Internal Web Authentication + Local Net User

Unanswered Question
Nov 4th, 2008

Hi all,

I'm trying to set up the WLC with internal web authentication + a local net user account. I've set up a WLAN for this local net user and configured the user profile to map to this WLAN.

When the laptop gets associated with the designated WLAN and the user tries to browse to the internet, the internal web authentication page doesn't appear in the browser.

I'm just curious: is a DNS server required in order to direct the user-entered URL request to the virtual interface?

regards.

Scott Fella Wed, 11/05/2008 - 04:56

As long as you have everything working without webauth then your setup should be okay. When you implement webauth, the wlc verifies the homepage of the user. If the homepage cannot be resolved, due to intranet, https or DNS issues, then the webauth login page will not be displayed. Also the VIP interface should not have a DNS entry unless you have installed a 3rd party certificate in which the FQDN is resolved via DNS.

orochi_yagami Wed, 11/05/2008 - 05:20

Hi fella5,

When you said "everything working without webauth", does it mean the client is able to associate with the WLAN?

The VIP (virtual IP) should not have any entry; you mean the DNS hostname field should be left blank?

Scott Fella Wed, 11/05/2008 - 05:31

Prior to setting up webauth, a user should be able to associate to the SSID and get out to the internet. If any of these fail, then webauth will not work nor can you test it. Being able to resolve the user's homepage is a requirement that is performed by the wlc. So if the wlc can't resolve the homepage of the user, then the webauth page will never be displayed.

The VIP should be left alone unless you added the FQDN of the certificate into DNS.

dbentley Wed, 11/05/2008 - 06:02

Make sure that your homepage is NOT an SSL link. The WLCs only forward port 80 during internal web auth. Also, do you have your virtual address in place under the interface tab?
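The two preconditions raised in the replies above (the WLC must be able to resolve the client's homepage, and the homepage must be plain HTTP on port 80 rather than SSL) can be checked before a site visit. The script below is an added example, not code from this thread or from Cisco; the DNS table and the candidate URLs are constructed for illustration, and a real check would run from a host using the same DNS server the WLC is configured with.

```python
import socket
from urllib.parse import urlsplit


def webauth_homepage_problems(url, resolver=socket.gethostbyname):
    """Return the reasons a client's homepage would not trigger the WLC's
    internal web-auth redirect, following the advice in the thread:
      - the WLC only intercepts plain HTTP on port 80 (an SSL homepage fails), and
      - the WLC must be able to resolve the homepage's hostname.
    An empty list means the homepage looks usable for web auth.
    `resolver` is injectable so the check can run offline against a table."""
    problems = []
    parts = urlsplit(url)

    if parts.scheme != "http":
        problems.append(f"scheme {parts.scheme!r} is not plain HTTP; "
                        "SSL homepages are not redirected")

    # urlsplit only reports an explicit port; fall back to the scheme default.
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(parts.scheme)
    if port != 80:
        problems.append(f"port {port} is not 80, the only port the WLC forwards for web auth")

    host = parts.hostname
    if not host:
        problems.append("URL has no hostname")
    else:
        try:
            resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            problems.append(f"hostname {host!r} does not resolve; "
                            "the WLC must resolve it before it can redirect")
    return problems


# Constructed DNS table standing in for the resolver the WLC would use.
FAKE_DNS = {"www.example.com": "198.51.100.10"}


def fake_resolver(host):
    """Offline stand-in for socket.gethostbyname (constructed for this example)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"cannot resolve {host}")


if __name__ == "__main__":
    for candidate in ("http://www.example.com/",
                      "https://www.example.com/",
                      "http://intranet.corp.local/"):
        issues = webauth_homepage_problems(candidate, fake_resolver)
        print(candidate, "OK" if not issues else "; ".join(issues))
```

Drop the `resolver` argument to use the operating system's resolver; the injected table is only there so the check can be exercised without network access.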

orochi_yagami Wed, 11/05/2008 - 22:04

Yup, I set the virtual address to 1.1.1.1 as this is the general setup. Currently my IAS (RADIUS) is not ready for me to authenticate to AD, so what I've done was create a local net user in the local database. Then I tried to access the internet page.

Another question: when we need to authenticate against the IAS, do we need a CA cert to be installed on the client laptop? I'm not too sure of the concept of using a CA cert with authentication on the server.

regards

Scott Fella Thu, 11/06/2008 - 03:36

If webauth is not enabled, is everything working? The login page will only fail if the wlc can't resolve the user's homepage. A 3rd party certificate is so you don't get a certificate warning when you open a browser and get redirected to the VIP for the webauth page. You are using the internal webauth and not a custom webauth page, correct?

dbentley Thu, 11/06/2008 - 05:03

Be aware if you are running anything less than 5.1 code you cannot use an intermediate certificate. It must be a root. I have heard that the root certificate signing authority ends at the end of December. (Ask Entrust for a 2 year root).

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

I will create another SSID with local auth and try it.

Scott Fella Thu, 11/06/2008 - 07:25

I believe VeriSign is the only CA that will not issue a Root CA Certificate. This happened at the end of September.

orochi_yagami Thu, 11/06/2008 - 17:51

Everything looks good while trying to use the "internal web" authentication. When the client gets associated with the desired WLAN, the internal authentication page appears once the user launches the internet browser with the default homepage defined. As my IAS server is still not ready, it will authenticate against the WLC local database instead.

My question now is, as I'm using internal web authentication, will a root CA cert need to be installed on the client machine in order to allow the client machine to authenticate with the "correct" IAS server? Please correct me if my thought is incorrect.

regards.

Scott Fella Thu, 11/06/2008 - 19:18

Okay, let me see if I can answer your question. Certificates are used in various ways... a 3rd party certificate can be installed on a wlc that will host the webauth page. This will allow the user to not get a certificate error message when he or she opens a browser. Certificates that are either installed on the radius server (peap) or also on the client (eap-tls) are used for the type of eap authentication you want to use. Radius servers are configured on the wlan and this is where you point what radius server will authenticate users on that wlan.

orochi_yagami Sun, 11/09/2008 - 22:38

Hi fella5,

So what you mean is, I can proceed with the web authentication (internal) with a RADIUS server without a certificate installed on the client machine or server UNLESS I want to use layer 2 authentication (e.g. WPA+WPA1, dot1x...) in the wireless edit option, am I right?

In other words, a cert will be required for both the client machine and the RADIUS server if I want to implement layer 2 security, e.g. WPA+WPA2.

Scott Fella Mon, 11/10/2008 - 04:38

Well if you are using webauth for guest users, you really want to have an open ssid and either have a username and password on the wlc or use a passthrough webauth where the guest users just have to click submit or accept. If you are using this for internal users, then you really shouldn't use webauth since this will not be single sign on. Again, you can if you want your internal users to sign on again. There is wpa/wpa2 PSK and then there is wpa/wpa2 802.1x, which will require either using local EAP or a Radius Server. The radius server will either have the local user accounts or you can point this to AD. Depending on if you use EAP-PEAP (certificate on the radius server only) or EAP-TLS (certificate on both the radius and client) you will need a certificate.

For webauth only, you do not need a certificate on the user or radius server; a certificate will be required on the wlc if you don't want users to be prompted with a certificate error message. 5.1 supports unchained certificates, but I always use RapidSSL for a root ca cert just to make deployment much simpler for the client. So webauth and EAP will require certificates, with webauth being optional.

dbentley Mon, 11/10/2008 - 04:25

If you install a valid 'root certificate' (on 4.2.185 or earlier) on your WLC you will not have to touch the client machines at all. You can use the same root cert on all your controllers. I would suggest that you go through Entrust for this. It will take about 4 days for them to validate and complete the cert. Once you have the cert, follow the process to convert it to a .pem file.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
