Proxy Config

Scott Fella Mon, 12/08/2008 - 20:03

Unless they have added a new feature on the 5.2 code, WebAuth will not work. I have tried this in the past and what is required is that the client have proxy disabled on their browser and then after a successful webauth login, he or she enables proxy to be able to browse. This is due to how webauth works and verifies the user's homepage or url he or she is trying to get. Here is a link that might help:

Rajesh Kongath Mon, 01/19/2009 - 00:15

Hi Fella,

What's new in the 5.2 code? We are stuck in our wireless guest configuration via proxy. Did anybody find any workaround for this issue?



wesleyterry Mon, 01/19/2009 - 08:31

So I guess you have your proxies manually configured and are not using WCCP?

With WCCP, you wouldn't need your clients manually configured with a proxy server. You could have the client web-auth to the WLC as expected, but then when they try to reach the internet, the WCCP policy takes effect and requires the proxy authentication...

Just a theory, and I'm not sure what all proxy devices support WCCP (we use Blue Coat), but I'm pretty sure this "could" work...

Just a quick run-down on WCCP:

Configure WCCP on your link to the internet from the router and all HTTP traffic will automatically go to the proxy device you have configured for WCCP. So when a client opens the Internet, and attempts to access a page, the request is automatically hijacked by the proxy server without any client-side configuration.

Matthew Fowler Mon, 01/19/2009 - 16:38

You can use WebAuth with a proxy, but you will need to:

1) Exclude the virtual address from the proxy

2) Configure the WLC to listen on the correct port (i.e. 8080 if you are using this):

config network web-auth-port 8080

If using WPAD, you will need a pre-authentication ACL to allow the client to download the PAC file before passing web authentication. The PAC file should look similar to this:

function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY :";
    var proxy_no = "DIRECT";

    if (shExpMatch(url, "http://*")) { return proxy_no; }
    if (shExpMatch(url, "https://*")) { return proxy_no; }

    // Proxy anything else
    return proxy_yes;
}

Hope this helps.
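
Added example, not part of the post above and not Cisco's own code: a PAC file that sends the controller's virtual address DIRECT and everything else to the proxy, with a loose URL-prefix glob shown beside an exact host comparison. The virtual address 192.0.2.1 and the proxy name proxy.example.net are constructed placeholders; only port 8080 comes from the thread.

```javascript
// Constructed placeholders: substitute the controller's virtual address and your proxy.
var VIRTUAL_HOSTS = { "192.0.2.1": true };      // assumed WLC virtual interface address
var PROXY = "PROXY proxy.example.net:8080";     // assumed proxy host; 8080 as in the thread

// Browsers supply shExpMatch() to PAC scripts. This shim exists only so the
// file can also be run under Node for testing; a browser never executes it.
if (typeof shExpMatch === "undefined") {
  globalThis.shExpMatch = function (str, glob) {
    var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*")
                 .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
}

// Loose form: a URL-prefix glob. "http://192.0.2.1*" also matches 192.0.2.10
// and 192.0.2.1.example.org, so traffic to those hosts would skip the proxy too.
function findProxyByGlob(url, host) {
  if (shExpMatch(url, "http://192.0.2.1*") ||
      shExpMatch(url, "https://192.0.2.1*")) {
    return "DIRECT";
  }
  return PROXY;
}

// Tighter form: compare the host argument exactly, after normalising case
// and a trailing dot, so only the virtual address itself bypasses the proxy.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  if (Object.prototype.hasOwnProperty.call(VIRTUAL_HOSTS, h)) {
    return "DIRECT";   // WebAuth login page served by the controller
  }
  return PROXY;        // everything else goes through the proxy
}
```

The pre-authentication ACL still has to let the client fetch this file before login, as the post describes.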


Rajesh Kongath Wed, 01/21/2009 - 08:00

Thanks, wesleyterry, for the comments, but unfortunately we have an MS ISA proxy, which is not supported by WCCP.

Hello Matt, I will test your solution and let you know the feedback. By the way, what exactly do I have to allow in the pre-auth ACL? My proxy port (8080) or all HTTP traffic?

Rajesh Kongath Thu, 01/29/2009 - 00:29

Thanks Matt

It worked, after applying the bidirectional ACLs in the controller.

By the way, the redirection is not working properly, suppose if typed after authentication it redirects to do you have any clue on this?

Apart from this, is there any way to have AD or ACS created Lobby Admins?

Thanks for your efforts

jain.nitin Thu, 05/14/2009 - 11:42

Hi, could you please let me know what you have allowed in the Pre Authentication ACL? What is WPAD? I am trying to deploy the same thing at a customer's place... any kind of help will be appreciated.

brodierad Mon, 10/04/2010 - 23:08

Hello there

I'm having the same issue and I have seen this solution posted in quite a few places but being pretty new to this I still find it confusing.

I don't understand what it means to "exclude the virtual address from the proxy."

Can someone tell me in a bit more detail please how I might do this? The virtual address being used is the default


Edit: never mind, I got this now.

