WLC Guest WEB Authentification
Hello,
I would like to configure on a WLC 2504 Internet-Access for Guests through a web authentication.
But I always find configuration instructions only describe the with the additional anchor WLC?
This works but also without anchor WLC, right?
Can anyone give a hint on where I find a manual for it (ideal for Release 7.4 or 7.5) to me.
Thank you
Alexander
It does indeed. When I use the foreign controller for guest access, I often will use a 5508 in port mode (non lag) and break out a port for guest.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Similar Messages
-
WLC 2100 guest access with local web authentification
Hello I tried to create a guest acces with local web authentification.
My Laptop is connected to the Wlan but My Browser don't ask my login and passwordPlease refer to the following links:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html -
Guest web redirect with redundant ISE
Dears,
I have redundant ISE configured (primary and secondary) and integrated cisco WLC 5508.
I already configured SSID for Guest Web authentication.
With primary ISE the redirect link is working fine but when I power off the primary ISE the redirect link stop working even if I changed the Role of the secondary to primary.
Please I need your support,
Regards,Thank you for your reply,
- Yes on the same nodegroup.
- Yes resolved correctly in the DNS.
- I will recheck it but I already create an ACL for redirect.
- Yes the both ISE defined on the Radius Auth. on the WLC.
Now I will check the ACL and back to you.
Regards, -
WLC Guest portal - External DNS issue
I have an interesting behavior. When my guest users attach to the guest network, I want them to use some external DNS source and not my organizations DNS servers. So, I set the dhcp scope options to point to other DNS Servers. When I do, the users don't seem to be redirected to the WLC guest portal, they get nothing and because of that, they cannot get to the Internet.
I am not sure why this is happening. The re-direction URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
I don't understand why pointing a guest client to an external DNS servers would cause the guest login page not to come up.The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal. -
WLC Guest Setup thru Palo Alto Firewall
We currently have a Guest wireless setup at my company, instead of using a anchor controller we have dual contorllers with each having one interface connecting out into our dmz and then going out. it's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA. We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's all ready setup on our dmz switch and asa with the same ip addresses. When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall we can't get dhcp requests thru and have no connectivity, even if we set a static IP on our client we still have no connectivity and it won't redirect us. We use Web-Auth for our authenication with this network and I know once you get an IP address it will only allow dns to redirect to the virtual IP for authenication before it allows anything else but it is the exact same setup as we had before just with a different firewall so I'm stuck. Also if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet. Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work? I've attached a diagram of the basic topology we have setup.
ThanksHi Rod
You WLC interface and PA interface config look correct. I assume you have policies rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
I have my WLC doing DHCP for my guest subnet as your guest SSID/vlan is probably central switched on the WLC its the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? if its not try changing the IP to your controller management IP if your not getting DHCP
I'm not sure how your guest system works but I have an SSID which has a web-auth policy fowarding the guest auth to an authentication server with a webconsole which the passes a radius auth session back to the WLC.
Do you have any other SSID's configured to use that physical port on the WLC? Even if there HREAP and not using the interface.
Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC? -
WiSM and GUEST web authentication
I have a WiSM and we use Cisco open web
authentication with a user email address.
When performing this command via CLI:
>config network secureweb disable
>save config
> reset system
Will this make the web authentication come up HTTP instead of HTTPS ?That command is in order that you manage the unit.
However there used to be a workaround that when you disable HTTPS and SSH and you reboot the WLC the web authentication will be showed as http and no https.
Let me know if it works for you -
Jabber guest web without iframe
The document "Jabber Guest web SDK" describe how to use Jabber guest with a iframe.
Is there a supported (and maybe documented) possibility to use jabber guest without the iframe? and include the code directly in a app so we can customize it?Hi - in current releases we don't support customization of the Jabber Guest web interface. Using the iFrame is the only supported way to embed Jabber Guest into a web application.
Mike -
WLC 2504 - French characters for guest web login page
Good day,
I have recently installed a WLC 2504 and I have the following issue:
When I modify the text for the web login page (Under security/Web Auth/Web Auth page), if I use french caracters such as (é, è, à, etc...) in the message body, it does not show up correctly on users computers. As we're a bilingual country, I must put a bilingual text message. Are there any settings or workaround out there to rectify this?
We're on version 7.2.103.0
Thanks,
EricThanks Scott, I'll have a look at the documentation.
Right after sending this post, I tried typing the actual HTML code for the character instead and it seems to be working. I'm curious about custom webauth page, we may be able to customize it more than we thought we could do.
Cheers,
Eric -
WLC: which software-version support SHA2 certificates for Web Authentification and Web Management ?
Hello,
I tried to install new SHA2 3th-Party certificates on our WLCs. There are old WiSM1-Boards and 2504 to support our old 1230 Access Points, running 7.0.251.2, which didn't install it, although the config manual for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2-certificates I get the message "File transfer failed" an the log says:
*TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
*TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key
I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.
In all 3 cases I tried to install unchained certificates for web management and Level 3 chained certificates for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf
Which software versions support SHA2 certificates and which didn't ? Is the a list for it ?
RegardsHello,
I solved the problem. First I used a Debian Linux system with Openssl 1.0.1. After I searched the internet using one of the log messages above I found sites which mentioned to use Openssl 0.9.x. So I tried a productive and security fixes Debian Linux System running Openssl 0.9.8 and I succeeded. The wlcs accepted the certificate files and used it after a reboot. The Web GUI still shows a SHA1 Fingerprint, but the certificate signature Algorithm is SHA2:
Signature Algorithm: sha256WithRSAEncryption
When you check the openssl.org homepage Openssl 0.9.8 is still one of the actual version of openssl and is still available and fixed. But the Openssl Roadmap says:
"We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"
I don't know the differences between certificates made with openssl 0.9.8 and 1.0.1. Is there anybody who can explain it to me ?
Regards -
WLC 5508 Web Auth Splash Page: Is it possible to place a download?
Hi,
I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embedd a small document (less than 1MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
Thanks
MichaelIt could be done, but you will want to stay within the limits of the WebAuth bundle size (~ <10MB I believe). This shouldn't be a problem considering a .doc size, but I have to ask the same question. Why would you want to do this as opposed to just putting your terms of use inline to the page as just text/html? Maybe there is a good reason, but I can't really think of any scenario. Feel free to elaborate.
-
WLC2112 with Guest / Web-Auth and vlan
Hi
I'm trying to configure my WLC with guest SSID and vlan 10.
The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
Please help.
Management IP Address 192.168.14.252
Software Version 6.0.182.0
Emergency Image Version
I have tried with ver. 5.2 also -I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
Don't know if that helps, or not. -
WLC Guest Network DHCP run out of IPs??
Hello,
I have this guest wlan working with web authentication, as you may know in order to get authenticated you must have an IP address first then have a valid username and password. The problem is that if you don't have valid credentials you keep the IP address anyways.
I'd like to know if there is a way to release the IPs that are not being used? The WLC is the DHCP server for this network.
WLC4402
6.0.202.0
Thanks in advance!That would be good, but right now there is not automated process to remove those clients.
If you are good with scripting, you could setup a script to pull the clients list, then parse it based on the authentication. Once you have that you can then do a client deauthenticate, and wipe the IP address lease as well.
Unfortunately, I can't be too much help as I don't really know scripting.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
I have 4402(50) with 25 nos. 1242 LWAP, I have two guest wlan (guest1 & guest2) with different dynamic interface and vlan. both dhcp scopes assigned in wlc mgmt. guest1 wlan is working properly, guest2 is not authenticating with web authentication. I dont have any radius server.
Unfortunately, "my network is not working" does not give us enough information to help you. Can you post screenshots of the wlan configuration screens, or the relevant portion of output from "show run-config"?
What kind of "not authenticating" happens? What exactly do you experience when trying to log on? What messages appear on the controller console during this process? -
Enable Session Timeout - Guest web-auth
Hi All,
Just a quick one. If this timer expires when using web-auth on a guest wlan in the following way
PC --Ap -- WLC (campus) -- Anchor WLC (DMZ) --- www
Does the web session break and the user will be redirected to the web authentication page?
Many thx indeed,
KenHi there.
http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html#wp1048408
Thanks for the doc above. It has the info in there. Many many thx for your help.
Ken
The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication. -
WLC Guest Account Configuration
Hello,
I have been trying to set up a guest WiFi network using a 2504 series WLC. I have configured the switch, the router, and the firewall for the IP Schema that I want to use for the guest network, but I am unable to get this process working. I have a CAPWAP configuration example that I followed as well as a LWAPP example. I don't have a LWAPP but I do have a CAPWAP. I want to breakdown my network into two separate networks: one for internal use and one for the guest. I am able to connect to the internal network correctly and can ping and gain access via the WAP after I completed my configurations, but I am not able to use the 10.0.0.0 network that I configured for the guest network. I can ping the default router address of 10.0.0.11 from the WLC. I also want to use web authentication as a way to set up the guest network for authentication and the virtual address of 1.1.1.1 does not appear as the authentication method.
I would appreciate any help on this issue. I have been working on this issue for some time with no luck. Any suggestions on things I could try would be great.refer :
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html#proc
Maybe you are looking for
-
Best practices on using EVALUATE functions
hi, experts, I wanna know what is the best practices on using EVALUATE functions on obiee (calling oracle user defined functions) I found that if I use evaluate functions in Answers, obiee will construct a sql behind and then execute. sometimes, obie
-
I'm doing a java program using random numbers. I would like to avoid that each generated number, besides unique, is different from its index in array - for instance, the first number in array is not number 1, the second is not number 2, the third not
-
SOLVED (for now) MacBook Pro (15-inch, Mid 2010): Intermittent black screen or loss of video
For MAC OS Snow Leopard 10.6.8 I downloaded the display driver update from apple support and it didn't fix the problem. I had to download gfxcardstatus-1.7.5 and change the driver to Intel Graphics instead nVidia (wich is the one that crashes the scr
-
How to install tfs server 2012
how to install tfs server 2012
-
Can I have 2 itues account, one in switzerland and one in uk
can i have 2 itues account, one in switzerland and one in uk