strange guest wlan issue - auto proxy detection

Unanswered Question
Jan 7th, 2009

Hi,

I have a wireless guest configuration up and running using a 4402 controller and a number of 1130AG APs.

The solution itself works fine. I have it configured for local web based authentication via the lobby administrator and DHCP via an external DHCP server.

Users can connect and login without any problems at all. The strange thing is that the browsers do not seem to autodetect the proxy servers unless I close the browser immediately after a successful login, then restart it. It then detects the http proxy correctly and all is well.

So for example, if a user opens a browser, tries to go to www.cisco.com, the WLC correctly redirects the traffic to the login page. The user logs in and the browser then tries to retrieve the original page, in this case www.cisco.com. This fails with a timeout. I restart the browser and all is fine.

I have the browsers configured for 'auto detect' and in the DHCP server I am passing option 252 with the correct string to locate the wpad.dat file.

With the browser open, and prior to login, I can enter the option 252 string directly into the url bar and the file downloads correctly. Again, if I place a host directly onto the wired vlan and test the wpad.dat file, the browser behaves correctly so I know the file is ok.

Further, I can see the browser trying to get to the proxy server prior to login, so I think that the browser is getting the wpad file from DHCP and is actually working ok.

I am using IE7 and running 4.1.181.0 on the controller

It looks like the WLC is causing the problem but I can't see where it could be going wrong.

Has anyone else seen this issue before ?

Or perhaps can point me in the right direction.

Cheers

Shaun

grzegorz.ciolek Wed, 01/07/2009 - 12:35

Hi,

Before proper authentication, the WLC only allows DHCP and DNS traffic. Other types of traffic are forbidden (getting the configuration file is also forbidden). You can try building a pre-authentication ACL to allow this type of traffic.

Cheers

Gregory

Scott Fella Thu, 01/08/2009 - 12:26

That is the issue with using a proxy. The user will only get the webauth page if he or she disables proxy on the browser. After authentication, users will then get a page cannot be displayed after the redirection. Users will then have to switch the proxy on to browse the web. This is the workaround; there isn't a configuration you can do on the WLC to help with this.

Stephen Rodriguez Thu, 01/08/2009 - 14:08

You may be able to add the proxy port to the WLC, so it listens on that port as well. The command is CLI only, and is:

config network web-auth-port <port number>

This may not work, but is something to try.

HTH,

Steve

roadhouse1387 Mon, 01/12/2009 - 08:15

Hi Guys,

Sorry for not replying straight away but thanks for the good info, I will try the CLI command and see if it works.

At least it looks like normal behaviour, thought I was going mad for a moment!

Cheers

Shaun

Rajesh Kongath Mon, 01/19/2009 - 00:11

Hi

I'm facing almost similar issues in our environment, where we are using a WLC (code 4.2.61.0) and 1131 APs. We may have to forward the traffic via an MS ISA proxy. With the proxy, the authentication never happens. Has anybody got a workaround for this issue?

Thanks in advance

raj

wesleyterry Mon, 01/12/2009 - 19:14

This may not be related but I see a similar problem all the time on my 4.1 Code. But I don't know if it is fixed in 4.2+.

Basically, the web authentication (I assume you use) is hijacking the request to the first web-request sent. So let's say you auto-proxy a device called PROXY1.

Open IE, tries to go to PROXY1, but WLC hijacks and redirects to WLC Web Authentication. Once Authenticated, any request to PROXY1 still gets sent back to the WLC authentication page if using the same IE session.

In my problem, it is with home pages. I don't use a proxy, but no one can go to their home page until they close IE since the homepage always redirects back to the authentication page....

Does that make sense?

I haven't found a work-around/fix but maybe it is fixed in 4.2. The bottom line is that I think it has something to do with the sessions in IE, and the redirect stops after IE closes (and starts new web-sessions after authenticated).

So in theory, if the proxy works after closing IE, then I'm sure it is the same thing I have with homepages...

Stephen Rodriguez Tue, 01/13/2009 - 09:10

Wesley,

What you are seeing is an error specific to IE. For some reason, when IE goes to the splash page, it caches it as the homepage. There is an option in IE to check for a new page every visit, by default it's set to automatically. This is under, General, Temporary Internet Files, Settings.

Also, there are some meta tags to try to keep IE from caching the page. The following should be in your login.html page

kylerossd Fri, 01/16/2009 - 18:04

You can write your own webauth page to possibly get around this and upload it to the controller as a tar file. I did this for an AUP policy page and the redirect always goes to the company webpage.

Let me know if this would interest you.
