WLC 4400/Web Authentication and proxy autodiscovery

Unanswered Question
Nov 14th, 2007

We have a guest-SSID where people authenticate via the built-in web authentication and RADIUS.

We use proxy autodiscovery (WPAD, DHCP option 252) in our network and this works on the guest-SSID, but only after the authenticated user closes and opens Internet Explorer. It seems that restarting Internet Explorer triggers the WPAD discovery process.

My question is whether there is a smarter way to push proxy settings to guest users without user intervention. How did you solve this?



gmarogi Tue, 11/20/2007 - 12:42

Does the WLC pose any message at its console while the IE browser window is reopened and the proxy discovery worked?

Enable debug output on the controller and send me the capture you find. I will trace it for clear understanding of the root cause.

Richard Atkin Wed, 11/21/2007 - 12:58

The reason you need to restart IE is because the WLC will be blocking the initial discovery messages from IE to the proxy because the user won't have authenticated yet. When the user authenticates, closing / opening IE triggers the discovery messages through, which are now allowed to pass to the proxy.

The most fool-proof way I've come across is to use Transparent URL Redirection. This is something you can set up on a PIX / ASA, but it requires a compatible WebProxy / WebFilter - I've used WebSense, but I believe other products should work too.

Lots of documentation about how to achieve this via CCO.



kingsclererider Thu, 05/15/2008 - 06:30


I am planning on deploying something similar to you. (I have just posted a question based on this!) The behaviour you are experiencing is how I would expect WPAD to work. WPAD occurs when the browser opens; however, it is blocked until authentication has occurred. Opening a second browser after you have authenticated means that the WPAD message is passed through the WLAN controller. Do you use the integrated web authentication or do you use an external web server? My thoughts are that the external web server could open a second web browser once the 'logon' button has been pressed.



Rutger Blom Thu, 05/15/2008 - 07:10


We are using the integrated web authentication. I was able to solve this problem by using the DHCP WPAD discovery method where the WPAD URL is sent in the DHCP reply. This information is then already in place before the web authentication occurs.

Are you familiar with that? Otherwise I'll be glad to post the configuration here.
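
As an added illustration of the DHCP method described in the post above (not the poster's configuration and not Cisco code), this sketch parses the option area of a DHCP reply, extracts option 252, and checks that the advertised PAC URL points at an expected host. The hostnames, sample bytes and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

WPAD_OPTION = 252   # DHCP option carrying the proxy auto-config (PAC) URL
PAD, END = 0, 255   # single-byte options that have no length field

def parse_dhcp_options(data):
    """Parse the code/length/value option area that follows the DHCP magic cookie."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {code} is truncated")
        length = data[i + 1]
        # A repeated option code is concatenated (RFC 3396 long-option encoding).
        options[code] = options.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return options

def wpad_url(options):
    """Return the option 252 URL as text (trailing NULs tolerated), or None."""
    raw = options.get(WPAD_OPTION)
    if raw is None:
        return None
    return raw.rstrip(b"\x00").decode("ascii", errors="replace")

def check_wpad(options, allowed_hosts):
    """Classify the advertised PAC URL as 'absent', 'ok' or 'unexpected'."""
    url = wpad_url(options)
    if url is None:
        return "absent"
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return "ok"
    return "unexpected"

def opt(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value

# Constructed sample: option area of a DHCPACK on a guest VLAN (placeholder hostnames).
SAMPLE_ACK = (opt(53, b"\x05") + opt(3, bytes([10, 0, 0, 1])) + b"\x00"
              + opt(252, b"http://wpad.guest.example/wpad.dat\x00") + b"\xff")

if __name__ == "__main__":
    print(check_wpad(parse_dhcp_options(SAMPLE_ACK), {"wpad.guest.example"}))
```

Run against the option bytes of a lease captured on the guest VLAN, a result of "unexpected" means the client was handed a PAC URL on a host outside the allow-list.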


kingsclererider Thu, 05/15/2008 - 07:13

Hi Rutger,

Thanks. I am not familiar with this so would be grateful for the configuration.



