Cisco 4400 questions

Ok, this will be a long one so please bear with me.....

Cisco 4400 with 2 networks set up, one secure for internal traffic, one guest for guest access (we are a healthcare facility), both with authentication via a Cisco ACS appliance. (The guest gets its IP from DHCP running on a cheap Linksys router; this may be the issue.)

The guest network is set for web-authentication so it uses a certificate. My guests use a generic account to authenticate, BUT, they must accept a "non-trusted" certificate to get to the page to login, then get redirected to a splash screen disclaimer, etc. Boss man hates the certificate part so tells me to turn off the web authentication and just redirect to a splash screen with the disclaimer for the guest network. I do this only to discover that the splash screen is tied into the web-authentication!

I need to do one of two things, get a recognized cert on the 4400 so users do not have to accept it (tried to generate one but it did not work through DNS, see issue above?)


Find a way to redirect to a splash page without needing the web-authentication.

Thanks for the help in advance.......

I found this....

Is it possible to skip the guest user authentication and display only the web page disclaimer option?

A. Yes. Another configuration option of wireless guest access is to bypass user authentication altogether and allow open access. However, there might be a need to present an acceptable-use policy and disclaimer page to guests before granting access. In order to do this, a guest WLAN can be configured for web policy passthrough. In this scenario, a guest user is redirected to a web portal page which contains disclaimer information. In order to enable identification of the guest user, passthrough mode also has an option for a user to enter an email address before connecting.

At this site....

But it does not tell me how to do it?

weterry Thu, 06/18/2009 - 19:10

If you disable HTTPS on the controller, the redirect and web auth will take place in HTTP and not require a certificate. Make sure you enable http access though.

This will also disable the management https as well so just take that into consideration.

There will basically be no encryption on the user credentials entered if it is not https though, so take that into consideration as well. (assuming no layer2 encryption and just web auth)

weterry Fri, 06/19/2009 - 21:17

Which feature?

Disabling HTTPS to get an HTTP webauth should work for all versions.

As well, the article quoted above my post is referring to web pass-through (which is still configured in the Layer3 section of a wlan security). Web pass-through I think has been available as well in all versions of code...

But web-passthrough is still a web-auth redirect, which doesn't solve anything for the https certificate issue..

ERIC ARMSTRONG Mon, 11/23/2009 - 13:57

I'm trying to get web passthrough to work with http instead of https. When I enable http and disable https (and reboot the controller), the AUP page cannot be displayed when associating with the guest ssid. Works fine with https. Is there something else that needs to be done? We're running 6.0.182 on the anchor controllers.


ERIC ARMSTRONG Wed, 11/25/2009 - 08:06

Well, I tried enabling http, disabling https and rebooting again. This time it seemed to work fine. The passthrough page came up as http. Not sure what happened the first time around.


dennischolmes Wed, 11/25/2009 - 16:27

A good workaround, but do be aware of the potential security holes around your GUI login now. Also make sure you use very strong passwords with your admin accounts on the controller.

jpeterson6 Wed, 11/25/2009 - 07:16


Two things come to mind as I have just recently resolved a similar issue with the certificates.

1. What version of code are you on? Pre 5.1.151 you need to use Unchained/Root certificates, so if you are pre-5.1.151 and got your certificate from Verisign it will not work as they no longer issue unchained/root certs. I got mine from Thawte.

2. Did you assign the DNS name to the Virtual Interface on your 4404? It needs to match with the DNS entry you had entered in your CSR. If you miss this step, DNS won't work properly and it could cause issues.

Hope that helps,


