Wireless Web redirection page

Unanswered Question
Nov 23rd, 2008

I have 2 SSIDs in my wireless network.

1 for the corporate users and 1 for the guests.

The guest SSID is broadcast, and when a user opens IE they get a screen asking for a user name and password.

My corporate users are using AD, integrated with the ACS 4.1 Solution Engine.

When the AD users connect to the guest SSID and provide their AD username and password, they are also able to browse the internet.

I need to block the AD users from using the guest SSID and block AD user authentication on the web page. Please advise on this issue.

gamccall Mon, 11/24/2008 - 05:11

It would be helpful to know whether your APs are running IOS or LWAPP, and whether the splash screen is being served by a WLC or a third-party captive portal product.

mohanantassp Mon, 11/24/2008 - 17:01

Thank you for your reply; my mistake, I didn't explain the requested points. I'm using a WiSM blade, and the APs are LWAPP APs. I'm just using the WLC splash screen. I just need to block the AD users from using the web access.

gamccall Tue, 11/25/2008 - 08:07

There's a guide here which relates to this feature:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

I've implemented this on my current project, but ran into a bit of a hitch: my guest users are correctly blocked from connecting to the internal SSID; however, my internal users are NOT being blocked from using the guest SSID. I suspect this may be because the guest SSID does not use 802.1X, and the guide seems to imply that 802.1X is a mandatory part of this config.

Under IOS, it was possible to set up RADIUS VSAs in ACS which would let you use Cisco AV-Pairs to limit the permissible SSIDs per group or user, as per this document:

http://www.cisco.com/en/US/docs/wireless/access_point/12.2_15_JA/configuration/guide/s15ssid.html#wp1037147

However, the WLCs do not recognize AV-Pairs as far as I know.

I have a TAC case open on the issue currently; I'll post results when I have any.
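The per-SSID authorization that gamccall describes (the RADIUS server, not the controller, deciding which SSIDs a user or group may use) can be modelled on the authentication-server side. The following is an added example written for this thread, not code from the posts or from Cisco; it assumes the controller sends the SSID in Called-Station-Id as "AP-MAC:SSID" and uses a constructed user directory, and it also emits the IOS-style `ssid=` Cisco AV-pairs from the linked access-point guide for the accepted case.

```python
"""Per-SSID RADIUS authorization policy (constructed example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory: which group each user belongs to.
USER_GROUPS = {"alice": "corp", "bob": "corp", "visitor1": "guest"}

# Policy: the SSIDs each group is permitted to use. Corporate (AD) users are
# deliberately absent from the guest SSID so the web portal rejects them.
ALLOWED_SSIDS = {"corp": {"CORP-WLAN"}, "guest": {"GUEST-WLAN"}}


@dataclass
class RadiusDecision:
    accept: bool
    reason: str
    # Cisco AV-pairs to return on Access-Accept (IOS AP "ssid=" form).
    reply_attrs: List[str] = field(default_factory=list)


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """Extract the SSID from a Called-Station-Id of the assumed form 'AP-MAC:SSID'."""
    _mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        return None
    return ssid


def authorize(username: str, called_station_id: str) -> RadiusDecision:
    """Decide an Access-Request based on the user's group and the SSID it came from."""
    group = USER_GROUPS.get(username)
    if group is None:
        return RadiusDecision(False, f"unknown user {username}")
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        # Fail closed: without a recognisable SSID the policy cannot be applied.
        return RadiusDecision(False, "cannot determine SSID from Called-Station-Id")
    allowed = ALLOWED_SSIDS.get(group, set())
    if ssid not in allowed:
        return RadiusDecision(False, f"{username} ({group}) not permitted on {ssid}")
    # Accept, and pin the permitted SSIDs with AV-pairs for IOS APs that honour them.
    return RadiusDecision(True, "ok", [f"ssid={s}" for s in sorted(allowed)])


if __name__ == "__main__":
    for user, csid in [("alice", "00-11-22-33-44-55:GUEST-WLAN"),
                       ("visitor1", "00-11-22-33-44-55:GUEST-WLAN")]:
        print(user, authorize(user, csid))
```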


dennischolmes Wed, 11/26/2008 - 06:11

This is a well-known and documented bug that was allowed to stay in as a feature. To stop your internal people from connecting, go to the WiSM GUI, then to Controller. Under Web RADIUS Authentication, select a method not currently configured on your RADIUS server. In most cases MD5-CHAP is not installed on a RADIUS server. This will cause the client to fail. The authentication process flows like this: the first attempt to resolve the username and password is against the internal database on the controller, and the second attempt is against the RADIUS server configured on the management interface.

Hope this helps.

mohanantassp Thu, 11/27/2008 - 17:26

Hi gamccall,

I really appreciate the information you have posted; I will check the information after reading your link. Please update me once you have closed the TAC case; at least I will have a clear picture of this issue.
