WLC 2504 Guest Wifi login Page

Answered Question
Jun 5th, 2012

Hi

Need some help. I have setup guest access on the controller and this is not working at the moment.

DHCP server setup on the controller for the Guest users.

You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.

Need to know how to fix this.

Regards

Chris

Correct Answer
Amjad Abdullah Tue, 06/05/2012 - 09:10

Are your connected clients able to perform DNS queries?

Make sure the DNS server provided by DHCP is correct.

If they are Windows clients, try nslookup while the clients are connected and make sure DNS is working fine.

This link will be very good for troubleshooting:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080a38c11.shtml

HTH

Amjad

Sent from Cisco Technical Support iPad App

George Stefanick Tue, 06/05/2012 - 09:40

A few things are important for the redirect to occur. Let's talk through the process so we are clear and you can appreciate what is going.... This is if you are using a signed cert. The goal in this is to get the user to the 1.1.1.1 address. This is the virtual address and this address is what serves up the web page on the controller.

1. Guest connects to your guest SSID.

2. Guest opens a browser and goes to yahoo.com.

3. The client sends the DNS request for yahoo.com to the DNS server (Q#1: Is your DNS inside or outside for your guest?)

4. The controller intercepts the DNS query that is returned and hijacks it and replaces it with your virtual address 1.1.1.1 from the controller. Again, 1.1.1.1 is what delivers the page to the guest.

5. If you don't have a signed cert on the controller, the user will get an 'accept this cert on the webpage'. The user accepts the cert and you are off to the races.

If you are using a signed cert, not a local one on the WLC, let me know as there are a few extra steps that happen which I can explain if needed.

Also, are you using the Cisco default page or a custom page?

Are you using the Cisco WLC to offer the page or an external server?

Did you configure web auth as part of your guest security?

chrisvanwyk Wed, 06/06/2012 - 02:30

Hi

This should be fairly simple: you enable webauth from the controller tab, then create the guest SSID, then set the policy (layer 2 none, layer 3 web policy) and set the web auth method to internal, the default. All this is done, but DNS is not working as yet; the DSL router was not set up yet. I just wanted to test the authentication. I entered the IP address of the controller guest interface IP and then I get the redirect to 1.1.1.1, but from here I don't get the login screen displayed, just page cannot be displayed. So is then DNS related but the redirect is 1.1.1.1. No certs used, just default settings. I should still get to the login page.

Hope this makes more sense.

George Stefanick Tue, 06/05/2012 - 09:47

Amjad,

DNS shouldn't be needed, UNLESS they are using a signed cert to resolve the cert name to the virtual address. If they are, then yes, DNS is needed. Otherwise, not a requirement.

BTW +5 to you my friend. Keep up the good work ..

chrisvanwyk Wed, 06/06/2012 - 02:46

Just to explain the setup

The controller is connected to a Cisco layer 3 switch, trunked, all VLANs allowed. A layer 2 VLAN was created for the guest VLAN that is connecting the guest users to a DSL modem for the www traffic so they are not using the client's bandwidth. The DSL has not been cabled in the VLAN yet. The DHCP on the controller is set up for the 10.0.0.0 range, and the default gateway and DNS is the DSL router. They only want the guest to access the internet there no other resources on the local. They want the lobby admin set up so the receptionist can create and manage these users for them when a guest needs access, otherwise I would have just gone for the WPA2 preshared key option.

Amjad Abdullah Wed, 06/06/2012 - 03:23

George:

Thank you for the rating.

For this issue, they are getting the web page and after providing the credentials it is redirecting to the original page.

If there is no DNS available, how will the host resolve the URL IP in order to open the web page?

This is why I suggested to check DNS.

From the link I posted above I quote:

...........

The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.

Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back. ........

If you are using a URL for the virtual interface then lack of DNS will not show you the credentials page in the first place.

If there is no URL for the virtual interface and you get the auth page, but after entering the credentials it does not successfully redirect, one of the main reasons is a DNS problem.

You can still comment on this if you see it not accurate.

Regards,

Amjad

chrisvanwyk Wed, 06/06/2012 - 05:07

Hi

The "web page cannot be displayed" is before you enter the credentials. You don't even get the login page; as explained, I get the redirect to 1.1.1.1 but then page cannot be displayed. Hope this makes sense now.

Sum this up.

User enters web page, gets the redirect to 1.1.1.1, then page cannot be displayed. No page to enter login credentials, just page cannot be displayed.

Regards

Chris

Amjad Abdullah Wed, 06/06/2012 - 05:32

Hi Chris,

I think I need to visit a doctor! I read your post twice before and what I understood is that you got the auth page and "page can not be displayed" appears after entering the credentials.

I now went to read it and it is mentioned explicitly that it shows "page can not be displayed" before you see the page!! I don't know what is wrong with me.

On the other hand, the DNS is still my primary suspect.

quoting again:

The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page

From the mentioned process, if there is no DNS resolution then there will be no HTTP get message and hence it is normal not to get the page. The WLC does not intercept the dns reply to the client, however, it intercepts the HTTP GET message when the client tries to open the page.

When internet/DNS are ready please test and let us know.

I will be very interested if it is not DNS to go deep to discover what the issue is.

Thanks.

Amjad

George Stefanick Wed, 06/06/2012 - 05:46

You are correct. DNS is needed for the intercept to work. I was focusing on cert redirect. So I as well read this differently. LOL
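
The failure points discussed in this thread (no DNS answer, no redirect, redirect to the virtual address but no login page), as an added example that is not part of any post above: a client-side check that reports which step of the chain breaks. It assumes the controller's redirect arrives as an HTTP 3xx with a Location header; the function and stage names are hypothetical.

```python
import http.client
import socket
from urllib.parse import urlsplit

NET_ERRORS = (OSError, http.client.HTTPException)


def _resolve(host):
    return socket.gethostbyname(host)


def _http_get(host):
    # Plain HTTP with redirects not followed, so the controller's answer stays visible.
    conn = http.client.HTTPConnection(host, 80, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def _tcp_connect(host, port):
    socket.create_connection((host, port), timeout=5).close()


def diagnose(target, resolve=_resolve, http_get=_http_get, tcp_connect=_tcp_connect):
    """Return (stage, detail) for the first step of the web-auth chain that fails."""
    try:
        ip = resolve(target)
    except NET_ERRORS as exc:
        return "dns_failed", str(exc)  # no address, so no HTTP GET to intercept
    try:
        status, location = http_get(target)
    except NET_ERRORS as exc:
        return "http_get_failed", f"{ip}: {exc}"
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no_redirect", f"HTTP {status}"  # assumption: redirect is a 3xx
    url = urlsplit(location)
    host = url.hostname or target  # relative Location keeps the original host
    port = url.port or (443 if url.scheme == "https" else 80)
    try:
        tcp_connect(host, port)
    except NET_ERRORS as exc:
        return "portal_unreachable", f"{host}:{port}: {exc}"
    return "portal_reachable", f"{host}:{port}"
```

Run `diagnose("yahoo.com")` from a client on the guest SSID; a `portal_unreachable` result matches the symptom of being redirected to 1.1.1.1 and then getting "page cannot be displayed".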

This Discussion

Posted June 5, 2012 at 4:59 AM