Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Wirless Web redirection page

I have 2 SSID in my wireless network.

1 for the cooperate users and 1 for the guest.

The guest SSID is broadcast and when a user open an IE, they will get a screen for user name and password.

My cooperate users are using AD and integrated with ACS 4.1 Solution engine.

When the AD users get connected to the guest SSID and they provide the AD username and password they are also able to browse internet.

I need to block the AD user from using guest SSID and block the AD user authentication in the web page. please advice on this issue.


Re: Wirless Web redirection page

It would be helpful to know whether your APs are running IOS or LWAPP, and whether the splash screen is being served by a WLC or a third-party captive portal product.

New Member

Re: Wirless Web redirection page

Thank you for your reply, my mistake i didnt explain on the requested potions. Am using WiSM Blade, AP's are LWAPP AP's. Am just using the WLC splash screen. I just need to block the AD users from using the web access.


Re: Wirless Web redirection page

There's a guide here which relates to this feature:

I've implemented this on my current project, but run into a bit of a hitch: My guest users are correctly blocked from connecting to the internal SSID; however, my internal users are NOT being blocked from using the guest SSID. I suspect this may be because the guest SSID does not use 802.1X, and the guide seems to imply that 802.1X is a mandatory part of this config.

Under IOS, it was possible to set up Radius VSAs in ACS which would let you use Cisco AV-Pairs to limit the permissible SSIDs per group or user, as per this document:

However, the WLCs do not recognize AV-Pairs as far as I know.

I have a TAC case open on the issue currently; I'll post results when I have any.

Re: Wirless Web redirection page

This is a well known and documented bug that was allowed to stay in as a feature. To stop your internal people from connecting go to the WiSM gui to controller. Under the Web RADIUS Authentication select a method not currently configure on your RADIUS server. In most case MD5-CHAP is not installed on a RADIUS. This will cause the client to fail. The process is for authentication flows like this. First attempt to resolve username and password is against internal database on controller and the second attempt is against the RADIUS configured on the management interface.

Hope this helps.

New Member

Re: Wirless Web redirection page

hi gamccall,

really appreciate the information you have posted, i will check on the information after read your link. please update me once you have close the TAC case. at least i will have a clear picture on this issue.

CreatePlease to create content