WLC web authentication ACL to allow internet surfing only
Hi forumers'
I would like to restrict web authentication users from accessing my other network devices. Web authentication users can only go to the internet, that's all.
According to my attachment, am I writing the right ACL syntax, and do I apply this at the web authentication interface?
I also tried this ACL at my core switch but it does not seem to succeed.
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
int vlan 20
ip access-group ACL-VLAN-20 in
Any problem with it?
Well, as long as it can restrict web authentication users to only going to the internet, then it serves my purpose.
thanks
Noel
This should work
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31 (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53 (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80 (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443 (allows HTTPS but only outside as the deny stops internal)
But you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny for access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers.
You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1, assuming one of these is your virtual interface address.
When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow the 172.16.20.0 and the any to 172.16.20.0.
But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers in case there are issues.
HTH,
Steve
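To see why the order of the lines matters, here is an added example (mine, not code from the question or the reply): a small first-match evaluator for IOS-style extended ACLs, run against the ACL as posted in the question and against the reply's ordering. The reordered ACL also carries the deny for host 172.16.1.100 from the question, which the reply did not repeat. The guest client address, the internal hosts and the public addresses in the sample flows are constructed for the example, and only the "eq" port operator is implemented, which is all these ACLs use.

```python
"""
First-match evaluator for Cisco IOS style extended ACLs (added example).
Shows why the posted ordering lets guests reach internal web servers and
why the reply's ordering, plus an explicit permit for UDP/53, does not.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL exactly as posted in the question.
ORIGINAL_ACL = """
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
"""

# The reply's ordering (deny internal first, then DNS/HTTP/HTTPS), plus the
# host 172.16.1.100 deny from the question that the reply left out.
REORDERED_ACL = """
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny ip 172.16.20.0 0.0.0.255 host 172.16.1.100
permit udp 172.16.20.0 0.0.0.255 any eq 53
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
"""


@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]    # None = any destination port
    text: str               # the ACL line, kept for explaining a decision


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(t[i])),
            int(ipaddress.IPv4Address(t[i + 1])), i + 2)


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Only 'eq <port>' is supported; these ACLs use nothing else."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.splitlines():
        line = raw.split("(")[0].strip()          # drop trailing "(comment)" text
        if not line or line.startswith(("!", "remark", "ip access-list")):
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src_net, src_wild, i = _parse_addr(t, 2)
        _, i = _parse_port(t, i)                  # source port operator, if any
        dst_net, dst_wild, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, dport, line))
    return aces


def _in_range(ip: int, net: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (net & care)


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, Optional[Ace]]:
    """First matching line wins; every IOS ACL ends with an implicit deny."""
    src = int(ipaddress.IPv4Address(flow.src))
    dst = int(ipaddress.IPv4Address(flow.dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (_in_range(src, ace.src_net, ace.src_wild)
                and _in_range(dst, ace.dst_net, ace.dst_wild)):
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace
    return "deny", None


def decide(acl_text: str, flow: Flow) -> str:
    return evaluate(parse_acl(acl_text), flow)[0]


if __name__ == "__main__":
    # Constructed sample flows from one guest client: an internal web server,
    # an internal SSH host, a public DNS resolver and a public HTTPS site.
    guest = "172.16.20.57"
    samples = [
        Flow("tcp", guest, "172.16.1.100", 80),
        Flow("tcp", guest, "172.16.1.10", 22),
        Flow("udp", guest, "8.8.8.8", 53),
        Flow("tcp", guest, "93.184.216.34", 443),
    ]
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        for f in samples:
            action, ace = evaluate(parse_acl(acl), f)
            print(f"{name:9} {f.proto}/{f.dport} -> {f.dst:15} {action:6} "
                  f"via: {ace.text if ace else 'implicit deny'}")
```

Run it directly to print which line each flow hits. Two results are the ones that matter: with the posted ordering, guest to 172.16.1.100 port 80 is permitted by the "any eq 80" line before either deny is reached, and UDP/53 falls through to the implicit deny at the end, so clients cannot resolve names in the first place. The evaluator models only the inbound direction on the VLAN interface; for an ACL applied on the WLC itself the reply's point about also permitting the return traffic to 172.16.20.0/24 still applies.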
Similar Messages
Cisco WLC Web Authentication with Internet Explorer 10
Hi my name is Ivan
I have a question:
Cisco WLC Web Authentication works fine with Internet Explorer 10. I have worked with Chrome, Mozilla, IE 7 and I don't have any trouble.
When I put in the IP address https://1.1.1.1/login, the web page is shown to me.
Thanks for your answers
Regards
Hmm, I'm a Mac guy, hard for me to test. I also did a search and don't see anything about bugs. Did you make any changes to IE10 settings? Is proxy enabled?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Tablets and Cisco WLC Web Authentication
Hi my name is Ivan
I have a question:
I would like to know which are the tablets that support Web Authentication in Cisco WLC?.
Android, Samsung, others?
And which are the requirements of the tablet to use this way of authentication?
Regards
Ivan
Any device that has a browser which can generate HTTP(S) traffic can use WLC Web Auth. If your question is regarding being presented "automatically" with the captive portal, I have seen this can be dependent on OS. From my reading about Droids (not hands-on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine. Apple iOS can handle this automatically (in most cases).
As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.
Certificate for WLC web auth - HELP
Hi all
I need to buy a cert for my WLC web authentication
I have read the document below
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
However, I want to fill in the details and generate the CSR via the provider I'm buying the cert from, Thawte.
Am I OK doing all this via the provider, or do I need to use OpenSSL to generate the CSR?
Can anyone post the steps in here I need to take when purchasing and installing a chained certificate on my WLC.
The WLC has the latest version of code.
cheers
Carl
Here are the instructions for a chained certificate.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
It's simple enough, copy and paste the chain below the certificate when you generate the final.pem.
Main thing to remember: when compiling the final.pem, use a version of OpenSSL < 1.0, as otherwise it won't install.
If your provider will generate the CSR for you it should be fine, but you will need the private key to recompile the certificate.
As you'll be using OpenSSL to recompile the certificate you may as well use it to generate the CSR, there's not much to it.
Thanks
Chris
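The steps from the reply (generate the CSR yourself with OpenSSL so you hold the private key, then paste the chain below the device certificate into final.pem) as an added, runnable walk-through; this is my script, not the Cisco document's or the poster's. A throwaway self-signed CA stands in for the commercial CA (Thawte in the question) so it runs offline, and the file names wlc.key, wlc.csr, wlc.pem, ca.pem and final.pem under $WORKDIR are assumptions. The script stops at a verified bundle; the controller-specific packaging and upload follow the linked Cisco document.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco): build and verify a chained
# WLC web-auth certificate bundle with OpenSSL before touching the controller.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_stub_ca() {
  # Offline stand-in for the commercial CA so the example runs end to end.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Stub Root CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

make_csr() {
  # $1 = the DNS name users will be redirected to (the name mapped to the
  # virtual interface). Generating the CSR here is what leaves you holding
  # the private key, which you need later to rebuild final.pem.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORKDIR/wlc.key" -out "$WORKDIR/wlc.csr" 2>/dev/null
}

sign_csr() {
  # What the CA does with your CSR; you get wlc.pem plus the chain back.
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/wlc.csr" \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$WORKDIR/wlc.pem" 2>/dev/null
}

build_final_pem() {
  # Order matters: device certificate first, then the chain pasted below it
  # (intermediates, then root), then the private key.
  cat "$WORKDIR/wlc.pem" "$WORKDIR/ca.pem" "$WORKDIR/wlc.key" > "$WORKDIR/final.pem"
}

verify_final_pem() {
  # 1. the device cert must chain to the CA bundle you were given
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/wlc.pem" >/dev/null 2>&1 || return 1
  # 2. certificate and key must belong together (same public key)
  cert_pub=$(openssl x509 -in "$WORKDIR/wlc.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/wlc.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 3. the bundle holds the chain (at least two certs) and exactly one key
  [ "$(grep -c 'BEGIN CERTIFICATE' "$WORKDIR/final.pem")" -ge 2 ] || return 1
  [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$WORKDIR/final.pem")" -eq 1 ]
}

# Usage: sh build_wlc_cert.sh wlc-guest.example.com
if [ $# -gt 0 ]; then
  make_stub_ca
  make_csr "$1"
  sign_csr
  build_final_pem
  verify_final_pem && echo "final.pem built and verified in $WORKDIR"
fi
```

The verify step is the part worth keeping: a bundle whose key does not match the certificate, or whose chain is missing an intermediate, fails here instead of failing silently on the controller, and the public-key comparison is exactly the check that tells you whether a CSR generated by the provider can ever be recombined with a key you do not have.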
Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)
Hello,
I have configured a Guest SSID with web authentication (captive portal).
wlan XXXXXXX 2 Guest
aaa-override
client vlan YYYYYYYYY
no exclusionlist
ip access-group ACL-Usuarios-WIFI
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
mobility anchor 10.181.8.219
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth parameter-map global
session-timeout 65535
no shutdown
The configuration of webauth parameter map is :
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
parameter-map type webauth global
type webauth
virtual-ip ipv4 1.1.1.1
redirect on-success http://www.google.es
I need to login on web authentication on HTTP instead of HTTPS.
If I login on HTTP, I will not receive certificate alerts that prevent the users connections.
I saw how to configure it with the 7.x release but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
Web Authentication on HTTP Instead of HTTPS
You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
Thanks in advance.
Regards.
The documentation doesn't provide very clear direction, does it?
To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.
WLC 4400/Web Authentication and proxy autodiscovery
We have a guest SSID where people authenticate via the built-in web authentication and RADIUS.
We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest SSID, but only after the authenticated user closes and reopens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.
My question is if there is a smarter way to push proxy settings to guest users without user intervention? How did you solve this?
Regards,
Rutger
The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to the proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages through, which are now allowed to pass to the proxy.
The most fool-proof way I've come across is to use Transparent URL Redirection. This is something you can set up on a PIX / ASA, but it requires a compatible web proxy / web filter - I've used WebSense, but I believe other products should work too.
Lots of documentation about how to achieve this via CCO.
Regards,
Richard
Repeated wlc 5508 client web authentication
I'm trying to troubleshoot a situation where many of our guest wireless users are repeatedly being prompted to reauthenticate via the web interface. the session timeout is set to 4 hours, however, many times a client is presented with a web authentication screen right in the middle of browsing at random times.
I do have several system log entries, but cannot find the specific entries in the Error code reference for the WLC. For example, I don't find anything on %AAA-3-VALIDATE_GUEST_SESSION_FAILED: file_db.c:4022 Guest user session validation failed for guest1. Index provided is out of range..
I'm running a WLC 5508 with 7.0.98.0 and have read through all of the release notes, error code references, etc., and don't see anything regarding this issue.
The WCS screenshot shows a good example of how often this occurs! Is the client actually re-associating with the AP (which in turn would require a web reauth)? Not sure if I'm barking up the wrong tree - focusing on web auth when I may actually need to be focusing on AP association...
I do have a TAC case opened up, but was wondering if anyone has experienced this before?
Sorry for the rambling...
Rene,
I did several things and at least one of them seemed to resolve the issue:
These notes are directly from my TAC case and I will try to provide a little more information [in brackets].
1. Upgrade WLC to 7.0.98.218 [self explanatory]
2. Upgrade WCS to 7.0.172.0 [current version, as of this note]
3. Increase DHCP scope time on ASA from default (30 minutes) to 4 days [DHCP running external from the WLC]
4. Remove TKIP from the WLAN - only allow AES [had both configured but tech advised to only use AES]
5. Increased session timeout from 14400 seconds to 64800 seconds (4 hours to 18 hours) [don't think this helped resolve the issue, but it certainly was more convenient for our longer-term guests]
I think that the TKIP and/or DHCP setting was integral as part of the resolution. I upgraded the WLC because the version that I was running didn't have the web-auth debug option, so I'm not sure that that actually contributed to the resolution.
Good Luck,
Rob.
Wlc flexconnect wlan local authentication and central web authentication maximum rtt
Hi
From the below link below it mentioned that "Round-trip latency must not exceed 300 milliseconds (ms) between the AP and the controller. If the 300 milliseconds round-trip latency cannot be achieved, configure the AP to perform local authentication."
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1094148.
Is this limitation refer to web authentication also?
Thanks
Anyone???
Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
If so, please post screenshots with your configs (redirect ACLs, policies in ISE and the WLC SSID settings).
Also, the version of code that you are running in ISE and your controller.
Thank you for rating helpful posts!
WLC MOBILITY GROUP SINGLE WEB AUTHENTICATION
Hi.
I have installed two AIR-WLC2112 with mobility group configured and authentication web.
I want to know if you can create user / password web authentication only in one WLC.
Now, when I create a new user / password , I have to create in two WLC.
Thanks
In order to validate a site issuing a certificate, the client should be loaded with a certificate from the same Certificate Authority. Otherwise, ignore the warning and continue to the site. If you want to know if the site is valid, click on View certificate on the warning page and see if it belongs to the website.
SNMP web authenticated users wlc 5508
Hello everyone,
I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
I am using an external web server and my clients are authenticated with LDAP.
I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
Can anyone help me ?
Thanks a lot for your answers.
Hello Julien,
Thank you for the info. +5 for solving your own problem.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
WLC 4402 Web Authentication, MAC Filtering and Layer 2 Security
Hi All,
I have configured web authentication and MAC filtering on WLC 4402 for my wireless network and it is working fine. I want to configure layer 2 security for the same wireless network without a pre-shared key. Could you please advise how to configure layer 2 security with web authentication without a pre-shared key.
Is there any security issue with web authentication and MAC filtering only? My concern is that my wireless network shows as open.
Thanks,
Kashif
Hi,
if you have an ACS, then you can do a Web auth Splash page! Please refer to the doc below.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
Let me know if this answered your question.
Regards
Surendra
Delayed Web Authentication on 5500 WLC
Hi
I have set up a Guest WLAN on a 5508 WLC with web authentication. I noticed during tests that it takes about 2 to 3 minutes to complete the authentication process and provide access to the client machine. My WLC is running version 7.3.101.0.
Has anyone come across a similar situation or can suggest a solution to this issue?
Feel free to ask if you need more details.
Thanks
Sunil
Well, what I would do for testing is the following:
Remove WebAuth to see if there is an issue with connectivity on that subnet
Map the Guest WLAN to a working subnet or create a new SSID and map that to a known working subnet
If you're using a custom WebAuth, try using the default internal WebAuth page to see if there is any difference
If you're authenticating Guest using RADIUS, check the RADIUS logs for errors
Is it all devices or is it an issue with few or a certain model
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
WLC Client excluded - web authentication failed 3 times
Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
An example of the alert generated in the event of an excessive authentication failure is as follows:
Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
E-mail will be suppressed up to 30 minutes for these alarms.
I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network, as the customer's security team is not accepting notification only. Therefore please advise:
- What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
- If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
- If necessary could e-mail suppression be turned off - for this alert only?
Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
BR
Rockford
There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
http://support.microsoft.com/kb/883619
Hi everyone, I'm having problems in a wireless network. The SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
When a client roams from one AP to another one or when he has idle time, he needs to re-authenticate in the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting way to determine why the clients have this problem??
A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
I know when a client or the AP sends a DEAUTH frame the client will need to re-establish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
Another problem is you're using EAP. Are you using CCKM or a device that supports OKC? What does your RADIUS server say when a client roams?
You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
Wlc 5500 authentication timeout
I have a WLC 5500 controller. I have two WLANS (OBSD-Internal and OBSD-BYOD). I have authentication setup to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re authenticate every few minutes. This only happens on the BYOD WLAN (not Internal)
Scott-
Here are the results of the show wlan command:
(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status