i use a http Adress. By using a https Adress the login Page was not shown. Is this a normal behavior?
  Thank you and best Regards

  It might be that you have http:// enabled for admin access to your controller. Make the admin access https:// only, and your guest web auth page will also be https://

• Web Login Page - User Password Bug  -  11.1.2.1

  This may be covered in one of the thousand readme documents or elsewhere; however, I thought I'd share this here just in case it isn't or you don't want to search various PDF documents.
  We recently had a user complain that he could not login to FDM anymore. He used to be able to login with no issues; however, recently it would not let him in.
  To rule out system issues, we checked the following:
  - Verified others could authenticate FDM with no issue (OK)
  - Verified account unlocked in Active Directory (OK)
  - Tested logging in to FDM on other machines (Fail on all machines ruling out cookies, browsers, etc)
  - Checked Shared Services provisioning (To ensure he was indeed still provisioned for FDM)
  - Attempted logging in through Workbench (Failed, but good fail. Did not state unable to authenticate, but properly noted he was not an Admin and therefore could not use Workbench. Wonder why it "works" here but not web....)
  Since it was obviously not some type of system/account issue, we then checked:
  - What end user changes happened recently? (Password change)
  As the only recent change was the user's password change, I asked the user what the password changed to. The new password was pretty vanilla, though I did notice one potential issue in that it including the & character.
  As many here will note, the & character doubles as a concatenation character in VB/VBscript. As programs should be escaping any strings they attempt to process, this should not matter; however, if FDM isn't properly escaping via the web login page this may be causing the issue. After resetting the user's password without the & character, everything worked fine.
  So the moral of the story here is that apparently the FDM web login code behind doesn't escape the password string. The bad part is that it may prevent someone from logging in. The worse part is that this is a potential security problem since it may lead to code injection attacks.
  If you want to prevent end user issues, you may want to remove the & character from your domain's password policy.

  You may also be interested to know that using special character in the internal administrator id will cause issues on 11.1.2.1 and 11.1.2.2 actually documented the characters you should NOT use. See http://docs.oracle.com/cd/E17236_01/epm.1112/epm_deploy_guide_1112200.pdf
  I have also seen issues with the internal admin password when it was > 25 characters which caused the shared services migration utility to fail.
  The moral of the story is "secure" passwords dont' always play well with software. Which I could see being a problem in the 1980's. With the advent of Unicode and it's ilk it's sad to see that arbitrary text is not properly escaped. I know I"m ranting to the choir though Charles ;).
  Regards and Happy New Year!
  John A. Booth
  http://www.metavero.com

• WLC 2504 Guest Wifi login Page

  Hi
  Need some help. I have setup guest access on the controller and this is not working at the moment.
  DHCP server setup on the controller for the Guest users.
  You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
  Need to know how to fix this.
  Regards
  Chris

  George:
  Thank you for the ratiing.
  For this issue, they are getting the web-page and after providing the credentials it is redirecting to the original page.
  If there is no DNS available so how the host will resolve the URL IP in order to open the web-page?
  This is why I suggested to check DNS.
  From the link I posted above I quote:
  ...........The next step in the process is DNS  resolution of the URL in the web browser. When a WLAN client connects to  a WLAN configured for web authentication, the client obtains an IP  address from the DHCP server. The user opens a web browser and enters a  website address. The client then performs the DNS resolution to obtain  the IP address of the website. Now, when the client tries to reach the  website, the WLC intercepts the HTTP Get session of the client and  redirects the user to the web authentication login page.Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a “nslookup www.cisco.com" and see if the IP address comes back. ........
  If you are using a URL for the virutal interface then lack of DNS will not show you the credentials page at the first place.
  If no URL for virutal interface and you get auth page but after entering the credentials it does not successfully redirect one of the main reasons is DNS problem.
  You can still comment on this if you see it not accurate.
  Regards,
  Amjad

• WLC to ISE authentication for Guest

  Hi Experts,
  Hope if you could guide me with our setup for Guest users. Below is what we are doing
  a)     Guest connects to SSID
  b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
  c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
  The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
  'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
  Appreciate your help

  The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
  Please follow below guide for step by step configuration:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• E4200 Guest SSID Login page fails

  Config:
  Netgear ProSafe Gigabit Router is my DHCP Server -- The entire home net work is on the same subnet (192.168.15.xxx)
  Linksys E4200 configured as an access point ONLY -- wired connection -- static IP assigned -- DHCP server turned off
  Linksys WRT610N configured as an access point ONLY  -- wired connection -- static IP assigned -- DHCP server turned off
  3 -- 5 port gigabit switches
  1 -- 8 port gigabit switch
  No more than two switches between any two wired devices
  Both Linksys access points have the same SSID and WPA2 security phrase -- total of 4 radios
  Nonoverlapping channels are selected on both the 2.4Ghz and 5.0Ghz radio to minimize interference
  All computers are running Windows 7 Professional 64bit with all the latest updates
  Two iPhones and one iPad also access the network
  All LAN and WAN connectivity is working as designed
  Problem:
  guest SSID is turned on
  password is established
  All devices will connect to the guest SSID and the E4200 is assigning an ip address to the device in the 192.168.33.xxx range which is what it's supposed to do.
  When I open a web browser, I am not automatically redirected to the Cisco Login Page. If I enter 192.168.33.1 as the URL, the login screen is presented. I enter the password I have created in the guest admin page on the wireless guest tab.  I then see a blank page and a URL of 192.168.33.1/guestnetwork.asp. THIS IS WHERE I GET STUCK. THE ONLY WAY TO EVER SEE THE LOGIN PAGE AGAIN IS TO REBOOT THE E4200, otherwise you just get unable to connect messages when opening web browsers and the wireless status icon in the system tray shows a yellow exclamation mark.
  I successfully connect to the guest SSID but I do not get access to the internet. When I type ipconfig, I see that the DNS is set to 192.168.33.1 which does not exist on my network. I assume there's some internal NAT magic that is supposed to happen in the E4200 to bridge me over to my 192.168.15.xxx network but it doesn't seem to be happening.
  At the beginning of the call I specifically asked them if the E4200 must be the DHCP server in order for the guest SSID feature to work and they said no. 1.5 hours later they had no answers so they told me that it wasn't working because the E4200 was not the DHCP server. The documentation says nothing about a DHCP requirement for guest AP service. Linksys support further could not answer what you would do if you needed more than one AP with guest service enabled.
  It seems like this is a firmware issue but it may be the guest SSID service requires the E4200 to also act as the DHCP server. Can anyone shed any light on whether this is a bug or if the router/AP is working as designed?
  Thanks,
  (Mod note: Edited for guideline compliance.)

  Yes the E4200 must have DHCP turned on in order to pass out IP's to your Guest Network.  No DHCP, no Guest Network.

• Web Authentication - Web login page not displayed

  Cisco 4402 WLC running version 5.2.193.0
  Access Points: AIR-LAP1142N
  I have configured an SSID for WebAuthentication. When a wireless client logs into the WLAN the PC will associate to the AP but will then stop at the WEBAUTH_REQD stage.
  Internet Explorer will show the attmept to redirect to the virtual port at 1.1.1.1 but will not bring up the login page.
  IE shows : https://1.1.1.1/login.html?redirect=www.google.co.ukhttp://www.google.co.uk/
  The network is a flat network so this SSID is using the management interface.
  DHCP is being provided by the controller for this WLAN.
  I know the classic design should be for this to be implemented on a separate VLAN but my customer has not VLANed his network yet and this is planned at a later stage. I have implemented this on a flat network before and it has worked.
  Any suggestions would be much appreciated.

  I faced exactly the same problem as you have described above. The following is what fixed it for me, i am sure u try it to might fix it for u as well.
  In my scenario i found that my WLC controller had cipher-option sslv2 disabled. I enabled it and that resolved the issue for me.
  This is what needs to be done in order to do it :-
  It's best to enable it on the WLC and this is done from the CLI. It requires a reboot.
  ssh to the WLC
  enter the following command:-
  WLC>config network secureweb cipher-option sslv2 enable
  and then reboot.
  Once the WLC reboots u can check the status by issuing the following command:-
  WLC>show network summary
  The output should look similar to the following
  RF-Network Name............................. GTCR-CH-RF-GA
  Web Mode.................................... Enable
  Secure Web Mode............................. Enable
  Secure Web Mode Cipher-Option High.......... Disable
  Secure Web Mode Cipher-Option SSLv2......... Enable
  As u can see the Secure Web Mode Cipher-Option SSLv2 is now enabled.
  This should work.
  Hope this helps and all the best.

• Changing the default layout , theme for the default login page

  Hi All,
  I am new to the Portal development.
  I would like to change the default themes , and layout of the portal login page,
  How to do it. Required to Add or display  some News or FAQ's to the  unauthenticated users before login itself.Can any body tell me , what is the procedure, How to implement these above functionality
  Regards
  Vijay

  Hi,
  Now that the anonymous access solution has been provided, you may like to refer to these links for changing the logon screen and the themes.
  Talking about the login page, it depends on what kind of customization do you want to do.
  1) Do you want to change it entirely ?
  2) Or you want to keep the same layout but change the images ?
  Incase you wan to change it entirely, then refer to this weblog : Modifying The Logon Par(or customising the Logon Screen)
  And incase you want to change just the images, then go to System Administration -> System Configuration -> UM Configuration -> Direct Editing and change the following paramaters:
  ume.logon.branding_image
  ume.logon.branding_text
  To change the themes and applying them, refer to this document:
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8d9d9c90-0201-0010-e9a4-ed82031e1908
  Hope this helps.
  Cheers,
  Sunil
  PS: Reward points for helpful answers.

• Does anyone have the source code for doing a login page?

  I need to do a login page with capture the input from the username and password's textbox on webpage then validate the username and password in the database. If correct then direct the user to the main page, if not, will display a error page.

  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <html>
  <head>
  <title>Untitled Document</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  </head>
  <body bgcolor="#ccff99">
  <form name="form1" method="post" action="customercheck.jsp" target="_self">
  <p align="center"><strong><font size="5"><U>Customer Login</U></font></strong></p>
  <table width="75%" align="center" cellpadding="0" cellspacing="0">
  <tr >
  <td width="38%" rowspan="2" border="2" bordercolor="#000000" ><div align="center"><strong>New
  User? Click here.</strong></div></td>
  <td width="21%"><strong>User Name : </strong></td>
  <td width="41%"><input type="text" name="username"></td>
  </tr>
  <tr>
  <td><strong>Password :</strong> </td>
  <td><input type="password" name="password"></td>
  </tr>
  <tr>
  <td width="38%" bordercolor="#000000"> </td>
  <td colspan="2"><div align="center">
  <p> </p>
  <p>
  <input type="submit" name="Submit2" value="Login">
  </p>
  </div></td>
  </tr>
  </table>
  </form>
  </body>
  </html>
  <%@ page contentType="text/html; charset=iso-8859-1" language="java" import="java.sql.*" errorPage="" %>
  <%@ include file="Connections/conn1.jsp" %>
  <%
  String Recordset1__username = "%";
  if (request.getParameter("username") !=null) {Recordset1__username = (String)request.getParameter("username");}
  %>
  <%
  String Recordset1__password = "%";
  if (request.getParameter("password") !=null) {Recordset1__password = (String)request.getParameter("password");}
  %>
  <%
  Driver DriverRecordset1 = (Driver)Class.forName(MM_conn1_DRIVER).newInstance();
  Connection ConnRecordset1 = DriverManager.getConnection(MM_conn1_STRING,MM_conn1_USERNAME,MM_conn1_PASSWORD);
  PreparedStatement StatementRecordset1 = ConnRecordset1.prepareStatement("SELECT cust_id,username, password FROM customer WHERE username='" + Recordset1__username + "' AND password='" + Recordset1__password + "'");
  ResultSet Recordset1 = StatementRecordset1.executeQuery();
  boolean Recordset1_isEmpty = !Recordset1.next();
  boolean Recordset1_hasData = !Recordset1_isEmpty;
  Object Recordset1_data;
  int Recordset1_numRows = 0;
  if(Recordset1_isEmpty) response.sendRedirect("loginagain.html");
  String hi = Recordset1.getString(1);
  session.setAttribute("id",hi);
  session.setAttribute("right","hello");
  session.setAttribute("emp_right","tt");
  response.sendRedirect("availability.jsp");
  //response.sendRedirect("vacancytemp.jsp");
  %>
  <html>
  <head>
  <title>Untitled Document</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  </head>
  <body>
  </body>
  </html>
  <%
  Recordset1.close();
  StatementRecordset1.close();
  ConnRecordset1.close();
  %>

• 2504 WLC on edge network for guest wifi

  I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch.
  I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.
  I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.
  Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added
  ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.
  I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports that my core router and my WLC are connected to the edge switch, are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.
  I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.
  Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?
  Thanks for any help you can provide.

  right, and how does a 'normal/current' user access the internet?  Somwhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.
  if your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• WLC 2006 INTERNAL DHCP FOR GUESTS CLIENTS

  I would like to use the internal DHCP to issue ipaddress to the guest wireless clients.
  However; when i setup the wlc internal DCHP scope and try to connect to the wireless guest vlan the WLC debug DHCP reads ...forwarding to 192.168.255.2 which i have listed as the gateway to the pix
  any examples on how to do this would be great.
  here is what i have for the dhcp scope:
  Dhcp Scope Info
  Scope: Guest.Data.DHCP
  Enabled.......................................... Yes
  Lease Time....................................... 86400 (1 day )
  Pool Start....................................... 192.168.255.17
  Pool End......................................... 192.168.255.30
  Network.......................................... 192.168.255.0
  Netmask.......................................... 255.255.255.0
  Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
  DNS Domain.......................................
  DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
  Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0
  Here is what i have for the wlan
  WLAN Identifier.................................. 2
  Network Name (SSID).............................. Guest.Data
  Status........................................... Disabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Number of Active Clients......................... 0
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. Infinity
  Interface........................................ guest.data
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Enabled
  Quality of Service............................... Silver (best effort)
  WMM.............................................. Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  --More-- or (q)uit
  Radio Policy..................................... All
  Security
  802.11 Authentication:........................ Open System
  Static WEP Keys............................... Disabled
  802.1X........................................ Disabled
  Wi-Fi Protected Access (WPA/WPA2)............. Disabled
  CKIP ......................................... Disabled
  IP Security Passthru.......................... Disabled
  Web Based Authentication...................... Disabled
  Web-Passthrough............................... Disabled
  Auto Anchor................................... Disabled
  H-REAP Local Switching........................ Disabled
  Management Frame Protection................... E

  when i try to assocate the dhcp scope to wireless.guest.data interface using 192.168.255.1 which is the ip of the that interface it will not let me. I would have thought since i was using the interal dhcp that the .1 address would be the dhcp scope address also. i can assign 192.168.255.0 or 192.168.255.2(gateway)if i use .0 or .2 the dhcp request (discovery) process starts and then will forward to .2 (gateway) and never assign an address. the only thing that happens is that the client wireless interface will get 255.255.255.255 for a few seconds then go away.
  what i am trying to accomplish is to connect the wlc port 2 directly to a pix 506 which goes to the internet so the guest traffice is not on our vlan.
  any other suggestions on guest vlans would be appricated....
  Tom
  Interface Name................................... wireless.guest.data
  IP Address....................................... 192.168.255.1
  IP Netmask....................................... 255.255.255.0
  IP Gateway....................................... 192.168.255.2
  VLAN............................................. 150
  Quarantine-vlan.................................. no
  Physical Port.................................... 2
  Primary DHCP Server.............................. Unconfigured
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  ACL.............................................. Unconfigured
  AP Manager....................................... No
  Scope: wireless.guest.data.dhcp.server
  Enabled.......................................... Yes
  Lease Time....................................... 86400 (1 day )
  Pool Start....................................... 192.168.255.17
  Pool End......................................... 192.168.255.30
  Network.......................................... 192.168.255.0
  Netmask.......................................... 255.255.255.0
  Default Routers.................................. 192.168.255.2 0.0.0.0 0.0.0.0
  DNS Domain.......................................
  DNS.............................................. 0.0.0.0 0.0.0.0 0.0.0.0
  Netbios Name Servers............................. 0.0.0.0 0.0.0.0 0.0.0.0

• WLC in a DMZ for guest access

  I have one internal 4400 and one in a DMZ. I want to configure the DMZ WLC to provide Guest Internet access. I am unable to find much information on doing this. I have a WLAN called Guest defined on both controllers. And both controllers are defined in as mobility anchors. What I don't under stand is how to configure the interfaces. Do both interfaces for the WLAN Guest need to be in the same VLAN and subnet? Example:
  On the internal WLC WLAN Guest to tied to an interface named Guest with an IP address of 172.26.254.5/24 What does the interface need to look like on the DMZ WLC?

  This should get you on the right track:
  http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html
  Brad

• JSF/JAAS j_security_check for role-based login pages

  I'm looking for a way to take the login request after j_security_check is through and invoke logic in a backing bean somewhere to redirect the user (using Faces) to the appropriate view (via an outcome defined in the faces-config.xml, of course) based on the user's role. Is there a "JSF" (i.e. non-filter) way to do this that I'm missing? If not, I suppose I could try a filter if it will work.
  I've thought of just going to the same page and displaying different components, but I don't like that a lot, even using subviews. I thought about having two web apps, but find that to be a poor option. I really don't like trusting the user to remember/get a URL right beyond http://xyz.com or something similarly simple, as much to save them from frustration as anything else.
  Any ideas would be appreciated. I've scoured forums and Googled all day without much success, so I apologize if this is posted somewhere already. This seems like something that should be pretty simple and I may want to kick myself when I see the answer.

  Hi Brian,
  I do not believe it is j_security_check's job to check for blank
  passwords.
  In many security realms, it is "legal" for a user to have a blank
  password. j_security_check forwards whatever password was entered so that
  even users with blank passwords can be authenticated by the realm on the
  backend. For this reason I believe that j_security_check is "doing the
  right thing" by just forwarding whatever is presented to it, rather than
  having its own logic. It is best if j_security_check just acts as a very
  dumb middle man.
  If behavior was altered, it is true that your particular problem would be
  solved, but then many other people would have a problem with their users
  with blank passwords authenticating properly...
  Try looking into how to disable anonymous logins on the LDAP end of
  things. Hope this helps.
  Cheers,
  Joe Jerry
  brian wrote:
  I am using the LDAP Security Realm to authenticate against an iPlanet
  Directory Server. All works as expected when a user-id and password
  are entered for form-based authentication.
  However, when a userid is entered but no password, j_security_check
  logs the user in successfully. Aparently, this is correct LDAP
  behaviour as anonymous login to the LDAP server is permitted. It seems
  that the j_security_check servlet should check for blank passwords
  before trying to authenticate against the LDAP server and fail
  authentication if this is the case.
  Has anyone else experienced this problem?

• NAC 4.7 CAS web login page url generation

  We have had third part certs generated for the CAS and the CAM and these have installed OK, along with the relevant root and intermediate certificates, and the CAS/CAM are communicating fine.
  However when a user is redirected to the authentication page, the url generated is using the CN from the certificate..
  https://al-nac.sitename.local.companyname.co.uk/auth/perfigo.......etc.
  However the machine cannot resolve the url.
  We cannot add dns entries for this url, we only administer the sitename.local domain.
  Is there a way for the CAS to request the user to access a URL via an IP address?
  If I requested a new certificate, but use the IP address instead of the machine name, would the auhentiation page be referenced by this?
  Regards
  Tony

  I'll give our certificate issuer a call this morning,however I'm sure they mentioned in the past they need a resolvable name to generate the certificate?
  As when we asked for certificates for al-nam.sitename.local they have been unable to generate them, hence the CN=al-nac.sitename.local.company.co.uk
  Is this the same for generating certificates against IP addresses?
  Regards
  Tony