WLC 4404 and internal guest WLAN authentication issues

Unanswered Question
Oct 22nd, 2007

Dear all,

We have recently decided to enable WLAN for guest users that authenticates users by redirection to WLC's virtual address (

I have created WLAN and assigned management interface for it on WLC.

Interface points to dhcp server that resides on the same segment and issues all "guest" clients with ip addresses which works fine.

The problem is with web authentication redirection when using names (eg: http://www.cisco.com).

Clients are supposed to be redirected to web auth. page once supplied with relevant dhcp information.

Redirection occurs when client opens up internet browser (eg. IE).

Unfortunately this does not occur when browsing to URL's using names.

When browsing to an ip address, redirection to works just fine.

I have applied preauth acl for guest WLAN to allow DNS traffic, but that didn't help.

I have noticed that when ACL is applied clients can resolve dns for about 5 seconds and after that everythings stops.

I tried to allow icmp - just to prove the concept and noticed that after 6 - 10 packets connection drops.

my WLC is running 4.0.179 firmware

One more thing, when I access web auth page by going to and authenticate succesfully i am able to browse the internet which indicates that DNS resolution works fine.

Please help i am out of ideas.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tfsoarescisco Thu, 10/25/2007 - 08:03


I am currently testing a WLC4400 set up, regarding web-auth have a similar problem and know the reason for it. The redirect will only work for addresses your DNS resolves into IP addresses, in my case that means only internal names will be resolved, i.e. if type in something.mycompany.com i get redirected to the web auth page, whereas if i type http://www.google.com i'll only get a invalid address error.

To test if this is what's happening in your case try checking the name resolution via command line using nslookup.

If you have a proxy configured on the browser that will also cause you not to get redirected, in my case I use a proxy but the internal addresses are bypassing the proxy (defined in group policy) so this problem doesn't affect me on the pages that can get me to the web auth page... in a perfect world proxy or no proxy, internal or external website you would always get redirected...

Hope this helps,

Tiago LS

augul Fri, 10/26/2007 - 17:06

Thanks for your reply Tiago,

I am aware of the proxy setting in IE and i made sure that there is no proxy config in my client laptop that i use for testing.

There has been some progress on my issue.

I have opened a TAC case with Cisco and so far i have proven that there is a fault with my 4404's - "pre authentication ACL" does not work.

The theory is that by specifying certain traffic in "pre authenticacion ACL" you allow it to go out/in (depends on your ACL's) before the WLAN client gets authenticated.

Preauthentication ACL does not make any difference even if I permit any source to any destination on any protocol in/out.

Nslookup is the command that i am using to test dns resolution and it just times out for not autenticated clients.

I will keep you posted...


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode