2504 Controller Layer 3 security downloaded web authentication

tonypearce1
Level 3

Hello all,

I have a 2504 and a few APs. My goal is to allow users to connect, redirect their web pages to a web page where they can read a disclaimer and agree before gaining access to the internet. I would also like this to be available over HTTP so the end users do not receive a certificate warning.

I have completed the following:

1. Created a custom web-page which the end users will initially see

2. Uploaded this to the controller and set the WLAN to use this "downloaded" customisation

3. Tested successfully however:

When I access the wireless, the controller forwards me to the page I created which is as expected. However the controller redirects to HTTPS rather than HTTP. Also, the URL is the virtual IP of which I have used 1.1.1.1. So the URL is https://1.1.1.1/fs/customisation.....

I read on the support forums that there is not an actual option to disable HTTPS for the web authentication, but you can do so by disabling HTTPS in the management capabilities, leaving only HTTP. I did this, however the controller still forwards the user to HTTPS://. Not only that, but with this setup, the end user receives Error 404 or similar regarding not finding the web page. The certificate warning is still displayed, and no amount of controller reboots resolves the issue.

I don't mind if we have to purchase a cert from an authority, however would this even work since the controller is forwarding to the IP address of 1.1.1.1?

Accepted Solutions

Saravanan Lakshmanan
Cisco Employee

For internal webauth - HTTP & HTTPS redirection is possible on 7.0 & 7.2 code on 2504. See the difference below.

On 7.0 code, both webauth redirection & WLC management were global. Disabling HTTP management disables HTTP webauth redirection; the same goes for HTTPS. This behavior is changed in 7.2.

On 7.2 code, you can have both HTTP & HTTPS management enabled and configure either HTTP or HTTPS redirection. Use the command below to control HTTP or HTTPS redirection.

(Cisco Controller) >config network web-auth secureweb enable/disable

Enable   -     Enables https for web-auth redirection.

Disable  -     Enables http for web-auth redirection.


Amjad Abdullah
VIP Alumni

Hello,

You cannot use HTTP for webauth. It will only use HTTPS. If you disable HTTPS for management, that does not affect HTTPS for webauth. Management and webauth redirection are two independent features. HTTPS for management can be enabled/disabled. Webauth HTTPS redirection cannot be changed, however.

You need to use a certificate from a trusted authority in order to make your warning go away.

Those links will be very useful to you:

How Make the Web Auth Certificate Warning Go Away document:

https://supportforums.cisco.com/docs/DOC-11765

Web Authentication on WLC (wireless and wired) : complete guide

https://supportforums.cisco.com/docs/DOC-13954#Putting_a_certificate_for_the_controller_webauth

For the IP 1.1.1.1 concerns, you can simply replace the IP address with a URL (under WLC GUI -> Controller -> Interfaces -> Virtual there is an entry "DNS Host Name"). Type the URL to redirect to. Make sure that your DNS is configured to resolve the URL to your virtual interface IP address (1.1.1.1 in your case).

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Amjad Abdullah
VIP Alumni

Ah, about your 404 error, make sure that you have the correct names of pages in your bundle.

From WLAN go to L3 security config and check the "Over-ride Global Config" checkbox.

In "Web Auth type" choose: Customized(Downloaded).

From the list of pages (login page, login failure page and logout page) choose the correct pages that should appear to the user when s/he logs in, logs out or fails to log in.

This is just to test that you have the pages uploaded with correct names in the bundle.

Regards,

Amjad


Thanks Amjad I'll look into that.

Strange though, because in the link you posted it does tell me in option number 2 to disable HTTPS but you say this is wrong? :

The reason you get the certificate security warning is b/c the WLCs have a self signed certificate that a client's browser will not know about. To deal with that warning, you have a few options:

1. Leave it as is and let the users know that seeing that is OK

2. Disable HTTPs on the controller - almost no one picks this b/c it is a global change so even admin logins will be unencrypted.

3. Install a valid root or chained certificate on the controller from an Internet CA:

I would like to do option number 2, however when I do this, I am still presented with the certificate warning AND the customisation page no longer shows up. So, with HTTPS disabled I actually lose all functionality.

Do you know if this is as expected? I'm running version 7.2 I believe.

Thanks again

Thanks for your reply. I actually did not notice that Nicolas (the document creator) has mentioned in the document to disable HTTPS on the WLC!
Although Nicolas is a Cisco TAC employee, it seems he either missed this point or he was talking about older versions in which disabling HTTPS for management disables it for web-auth as well (but I doubt that this is true).
In practice, disabling HTTPS on a WLC is only for management. It is not for web-auth. You have noticed this when you tried, and this should be the correct behavior.


I may try to contact Nicolas about this point to clarify further.

Regards,

Amjad


Thanks Saravanan! This has seemed to do the trick!

Although web redirect is no longer working, I think this is another issue. Do you know how long the URL limit is for redirection? Ours is something like 50 characters. Wondering if this is the problem?

Tony:
The maximum number of characters is for the filename in the webauth bundle.
The maximum length of the file name must be 30 characters. If you have files in the bundle with filenames of more than 30 characters, it is not going to work.

Note:

The customized web auth bundle has a limit of up to 30 characters for filenames. Ensure that no filenames within the bundle are greater than 30 characters.

Reference: http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080a38c11.shtml

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
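
Added example, not part of any post in this thread: a pre-upload check for a customized webauth bundle, covering the two causes raised above (filenames over the 30-character limit, and pages selected on the WLAN that are not in the bundle). The page names and the sample tar contents are constructed for illustration.

```python
import io
import posixpath
import tarfile

MAX_NAME_LEN = 30  # filename limit quoted in the thread


def make_sample_bundle(names):
    """Build a constructed in-memory tar so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"<html>constructed sample</html>"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def check_bundle(fileobj, selected_pages):
    """Return (too_long, missing) for a webauth bundle tar.

    too_long: member filenames longer than MAX_NAME_LEN characters.
    missing:  pages selected on the WLAN that are not in the bundle.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        files = [posixpath.basename(m.name) for m in tar.getmembers() if m.isfile()]
    too_long = sorted(n for n in files if len(n) > MAX_NAME_LEN)
    missing = sorted(p for p in selected_pages if p not in files)
    return too_long, missing


if __name__ == "__main__":
    # Constructed bundle: one over-long filename, no logout page.
    sample = make_sample_bundle([
        "login.html",
        "failed.html",
        "company_disclaimer_background_image_v2.png",
    ])
    long_names, absent = check_bundle(
        sample, ["login.html", "failed.html", "logout.html"])
    for n in long_names:
        print(f"too long ({len(n)} > {MAX_NAME_LEN}): {n}")
    for p in absent:
        print(f"selected on WLAN but not in bundle: {p}")
```
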

Thanks Amjad

- I meant the URL length limit. The webauth filenames are their default - simple setup.

Saravanan:
Really valuable information. +5.


Saravanan,

Is there a special trick to get webauth working with http?  I issued the config network web-auth secureweb disable command and rebooted the 7.2.110 controller.  When it comes back up, webauth redirect does not work to the http://1.1.1.1/ page.  When I change it back to secureweb enable, it works via HTTPS.  Tried this several times and tried several devices. 

Has anyone else had any luck getting this feature to work?

-Brian

Are you using a custom webauth bundle or ext webauth? If so, enable HTTP management access to the WLC along with disabling HTTPS redirection. If you hit this condition then you could be running into a bug. If a custom webauth bundle is not used then it should work without an issue with the current config.

Yes, I am using custom webauth bundle.  Do you have the bug id?  Is the workaround to disable https management access?

Workaround is to enable HTTP management.
