Cisco Support Community
New Member

Proxy Config

Has anyone deployed guest access with proxy servers? I am looking to have a guest SSID cross proxy servers so cannot deploy proxy settings with group policy and need it to be automatic.

I have seen that PAC, WPAD, DNS and DHCP may provide a solution but have not tested them yet. Any suggestions?

Hall of Fame Super Silver

Re: Proxy Config

Unless they have added a new feature in the 5.2 code, WebAuth will not work. I have tried this in the past, and what is required is that the client has proxy disabled in their browser; then, after a successful webauth login, he or she enables proxy to be able to browse. This is due to how webauth works and verifies the user's homepage or the URL he or she is trying to get. Here is a link that might help:

*** Please rate helpful posts ***
New Member

Re: Proxy Config

Hi Fella,

What's new in the 5.2 code? We are stuck in our wireless guest configuration via proxy. Did anybody find any workaround for this issue?




Re: Proxy Config

So I guess you have your proxies manually configured and are not using WCCP?

With WCCP, you wouldn't need your clients manually configured with a proxy server. You could have the client web-auth to the WLC as expected, but then when they try to reach the internet, the WCCP policy takes effect and requires the proxy authentication...

Just a theory, and I'm not sure what all proxy devices support WCCP (we use Blue Coat), but I'm pretty sure this "could" work...

Just a quick run-down on WCCP:

Configure WCCP on your link to the internet from the router and all HTTP traffic will automatically go to the proxy device you have configured for WCCP. So when a client opens the Internet and attempts to access a page, the request is automatically hijacked by the proxy server without any client-side configuration.

Cisco Employee

Re: Proxy Config

You can use WebAuth with a proxy, but you will need to:

1) Exclude the virtual address from the proxy

2) Configure the WLC to listen on the correct port (i.e. 8080 if you are using this):

    config network web-auth-port 8080

If using WPAD, you will need a pre-authentication ACL to allow the client to download the PAC file before passing web authentication. The PAC file should look similar to this:

function FindProxyForURL(url, host)
{
    // variable strings to return
    var proxy_yes = "PROXY :";
    var proxy_no = "DIRECT";

    if (shExpMatch(url, "http://*")) { return proxy_no; }
    if (shExpMatch(url, "https://*")) { return proxy_no; }

    // Proxy anything else
    return proxy_yes;
}

Hope this helps.
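An added example, not part of the original post or of Cisco's documentation: a PAC file that keeps the WebAuth virtual address out of the proxy, run under Node against constructed requests. The address 192.0.2.1 and the host proxy.example.net are placeholders, and the shExpMatch shim stands in for the browser built-in.

```javascript
// Constructed values for illustration; none come from the thread.
const VIRTUAL_IP = "192.0.2.1";               // placeholder WLC virtual interface address
const PROXY = "PROXY proxy.example.net:8080"; // placeholder proxy host; port 8080 as in the post

// Stand-in for the browser built-in shExpMatch (shell-style * and ? globs),
// so the PAC logic can be exercised under Node.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + source + "$").test(str);
}

// PAC entry point. The WebAuth login page is served from the virtual
// address, so the browser must fetch it DIRECT; everything else is proxied.
function FindProxyForURL(url, host) {
  // Exact host comparison: a URL glob such as "http://192.0.2.1*" would also
  // send 192.0.2.10 or 192.0.2.1.example.org around the proxy.
  if (host === VIRTUAL_IP) { return "DIRECT"; }
  return PROXY;
}

// The looser URL-glob form, kept only to show what it over-matches and misses.
function globBypass(url) {
  return shExpMatch(url, "http://" + VIRTUAL_IP + "*") ? "DIRECT" : PROXY;
}

// Constructed sample requests: [url, host].
const samples = [
  ["https://192.0.2.1/login.html", "192.0.2.1"],
  ["http://www.example.com/", "www.example.com"],
  ["http://192.0.2.10/", "192.0.2.10"],
  ["http://192.0.2.1.example.org/", "192.0.2.1.example.org"],
];

// Evaluate both rule styles for every sample request.
function evaluate() {
  return samples.map(([url, host]) => ({
    url, exact: FindProxyForURL(url, host), glob: globBypass(url),
  }));
}

console.table(evaluate());
```

The table shows that the exact host rule bypasses the proxy only for the virtual address, while the URL glob both misses the HTTPS login page and lets look-alike hosts skip the proxy.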


New Member

Re: Proxy Config

Thanks wesleyterry for the comments, but unfortunately we have an MS ISA proxy, which is not supported by WCCP.

Hello Matt, I will test your solution and let you know the feedback. By the way, what exactly do I have to allow in the pre-auth ACL? My proxy port (8080) or all HTTP traffic?

Cisco Employee

Re: Proxy Config

The port that WPAD uses...80 I think?

New Member

Re: Proxy Config

Thanks Matt

It worked after applying the bidirectional ACLs in the controller.

By the way, the redirection is not working properly, suppose if typed after authentication it redirects to do you have any clue on this?

Apart from this, is there any way to have AD or ACS created Lobby Admins?

Thanks for your efforts

New Member

Re: Proxy Config

Hi, could you please let me know what you have allowed in the Pre-Authentication ACL? What is WPAD? I am trying to deploy the same thing at a customer's place... any kind of help will be appreciated.

New Member

Re: Proxy Config

Hello there

I'm having the same issue and I have seen this solution posted in quite a few places but being pretty new to this I still find it confusing.

I don't understand what it means to "exclude the virtual address from the proxy."

Can someone tell me in a bit more detail please how I might do this? The virtual address being used is the default


Edit: never mind, I got this now.