Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

4402 Web Auth, Routing

WLC 4402 w/ 4.0 code

Topology: Router (gateway) with two subinterfaces, 192.168.1.254 (main vlan) and 192.168.20.254 (guest vlan)

I've created a guest WLAN - 192.168.20.0, using web authentication. My wireless client sees the WLAN and obtains an address via DHCP succesfully. Now what is supposed to happen is as soon as I launch a web browser and attempt to go to any URL, the web auth login page should appear, prompting a user for alogin to access the network. This does NOT work unless I set the DHCP default gateway to be the interface of the WLAN on the WLC (192.168.1.245). If I set the DHCP default gateway to the actual gateway on my network (192.168.1.254 - sub int. on the router), I have to manually point my browser to the 1.1.1.1/login.html URL in order to authenticate.

Obviously I don't want guest users to have to manually point their browser to 1.1.1.1 in order to authenticate. The problem is that if I set the default gateway to my controller in order to get the automatic login, I am unable to reach my main network - 192.168.1.0. If I set the DHCP default gateway to the actual gateway, it works, however I have to manually point the browser to 1.1.1.1/login.html just to authenticate.

Any way around this?

3 REPLIES

Re: 4402 Web Auth, Routing

You shouldn't need to do any funny business - your description of what should happen is correct.

You need to make sure that DHCP is issuing a DNS address, and that the clients can contact the DNS server from an IP routing perspective - forget about WLAN authentication for now.

When your browser tries to hit www.google.com, it must first send a DNS request to resolve the URL. (The controller will allow this to happen) Once the Guest knows the IP address of the server, it then sends an HTTP_GET request. This request is hi-jacked by the WLC and re-directed to your virtual interface.

Presuming DNS & DHCP are both working properly, there's a few things you can do;

Check DHCP is giving out IP addresses appropriate to the VLAN

Check VLAN is propogating properly throughout your network

Sniff client traffic to ensure requests are being sent / received

Also, if you're using proxies it can get a bit more complicated. If you have any more info, please post...

HTH,

Rich

New Member

Re: 4402 Web Auth, Routing

Thanks for your response. Indeed, actually getting internet access to work is not the problem:

WLC interface: 192.168.20.245

Router to Internet: 192.168.20.254

DNS: 192.168.1.17

WHen my wireless clients obtain their IP addressing information via DHCP and the Router to the Internet (192.168.20.254) is assigned as the default gateway, I am able to get to the internet. However, it is my understanding that if i'm using web authentication, the WLC is supposed to intercept any http request and first present the login screen before network access is allowed. So all I should have to do is just launch my browser and I am automatically redirected to the login page.

This does not happen in the above scenario. If 192.168.20.254 is assigned as the default gateway and I launch my browser, it goes nowhere. I must manually point it to 1.1.1.1/login.html to authenticate, and then I am able to access the network. I should not have to do this.

However, if DHCP assigns the WLC interface (192.168.20.245) as the clients default gateway, and I launch my browser, i get the login screen right away and am able to authenticate and get network access. However, at this point, I can NOT get to the internet because the WLC is my default gateway. It does not forward anything.

So web auth is what is broken i think?

Re: 4402 Web Auth, Routing

Yeah, sounds like Web Auth is being dodgy.. Few other points then.

1. Are you using a recent version of code? The latest 4.0.206.0 code adds some changes to the Web Auth feature, so might be worth trying that?

2. Can you attach a show run from your WLC?

3. Are your clients configured with proxies(?) as I've had trouble with this in the past...

4. What browser are your clients using and how is it configured? Any settings in place that force browsers to reject redirected packets?

5. Can you please post a packet trace from a client as it associates and tries to access a web page. We need to know if the HTTP requests are hitting the controller, and if the controller is responding in the correct manner.

Rich

168
Views
0
Helpful
3
Replies
CreatePlease to create content