Topology: Router (gateway) with two subinterfaces, 192.168.1.254 (main vlan) and 192.168.20.254 (guest vlan)
I've created a guest WLAN - 192.168.20.0, using web authentication. My wireless client sees the WLAN and obtains an address via DHCP successfully. Now what is supposed to happen is as soon as I launch a web browser and attempt to go to any URL, the web auth login page should appear, prompting a user for a login to access the network. This does NOT work unless I set the DHCP default gateway to be the interface of the WLAN on the WLC (192.168.1.245). If I set the DHCP default gateway to the actual gateway on my network (192.168.1.254 - sub int. on the router), I have to manually point my browser to the 126.96.36.199/login.html URL in order to authenticate.
Obviously I don't want guest users to have to manually point their browser to 188.8.131.52 in order to authenticate. The problem is that if I set the default gateway to my controller in order to get the automatic login, I am unable to reach my main network - 192.168.1.0. If I set the DHCP default gateway to the actual gateway, it works, however I have to manually point the browser to 184.108.40.206/login.html just to authenticate.
You shouldn't need to do any funny business - your description of what should happen is correct.
You need to make sure that DHCP is issuing a DNS address, and that the clients can contact the DNS server from an IP routing perspective - forget about WLAN authentication for now.
When your browser tries to hit www.google.com, it must first send a DNS request to resolve the URL. (The controller will allow this to happen.) Once the Guest knows the IP address of the server, it then sends an HTTP GET request. This request is hijacked by the WLC and redirected to your virtual interface.
Presuming DNS & DHCP are both working properly, there are a few things you can do:
Check DHCP is giving out IP addresses appropriate to the VLAN
Check VLAN is propagating properly throughout your network
Sniff client traffic to ensure requests are being sent / received
Also, if you're using proxies it can get a bit more complicated. If you have any more info, please post...
Thanks for your response. Indeed, actually getting internet access to work is not the problem:
WLC interface: 192.168.20.245
Router to Internet: 192.168.20.254
When my wireless clients obtain their IP addressing information via DHCP and the Router to the Internet (192.168.20.254) is assigned as the default gateway, I am able to get to the internet. However, it is my understanding that if I'm using web authentication, the WLC is supposed to intercept any HTTP request and first present the login screen before network access is allowed. So all I should have to do is just launch my browser and I am automatically redirected to the login page.
This does not happen in the above scenario. If 192.168.20.254 is assigned as the default gateway and I launch my browser, it goes nowhere. I must manually point it to 220.127.116.11/login.html to authenticate, and then I am able to access the network. I should not have to do this.
However, if DHCP assigns the WLC interface (192.168.20.245) as the clients' default gateway, and I launch my browser, I get the login screen right away and am able to authenticate and get network access. However, at this point, I can NOT get to the internet because the WLC is my default gateway. It does not forward anything.
Yeah, sounds like Web Auth is being dodgy. A few other points, then.
1. Are you using a recent version of code? The latest 18.104.22.168 code adds some changes to the Web Auth feature, so might be worth trying that?
2. Can you attach a show run from your WLC?
3. Are your clients configured with proxies(?) as I've had trouble with this in the past...
4. What browser are your clients using and how is it configured? Any settings in place that force browsers to reject redirected packets?
5. Can you please post a packet trace from a client as it associates and tries to access a web page. We need to know if the HTTP requests are hitting the controller, and if the controller is responding in the correct manner.
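The check the replies above are asking for, as an added example that is not code from anyone in this thread: the flow described is DNS resolution first, then an HTTP GET that the controller intercepts and redirects to its virtual interface. The script below sends a minimal GET (DNS is assumed to have already resolved, so the target host and port are passed in directly) and classifies the answer as a web-auth redirect, a plain pass-through, or no answer at all, which is the difference between "the controller intercepts HTTP" and "the request goes nowhere". The 302-with-Location behaviour, the login URL and the in-process stand-in for the controller are assumptions made so the example runs offline; substitute a real target to test a live client.

```python
"""Client-side check: is my HTTP GET intercepted and redirected to a
web-auth login page, or does it pass through / get dropped?
Added example; the redirect format and login URL are assumptions."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed login URL on the virtual interface; not taken from the thread.
ASSUMED_LOGIN_URL = "https://virtual-interface.example/login.html"


def http_get_status(host, port, request_host="www.google.com", path="/",
                    timeout=3.0):
    """Send one HTTP/1.0 GET and return (status_code, location_header).

    Returns ("no-answer", None) when the connection is refused, times out
    or is otherwise never answered, so a dropped request is distinguishable
    from an intercepted one."""
    req = (f"GET {path} HTTP/1.0\r\nHost: {request_host}\r\n"
           "User-Agent: webauth-check\r\nConnection: close\r\n\r\n").encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            # Read until the end of the response headers or until EOF.
            while b"\r\n\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:           # refused, unreachable, timeout
        return "no-answer", None
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed", None
    status = int(parts[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def classify(status, location):
    """Map a (status, location) pair onto what the client experienced."""
    if status == "no-answer":
        return "no-answer"
    if status in (301, 302, 303, 307) and location and "login" in location.lower():
        return "webauth-redirect"   # controller intercepted the GET
    if isinstance(status, int) and status < 400:
        return "passthrough"        # request reached the real site
    return "other"


def run_check(host, port):
    """Convenience wrapper: classification plus the redirect target, if any."""
    status, location = http_get_status(host, port)
    return classify(status, location), location


class _FakeWlcHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the controller's HTTP intercept: answers
    every GET with a 302 to the login page (assumed behaviour)."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", ASSUMED_LOGIN_URL)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_wlc():
    """Start the stand-in on a free loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeWlcHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_wlc()
    port = srv.server_address[1]
    print("against intercepting controller:", run_check("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
    print("against a closed port:", run_check("127.0.0.1", port))
```

Run it against the stand-in and you get `webauth-redirect` with the login URL; point `run_check` at a real web server's address on a live client instead and a `passthrough` result means the controller is not intercepting that client's HTTP at all, while `no-answer` means the packets are not getting anywhere, which is the routing question to settle before looking at web auth.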