WLC - External WebAuth Documentation

Hi All,
I currently have a guest access WLAN setup on our WLC / WCS using the internal webauth functionality.
I would like to set this up to use External webauth (we need an external server to host ~16 different custom pages which are all branded etc) and I have found lots of information about the overall process and how to configure the controller for external webauth but I cannot seem to find any information on actually building the external web pages.
I need to know what URL the WLC forwards onto the external server, what format the reply needs to be to the WLC and ideally I would like to find a basic example external webpage that I could begin to use for testing. I have been trawling google and cisco.com but seem to find very little information on this part of the config.
Does anyone have any pointers or example external webauth pages they could share?
Many thanks,
Paul.

Thanks Scott. Unfortunately I am looking into this remotely at the moment so I cannot browse to the current internal page to view the source. I have tried downloading the custom webauth template but we currently only have smartnet contracts on a number of 2504 controllers and these do not seem to have the templates available for download from CCO.
This current trial is being carried out on a 4402 controller but we do not have a smartnet contract on this to get access to the templates through CCO. Is it not possible to download a template from the controller through the web interface? (I haven't been able to find anything so far.)
I am surprised at the little amount of information I have been able to find about this on the web.

Similar Messages

  • Specification documents of internal and external programs documentation

    I have to make some changes in the specification documents of internal and external programs documentation. I want to know if there are defined some standard conventions about the technical objects name and the requirements documentation.
    We have made some formats, but we have seen change resistance. The problem is the amount of information required in these new formats that we think is important and will help to reduce ambiguity and to avoid backworks but it's going to add activities to the developers.

    . Ours is bit different to what she sampled but the standardization differ from the team implementing it. You must also come out with the pattern for program "pre" and "post" documentation.
    1. Before the actual coding of the program, you have to specify the estimated number of mandays needed for the analysis, coding and documentation. Don't forget to add n% for the buffer. (In our case, we use 30% buffer). Then update the form by putting on the other column the actual mandays consumed. There should not be cases that estimated < actual mandays. If problem is encountered that may cause delay, inform team lead to adjust the estimated mandays.
    2. Create a form that will specifically states the unit testing made (eg. Test case, test data, how the test is perform, outcome of testing, rating: pass or fail, etc.)
    3. After coding, specific program specification (eg. logic of the program, tables created, function module used, authorization checking, etc). Please be reminded to put result of "program extended syntax check" (tcode: slin) and "run time analysis" (tcode: se30) if applicable.
    4. And initial code review must made also. If proper ABAP coding is incorporated and obliged by the program. If the proper naming convention that you implemented is followed by the program...so on and so forth.
    hope you'll get some ideas out of it.
    cheers,

  • Wlc 5508 webauth subnet mask change issue

    Recently I changed the network subnet for a particular wlc interface and scope and also an upstream router and for some reason it would only allow me to use a /24 Host mask as my plan was to go to a /22 mask to allow for over 1000 hosts within this scope.
    The Upstream Router which is a  ( RV042 ) had the following original config :
         192.168.1.1
         255.255.255.0
    I have noticed this device will not let me change the mask from a /24 to a /22 as you can only change from a pre-defined list of masks and you cannot manually add any either.
    New Config
         10.10.0.10
         255.255.255.0
    WLC 5508 Controller Interface
         Original Config
          192.168.1.25
         255.255.255.0
         192.168.1.1
         New Config
         10.10.0.25
         255.255.252.0
         Scope
         Range : 10.10.1.10 - 10.10.3.254
         Mask : 255.255.252.0
         Network : 10.0.0.0
         Router : 10.10.0.10
    When I reconfigure to this addressing the wireless clients connect and get the new dhcp scope details but following this the webauth screen doesn't appear not allowing them to connect meaning there is no routing of traffic / internet access.
    If I modify the above interface and scope masks back to a /24 - 255.255.255.0 then the wireless clients connect and webauth appears to prompt them to accept the terms and conditions and connect thus giving them internet access.
    It looks like an issue with the mask ? The main reason I am trying to change the subnet addressing is because the standard /24 mask is not providing enough dhcp addresses and we have had times where the scope has been exhausted due to the public connecting and disconnecting as the lease period of 2 hours holds onto the address before expiring meaning there is not enough available addresses for people to connect.
    I would have thought that the upstream router ( RV042 ) even though it is only a /24 mask would still route the traffic coming from a WLC Controller interface with a /22 mask ?
    Hopefully someone can suggest a solution ?
    Thanks Simon

    Hey Scott just getting back to this issue. If for instance I can modify the wlc interface and Scope to have a /22 mask ( 1022 Hosts ) and my upstream Router ( Cisco RV042 ) can only provide a /24 or higher mask then does that mean I am still limited to a range of 254 hosts ( /24 Mask ) ?  Would this mean I need to look into replacing my upstream Cisco RV042 VPN Router ?

  • WLC 5508 - WebAuth Bundle tar error 256

    Hi all,
    I have a new fresh 5508 release 7.0.98.0
    When I try to download (I mean upload to the controller) a customized Webauth bundle in .tar format I have the following message error in the syslog :
    *TransferTask: Oct 29 12:56:08.894: %UPDATE-3-UNTAR_CMD_FAIL: updcode.c:2832 Error during untar of webauth bundle. Tar returned 256.
    If someone could help me...
    Thanks

    Excellent find, Karl!
    I'd just like to clarify a bit for those who might not have completely understood this.  Note that Karl said all files and folders must have UID root and GID root.  Running chown root only changes the UID.  To change the GID, you must also run chgrp root .  The easiest way to go about this is to create a new directory, copy your current tar file to it and extract, chown and chgrp against ./*, then tar it back up.
    su root     # alternatively, you can use sudo for chown and chgrp
    mkdir weblogintmp
    cp weblogin.tar weblogintmp/
    cd weblogintmp
    tar -xvf weblogin.tar
    rm weblogin.tar
    chown -R root ./*
    chgrp -R root ./*
    tar -cvf weblogin-new.tar ./*
    ## the tar file itself doesn't need to have UID and GID root, only the contents of it does.
    Karl also pointed out that this must be done from a Unix/Linux-based operating system that has a GID (group ID) literally named root.  In BSD-based systems (at least the ones I've worked with, including Mac OSX), the root-equivalent GID is named wheel.  The 5508 WLC with 7.0.98.0 will not accept this.
    If you do all of this and it still gets rejected by the WLC, consider that there might actually be something else wrong with it.  There's a fantastic article in the Documents section of the Security and Network Management group which helped me figure out a couple issues I had in the past:
    https://supportforums.cisco.com/docs/DOC-13954
    Here's a snippet that pertains to not being able to transfer your webauth bundle to a WLC:
    "There are some limitations with custom webauth that varies with versions  and bugs. The things to watch for are .tar file size (used to be 1Meg  maximum), also the number of files in the .tar as well as the filename  length of the files in there (something like 30 characters max for a  file)."
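
Added example, not part of the original posts: a Python sketch that checks a webauth bundle against the constraints mentioned in this answer (UID and GID root, plus the 1 MB size and roughly 30-character file-name limits from the quoted article) and rewrites ownership in the tar headers without needing a root shell. The limit values come from the quote and vary by version; the sample bundle and all function names are constructed for illustration, and whether a given WLC release accepts the rewritten archive is an assumption.

```python
import io
import tarfile

MAX_BUNDLE_BYTES = 1024 * 1024  # "used to be 1Meg maximum" (quoted article)
MAX_NAME_LEN = 30               # "something like 30 characters max for a file"


def check_bundle(data: bytes) -> list:
    """Return (member, problem) pairs for a webauth bundle given as raw tar bytes."""
    problems = []
    if len(data) > MAX_BUNDLE_BYTES:
        problems.append(("<bundle>", "tar larger than 1 MB"))
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar.getmembers():
            # Numeric ID must be 0 and, if a name is recorded, it must be "root".
            if m.uid != 0 or m.uname not in ("", "root"):
                problems.append((m.name, f"owner is {m.uname or m.uid}, not root"))
            # BSD/macOS record gid 0 as "wheel", which the post says is rejected.
            if m.gid != 0 or m.gname not in ("", "root"):
                problems.append((m.name, f"group is {m.gname or m.gid}, not root"))
            base = m.name.rstrip("/").rsplit("/", 1)[-1]
            if len(base) > MAX_NAME_LEN:
                problems.append((m.name, f"file name is {len(base)} characters"))
    return problems


def rewrite_as_root(data: bytes) -> bytes:
    """Copy the bundle, stamping every member root:root in the tar headers.

    Only header fields change, so this needs no root privileges and no
    group named "root" on the machine doing the packaging.
    """
    out_buf = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as src, \
         tarfile.open(fileobj=out_buf, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for m in src.getmembers():
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out_buf.getvalue()


def build_sample_bundle() -> bytes:
    """Constructed sample: a bundle packed by a non-root user on a macOS-style host."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, body in (("login.html", b"<html>login</html>"),
                           ("a_very_long_custom_branding_stylesheet.css", b"body{}")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.uid, info.uname = 501, "admin"
            info.gid, info.gname = 0, "wheel"
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_bundle()
    for member, problem in check_bundle(sample):
        print(f"before: {member}: {problem}")
    for member, problem in check_bundle(rewrite_as_root(sample)):
        print(f"after:  {member}: {problem}")
```

The over-long file name still has to be fixed by renaming the file and updating any references to it in the HTML.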

  • Report external processing documentation

    Sorry to answer that, but I can't find documentation about the External processing usage, in the Report attributes page, where the inline help suggests to read the "documentation for intructions".
    Please let me know.
    Thanks,
    Marco

    I saw the demo page, but nothing appears in the text area. It's completely blank.
    Also following explanation found here Re: PDF printing in 2.0
    I tried to set the field URL and link label in my report for test, but no external link appears in the resulting rendered page. (Of course the report is rendered!)
    What should I expect? A button, a text link or what?
    I use Apex 3.1
    Regards,
    Marco

  • Error installation 3rd party certificate on wlc for webauth

    Hi,
    I would like to install a web auth certificate on a 5508. Version 7.6.130
    Every time I get an error on web gui or cli like:
    (Cisco Controller) >transfer download start
    Mode............................................. TFTP
    Data Type........................................ Site Cert
    TFTP Server IP................................... 10.1.126.100
    TFTP Packet Timeout.............................. 6
    TFTP Max Retries................................. 10
    TFTP Path........................................ /wlan/
    TFTP Filename.................................... final.pem
    TFTP Webauth cert transfer starting.
    *TransferTask: Oct 07 14:33:08.162: RESULT_CODE:1
    *TransferTask: Oct 07 14:33:12.165: Locking tftp semaphore, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore locked, now unlocking, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.249: Semaphore successfully unlocked, pHost=10.1.126.100 pFilename=/wlan/final.pem
    *TransferTask: Oct 07 14:33:12.250: TFTP: Binding to remote=10.1.126.100
    *TransferTask: Oct 07 14:33:12.266: TFP End: 7959 bytes transferred (0 retransmitted packets)
    *TransferTask: Oct 07 14:33:12.266: tftp rc=0, pHost=10.1.126.100 pFilename=/wlan/final.pem
                                                                                                    pLocalFilename=cert.p12
    *TransferTask: Oct 07 14:33:12.266: RESULT_STRING: TFTP receive complete... Installing Certificate.
    TFTP receive complete... Installing Certificate.
    *TransferTask: Oct 07 14:33:12.266: RESULT_CODE:13
    *TransferTask: Oct 07 14:33:16.269: Adding cert (7895 bytes) with certificate key password.
    *TransferTask: Oct 07 14:33:16.309: RESULT_STRING: Error installing certificate.
    *TransferTask: Oct 07 14:33:16.309: RESULT_CODE:12
    Error installing certificate.
    What's funny, when I'm on a 2106 with the same certificate (Version: 7.0.250.0) install, everything works!
    Does anyone have an idea to solve this problem?
    Regards
    Juergen

    Hello, please check these links out and see if they help:
    https://supportforums.cisco.com/discussion/11376866/error-installing-certificate-help
    https://supportforums.cisco.com/discussion/12294996/web-auth-certificate-download-failed-install-certificate
    https://supportforums.cisco.com/blog/151061/generate-csr-third-party-cert-and-download-unchained-cert-wireless-lan-controller-wlc

  • WebAuth + Passthru + PreAuth ACL with External WebServer problem - WLC5508

    Hi:
    Setting up a guest-wireless access with a pair of WLC-5508 in HA running 7.4.100.60.
    The Web Auth policy is in Passthrough mode with a redirection to an external web server. PreAuth ACL is mandatory for these controllers and it's configured like this:
    Seq #1
    Source: IP_Addr_External_Web_Server
    Destination: Guest_Clients_Pool
    Protocol: TCP
    Source and Destination Ports: Any
    Direction: Outbound
    Action: Permit
    Seq #2
    Source: Guest_Clients_Pool
    Destination: IP_Addr_External_Web_Server
    Protocol: TCP
    Source and Destination Ports: Any
    Direction: Inbound
    Action: Permit
    Seq #3
    Source: Any
    Destination: Any
    Protocol: Any
    Source and Destination Ports: Any
    Direction: Any
    Action: Deny
    However, it's not working :-(.
    It's strange, though, that right after enabling all this, first time I connected a client it worked, but next clients can't load the web page they are redirected to and I can only see matches on the ACL for the Seq #3, no more matches on redirection traffic (allowed) anymore.
    Even more strange: if I change the settings for the WLAN, saying for instance Internal Web Server serving the splash webpage and then apply, and after that go back to the desired config, applying again External WebAuth + PreAuth ACL, it works again .....only the first time! Next clients trying to connect can't load the webpage and again, no more matches on the allowed traffic.
    Sounds like a bug to me but I'd like to know if someone has experienced something similar to this and if so, if found out a way of solving it.
    Btw, when the Web Policy is configured for using the Internal (customised) Web Server, it always works (no ACL needed in this case) but I need to redirect the traffic to an External server.
    Thanks!
    Juan.

  • Cisco WLC 5508 simultaneous Web Auth Users logins?

    Hi there,
    We have 2 WLC5508 (7.2.111.3) with several SSID's.
    One of them is configured as Passthrough with an external splash server. Works fine.
    Now we want to use the "On MAC Filter failure".
    If the client MAC address is configured under MAC Filtering on the WLC, the authentication is done without WebAuth.
    If the MAC address is not known, the client will be redirected to the external WebAuth server for authentication.
    To keep the Passthrough functionality for the user, we hardcoded a username&password in the splash-page.
    So, every client WebAuth uses the same username&password for authentication against the WLC.
    User Login Policies is set to unlimited.
    So far so good, it seems to work, but I have read that Cisco 5500 controllers support only 150 simultaneous Web Auth Users logins.
    The two WLC's have about 100-170 clients connected.
    Question:
    - Will there be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    Thanks for the answers ;-)
    Kind regards,
    Norbert

    Question:
    - Will there be an issue with the 150 simultaneous logins, despite using only one user for all Wifi-clients?
    > I believe this means at the same time... I have clients doing the same thing with hundreds or more of guest users
    - Can the user WebAuth be done with a Cisco ISE like Passthrough, no username&password should be entered by the user.
      If yes, some guide information would be great.
    > ISE is really used to login with a username and password and to be able to profile.  You would need to ask that on the Security forum to get their input if this is something then would do or just leave it on the WLC
    - When successfully authenticated, a logout screen shows on the Windows client. Can this be hidden some how?
    > Not really... some machines with popup blocker does block this and you don't see the logout, but you can't remove this.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • Guest WLAN Splash page to external URL

    Hi, I want to setup a webpage for my guest network (no authentication) users. When the client connects to the open guest network and upon opening a browser they would be directed to a survey that I would like them to take, if they don't want to take it they can begin browsing to other sites without issue. How do I do this on a my 5508 WLC?

    You mean in the WLAN config? If so, that didn't work either.
    To recap where I am at now I have my WLAN setup with just passthrough.
    Then under security Web auth > web login page I have it set as
    Unfortunately, I still cannot leave the External Webauth URL empty
    With the above setup, the client after connecting to the WLAN has the browser auto launch and appears to direct to the redirect site, however the page just refreshes and does not load. Long URL with domain.com/blah blah blah/1.1.1.1 virtual interface of the WLC.
    Message was edited by: Andrew Schulz

  • WebAuth logout.html

    Hi,
    I have the following systems in place:
    5508 WLC - 7.4.100.00
    NAC Guest Server - 2.1.0
    I have setup an SSID with external Webauth, which is pointing to the login page on the NAC.
    All works fine but I cannot use the logout page which is customized on the NAC. I always get the internal default logout.html of the WLC and I cannot customize that.
    Every customization which I have done to the logout.html (then uploaded it on the WLC) will not be recognized.
    Is there a way to customize that logout.html?
    Thanks
    Stefan

    No direct solution I'm afraid. The only thing I can think of is to use ISE instead, which does allow you to customise all the things you're interested in.

  • WLC url-redirect

    Using FreeRadius to do Mac authentication Bypass with External URL redirect.  I have confirmed that I'm sending cisco AV-pair for url-redirect, and the WLC shows the client having that url applied(along with the url-redirect-acl that I've applied)
    My issue, the URL presented to the client doesn't have the action_URL appended when I apply it via 802.1x.  If I change the SSID and force external webauth I get a good URL to the client(generally http://<SITE>?action_URL=http://1.1.1.1/login.html or something similar).  How can I use url-redirect to force authentication with the proper action_URL appended?
    WLC 5508 with 7.2 code
    FreeRadius running on CentOS

    Hello Jeremy,
    As per your query I can suggest the following solution:
    Configure WLC Splash Page Redirect with the information to configure the features described.
    Complete these steps in order to configure the devices to use the splash page redirect feature:
    1. Configure the WLC for RADIUS authentication through the Cisco Secure ACS server.
    2. Configure the WLANs for the Admin and Operations departments.
    3. Configure the Cisco Secure ACS to support the splash page redirect feature.
    For more reference refer to the link-
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml#conf
    Hope this will help you.

  • Custom WebAuth issues

    I'm trying to get a custom webauthentication page for two WLANs working, with RADIUS authentication.
    The default web-auth page has been operational for some time so there are no issues with the process itself.
    For some reason when I click on the submit button, while using the custom page, nothing happens. There's no redirect, no entry in RADIUS.
    The script code is exactly the same, word for word. The only things modified are the style layouts of the page as well as the coloring.
    I've noticed this line of code for the scripting:
    "<script language="javascript" src="./loginscript.js"></script>"
    Is 'loginscript.js' something that needs to be set up and uploaded along with the custom page, or is that coded into the WLC software?
    Any other insight on why this may not be working? Thanks.

    In 4.1, the feature to allow upload of webauth html files to the controller was introduced. Only when the webauth type is "customized" (not external or internal), the webauth URL includes "fs/customwebauth" to point to the files stored on the controller's flash file system. This should not affect scripts that were used before, for internal or external webauth.
    You can navigate the directories for web related html files (only the uploaded ones) using devshell shell. You will be able to find the custom webauthentication directory, after you have uploaded the webauth files to the controller.

  • Integration between WLC WEb auth and NGS

    I'm trying to integrate WLC and NGS and getting this error message:
    Preauthentication ACL needs to be configured/selected for external webauth to work.
    Where do I need to configure ACL?
    Thanks

    Hi Surendra,
    Thanks for the links.
    Even though I'm using the 5500 WLC I still need to add the ACL!
    Looking at the attachment, if I permit ANY source and dest, then I can connect to the internet, but it didn't go through the login page and ask for the username and password, I could access the Internet without any authentication. If I set the rules as shown in the attachment, it gets me to the logon page (which is good) but I could not log on, here's the radius log:
    rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
            Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
    Sending Access-Accept of id 90 to 127.0.0.1 port 43507
    Finished request 111.
    Cleaning up request 111 ID 90 with timestamp +5120
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
            User-Name = ""
            CHAP-Challenge =
            CHAP-Password =
            Service-Type = Login-User
            NAS-IP-Address = x.x.x.164
            NAS-Port = 1
            NAS-Identifier = ""
            NAS-Port-Type = Wireless-802.11
            Airespace-Wlan-Id = 10
            Calling-Station-Id = "x.x.x.x"
            Called-Station-Id = "x.x.x.164"
            Message-Authenticator =
    +- entering group authorize {...}
    [radius-user-auth]      expand: %{User-Name} ->
    [radius-user-auth]      expand: %{User-Password} ->
    [radius-user-auth]      expand: %{NAS-IP-Address} -> x.x.x.164
    [radius-user-auth]      expand: %{Calling-Station-Id} ->
    Exec-Program output:
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 112 for 1 seconds
    Going to the next request
    Waking up in 0.7 seconds.
    Sending delayed reject for request 112
    Sending Access-Reject of id 65 to x.x.x.164 port 32770
    Waking up in 4.9 seconds.
    Cleaning up request 112 ID 65 with timestamp +5144
    Ready to process requests.
    What does this message mean: "++[radius-user-auth] returns reject"?
    Thanks for your time.

  • Bypass guest webauth for Blackberry Service

    Hi Folks, Our wireless deployment has two wireless networks - one with 802.1x auth for corporate machines and the other is an open one with internet access for guests (but with a web auth page).
    What I'd like to do is allow staff to connect their Blackberry handsets to the guest (open) wireless network to collect email from the Blackberry Enterprise Server (it's a lot easier that configuring 802.1x and getting users to roll their passwords each time), I think I can work around this with a pre-authentication ACL to bypass the webauth page for access to the Blackberry Enterprise Server, but I'm a bit confused over the direction of the access list entries. If I added an access list to the WLC which looks like the below - would that work or is the directionality wrong?
    The example for the external webauth server I saw had the directionality the otherway around.
    Action Source IP/Mask Destination IP/Mask Protocol Source Port Dest Port DSCP Direction
    Permit 0.0.0.0 / 0.0.0.0 [the ip of my BES] / 255.255.255.255 IP Any Any Any Outbound
    Permit [the ip of my BES] / 255.255.255.255 0.0.0.0 / 0.0.0.0 IP Any Any Any Inbound
    Any advice that you can provide would be great
    Thanks in advance
    Kev

    Never underestimate the help menu ;-)
    Direction
    Any, Inbound (from client), or Outbound (to client).
    I think that this description is straightforward.
    But you will probably notice that your blackberries are disconnected every 3 minutes from your SSID. I don't know if this is something they can tolerate.
    Pre-auth ACL is made to give access to some resources needed to authenticate on the web login page. Not to bypass it completely. So the WLC is kicking out clients that are connected since 3 minutes on the Webauth SSID but not authenticated on the web page ...
    Nicolas
    ===
    don't forget to rate answers that you find useful
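
Added example, not part of the original posts: a simplified Python model of first-match ACL evaluation using the Direction definition quoted above (Inbound is from the client, Outbound is to the client), run against the two entries from the question as posted and with the directions swapped. The evaluator, its implicit deny, and the BES and client addresses (documentation ranges) are assumptions made for illustration, not WLC code.

```python
import ipaddress
from dataclasses import dataclass

BES = "192.0.2.10"        # placeholder for "[the ip of my BES]"
CLIENT = "198.51.100.25"  # constructed guest client address


@dataclass
class Rule:
    action: str     # "permit" or "deny"
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    direction: str  # "inbound" (from client), "outbound" (to client) or "any"


def evaluate(acl, src, dst, direction):
    """Return (action, sequence number) of the first matching rule.

    Model assumption: rules are checked in order and traffic that matches
    nothing is denied.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, rule in enumerate(acl, start=1):
        if rule.direction not in ("any", direction):
            continue
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.action, seq
    return "deny", None


def session_allowed(acl, client, server):
    """A client/server exchange needs both the request and the reply permitted."""
    request = evaluate(acl, client, server, "inbound")   # client -> server
    reply = evaluate(acl, server, client, "outbound")    # server -> client
    return request[0] == "permit" and reply[0] == "permit"


# The two entries exactly as written in the question.
AS_POSTED = [
    Rule("permit", "0.0.0.0/0", f"{BES}/32", "outbound"),
    Rule("permit", f"{BES}/32", "0.0.0.0/0", "inbound"),
]

# Same entries with the Direction column swapped.
SWAPPED = [
    Rule("permit", "0.0.0.0/0", f"{BES}/32", "inbound"),
    Rule("permit", f"{BES}/32", "0.0.0.0/0", "outbound"),
]

if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("swapped", SWAPPED)):
        print(label, "client->BES:", evaluate(acl, CLIENT, BES, "inbound"),
              "BES->client:", evaluate(acl, BES, CLIENT, "outbound"),
              "session allowed:", session_allowed(acl, CLIENT, BES))
```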

  • VWLC 7.4 Webauth

    Hi,
    I have setup a vWLC and I'm unable to get local webauth working for a guest WLAN. From my understanding, as the access points only work in Flexconnect mode, traffic to the virtual IP address should still be sent to the vWLC using capwap instead of switching locally but this is not working. The client device receives an IP address from DHCP but the redirect does not happen. Manual connection attempt to https://1.1.1.1/login.html also fails (1.1.1.1 being the VIP on the vWLC).
    Can someone confirm that the vWLC supports local webauth or if an external webauth server is required?
    Thanks,

    Hello Will,
    As per your query I can suggest the following steps:
    Step 1   Copy the .tar file containing your login page to the default directory on your server.
    Step 2   Specify the download mode by entering this command:
    transfer download mode {tftp | ftp | sftp}
    Step 3   Specify the type of file to be downloaded by entering this command:
    transfer download datatype webauthbundle
    Step 4   Specify the IP address of the TFTP server by entering this command:
    transfer download serverip tftp-server-ip-address
    Note    Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server automatically determines the path to the correct directory.
    Step 5   Specify the download path by entering this command:
    transfer download path absolute-tftp-server-path-to-file
    Step 6   Specify the file to be downloaded by entering this command:
    transfer download filename filename.tar
    Step 7   View your updated settings and answer y to the prompt to confirm the current download settings and start the download by entering this command:
    transfer download start
    Step 8   Specify the web authentication type by entering this command:
    config custom-web webauth_type customized
    Step 9   Enter the save config command to save your settings.
    For more information please refer to the link-
    http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/system_management/config_system_management_chapter_010111.html#ID785
    Hope this will help you.
