Cisco Support Community
New Member

Bypass guest webauth for Blackberry Service

Hi Folks, Our wireless deployment has two wireless networks - one with 802.1x auth for corporate machines and the other is an open one with internet access for guests (but with a web auth page).

What I'd like to do is allow staff to connect their Blackberry handsets to the guest (open) wireless network to collect email from the Blackberry Enterprise Server (it's a lot easier than configuring 802.1x and getting users to roll their passwords each time). I think I can work around this with a pre-authentication ACL to bypass the webauth page for access to the Blackberry Enterprise Server, but I'm a bit confused over the direction of the access list entries. If I added an access list to the WLC which looks like the below - would that work or is the directionality wrong?

The example for the external webauth server I saw had the directionality the other way around.

| Action | Source IP/Mask | Destination IP/Mask | Protocol | Source Port | Dest Port | DSCP | Direction |
|---|---|---|---|---|---|---|---|
| Permit | 0.0.0.0 / 0.0.0.0 | [the ip of my BES] / 255.255.255.255 | IP | Any | Any | Any | Outbound |
| Permit | [the ip of my BES] / 255.255.255.255 | 0.0.0.0 / 0.0.0.0 | IP | Any | Any | Any | Inbound |

Any advice that you can provide would be great.

Thanks in advance

Kev


Accepted Solutions
Cisco Employee

Re: Bypass guest webauth for Blackberry Service

Never underestimate the help menu ;-)

Direction

Any, Inbound (from client), or Outbound (to client).

I think that this description is straightforward.

But you will probably notice that your blackberries are disconnected every 3 minutes from your SSID. I don't know if this is something they can tolerate.

Pre-auth ACL is made to give access to some resources needed to authenticate on the web login page. Not to bypass it completely. So the WLC is kicking out clients that have been connected for 3 minutes on the Webauth SSID but have not authenticated on the web page ...

Nicolas

===

don't forget to rate answers that you find useful
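The direction rule quoted in the answer above can be checked with a small model. This is an added example, not part of either post and not WLC code: it evaluates the ACL exactly as posted in the question and then with the two directions swapped. Assumptions: both addresses are constructed placeholders, rules are matched first-hit with an implicit deny at the end, and the 3-minute disconnect of unauthenticated clients mentioned in the answer is not modelled.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "0.0.0.0")            # matches every address
BES = ("192.0.2.10", "255.255.255.255")  # constructed placeholder for the BES host
CLIENT = "198.51.100.25"                 # constructed guest-WLAN client address

@dataclass(frozen=True)
class Rule:
    action: str
    src: tuple       # (ip, mask), netmask style as in the posted table
    dst: tuple
    direction: str   # "Inbound" (from client), "Outbound" (to client) or "Any"

def _match(addr, net):
    ip, mask = (int(ipaddress.IPv4Address(x)) for x in net)
    return int(ipaddress.IPv4Address(addr)) & mask == ip & mask

def evaluate(rules, src, dst, client_ip):
    # Direction is relative to the wireless client, per the help text quoted above.
    direction = "Inbound" if src == client_ip else "Outbound"
    for r in rules:
        if (r.direction in ("Any", direction)
                and _match(src, r.src) and _match(dst, r.dst)):
            return r.action
    return "Deny"  # assumption: nothing matched, so the packet is dropped

def session_allowed(rules, client_ip, server_ip):
    # A usable session needs both the request and the reply to be permitted.
    return (evaluate(rules, client_ip, server_ip, client_ip) == "Permit"
            and evaluate(rules, server_ip, client_ip, client_ip) == "Permit")

# The ACL as posted in the question: client-to-BES traffic marked Outbound.
AS_POSTED = [
    Rule("Permit", ANY, BES, "Outbound"),
    Rule("Permit", BES, ANY, "Inbound"),
]
# Same entries with the directions swapped to follow the help text.
SWAPPED = [
    Rule("Permit", ANY, BES, "Inbound"),
    Rule("Permit", BES, ANY, "Outbound"),
]

if __name__ == "__main__":
    print("as posted:", session_allowed(AS_POSTED, CLIENT, BES[0]))
    print("swapped:  ", session_allowed(SWAPPED, CLIENT, BES[0]))
    print("other host:", evaluate(SWAPPED, CLIENT, "203.0.113.5", CLIENT))
```

With the swapped directions only traffic to and from the BES address is permitted before web authentication; every other destination still falls through to the deny.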

2 REPLIES
New Member

Re: Bypass guest webauth for Blackberry Service

Thanks Nicolas,

My help file doesn't show this information as far as I can see, but thank you for posting this as it's most useful - it seems to work the opposite way around from what I expected...

I think we'll have to see how it goes for the bypass, as really it's just to pull email - no other functionality is required at this time. If we find that it's a problem, then we'll need to look at putting them onto the corporate one.

Kev
