WLC 4400/Web Authentication and proxy autodiscovery

We have a guest SSID where people authenticate via the built-in web authentication and RADIUS.
We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest SSID, but only after the authenticated user closes and reopens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
My question is whether there is a smarter way to push proxy settings to guest users without user intervention? How did you solve this?
Regards,
Rutger

The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to the proxy, because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages again, which are now allowed to pass through to the proxy.
The most fool-proof way I've come across is to use Transparent URL Redirection. This is something you can set up on a PIX / ASA, but it requires a compatible web proxy / web filter - I've used WebSense, but I believe other products should work too.
There is lots of documentation about how to achieve this on CCO.
Regards,
Richard
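The proxy settings WPAD hands out are a PAC (proxy auto-config) script, fetched from the URL in DHCP option 252 or from http://wpad.<domain>/wpad.dat. The following is an added example of such a script, not something posted in the thread above; it assumes a proxy at proxy.example.net:8080, an internal domain example.net and the WLC default web-auth virtual IP 1.1.1.1 (the address the other threads on this page redirect to). The rule that matters on a web-authenticated SSID is the first one: the captive-portal redirect lands on the virtual IP, and if the browser sends that request to the proxy instead of directly, the controller never sees it and the login page does not load. The script deliberately uses only plain JavaScript (no isInNet() or dnsDomainIs() PAC helpers) so it runs both in a browser's PAC engine and under Node for testing.

```javascript
// Added example PAC file for a web-auth guest SSID (not from the original thread).
// Assumptions: proxy is proxy.example.net:8080, internal domain is example.net,
// WLC web-auth virtual interface is 1.1.1.1 (the controller default).

var PROXY = "PROXY proxy.example.net:8080";

// Hosts that must never be sent through the proxy. The WLC intercepts only
// traffic the client sends directly; a request addressed to the proxy port
// bypasses the redirect, so the web-auth virtual IP has to be DIRECT.
var DIRECT_HOSTS = ["1.1.1.1", "localhost", "127.0.0.1"];

// True for an IPv4 literal inside an RFC 1918 private range.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Suffix test without relying on String.prototype.endsWith (old PAC engines).
function hasSuffix(str, suffix) {
  return str.length >= suffix.length &&
         str.substr(str.length - suffix.length) === suffix;
}

// Entry point called by the browser for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Captive portal and loopback: always direct (for-loop, not indexOf,
  //    because IE's older JScript PAC engine lacks Array.prototype.indexOf).
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (host === DIRECT_HOSTS[i]) return "DIRECT";
  }

  // 2. Unqualified intranet names and the internal domain stay local.
  if (host.indexOf(".") === -1) return "DIRECT";
  if (host === "example.net" || hasSuffix(host, ".example.net")) return "DIRECT";

  // 3. Private address literals (e.g. the mobility anchor) stay local.
  if (isPrivateIPv4(host)) return "DIRECT";

  // 4. Everything else goes through the proxy; the trailing "; DIRECT" is a
  //    fallback if the proxy is down. Drop it for a proxy-or-nothing policy.
  return PROXY + "; DIRECT";
}
```

Serve the file with the MIME type application/x-ns-proxy-autoconfig and keep the wpad host itself reachable without a proxy; the browser always fetches the PAC directly. Note that the PAC content does not change the behaviour reported above: before the user has authenticated, the WLC still blocks the fetch of wpad.dat, so the browser only picks the settings up once it re-runs discovery after login.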

Similar Messages

  • WLC 4402 Web Authentication, MAC Filtering and Layer 2 Security

    Hi All,
    I have configured web authentication and MAC filtering on a WLC 4402 for my wireless network and it is working fine. I want to configure layer 2 security for the same wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key?
    Is there any security issue with web authentication and MAC filtering only? My concern is that my wireless network shows as open.
    Thanks,
    Kashif

    Hi,
    if you have an ACS, then you can do a Web auth splash page. Please refer to the doc below:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
    Let me know if this answered your question.
    Regards
    Surendra

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network. The SSID has layer 2 security WPA, layer 3 web authentication (internal default page), and an external RADIUS server.
    When a client roams from one AP to another, or when he has some idle time, he needs to re-authenticate on the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting approach to determine why the clients have these problems?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know that when a client or the AP sends a DEAUTH frame, the client will need to re-establish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side, you will get the page. If your client isn't roaming cleanly, this can be a problem.
    Another problem is that you're using EAP. Are you using CCK or a device that supports OKC? What does your RADIUS server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • WLC 5508 Web Auth and EAP / PEAP

    Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school. A few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have set up a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests (through an ASA) on to a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
    But you can use pre-shared security, like WPA2 AES, with web auth to ensure that the traffic is encrypted.
    Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
    Check the following link which contain couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • Aironet 1140 FLEXCONNECT External Web Authentication and Apple Devices

    Hi!
    I'm having an issue with this Access Point.
    I've configured this access point with WLC in mode FlexConnect with web authentication.
    It's all right: I connect with my PC over wireless, I open my web browser in Windows, then the Access Point redirects me to the External Web Authentication Page,
    I put in my credentials, and I'm redirected to my access point (https://1.1.1.1/login.html, I accept the certificate) and then the Access Point redirects me to the Internet.
    I do this with my Android phone, and it's all right again.
    I try to connect with an iPhone or iPad: I'm redirected to the External Web Authentication Page, I put in my credentials, and I'm redirected to https://1.1.1.1/login.html where the web browser doesn't ask me anything and I'm not redirected to the Internet.
    Have you any idea?

    Thank you Scott, I understand what you are talking about, but my problem is different.
    I'll try to explain.
    I see the wireless network, I associate the iPhone to this network, so I'm redirected to the login page,
    either via the "Apple Login" or when I open a web page.
    On this page, which I reach with all devices, I put in my credentials; then with all devices I am redirected
    back to the Access Point (https://1.1.1.1/login.html).
    On this page I should be redirected to the Internet after RADIUS authentication, but with Apple devices this doesn't work.
    This is the WEB AUTHENTICATION flow from the Cisco documents:
    The user associates to the web authentication SSID.
    The user opens their browser.
    The WLC redirects to the guest portal (such as ISE or NGS) as soon as a URL is entered.
    The user authenticates on the portal.
    The guest portal redirects back to the WLC with the credentials entered.
    The WLC authenticates the guest user via RADIUS.
    The WLC redirects back to the original URL.

  • WLC 4400 web auth issues

    Hello,
    I am experiencing an issue with my model 4404 wireless controllers that has plagued me for some time now. I have two controllers with 106 APs split evenly between the two controllers. One of my SSIDs is set up with web authentication. I have one RADIUS server (Cisco ACS v4.1). The problem only exists for the SSID that uses web authentication. Reports begin to come in that students cannot log in to the wireless using the student SSID that uses web authentication. The student can get to the web authentication page, but when they put in their username and password both fields go blank. You can do this over and over with no errors, and the logs in the controller show nothing to indicate any issues (you don't even see the attempted login). I obtain one of the student logins for testing and here is what I have found. I attempt to log in to the student wireless with this account and receive the same results as the student. I have an AP in my office that I use for testing, so I force it onto the other controller. At that point the account in question works. I can log in without any issues. I force the AP back to the initial controller and experience the same issue: I cannot log in. No error of bad username and password, just login fields that go blank. More reports come in that students cannot log in and I find that all issues are related to this controller. The next morning I reboot the controller and everything works for a week or more, and then it all starts over again. The next time it may be the other controller that is experiencing this issue. A reboot of the controller always fixes the issue for the short term. The issue appears to be controller related but I cannot pin it down. I recently upgraded my controller code from 4.2.61.0 to 6.0.188.0 at Cisco's recommendation. Unfortunately the issue still exists. Scouring the forums produces a few other people encountering the same issue but none seem to have found a fix.
    Does anyone know if this is a known issue with this model controller?
    Thanks much for any help.

    Thank you for your response Dennis, it is greatly appreciated. I do not find any mount errors in the crash log. However, I did finally find something in the message logs that I was unable to find before. I did not copy this message so it is not verbatim. The error message states that the user cannot be logged in, possibly due to being logged in somewhere else. At that point I pore over every client on the controller, even filtering by MAC address. I see no evidence of the client being associated or authenticated. On a side note, I can see the client as associated if the wireless card is enabled. Checking the ACS does not show a failed authentication. Again, rebooting the controller seems to clear some sort of RADIUS accounting on the controller that I am unable to clear manually without a reboot. Thanks again for your response.

  • Web Service authentication and PROXY Issue

    Hi All,
    Recently I developed an application in Flex 2 which uses web services to access remote data. One more point to be noted: these web services are secured (i.e. they need a username and password to access).
    I have a production server (say myProduction) and all my web services are deployed on it. We have a SAP portal running on this server. I have created a PAR file of my application's .SWF file and hosted it on the portal.
    When I run my application from myProduction, it runs fine, no issues with it.
    Now, I have a proxy server (say myProxy), which is used to make my application available on the internet. This proxy redirects all the requests to the myProduction server.
    When I try to run my application from the myProxy server, I am getting the following error:
    [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Unable to load WSDL. If currently online, please verify the URI and/or format of the WSDL (http://myProduction:50000/WS_Resource/Config1?wsdl&style=rpc_enc)"]
    at mx.rpc.soap::WSDLParser/::dispatchFault()
    at mx.rpc.soap::WSDLParser/http://www.adobe.com/2006/flex/mx/internal::httpFaultHandler()
    at flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::dispatchRpcEvent()
    at mx.rpc::AbstractInvoker/http://www.adobe.com/2006/flex/mx/internal::faultHandler()
    at mx.rpc::Responder/fault()
    at mx.rpc::AsyncRequest/fault()
    at ::DirectHTTPMessageResponder/securityErrorHandler()
    at flash.events::EventDispatcher/flash.events:EventDispatcher::dispatchEventFunction()
    at flash.events::EventDispatcher/dispatchEvent()
    at flash.net::URLLoader/flash.net:URLLoader::redirectEvent()
    Do I need any configuration files to be maintained? How do I resolve this proxy issue?
    The myProxy server is not able to load the WSDL from myProduction. I am not using Flex Data Services; I am directly accessing the services.
    If anyone knows about this issue please help me. Any help would be greatly appreciated.
    This issue has been unresolved for 15 days now.
    Thanks in advance

    Hi,
    I am not sure if what I am suggesting is the source of the problem, but it could be that you will need a crossdomain.xml file deployed on your production server, so that it can accept the requests from the Portal. Also, I guess you will be using a flex-config.xml or services-config.xml. Just make sure that all server paths have been properly mapped to the values entered in the destination attributes of the WebService tags.
    I hope that helps.

  • Web conferencing and proxy

    Hi,
    is there an option to define a proxy while using beehive web conferencing? I don't see this option in the conferencing.cfg.
    Thanks,
    Stephane.

    Well, I am still right in what I'm saying :) : the question has not been labelled "external attendees access" or "is HTTPS tunneling available"!
    If you are ready to use a DMZ instance and open some ports, you don't need a proxy to open your web conference server to people on the internet. That's a usage of web conferencing that makes sense.
    And more than that, and this is my opinion, considering HTTPS the universal solution for network security is a mistake. It's a door open to anything that's encrypted, and people consider it safe because of that. Some engineers invented protocols to make sure that the traffic is properly identified; the "all in HTTPS" paradigm is just a denial of common sense in security...
    Of course, HTTPS tunneling is still a useful option, but not the best IMHO.

  • Web Server and proxy

    Hi developers!
    I have two web servers. Server A is a web server with Tomcat and it has a public IP, so my clients can access it from the internet. The other server, named B for example, is inside my intranet. This server doesn't have a public IP; it isn't visible from the internet. But the clients need some pages from server B. Server B is a Microsoft Exchange server, and I need some pages from OWA.
    I have two solutions. One solution is to create a servlet proxy. The other solution is to create a Java proxy with sockets. Does somebody have any idea? Moreover, does somebody know a free project that does this?

    Why don't you simply use JavaMail to retrieve the (presumably email) messages from exchange?
    - Saish
    "My karma ran over your dogma." - Anon

  • PALM with WLC 4400 (Web Auth Portal)

    We cannot get the Web Portal splash page to display on wireless Palm units; the site simply hangs. Are there any fixes out there for this problem? Thanks for all replies!

    Has anyone else seen this Palm/WebAuth issue or found a fix? I am seeing this on our Palm devices too. Running 4.x code with internal guest auth, laptops work just fine with the https://1.1.1.1 redirect, but the Palm just hangs. Could it be that the certificate is not valid and the Palm has no way to prompt for that message like a laptop does? Any ideas?

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in to web authentication on HTTP instead of HTTPS.
    If I log in on HTTP, I will not receive the certificate alerts that prevent users from connecting.
    I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it there. The 7.x documentation says:
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • WiSM and GUEST web authentication

    I have a WiSM and we use Cisco open web authentication with a user email address.
    When performing  this command via CLI:
    >config network secureweb disable
    >save config
    > reset system
    Will this make the web authentication come up HTTP instead of HTTPS ?

    That command controls how you manage the unit.
    However, there used to be a workaround: when you disable HTTPS and SSH and reboot the WLC, the web authentication page is shown over HTTP and not HTTPS.
    Let me know if it works for you

  • Delayed Web Authentication on 5500 WLC

    Hi
    I have set up a Guest WLAN on a 5508 WLC with web authentication. I noticed during tests that it takes about 2 to 3 minutes to complete the authentication process and provide access to the client machine. My WLC is running version 7.3.101.0.
    Has anyone come across a similar situation or can suggest a solution to this issue?
    Feel free to ask if you need more details.
    Thanks
    Sunil

    Well, what I would do for testing is the following:
    Remove WebAuth to see if there is an issue with connectivity on that subnet
    Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
    If you're using a custom WebAuth page, try using the default internal WebAuth page to see if there is any difference
    If you're authenticating guests using RADIUS, check the RADIUS logs for errors
    Is it all devices or is it an issue with a few or a certain model?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ISE and central web authentication

    Hello all,
    I have followed the steps in this document in detail:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    however, my central authentication does not work. I get to the guest portal, I get authenticated through the guest portal,
    but then the "second" MAB authentication doesn't happen.
    In the last screen capture of the document, you get a green "Dynamic Authorization" line (third line from the bottom). On my system
    this is a red line with the error message "11213 No response received from Network Access Device".
    (I have a successful guest authentication in my ISE logs, but it seems ISE is unable to bounce or initiate the second MAB....)
    Any ideas ?
    regards,
    Geert

    By the way, I feel the document example is a bit too general. For example, if you implement the document, ISE will do web authentication and redirection even when you are using an 802.1X client and are authenticated (if you have no other rules in your Authorization sequence table).
    I managed to prevent this by adding an additional condition to the first rule "MAC not known" that has the CentralWebAuth policy: only do web authentication if MAC not known AND Wired_MAB is being used.

  • Incompatibility among the authentication WEB-based and Windows Vista

    I have a Wireless LAN Controller running 5.0.148.2 and Access Points 1252 and 1231. The customer has 8 laptops with Windows Vista that have problems when connecting to the Guest WLAN; these same laptops have no problems when they authenticate to the Employee WLAN through PEAP. The laptops with Windows XP do not have this problem.
    The users connected to the Guest WLAN correctly obtain an IP address through DHCP, but the Guest users cannot see the web login page, or when they sometimes do see it, they enter the username and password and then do not see the following page, and they do not connect to the Internet.
    The laptops in question come from different manufacturers (HP and DELL), Windows Vista versions (Home Basic and Home Premium) and wireless cards (INTEL and ATHEROS).

    I'm having the same problem with our student wireless. It uses web authentication and Windows Vista and Mac users are having problems but Windows XP works fine. They all get IP addresses but aren't getting presented with the login page.
