Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Guest WLAN and Web Auth?

Hi Guys,

Maybe someone can help me out?

I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical

"Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 

What I tried so far is..

  • add a DNS Host Name to the virtual interface and assign it to our internal DNS server.
    • dns name was resolving but we were unable to ping
  • changed the virtual ip from to and modified the DNS entry
    • dns name resoved but still could not ping think this is normal)
  • changed the virtual IP to a private address of and modified the dns entry
    • same result

I've attached some screenshots of our configuration.

Cisco Employee

Re: Guest WLAN and Web Auth?

Do you get the webauth page when you manually enter the following url


Sent from Cisco Technical Support iPhone App

Re: Guest WLAN and Web Auth?

Troubleshooting Web Authentication

After you configure web authentication, if the feature does not work as expected, complete these

troubleshooting steps:

Check if the client gets an IP address. If not, users can uncheck

DHCP Required

on the WLAN and

give the wireless client a static IP address. This assumes association with the access point. Refer to


IP addressing issues

section of

Troubleshooting Client Issues in the Cisco Unified Wireless

Network for troubleshooting DHCP related issues



On WLC versions earlier than, you must manually enter


order to navigate to the web authentication window.

The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client

connects to a WLAN configured for web authentication, the client obtains an IP address from the

DHCP server. The user opens a web browser and enters a website address. The client then performs

the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the

website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web

authentication login page.


Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On

Windows, choose

Start > Run

, enter


in order to open a command window, and do a  nslookup" and see if the IP address comes back.

On Macs/Linux: open a terminal window and do a  nslookup" and see if the IP

address comes back.

If you believe the client is not getting DNS resolution, you can either:

Enter either the IP address of the URL (for example, is

Try to directly reach the controller's webauth page with

https:///login.html. Typically this is

Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also

be a certificate problem. The controller, by default, uses a self−signed certificate and most web

browsers warn against using them.


For web authentication using customized web page, ensure that the HTML code for the customized

web page is appropriate.

You can download a sample Web Authentication script from Cisco Software Downloads. For

example, for the 4400 controllers, choose

Products > Wireless > Wireless LAN Controller >

Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless

LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication


and download the


These parameters are added to the URL when the user's Internet browser is redirected to the

customized login page:


ap_mac The MAC address of the access point to which the wireless user is associated.

switch_url The URL of the controller to which the user credentials should be posted.

redirect The URL to which the user is redirected after authentication is successful.

statusCode The status code returned from the controller's web authentication server.

wlan The WLAN SSID to which the wireless user is associated.

These are the available status codes:

Status Code 1: "You are already logged in. No further action is required on your part."

Status Code 2: "You are not configured to authenticate against web portal. No further action

is required on your part."

Status Code 3: "The username specified cannot be used at this time. Perhaps the username is

already logged into the system?"

Status Code 4: "You have been excluded."

Status Code 5: "The User Name and Password combination you have entered is invalid.

Please try again."

All the files and pictures that need to appear on the Customized web page should be bundled into a

.tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is

login.html. You receive this error message if you do not include the login.html file:

Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web

Authentication Configuration Example for more information on how to create a customized web

authentication window.


Files that are large and files that have long names will result in an extraction error. It is

recommended that pictures are in .jpg format.


Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.

Other browsers may or may not work.


Ensure that the


option is not blocked on the client browser as the customized web page on

the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.



The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up

messages for the user.


If you browse to an


site, redirection does not work. Refer to Cisco bug ID CSCar04580

(registered customers only) for more information.

If you have a

host name

configured for the

virtual interface

of the WLC, make sure that the DNS

resolution is available for the host name of the virtual interface.


Navigate to the

Controller > Interfaces

menu from the WLC GUI in order to assign a



to the virtual interface.


Sometimes the firewall installed on the client computer blocks the web authentication login page.

Disable the firewall before you try to access the login page. The firewall can be enabled again once

the web authentication is completed.


Topology/solution firewall can be placed between the client and web−auth server, which depends on

the network. As for each network design/solution implemented, the end user should make sure these

ports are allowed on the network firewall.




TCP port 80/443

CAPWAP Data/Control Traffic

UDP port 5247/5246

LWAPP Data/Control Traffic

(before rel 5.0)

UDP port 12222/12223

EOIP packets

IP protocol 97


UDP port 16666 (non

secured) UDP port 16667

(secured IPSEC tunnel)


For web authentication to occur, the client should first associate to the appropriate WLAN on the

WLC. Navigate to the

Monitor > Clients

menu on the WLC GUI in order to see if the client is

associated to the WLC. Check if the client has a valid IP address.


Disable the Proxy Settings on the client browser until web authentication is completed.


The default web authentication method is PAP. Ensure that PAP authentication is allowed on the

RADIUS server for this to work. In order to check the status of client authentication, check the

debugs and log messages from the RADIUS server. You can use the

debug aaa all

command on the

WLC to view the debugs from the RADIUS server.


Update the hardware driver on the computer to the latest code from manufacturer's website.


Verify settings in the supplicant (program on laptop).


When you use the Windows Zero Config supplicant built into Windows:

Verify user has latest patches installed.

Run debugs on supplicant.


On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start

> Run > CMD:

netsh ras set tracing eapol enable

netsh ras set tracing rastls enable

In order to disable the logs, run the same command but replace enable with disable. For XP, all logs

will be located in C:\Windows\tracing.


If you still have no login web page, collect and analyze this output from a single client:

debug client

debug dhcp message enable


debug aaa all enable

debug dot1x aaa enable

debug mobility handoff enable

If the issue is not resolved after you complete these steps, collect these debugs and use the TAC

Service Request Tool (registered customers only) in order to open a Service Request.

debug pm ssh−appgw enable

debug pm ssh−tcp enable

debug pm rules enable

debug emweb server enable

debug pm ssh−engine enable packet

Cisco Employee

Re: Guest WLAN and Web Auth?

There is one good doc of web auth troubleshooting. Please find the same from the below link and try to tshoot

CreatePlease to create content