Community Member

Web-auth on two SSIDs with AD

Hi All, Is there any possiblity two configure web-auth for Two SSIDs. one SSID which is for guest will use WLC local database for authenticating over web-auth. While other ssid for corporate users will use web-auth but web-auth will be integrated to AD to provide authentication for corporate users over web-auth.

Means there will be two ssid with web-auth. but for one ssid web-auth will use AD as backend- database for other ssid Web-auth will used loca wlc database.

Please let me know if it possible or no?


Re: Web-auth on two SSIDs with AD

I can't answer your question directly, but was wondering why you need to (or want to) use web auth for your corporate users?

For your corporate users, have you considered using PEAP with WPA2/AES (or WPA/TKIP) on your wireless clients and authenticate the users against AD using Cisco ACS or Windows IAS? Since you already have AD servers, you already have licenses to run IAS without paying additional fees. If your AD controllers are decent (not super-beefy, but decent), they should work just fine for IAS.

Community Member

Re: Web-auth on two SSIDs with AD

thanks for your reply. Its customer requirement. customer does not have ACS & they dont want to run IAS.

So no option to do this. other manual configu the dont want like wep, WPA-PSK


Re: Web-auth on two SSIDs with AD

Sorry to hear that, but they really really really need to use something like WPA2/PSK with the web auth. If they just use web auth, all wireless traffic will be unencrypted and easily captured over the air with simple tools.

Re: Web-auth on two SSIDs with AD

I think I can answer your other question, now.

You will want to define a "global" web auth setting that will be used for the Guest network (go to Security -> Web Auth -> Web Login Page.

For the private network, you will override the global web auth setting with a local setting (WLAN -> choose your SSID -> Go to Layer 3 tab, Enable "Web Policy", Select "Authentication", Check the "Enable" box for Over-ride global config and set your web auth type of "External (redirect)".

You will likely have a lot of fun writing the code that runs on the external web server. I can't help you with that one. You might want to search the Cisco docs for a custom re-direct web auth guide.

You could also easily do the reverse: define a custom re-direct at the global level and over-ridge the global setting with a web auth for the guest network.