Re: WLC and NOMADIX?

Dave Anthony David · ‎02-28-2012

Is it possible to implement a web authentication in WLC and Nomadix as a gateway to internet for guest internet access?

Here are the network details.

No Layer 3 in the network

DHCP will be provided by NOMADIX (AG5500)

Guest Device(Laptop/Smartphones) --> CiscoAP (CAPWAP) --> CiscoL2Switch <--> CiscoWLC (5508 v7.0.116) ---> Nomadix (AG5500) ---> Internet

Testing done:

SSID is set to open (No L2/L3 Security set) - OK, web redirection to NOMADIX portal for AUP (Acceptable User Policy) is successful

SSID is set to L3 WebAuthentication (guest user is on WLC local database) - Not OK, NO web redirection, unable to reach WLC virtual IP.

Justin Kurynny · ‎02-28-2012

dsdavid,

If you perform the authentication on the WLC with a redirection to Nomadix, then you have to configure the Nomadix box wtih the proper .js scripts to send back the authentication accept or reject to the controller.

Instructions/example for setting up External WebAuth:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml

With a Nomadix box, however, it seems to me that you'd want to do authentication behind the controller and just leave the SSID open and tie the WLAN's VLAN directly into the Nomadix. In line with your user traffic, the Nomadix would handle both the portal and the authentication.

Justin

Dave Anthony David · ‎02-28-2012

Hi Justin, I want to pop-up the built-in (internal) portal page from WLC first, then enter username/password created in WLC local database, then after successful web authentication, it will redirect to Nomadix for AUP, then goes to the internet.

Right now my problem is I'm not hitting the Virtual IP address of my WLC, and so, it won't give me the WLC portal page. Correct me if I'm wrong.

Dave

George Stefanick · ‎02-28-2012

Hi Dave,

If I may chime in..

Why are you using the WLC for logon and then Nomadix for AUP? Why dont you use the WLC for both ? What advantage are you getting from Nomadix ?

As Justin points out why not leave the WLAN open?

Ive configured a few of these over the year. All those customers left it open and let the Nomadix handle everything.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dave Anthony David · ‎02-28-2012

Hi George, thank you for asking me that. My client wanted to use web authentication to a specific area where a valid credentials must be entered before gaining access to the internet. And he wants the credential must be stored in WLC. A lobby admin will provide the credentials to their guests. Another WLAN/SSID which is currently working right now is provided to another specific area where no web authentication is required, this time, the Nomadix will only provide AUP to accept then will direct to internet after accepting that AUP.

As for the Nomadix, the box is providing DHCP/NAT for the guest to access the internet. Since their network is configured only to use Layer 2.

Dave

George Stefanick · ‎02-28-2012

So are you trying to combine the 2 WLANs? Are you trying to go to creditials and get rid of the OPEN ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dave Anthony David · ‎02-28-2012

Nope. Sorry for misinterpreting my question. It should be like this.

SSID1 - Open

SSID2 - WebAuth

George Stefanick · ‎02-28-2012

You will need to keep both SSIDs clean.

SSID1 - WLC WEBAUTH where you can manage accounts

SSID2 - OPEN where it will be sent to Nomadix

You cant mix the two ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎02-28-2012

So are you saying both WLANS are as described above and your WLC WEBAUTH isnt working ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dave Anthony David · ‎02-28-2012

Yes George. WLC WEBAUTH isnt working.

George Stefanick · ‎02-28-2012

tyring to follow the packet here...

The open guest to nomadix has no problem so the packet is going right through the WLC and the web redirect happens on the nomadix side.

The packet for the webauth goes through the WLC then to the internet. The WLC then highjacks the request and then redirects it to the virtual address. The virtual address then brings up the page etc.

Are you pointing the webauth network in anyway way to the nomadix ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dave Anthony David · ‎02-28-2012

Are you pointing the webauth network in anyway way to the nomadix?

Yes, this is via dynamic interface/vlan/wlan/ssid mapping. Take note though that network here is pure Layer 2. Gateway defined in dynamic interface (vlan x) is fictional, Nomadix will only take the vlan-id as its source network (this is how I understand the Nomadix)

George Stefanick · ‎02-28-2012

Your gateway on the dynamic interface is pointing to what, the Nomadix ip address by chance?

Here is my thinking....

Your sending your traffic down the same pipe so you have 2 redirects going on. Be the packet for a properly designed webauth for a moment... You go to yahoo.com. The WLC sends this out to the DNS server, the DNS server responds with IP 99.99.99.99. The WLC then high jacks this and then give you the virtual address.

Well it would appear based on these few post when you go to yahoo.com it goes through the WLC and then Its going though the Nomadix and who knows what is coming back from the Nomadix as this point.

This is why i mentioned eariler if you keep it clean, two separate WLANs and dynamic interfaces there is no reason why it shouldnt work.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Dave Anthony David · ‎02-28-2012

Your gateway on the dynamic interface is pointing to what, the Nomadix ip address by chance?

It is pointing to an IP Address that belongs to the same subnet where wireless clients is. But NOT the Nomadix ip address.

Nomadix I believed don't have ip address related to Vlans.

Appreciate your replies, I let you know if we'll solve this soon. Thank you.

Justin Kurynny · ‎02-28-2012

Dave,

You will also need to consider that you are now presenting two SSIDs that go to the same place (the Internet):

SSID1 - Requires credentials

SSID2 - Requires no credentials, just that I click "accept"

If I'm a user, I'm not going to bother fussing around asking for credentials. I'm just going to go to SSID2 and click 'accept' and be done with it.

Unless you have some other compelling reason that a user should would want to use SSID1 (such as no traffic policing, no web filtering, etc.), then it's pointless to have two SSIDs with different security policies that go to the same place, all else being equal.

As an analogy, it would be like having a choice of two customs officers when you step off a plane: one that does long interviews, background checks and searches all your luggage, and another that just smiles and waves you through. Given a choice, which line would you get in?

Justin