I have six 1231G access points that I have converted to LWAPs and a shiny new WLC2006. I am trying to get the internal web login page to work, but it fails when it tries to redirect to the "virtual" interface on the WLC. I read the Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller, but I didn't understand everything that they recommended.
We have a few network ports coming from our routers statically configured by our central IT to be on a "visitor" VLAN. All of them share one "visitor" subnet. Previously we just had an open wireless network and let people on that visitor subnet, but now we would like to use this WLC2006 to serve as a password-protected gateway to the visitor subnet. We have an existing DHCP server and DNS server on that subnet that we give out to wireless clients that connect.
I configured the "management" and "ap-manager" interfaces with VLAN of 0 and addresses in this subnet and connected one LWAP to it. It is seen and activated by the controller. I also configured the address of our DHCP server in the "management" interface. I then enabled Web Policy/Authentication for the Layer 3 security of the visitor wlan I set up. The "virtual" interface has an ip address of 220.127.116.11 (not routable).
So now when I try to associate, the DHCP traffic goes through. I get an address on the subnet. I open up a web browser and it does get the initial Cisco page which contains nothing but a META redirect to https://18.104.22.168/login.html?redirect=google.com which never completes. I assume that this is because there is no route to 22.214.171.124 since I am giving it a real route on our network from the domain controller.
What should I do? I tried assigning the "virtual" interface to a real one on the network, but it doesn't seem to let me assign one that is in the same subnet as the management interface. I don't think I will be able to talk the central IT folks into reconfiguring their wired routers for me, so I would like to do any setup just on the WLC and on our DHCP/DNS servers if that is possible.
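As an added offline check (not from the original post or from Cisco): this script parses the kind of interstitial page the poster describes, pulls the login host and the `redirect=` target out of the META refresh, and then flags the two configuration problems the post mentions, the interstitial pointing somewhere other than the configured virtual interface and a virtual IP that overlaps the management subnet. The sample page, the virtual IP 192.0.2.1 and the management interface 10.10.20.5/24 are constructed stand-ins.

```python
"""Local sanity checks for a WLC web-auth redirect (constructed example)."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address, ip_interface
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the page the WLC serves before login.
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" content="0; '
    'url=https://192.0.2.1/login.html?redirect=google.com"></head></html>'
)


class _MetaRefresh(HTMLParser):
    """Collect the URL from every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))


def parse_webauth_redirect(html):
    """Return (login_host, original_destination) or None if no META refresh."""
    p = _MetaRefresh()
    p.feed(html)
    if not p.targets:
        return None
    parts = urlsplit(p.targets[0])
    dest = parse_qs(parts.query).get("redirect", [None])[0]
    return parts.hostname, dest


def diagnose(html, virtual_ip, management_cidr):
    """List reasons the redirect to the virtual interface can fail."""
    problems = []
    parsed = parse_webauth_redirect(html)
    if parsed is None:
        return ["interstitial page has no META refresh; web-auth is not engaging"]
    host, _ = parsed
    if host != virtual_ip:
        problems.append(f"interstitial redirects to {host}, not virtual IP {virtual_ip}")
    if ip_address(virtual_ip) in ip_interface(management_cidr).network:
        problems.append("virtual IP is inside the management subnet; the WLC rejects that")
    return problems
```

Run `diagnose(SAMPLE_PAGE, "192.0.2.1", "10.10.20.5/24")` against a page saved from the real controller to see which step of the redirect is failing before touching the routers.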
Ok, I am too late to edit my last post. It occurred to me I messed up one part.
The client sends its DNS query to its DNS server (let's say 10.10.10.10), and the controller intercepts it. When the controller proxies the connection it sends the DNS query to the same server (10.10.10.10), but it sources it from the Manager or AP-Manager interface (I forgot which one). It has been a while, but as I recall one of those addresses had to be allowed to talk to the DNS server assigned to the client. In my situation, the IPs were not allowed out through the firewall, so when guests tried querying the external DNS server before getting the splash, the controller was not allowed to access them, and the clients timed out waiting for a response.