WLC Web Auth Redirect URL point to an ISE Policy NODE only?

Hi all,
I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

Thanks Peter for your clarification regarding the semantic I used and the question I made.
Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

Similar Messages

  • Anchor WLC web-auth secure web issue

    Hi all,
    I am running into an issue with disabling the web-auth secure web on a 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up... I could see the IE tab showed Web Auth Redirect though... Changing the web-auth secure web back to enable and rebooting the WLC fixed the issue... Has anyone run into this before, and any idea how to fix it?
    Thanks in advance for your input!
    Robin

    The custom page might be from the Cisco web auth page sample, by the look of the webpage. I don't know how to verify whether or not it was hard coded for HTTPS...
    Do I also need to disable the web-auth secure web on the main controller?
    This anchor is running in production and has to reboot after hours; I will do the test and let you know how it goes.
    Thanks!
    Robin

  • Web Auth Redirection

    I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.
    The problem I have amongst many is that I can create a guest user directly on the ISE and the guest can log in; the ISE monitor shows the guest authenticates, but the client's webpage passes them back to the login page, not on to the original client URL. The web auth is pointed at the ISE/guestportal/portal.jsp page.
    If I point the web auth at the internal WLC page using a WLC local user account it works.
    If I set the guest access to pass through it works without issues getting dhcp and dns.
    On the ISE is there a policy needed to say if guests are web authenticated give them access?
    The need is for AD authenticated users to be able to create guest users. The AD authentication works for sponsorship and guest creation; it's just the guest access redirection I am having issues with. Does anyone have any ideas where I might be going wrong?
    Thanks for any ideas Mick

    Does this work if you point to the WLC internal page and use AAA credentials?

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On the WLC there is an SSID (WLAN) with MAC filtering without L2 security. For authentication the user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create a user account in the ISE sponsor portal with a one hour lease.
    After 10 minutes we delete (or block) the user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect the client and reconnect it again, the client opens the browser and there is no redirection to the ISE web auth page.
    This happens because the WLC thinks that the client is still associated.
    There are session and idle timeout timers in the WLC WLAN, but they can't solve the problem of automatic client session removal.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
    How the user account blocking process can be automated without manually deleting the client session from WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.
    Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    In the Bug Toolkit the "Fixed-in" field shows Release-Pending.

  • Framed-IP-Address in RADIUS Access Request for WLC web-auth users

    We have a web-auth WLAN (with 7.6.130.0 software on a 2504 WLC) configured to authenticate users through RADIUS. The Framed-IP-Address attribute, representing the client device's IP address, is sent in the Accounting Request, as expected. However, this information should be available at the WLC before sending the RADIUS Access Request, since the device already has an IP address.
    So is there a way to configure the WLC to send the Framed-IP-Address attribute in the RADIUS Access Request as well?

    Hi,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts

  • WLC Web-auth fail with external RADIUS server

    I followed the link below step by step to configure web-auth with an external RADIUS server, but I receive an error on the console debug of the WLC: "Returning AAA Error No Server (-7) for mobile"
    My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user.
    WLC 4402 version 4.1.171.0
    http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a0080706f5f.html

    Hi,
    I am having some issues when I try to authenticate an AD account against a NAP RADIUS server on Windows 2008.
    In fact, I own a WLC 2106 and I configured it to authenticate users against a RADIUS server with Active Directory. I set the Web Radius Authentication to CHAP on the controller tab of the WLC 2106 and I am getting the error below:
    Authentication failed for gcasanova. When I set the controller's Web Radius Authentication to PAP, everything is working fine. I am able to connect through the controller using an AD account. But my purpose is not to use PAP, which is an insecure protocol since passwords are sent as plaintext on the network.
    Can someone tell me what's wrong?
    *radiusTransportThread: Oct 26 11:02:13.975:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:13.975:    Packet contains 0 AVPs:
    *emWeb: Oct 26 11:02:13.977: Authentication failed for gcasanova
    *aaaQueueReader: Oct 26 11:02:29.985: AuthenticationRequest: 0xb6564634
    *aaaQueueReader: Oct 26 11:02:29.985:   Callback.....................................0x8576720
    *aaaQueueReader: Oct 26 11:02:29.985:   protocolType.................................0x00000001
    *aaaQueueReader: Oct 26 11:02:29.985:   proxyState...................................00:24:D7:40:E5:00-00:00
    *aaaQueueReader: Oct 26 11:02:29.986:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Oct 26 11:02:29.986: apfVapRadiusInfoGet: WLAN(4) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Oct 26 11:02:29.986: 00:24:d7:40:e5:00 Successful transmission of Authentication Packet (id 86) to 10.2.0.15:1812, proxy state 00:24:d7:40:e5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Oct 26 11:02:29.988: 00:24:d7:40:e5:00 Access-Reject received from RADIUS server 10.2.0.15 for mobile 00:24:d7:40:e5:00 receiveId = 0
    *radiusTransportThread: Oct 26 11:02:29.989: 00:24:d7:40:e5:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d7:40:e5:00
    *radiusTransportThread: Oct 26 11:02:29.989: AuthorizationResponse: 0xb97fe774
    *radiusTransportThread: Oct 26 11:02:29.989:    structureSize................................32
    *radiusTransportThread: Oct 26 11:02:29.989:    resultCode...................................-4
    *radiusTransportThread: Oct 26 11:02:29.989:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Oct 26 11:02:29.989:    proxyState...................................00:24:D7:40:E5:00-00:00
    *radiusTransportThread: Oct 26 11:02:29.989:    Packet contains 0 AVPs:

  • Certificate for WLC web auth - HELP

    Hi all
    I need to buy a cert for my WLC web authentication
    I have read the document below
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    However, I want to fill in the details and generate the CSR via the provider I'm buying the cert from, Thawte.
    Am I OK doing all this via the provider, or do I need to use OpenSSL to generate the CSR?
    Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
    The WLC has the latest version of code.
    cheers
    Carl

    Here are the instructions for a chained certificate.
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    It's simple enough: copy and paste the chain below the certificate when you generate the final.pem.
    Main thing to remember when compiling the final.pem: use a version of OpenSSL < 1.0, as otherwise it won't install.
    If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
    As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
    Thanks
    Chris

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
    When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth command from the wlan, I connect right up. It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • WLC - Web Traffic redirection without using Web Auth?

    Hi there,
    I am in need of a solution to integrate into the WLC where the guest users can use the wireless access and then be redirected to the company's website once they open a browser.
    This is where the guest users will no longer click any buttons (or accept any certificates). Once the browser is opened it will automatically go to the company's website.

    You can use pfSense or m0n0wall (there are others, but these are the top two open source splash screen portals) or a commercial offering as the gateway.
    pfSense is BSD-based and has more features than m0n0wall. The splash can be HTTP or HTTPS and is fully customizable.

  • Integration between WLC WEb auth and NGS

    I'm trying to integrate WLC and NGS and getting this error message:
    Preauthentication ACL needs to be configured/selected for external webauth to work.
    Where do I need to configure ACL?
    Thanks

    Hi Surendra,
    Thanks for the links.
    Even though I'm using the 5500 WLC I still need to add the ACL!
    Looking at the attachment, if I permit ANY source and dest, then I can connect to the internet, but it didn't go through the login page and ask for the username and password; I could access the Internet without any authentication. If I set the rules as shown in the attachment, it gets me to the logon page (which is good) but I could not log on. Here's the radius log:
    rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
            Message-Authenticator = 0xf7233fc3f00a133f273b87e9c2359199
    Sending Access-Accept of id 90 to 127.0.0.1 port 43507
    Finished request 111.
    Cleaning up request 111 ID 90 with timestamp +5120
    Going to the next request
    Ready to process requests.
    rad_recv: Access-Request packet from host x.x.x.164 port 32770, id=65, length=169
            User-Name = ""
            CHAP-Challenge =
            CHAP-Password =
            Service-Type = Login-User
            NAS-IP-Address = x.x.x.164
            NAS-Port = 1
            NAS-Identifier = ""
            NAS-Port-Type = Wireless-802.11
            Airespace-Wlan-Id = 10
            Calling-Station-Id = "x.x.x.x"
            Called-Station-Id = "x.x.x.164"
            Message-Authenticator =
    +- entering group authorize {...}
    [radius-user-auth]      expand: %{User-Name} ->
    [radius-user-auth]      expand: %{User-Password} ->
    [radius-user-auth]      expand: %{NAS-IP-Address} -> x.x.x.164
    [radius-user-auth]      expand: %{Calling-Station-Id} ->
    Exec-Program output:
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 112 for 1 seconds
    Going to the next request
    Waking up in 0.7 seconds.
    Sending delayed reject for request 112
    Sending Access-Reject of id 65 to x.x.x.164 port 32770
    Waking up in 4.9 seconds.
    Cleaning up request 112 ID 65 with timestamp +5144
    Ready to process requests.
    What does this message mean: "++[radius-user-auth] returns reject"?
    Thanks for your time.
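To show what the FreeRADIUS log above actually tells you before the "++[radius-user-auth] returns reject" line, here is an added example (not part of the post, and not a FreeRADIUS tool) that parses a debug log into per-request records and reports the causes visible in the request itself. The log sample is constructed after the one above with documentation-range addresses, and radius-user-auth is assumed to be an exec-type module, as the "Exec-Program: returned: 1" line suggests.

```python
import re

# Constructed sample modelled on the FreeRADIUS debug output in the post above
# (documentation-range addresses and a made-up Message-Authenticator value).
SAMPLE_LOG = """\
rad_recv: Status-Server packet from host 127.0.0.1 port 43507, id=90, length=38
        Message-Authenticator = 0x00112233445566778899aabbccddeeff
Sending Access-Accept of id 90 to 127.0.0.1 port 43507
rad_recv: Access-Request packet from host 192.0.2.164 port 32770, id=65, length=169
        User-Name = ""
        CHAP-Challenge =
        CHAP-Password =
        Service-Type = Login-User
        NAS-IP-Address = 192.0.2.164
        NAS-Port-Type = Wireless-802.11
        Airespace-Wlan-Id = 10
        Calling-Station-Id = "192.0.2.50"
+- entering group authorize {...}
[radius-user-auth]      expand: %{User-Name} ->
[radius-user-auth]      expand: %{User-Password} ->
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Sending Access-Reject of id 65 to 192.0.2.164 port 32770
"""

REQ_RE = re.compile(r"^rad_recv: (?P<type>[\w-]+) packet from host (?P<host>\S+) port \d+, id=(?P<id>\d+)")
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+) =\s*(?P<value>.*)$")
EXEC_RE = re.compile(r"^Exec-Program: returned: (?P<rc>\d+)")
MODULE_RE = re.compile(r"^\+\+\[(?P<module>[\w-]+)\] returns (?P<rcode>\w+)")
REPLY_RE = re.compile(r"^Sending (?P<type>[\w-]+) of id (?P<id>\d+)")


def parse_requests(log):
    """Group a FreeRADIUS -X log into one dict per received packet."""
    requests, cur = [], None
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = {"type": m["type"], "host": m["host"], "id": int(m["id"]),
                   "attrs": {}, "modules": [], "exec_rc": None, "reply": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := ATTR_RE.match(line)):
            cur["attrs"][m["name"]] = m["value"].strip().strip('"')  # '""' becomes ''
        elif (m := EXEC_RE.match(line)):
            cur["exec_rc"] = int(m["rc"])
        elif (m := MODULE_RE.match(line)):
            cur["modules"].append((m["module"], m["rcode"]))
        elif (m := REPLY_RE.match(line)):
            cur["reply"] = m["type"]
    return requests


def diagnose(req):
    """Explain a reject from the exec-based auth module using only what the request shows."""
    findings = []
    if req["type"] != "Access-Request" or ("radius-user-auth", "reject") not in req["modules"]:
        return findings
    if not req["attrs"].get("User-Name"):
        findings.append("User-Name is empty: the script had no username to check")
    if "CHAP-Password" in req["attrs"] and "User-Password" not in req["attrs"]:
        findings.append("request is CHAP (CHAP-Password present, no User-Password): "
                        "a script that expands %{User-Password} sees an empty value")
    if req["exec_rc"]:
        findings.append("external script exited with %d, which the exec module maps to reject"
                        % req["exec_rc"])
    return findings


if __name__ == "__main__":
    for req in parse_requests(SAMPLE_LOG):
        print(req["type"], req["id"], req["reply"], diagnose(req))
```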

  • Tablets and Cisco WLC Web Authentication

    Hi my name is Ivan
    I have a question:
    I would like to know which tablets support Web Authentication on Cisco WLC?
    Android, Samsung, others?
    And which are the requirements of the tablet to use this way of authentication?
    Regards
    Ivan

    Any device that has a browser which can generate HTTP(s) traffic can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple iOS can handle this automatically (in most cases).
    As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

  • ISE 1.2 CWA Redirect URL

    Hi,
    Just wondered whether there was any way to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name; I was wondering if there was any way I can change this.
    I know with local webauth on the WLC you can set external URLs; does this feature exist in the ISE?
    TIA
    -G
    Sent from Cisco Technical Support iPad App

    Users Are Not Appropriately Redirected to URL
    Symptoms or Issue
    Administrator receives one or more "Bad URL" error messages from Cisco ISE.
    Conditions
    This scenario applies to 802.1X authentication as well as guest access sessions.
    Click the magnifying glass icon in Authentications to launch the Authentication Details. The authentication report should have the redirect URL in the RADIUS response section as well as the session event section (which displays the switch syslog messages).
    Possible Causes
    Redirection URL is entered incorrectly with invalid syntax or a missing path component.
    Resolution
    Verify that the redirection URL specified in Cisco ISE via the Cisco-AV-pair "URL Redirect" is correct per the following options:
    • CWA Redirection URL: https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
    • 802.1X Redirection URL: url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp
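As an added example (not from the post above and not an ISE tool), a small Python checker for the two redirect URL shapes listed in the resolution: it reports the "invalid syntax or missing path component" cases the note names, so a value seen in the Authentication Details RADIUS response section can be checked before chasing a "Bad URL" further. The port, path and parameter names come from those two lines; the hosts and session IDs in the usage and test are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Reference shape from the ISE troubleshooting note above; the host is the
# deployment's own ISE address (the note writes it as "ip").
EXPECTED_PORT = 8443
EXPECTED_PATH = "/guestportal/gateway"
VALID_ACTIONS = {"cwa", "cpp"}  # cwa = central web auth, cpp = 802.1X form in the note


def check_redirect_url(av_value):
    """Return a list of syntax problems in a url-redirect value; an empty list means it matches."""
    problems = []
    url = av_value.strip()
    # The 802.1X form carries the "url-redirect=" prefix of the AV pair; the CWA form does not.
    if url.startswith("url-redirect="):
        url = url[len("url-redirect="):]
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is %r, expected 'https'" % parts.scheme)
    if not parts.hostname:
        problems.append("host (ISE IP or FQDN) is missing")
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("port is not numeric")
    else:
        if port != EXPECTED_PORT:
            problems.append("port is %r, expected %d" % (port, EXPECTED_PORT))
    if parts.path != EXPECTED_PATH:
        problems.append("path is %r, expected %r" % (parts.path, EXPECTED_PATH))
    query = parse_qs(parts.query)  # blank values are dropped, so "sessionId=" counts as missing
    if not query.get("sessionId", [""])[0]:
        problems.append("sessionId parameter is missing or empty")
    action = query.get("action", [""])[0]
    if action not in VALID_ACTIONS:
        problems.append("action is %r, expected one of %s" % (action, sorted(VALID_ACTIONS)))
    return problems


if __name__ == "__main__":
    # Constructed values: a correct CWA URL and one with a missing port.
    for value in ("https://192.0.2.10:8443/guestportal/gateway?sessionId=0A000005000000123&action=cwa",
                  "https://192.0.2.10/guestportal/gateway?sessionId=0A000005000000123&action=cwa"):
        print(value, "->", check_redirect_url(value) or "OK")
```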

  • 7.5 web-auth client sleep timer feature

    The 7.5 release advertises the ability to configure a timeout value so that guest clients which go to sleep are not re-prompted for web-auth. Does anyone know if 7.5 would only be required on the anchor WLC or must it also be on the foreign? We utilize web-auth for a guest WLAN and anchor it to a WLC in the DMZ. Preference would be to NOT load 7.5 on every WLC we have and only upgrade our guest anchor.
    Thanks!
    Anthony

    Hi Scott ( and all ),
    I was making some tests with sleeping clients with an infrastructure like this:
    - 2 foreign (5508) with the APs and client association
    - 2 anchor (4402) on the DMZ
    - radius for client auth
    From my understanding:
    - clients are associated to the foreign but
    - the authentication is forwarded to the anchor
    (I can see the request on the radius with the anchor NAS IP address and, before the client is authenticated, I get the status as REQ_D state on the anchor)
    So I suppose the sleeping client feature should be on the anchor (or on both controllers) and not only on the foreign. Am I wrong?
    If you have some idea to make it work with only the sleeping config on the foreign, I will solve one big issue, because my anchors are 4402 without the sleeping feature available.
    All is working fine on the foreign if I remove the anchor configuration (by the way, like this it isn't a foreign anymore).

  • Web Auth Type: Customized(downloaded) Redirect URL after login not working.

    5508 WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public SSIDs set up to go directly to the internet.
    Everything is working as it should. I downloaded the web auth bundle from Cisco and will just use a disclaimer page, and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
    I have edited the aup.html and login.html to say what I want them to. I have 2 different login.html pages and bundle them into a .tar file like the documentation says. I download it via TFTP to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should. The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined.
    I must be missing some setting somewhere, but I just cannot seem to find it. Is there any line I need to edit in the login.html files that will redirect the page? The config on the Web Login Page Redirect URL after login is http://www.mccg.org which is our home page.
    Any help will be appreciated. I cannot seem to find very good documentation, or I am just overlooking something.
    Thanks
    John

    Your HTML code is wrong. Attach your code if you're okay with it and I can check.
    Sent from Cisco Technical Support iPhone App

  • Web authentication on WLC fails to redirect when we enter URL i browser

    I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble .....
    The problem is that we can associate to the SSID/AP and get an IP address. When we open the web browser we do not get redirected to the virtual interface but instead to the _hostname_ of the WLC. Like this:
    https://cisco6a19c4/login.html?redirect=nyttintranet.sem10.se/
    If we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should: the login page appears, we log in and can access the internet. We have tested and disabled web-auth on the SSID and everything works; we can directly go out on the internet, and DNS works without any problems.
    A little more info:
    2x WLC5508 running r7.0.116.0 and APs are 1142
    WLCs connected to Cat4503 via LAG
    Guest network (VLAN) is transferred from the WLC via the trunk to the Cat4503 and then connected on an access port to a separate broadband router, then to the internet.
    DHCP to guest-users from separate broadband-router which is def gwy and "DNS".
    On the virtual interfaces no hostname is configured.
    ANY ideas??!?!?!???
    Best Regards
    Göran Blomqvist

    Ooop....  waddyaknow....  As it turned out, one of the WLC _did have_ a name configured under the virtual interface, of course it was NOT the one that "our" AP was associated with....
    That has now been corrected and the guest access is working as intended......
    (Oh, yes we tried  with 3 PCs and 2 smartphones when we discovered the 'malfunction'....)
    Thanx for the mental push Stefan!!
    Regards
    Göran
