Cisco Support Community
New Member

Webauth DHCP exclusion in WLC 5.0

Does anyone know what the "Config Guest-lan Webauth exclude" command does in 5.0 controller code? It doesn't seem to be documented anywhere.

6 REPLIES
New Member

Re: Webauth DHCP exclusion in WLC 5.0

I don't get your question; please clarify.

If you are asking how to configure WebAuth from the controller, it's very easy. You can also use the internal DHCP from the controller.

Thanks

New Member

Re: Webauth DHCP exclusion in WLC 5.0

No, I'm asking about the CLI command in a 4402 WLC running 5.148 code. The command is "Config Guest-lan Webauth-exclude". Why don't you type it in and see what you get?

New Member

Re: Webauth DHCP exclusion in WLC 5.0

I want to know too.

My guess would be that if this is enabled then successive web-auth failures will lead to blocking of DHCP requests from that client's MAC address. But there aren't any parameters like how long the exclusion is applied for. Maybe it ties into the normal client exclusion policies and uses the SSID's exclusion timeout parameter.

It would be nice if Cisco could comment. I'm going to turn it on and see what it breaks...

Re: Webauth DHCP exclusion in WLC 5.0 (Accepted Solution)

Allows you to turn off the webauth policy exclusion.

config wlan webauth-exclude disable

By default (somewhere around 4.0.179), a web-auth protected SSID will de-associate an unauthenticated client every 5 minutes to reclaim connections and resources. If you are implementing a pre-auth ACL to allow user access to, say, your external web server or DMZ without auth, then they will lose their connection every 5 minutes and re-associate again after 60 seconds. If you want them to stay connected to the resources specified in the pre-auth ACL, but then be prompted to auth when accessing the Internet, then use this command. Keep in mind if you are broadcasting, then your guest wireless may begin to fill up with idle connections.

New Member

Re: Webauth DHCP exclusion in WLC 5.0

Thanks for that info. May I humbly ask if you got that from a Cisco doc or is it just from real-world observation?

Your explanation makes sense, but are you sure it's related to this command? Looking at the command description "webauth dhcp-server exclusion" and the ACL hits I have on my pre-auth ACL, it looks like the command basically enables/disables bypass for DHCP, i.e. if you have a pre-auth ACL then you don't need dhcp-client or dhcp-server permit rules if you have webauth-exclude enabled.

Any idea what the default state of this feature is, since it's not present in the GUI and the setting doesn't show up when you do a "show wlan"?

Re: Webauth DHCP exclusion in WLC 5.0

I had opened a TAC case because my unauthenticated clients in the guest WLAN, using my pre-auth ACL were dropping every 5 minutes. The information pretty much came verbatim from Cisco TAC. They suggested using the hidden command as a workaround to my issue, only a 5.x thing.
