
Using Splash screen WPA2 network

michael.lussier
Level 1

I was using Document 100787 as a guide.

1. I have 1252 & 1142 APs connected to the WiSM (6.0.188.0 code)

2. FWSM I have a 4402 (6.0.188.0) appliance connected as my anchor.

3. ACS is ver 4.2

All of my wireless networks function as expected. I see the successful auth in ACS. I just built a new WPA2 network and set it up to use Splash screen redirect. It doesn't seem to matter what I do, it just won't work. IE or Mozilla.

Test 1 was to drop the users at the WiSM. There was no splash screen.

There was no evidence of my url-redirect in the Wireshark trace.

Test 2 used the 4402 as my anchor point with the same results.

In both cases the client was authenticated and was able to navigate the internet and other duties. The problem is upon opening the browser there is no redirect.

Any thoughts?


michael.lussier
Level 1

Here is a look at the trace.

See attached. This was the point of interest:

*Sep 24 15:22:48.073: 00:0b:cd:5a:50:b2 Unable to apply override policy for station 00:0b:cd:5a:50:b2 - VapAllowRadiusOverride is FALSE

I am not sure I understand what you are trying to accomplish. Typically you do not configure L2 encryption such as WPA/2 on web authentication SSIDs. This is because it is difficult to manage L2 encryption on networks intended for guest use or non-domain users. If this SSID is for guest/non-domain users I would use a PSK and provide that to end users if you need to use L2 encryption. If this is for domain users I would normally use 802.1x for authentication via EAP-TLS or PEAP.

Yes, this is a WPA2 AES / 802.1x network. Management has dictated that there must be a splash screen that comes up. Cisco states that this can be done. However, I have yet to see how.

I assume you have already enabled the web auth on the SSID under L3 security. Once you are able to auth using L2, can you type the virtual interface IP address of the WLC? It is usually 1.1.1.1 or whatever you chose on install. Issues like this are usually related to DNS. The wireless client must be able to look up DNS names for the web redirect to work. If you are able to pull the splash page with the IP address then it is fairly certain you have a DNS issue.

Layer 2 WPA2 Policy

WPA2 Encryption

Layer 3

Web Policy

Splash Page Web Redirect

Yes, DNS works.

Once the client has an IP and opens the browser they pull up the internet site. Just no splash screen.

Are you able to pull the splash page directly by the virtual IP address? Also, have you had the same result when you set L3 to authentication rather than splash page?

http://1.1.1.1 pulls up nothing but an unknown page (time out).

I would try https://1.1.1.1 as well just for testing. The only thing I can think of is that since the WLC already sees the client as authenticated it does not route to the splash page. If you force L3 to require authentication as well does the WLC then present the page and request a password?

I do get the site certificate error page and then I click past it. It bombs out with page not found.

Have you tried creating a new SSID tied to the same dynamic interface using web splash only? This would at least prove if the WLC is serving up the page properly at all.

That is exactly what I have done here. I'm also using a second ACS 4.2 server as well.

Hmmm... Did you anchor the anchor to itself?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Vinay Sharma
Level 7

Hello Michael,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.

Thanks,

Vinay Sharma

Community Manager – Wireless

Thanks & Regards