Using Splash screen WPA2 network

Sep 24th, 2010

I was using Document 100787 as a guide.

1. I have 1252 & 1142 APs connected to the WiSM ( code)

2. FWSM I have a 4402 ( ) appliance connected as my anchor.

3. ACS is ver 4.2

All of my wireless networks function as expected. I see the successful auth in ACS. I just built a new WPA2 network and set it up to use Splash screen redirect. It doesn't seem to matter what I do, it just won't work. IE or Mozilla.

Test 1 was to drop the users at the WiSM. There was no splash screen.

There was no evidence of my url-redirect in the Wireshark trace.

Test 2 used the 4402 as my anchor point with the same results.

In both cases the client was authenticated and was able to navigate the internet and other duties. The problem is upon opening the browser there is no redirect.

Any thoughts?

michael.lussier Fri, 09/24/2010 - 12:32

Here is a look at the trace.

See attached. This was the point of interest:

*Sep 24 15:22:48.073: 00:0b:cd:5a:50:b2 Unable to apply override policy for station 00:0b:cd:5a:50:b2 - VapAllowRadiusOverride is FALSE

b.garczynski Wed, 09/29/2010 - 09:57

I am not sure I understand what you are trying to accomplish. Typically you do not configure L2 encryption such as WPA/2 on web authentication SSIDs. This is because it is difficult to manage L2 encryption on networks intended for guest use or non-domain users. If this SSID is for guest/non-domain users I would use a PSK and provide that to end users if you need to use L2 encryption. If this is for domain users I would normally use 802.1x for authentication via EAP-TLS or PEAP.

michael.lussier Wed, 09/29/2010 - 10:36

Yes, this is a WPA2 AES/802.1x network. Management has dictated that there must be a splash screen that comes up. Cisco states that this can be done. However, I have yet to see how.

b.garczynski Wed, 09/29/2010 - 10:43

I assume you have already enabled the web auth on the SSID under L3 security. Once you are able to auth using L2, can you type the virtual interface IP address of the WLC? It is usually or whatever you chose on install. Issues like this are usually related to DNS. The wireless client must be able to look up DNS names for the web redirect to work. If you are able to pull the splash page with the IP address then it is fairly certain you have a DNS issue.

michael.lussier Wed, 09/29/2010 - 10:48

layer 2 WPA2 Policy

WPA2 Encryption

Layer 3

Web Policy

Splash Page Web Redirect

Yes, DNS works.

Once the client has an IP and opens the browser they pull up the internet site. Just no splash screen.

b.garczynski Wed, 09/29/2010 - 10:55

Are you able to pull the splash page directly by the virtual IP address? Also, have you had the same result when you set L3 to authentication rather than splash page?

b.garczynski Wed, 09/29/2010 - 11:02

I would try as well just for testing. The only thing I can think of is that since the WLC already sees the client as authenticated it does not route to the splash page. If you force L3 to require authentication as well does the WLC then present the page and request a password?

michael.lussier Wed, 09/29/2010 - 11:44

I do get the site certificate error page and then I click past it. It bombs out with page not found.

b.garczynski Wed, 09/29/2010 - 11:58

Have you tried creating a new SSID tied to the same dynamic interface using web splash only? This would at least prove if the WLC is serving up the page properly at all.

michael.lussier Wed, 09/29/2010 - 12:43

That is exactly what I have done here. I'm also using a second ACS 4.2 server as well.

George Stefanick Wed, 09/29/2010 - 13:50

Hmmm... Did you anchor the anchor to itself?

Vinay Sharma Sun, 09/25/2011 - 10:43

Hello Michael,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.


Vinay Sharma

Community Manager – Wireless

