Has anyone deployed guest access with proxy servers? I am looking to have a guest SSID cross proxy servers so cannot deploy proxy settings with group policy and need it to be automatic.
I have seen PAC, WPAD, DNS and DHCP may provide a solution but have not tested as yet. Any sugestions.
Unless they have added a new feature on the 5.2 code, WebbAuth will not work. I have tried this in the past and what is required is that the client have proxy disabled on their browser and then after a successfull webauth login, he or she enables proxy to be able to browse. This is due to how webauth works and verifies the users homepage or url he or she is trying to get. Here is a link that might help:
Whats new in 5.2 code? we are stuck in our wireless guest configuration via proxy. did anyboyd found any workaround on this issue?
So I guess you have your proxy's manually configured and are not using WCCP?
With WCCP, you wouldn't need your clients manually configured with a proxy server. You could have the client web-auth to the WLC as expected, but then when they try to reach the internet, the WCCP policy takes into effect and requires the proxy authentication...
Just a theory, and I'm not sure what all proxy devices support WCCP (we use Blue Coat), but I'm pretty sure this "could" work...
Just a quick run-down on WCCP:
Configure WCCP on your link to the internet from the router and all HTTP traffic will automatically go to the proxy device you have configured for WCCP. So when a client opens the Internet, and attempts to access a page, the request is automatically hi-jacked by the Proxy server without any client side configuration.
You can use WebAuth with a proxy, but you will need to:
1) Exclude the virtual address from the proxy
2) Configure the WLC to listen on the correct port (i.e. 8080 if you are using this). config network web-auth-port 8080
If using WPAD, you will need a pre-authentication ACL to allow the client to download the PAC file before passing web authentication. The PAC file should look similar to this:
function FindProxyForURL(url, host)
// variable strings to return
var proxy_yes = "PROXY
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://
if (shExpMatch(url, "https://
// Proxy anything else
Hope this helps.
Thank wesleyterry for the comments but unfortunatly we are having MS ISA proxy which is not supported by WCCP
hello matt i will test your solution and let you know the feedback. by the way, wht exactly i have allow in pre auth ACl? my proxy port (8080) or all http traffic?
It worked, after applying the bidirectional ACLs in the contoller.
Apart from this, is there anyway to have AD or ACS created Lobby Admins?
Thanks for your effors
Hi, Could you please let me know what you have allowed in Pre Authentication ACL. what is WPAD ? I am trying to deploy same thing on a customer place...any kind of help will be appreciated..
I'm having the same issue and I have seen this solution posted in quite a few places but being pretty new to this I still find it confusing.
I don't understand what it means to "exclude the virtual address from the proxy."
Can someone tell me in a bit more detail please how I might do this? The virtual address being used is the default 188.8.131.52
Edit: nevermind, I got this now.