4402 Web Auth, Routing

jblalock1337
Level 1

WLC 4402 w/ 4.0 code

Topology: Router (gateway) with two subinterfaces, 192.168.1.254 (main vlan) and 192.168.20.254 (guest vlan)

I've created a guest WLAN - 192.168.20.0, using web authentication. My wireless client sees the WLAN and obtains an address via DHCP successfully. Now what is supposed to happen is as soon as I launch a web browser and attempt to go to any URL, the web auth login page should appear, prompting a user for a login to access the network. This does NOT work unless I set the DHCP default gateway to be the interface of the WLAN on the WLC (192.168.1.245). If I set the DHCP default gateway to the actual gateway on my network (192.168.1.254 - sub int. on the router), I have to manually point my browser to the 1.1.1.1/login.html URL in order to authenticate.

Obviously I don't want guest users to have to manually point their browser to 1.1.1.1 in order to authenticate. The problem is that if I set the default gateway to my controller in order to get the automatic login, I am unable to reach my main network - 192.168.1.0. If I set the DHCP default gateway to the actual gateway, it works, however I have to manually point the browser to 1.1.1.1/login.html just to authenticate.

Any way around this?

3 Replies

Richard Atkin
Level 4

You shouldn't need to do any funny business - your description of what should happen is correct.

You need to make sure that DHCP is issuing a DNS address, and that the clients can contact the DNS server from an IP routing perspective - forget about WLAN authentication for now.

When your browser tries to hit www.google.com, it must first send a DNS request to resolve the URL. (The controller will allow this to happen) Once the Guest knows the IP address of the server, it then sends an HTTP_GET request. This request is hi-jacked by the WLC and re-directed to your virtual interface.

Presuming DNS & DHCP are both working properly, there are a few things you can do:

Check DHCP is giving out IP addresses appropriate to the VLAN

Check VLAN is propagating properly throughout your network

Sniff client traffic to ensure requests are being sent / received

Also, if you're using proxies it can get a bit more complicated. If you have any more info, please post...

HTH,

Rich
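
The checks in the reply above can be run against what a guest client actually received and observed. This is an added example, not part of the thread or any Cisco tooling; the client address, the /24 mask, the resolved address 203.0.113.10 and the function names are assumptions, and the result of each browser attempt is supplied by hand from a sniffer trace.

```python
import ipaddress
from urllib.parse import urlsplit

VIRTUAL_IP = "1.1.1.1"  # WLC virtual interface address quoted in the thread

def check_lease(client_ip, prefix_len, gateway, dns):
    """Findings about the DHCP lease a guest client received."""
    net = ipaddress.ip_interface(f"{client_ip}/{prefix_len}").network
    findings = []
    if ipaddress.ip_address(gateway) not in net:
        findings.append(f"gateway {gateway} is not on-link in {net}")
    if ipaddress.ip_address(dns) not in net:
        findings.append(f"DNS {dns} is off-subnet, so it must be routable via {gateway}")
    return findings

def classify_probe(dns_answer, got_reply, redirect_target):
    """Place one browser attempt in the web-auth flow described above.
    dns_answer: resolved IP or None; got_reply: did the HTTP GET get any answer;
    redirect_target: URL the reply sent the browser to, or None."""
    if dns_answer is None:
        return "dns-failed"          # the HTTP GET is never sent
    if not got_reply:
        return "http-no-reply"       # GET sent, nothing answered or intercepted it
    if redirect_target is None:
        return "not-intercepted"     # page served with no login redirect
    url = redirect_target if "//" in redirect_target else "http://" + redirect_target
    if urlsplit(url).hostname == VIRTUAL_IP:
        return "redirected-to-login"
    return "redirected-elsewhere"

if __name__ == "__main__":
    # Constructed samples: client address and /24 mask are assumptions.
    for gw in ("192.168.20.254", "192.168.1.254"):
        print(gw, check_lease("192.168.20.50", 24, gw, "192.168.1.17"))
    print(classify_probe("203.0.113.10", False, None))
    print(classify_probe("203.0.113.10", True, "1.1.1.1/login.html"))
```
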

Thanks for your response. Indeed, actually getting internet access to work is not the problem:

WLC interface: 192.168.20.245

Router to Internet: 192.168.20.254

DNS: 192.168.1.17

When my wireless clients obtain their IP addressing information via DHCP and the Router to the Internet (192.168.20.254) is assigned as the default gateway, I am able to get to the internet. However, it is my understanding that if I'm using web authentication, the WLC is supposed to intercept any http request and first present the login screen before network access is allowed. So all I should have to do is just launch my browser and I am automatically redirected to the login page.

This does not happen in the above scenario. If 192.168.20.254 is assigned as the default gateway and I launch my browser, it goes nowhere. I must manually point it to 1.1.1.1/login.html to authenticate, and then I am able to access the network. I should not have to do this.

However, if DHCP assigns the WLC interface (192.168.20.245) as the client's default gateway, and I launch my browser, I get the login screen right away and am able to authenticate and get network access. However, at this point, I can NOT get to the internet because the WLC is my default gateway. It does not forward anything.

So web auth is what is broken I think?

Yeah, sounds like Web Auth is being dodgy.. Few other points then.

1. Are you using a recent version of code? The latest 4.0.206.0 code adds some changes to the Web Auth feature, so might be worth trying that?

2. Can you attach a show run from your WLC?

3. Are your clients configured with proxies(?) as I've had trouble with this in the past...

4. What browser are your clients using and how is it configured? Any settings in place that force browsers to reject redirected packets?

5. Can you please post a packet trace from a client as it associates and tries to access a web page. We need to know if the HTTP requests are hitting the controller, and if the controller is responding in the correct manner.

Rich
