WLC 4404 and internal guest WLAN authentication issues

augul
Level 1

Dear all,

We have recently decided to enable WLAN for guest users that authenticates users by redirection to WLC's virtual address (1.1.1.1).

I have created the WLAN and assigned the management interface to it on the WLC.

The interface points to a DHCP server that resides on the same segment and issues all "guest" clients with IP addresses, which works fine.

The problem is with web authentication redirection when using names (e.g. http://www.cisco.com).

Clients are supposed to be redirected to the web auth page once supplied with the relevant DHCP information.

Redirection occurs when the client opens an internet browser (e.g. IE).

Unfortunately this does not occur when browsing to URLs using names.

When browsing to an IP address, redirection to 1.1.1.1 works just fine.

I have applied a preauth ACL for the guest WLAN to allow DNS traffic, but that didn't help.

I have noticed that when the ACL is applied, clients can resolve DNS for about 5 seconds and after that everything stops.

I tried to allow ICMP, just to prove the concept, and noticed that after 6 - 10 packets the connection drops.

My WLC is running 4.0.179 firmware.

One more thing: when I access the web auth page by going to http://1.1.1.1 and authenticate successfully, I am able to browse the internet, which indicates that DNS resolution works fine.

Please help, I am out of ideas.

2 Replies

tfsoarescisco
Level 1

Hi,

I am currently testing a WLC4400 setup. Regarding web-auth, I have a similar problem and know the reason for it. The redirect will only work for addresses your DNS resolves into IP addresses. In my case that means only internal names will be resolved, i.e. if I type in something.mycompany.com I get redirected to the web auth page, whereas if I type http://www.google.com I'll only get an invalid address error.

To test if this is what's happening in your case, try checking the name resolution via the command line using nslookup.

If you have a proxy configured on the browser, that will also cause you not to get redirected. In my case I use a proxy, but the internal addresses are bypassing the proxy (defined in group policy), so this problem doesn't affect me on the pages that can get me to the web auth page... In a perfect world, proxy or no proxy, internal or external website, you would always get redirected...

Hope this helps,

Tiago LS

Thanks for your reply Tiago,

I am aware of the proxy setting in IE and I made sure that there is no proxy config on the client laptop that I use for testing.

There has been some progress on my issue.

I have opened a TAC case with Cisco and so far I have proven that there is a fault with my 4404s: the "pre authentication ACL" does not work.

The theory is that by specifying certain traffic in the "pre authentication ACL" you allow it to go out/in (depending on your ACLs) before the WLAN client gets authenticated.

The preauthentication ACL does not make any difference, even if I permit any source to any destination on any protocol in/out.

Nslookup is the command that I am using to test DNS resolution, and it just times out for unauthenticated clients.

I will keep you posted...
