WLC 4400 web auth issues

Hello,
I am experiencing an issue with my model 4404 Wireless controllers that has plagued me for some time now. I have two controllers with 106 AP's split evenly between the two controllers. One of my SSID's is setup with web authentication.  I have one Radius server (Cisco ACS v 4.1). The problem only exists for the SSID that uses web authentication. Reports begin to come in that students cannot login to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login). I obtain one of the student logins for testing and here is what I have found. I attempt to login to the student wireless with this account and recieve the same results as the student. I have an AP in my office that I use for testing so I force it on to the other controller. At that point the account in question works. I can login without any issues. I force the AP back to the initial controller and experience the same issue, I cannot login. No error of bad username and password, just login fields that go blank. More reports come in that students cannot login and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more and then it all starts over again. The next time it may be the other controller that is experienceing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down.  I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix. Does anyone know if this is a known issue with this model controller?
Thanks much for any help.

Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in possibly due to being logged in somewhere else. At that point I pour over every client on the controller even filtering by mac address. I see no evidence of the client being associated or authenticated. On a side note I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of radius accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.

Similar Messages

  • PALM with WLC 4400 (Web Auth Portal)

    We cannot get the Web Portal splash page to display on wireless Palm units....the site simply hangs. Is there any fixes out there for this problem. Thanks for all replies!!

    Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be the certificate is not valid and the Palm has no way to prompt for that message like a laptop. Any ideas?

  • WLC 5508 Web Auth and EAP / PEAP

       Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school, a few years age I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have setup a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests  ( through an ASA ) onto a RADIUS server which is tied into AD. I have a CA setup as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are web authentication you cannot use dot1x as L2 security , so EAP is not an option.
    But you can use preshared security , like WPA2 AES with web auth to insure that the traffic is encrypted.
    or you can define a wlan profile with dot1x security on l2 and nothing on l3 , by doing so you would definetely hit the utmost security poossible.
    Check the following link which contain couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • WLC 4402 web auth Internal login page

    Hi,
    We recently upgraded our code on our wlc and now our internal web auth page has a nice teal colored L shaped bar in the right upper part of the screen.
    Is there a way to edit the internal web auth page other than just uploaded a new bundle to the box?
    When I view the source of the preview page I can see the exact coding that is causing the issue.
    Thanks for any ideas.
    Code 4.1.185.0
    Craig

    The only way is to customized the code and then upload it to the wlc as a tar file. Of course, you will have to set the wlc to custom webauth and not internal webauth.

  • WLC Custom Web Auth Bundle sample .tar file is not on WCS

    The WLC documentation would make it appear (or maybe previously) you should download a sample web auth bundle code from the WCS Templates. I was never able to find a sample .tar file on the WCS 7.0.172.0 templates.
    However I found on Cisco.com under Support > Downloads > Products >Wireless> Wireless LAN Controller Standalone Controllers> Cisco 5500 Series Wireless Controllers > Cisco 5508 Wireless Controller > Wireless Lan Controller Web Authentication Bundle-1.0.2  > webauth_bundle-1.0.2.zip
    It was updated in June 2011, some pretty good sample html code.
    The readme.html in the sample webauth_bundle-1.0.2.zip file has been very helpful , almost as good as the suppport community web page on custom web auth.
    https://supportforums.cisco.com/docs/DOC-13954

    WCS config guide 7.0.172 is correct
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0MR1/configuration/guide/temp.html#wp1129979
    The bundle in WCS is downloaded through :
    configure->controller
    "select a command"-> download customized webauth bundle.
    Just tested it and it was there.
    The one on cisco.com is better though

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe).  This shouldn't be a problem considering a .doc size, but I have to ask the same question.   Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html?  Maybe there is a good reason, but I can't really think of any scenario.  Feel free to elaborate.

  • WLC Customized Web Auth

    can i have a customized web auth portal loaded into the WLC? or i need to have an external server and load the customized web auth.                  

    Here is a link
    http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=282791507&release=1.0.2&relind=AVAILABLE&rellifecycle=&reltype=latest

  • WLC 4400/Web Authentication and proxy autodiscovery

    We have a guest-SSID where people authenticate via the build in web authentication and RADIUS.
    We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
    My question is if there is a smarter way to push proxy settings to guest users without user invention? How did you solve this?
    Regards,
    Rutger

    The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to Proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages thruogh, which are now allowed to pass to the proxy.
    The most fool-proof way I've come across is to use Transparent URL Redicection. This is something you can setup on a PIX / ASA, but requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.
    Lots of documentation about how to achieve this via CCO.
    Regards,
    Richard

  • Client Excluded ReasonCode on WLC for Web Auth

    Hi.
    I wonder if you can point me at a table that defines the Reason Code(s) for Client Exclusion Failure? See the example event log entry below from a Guest Controller for Web Authentication failure (that was resolved - Internet router down) but I was wondering if the Reason Codes would be useful in troubleshooting. Many thanks in advance.
    Tue Aug 28 10:45:31 2007 Client Excluded: MACAddress:00:16:6f:b3:20:0a Base Radio MAC :00:00:00:00:00:00 Slot: 0 Reason:Web Authentication failed 3 times. ReasonCode: 4

    I haven't tried it recently. But I'm afraid of this one :
    CSCsy88149 Chained certificate can not have Wildcard * character in hostname
    Even if bought at verisign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained.
    again, I didn't verify it mysefl

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on an 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changed again the web-auth secure web to enable and rebooted the WLC fixed the issue...Has anyone ran into this before and any idea how to fix it?
    Thanks in advanced for your input!
    Robin

    The custome page might be from Cisco web auth page sample by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to diable the web-auth secure web on the main controller?
    This anchor is running in production and has to reboot after hour, will do the test and let you know how it goes.
    Thanks!
    Robin

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC-adresse is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If MAC-adress is not known, the client will be redirect to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded an username&password in the splash-page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read, that Cisco 5500 controllers supports only 150 simultaneous Web Auth Users logins.
    The two WLC's have abount 100-170 clients connected.
    Question:
    - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information wolud be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will these be an issue with the 150 simultaneous logins, despited when usin only one user for all Wifi-clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    > Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • WLC 4402 - only present guest with web auth page once every (x) days

    Hi all,
    I am looking to migrate our guest wireless from a third-party system to the WLC.  Currently, we change our guest password (WPA2 PSK) every (x) days.  Each time the guest password is changed and connections are made with the new PSK, guests are redirected to a terms and conditions page which they must accept.  The MAC address is then cached and the page is not displayed again until we clear the MAC cache and change the PSK.
    I can almost replicate this with web auth in passthrough mode on the WLC, but it presents the guest with the terms and conditions page each time they reconnect to the WLAN, whether it be from roaming offsite or turning the wireless radio off then on.
    Is there any way to have the WLC replicate our current system, where a MAC is cached and the page is not displayed until some other event takes place (changing the PSK or clearing the cache?)
    Thanks!
    -P

    Wait ... Shaoqin, will the 7.5 code be released for the 4400 series controllers?  The current release is 7.0.240.0 - I see releases up to 7.4 on the 5500 series controllers
    Thanks
    -P

  • WLC 4400 : some of the clients are stuck in 802.1x REQD ( Auth - no but status is Associated ) in PEM process

    Hi ,
    I have wlc 4400 with 1010 AP's wireless set-up.
    Everything is working fine but unfortunately , I am coming across with one issue that, clients are not getting authenticated.
    If I see the status of respective client  in WLC :
    status : Associated
    Auth : No
    Policy manager : 802.1X REQD
    I read about PEM ( Policy enforcement Module ) , as it is going through same procedure but policy manager should in " RUN " condition , Unfortunately it is not.
    how do i resolve this issue ?

    Hi Vinod,
    The 802.1X_REQD state would suggest that the client cannot complete L2 authentication.
    If possible, it would be helpful to collect the following debugs from the WLC while trying to connect the client:
    debug client
    debug aaa event enable
    Also, please attach the full text output of the command "show run-config" and let us know the WLAN through which the client should be connecting.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Web Auth page not working on WLC

    I have a WLC 4402 and I upgraded the s/w from 4.1 to 4.2.176 since I did the web auth on my Guest wlan does not work. I can connect to the wireless ok and when I type in a web address I should get the web auth page but I just get "This page cannot be displayed". However if i type in the ip address of the WLC in the addrsss bar I get the web auth page and it work fine form then on. The web auth page worked fine on ver 4.1. Any ideas?

    I opened a TAC case this morning on this same problem, and my solution is what is listed above (config network secureweb cipher-option sslv2 enable)
    Basically, SSLv2 is disabled in 4.2. The Default is now SSLv3.
    Depending on your Internet settings, if IE is configured to use SSLv2, the webpage will not work.
    So in internet explorer, tools, internet options, advanced, There will be a checkbox next to Use SSLv2. (Even if Use SSLv3 is enabled, you still have the https issue).
    Basically, my issues was that a select few users could not Web authenticate and a select few admins couldn't HTTPS manage the GUI. Turns out in all cases, the computers that were all able to work, did not have SSLv2 enabled.
    By enabling SSLv2, all affected users now work (I think).

  • WLC Web-auth fail with external RADIUS server

    I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"
    My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP Radius Server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users againts a radius Server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab from the WLC 2106 and i am getting the error below  
    : Authentication failed for gcasanova. When I set the controller to  Web Radius Authentication to PAP, everything is working fine. I am able to connect to through the controller using an AD Account. But my purpose is not use PAP which is an unsecure protocol since password are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState......................                                                                                                 .............00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.987: 00000000: 01 56 00 9a 8e 48 e7 20  1d ef be 29 e6 3a 61 6d  .V...H.....).:am
    *aaaQueueReader: Oct 26 11:02:29.987: 00000010: 2b de 07 24 01 0b 67 63  61 73 61 6e 6f 76 61 3c  +..$..gcasanova<
    *aaaQueueReader: Oct 26 11:02:29.987: 00000020: 12 3c ce a0 87 ac df 7a  a5 35 af 7c ef 83 c7 58  .<.....z.5.|...X
    *aaaQueueReader: Oct 26 11:02:29.987: 00000030: ed 03 13 28 a7 5a 0d 26  6d ab 49 ea da 7c 5a 8e  ...(.Z.&m.I..|Z.
    *aaaQueueReader: Oct 26 11:02:29.987: 00000040: 1d 94 70 69 06 06 00 00  00 01 04 06 0a 02 00 06  ..pi............
    *aaaQueueReader: Oct 26 11:02:29.987: 00000050: 05 06 00 00 00 01 20 0a  50 41 52 2d 57 4c 43 31  ........PAR-WLC1
    *aaaQueueReader: Oct 26 11:02:29.987: 00000060: 3d 06 00 00 00 13 1a 0c  00 00 37 63 01 06 00 00  =.........7c....
    *aaaQueueReader: Oct 26 11:02:29.988: 00000070: 00 04 1f 0c 31 30 2e 32  2e 30 2e 31 35 36 1e 0a  ....10.2.0.156..
    *aaaQueueReader: Oct 26 11:02:29.988: 00000080: 31 30 2e 32 2e 30 2e 36  50 12 7f 86 5a c5 61 ad  10.2.0.6P...Z.a.
    *aaaQueueReader: Oct 26 11:02:29.988: 00000090: af 54 fa fa 42 e7 f6 16  9e 10                    .T..B.....
    *radiusTransportThread: Oct 26 11:02:29.988: 00000000: 03 56 00 14 a9 10 07 84  83 00 87 83 b9 10 64 e1  .V............d.
    *radiusTransportThread: Oct 26 11:02:29.988: 00000010: 66 b3 c5 5e                                       f..^
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

Maybe you are looking for

  • Converting .pptx file to .pdf Error...... Please Help!?

    I am trying to convert a relatively large powerpoint 2007 presentation into a pdf document using the - right click> Convert to Adobe PDF - function. I have only managed to carry this out on one file so I know it can work, but refuses to convert any o

  • I thought the NEW DVR's were supposed to be able to record more than 2 shows at 1 time

    I was told that the New DVR which is what i have, i guess its called a media center or something like that was supposed to record more than 2 shows simultaneously but found out last night that not to be true. I had 3 scheduled and 1 of them did not r

  • SAP-PS

    Pre-requisites of Project Delivery: What is the pre-requisites of a Project Delivery, of the business process is as mentioned below? 1.     Production Controller will do product confirmation. – (PP module) 2.     Inspection lot will be created after

  • Access to Analytics Catalog Charts in XI 3.0

    Hi,      Do we need to install anything u2018extrau2019 to get Analytics Catalog charts working for Business Objects XI 3.0?      Keep getting the following error message when accessing Analytics Catalog-> Metric Analytics section via Infoview.      

  • Find dialogue in toolbar

    With new Reader the Find dialogue is a small window with tiny Next and Previous buttons. It also moves around so I have to check and move the mouse pointer for every Next when I want to use the mouse to press the button. Do anyone know how to place t