Got my very first WAP561 Access Point, trying to get Capitve Portal to work and the local authentication page never comes up for my guest login, have followed the help steps, created instance, web locate, group and user, tied them all together but nothing
Any ideas? anyone used the inhouse local database and authentication page to do this yet?
Please contact the Small Business Support Center and speak with an engineer. The contact information is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Cisco Small Business Community Manager
for Cisco Small Business Products
These are just some general troubleshooting tips but you may want to reset the device, just make sure to save the configuration as to not lose your current configuration because a reset will set the device to factory default settings. Another tip would be to download the latest firmware if you are not on the most current version. Also, I know you said you followed all of the configuration steps for Captive Portal but here is another resource you may want to take a look at in order to confirm you either did set it up correctly or if there's something you need to modify.
Hope this helps,
Sorry have been away
Ok, have reset the device to factory default, the AP was already running latest firmware.
I found your link to be very helpful, but going from that link, I still believe I have the correct config and sadly still doesn't work.
I have a TAC open and we still haven't sorted it!
I have opened up another AP from the same order and left old firmware on, but again no in-house authenicatetion page coming up for guest users to login in too.
I do have another issue that I will post now.
any more ideals very welcome, pity you cant ssh and copy the config.
Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.
I have reviewed your case and I am working with your current Engineer to help resolve this for you.
Eric Moyers .:|:.:|:.
Cisco Small Business US STAC Advanced Support Engineer
Mon - Fri 09:00 - 18:00 (UTC - 05:00)
*Please rate the Post so other will know when an answer has been found.
I am looking to get this escalated if possible, i really need to have this working or find another product that does work!
Hello Sir, Sorry I have been out of touch for a little bit. Was out of work for a couple of days and just getting back and getting caught up..
Please loof at this document and see if following it might help any.When doing Captive Portal on the WAP 100, 300 and 500 series Access Points there are a couple of little gotcha's. I believe I have them fully noted in this.
Not knowing where you have left off. I would delete everything up to this point and begin fresh. If you still have issues, I will be glad to set up a time to work with you directly by doing a WebEx so I can see your AP directly.
We all need to have time off mate, re-charge the batteries
The document is what both I and some of your fellow colleagues have set the AP up as, though the redirect says its for when a successful login has happened, and else where I read its for sending to a login page of own our (which we dont have)
Currently Borislav is looking at this, I would like your view on how the untagged & management vlan should be setup in a guest access solution.
I'm having the same problem. Followed the instructions from Cisco exactly and it's not even working at all. I simply want to have a guest access SSID that is on a separate network that can only go to the internet and NOT be able to access our main network. Cisco claims this can easily be done with the Captive Portal. I have 3 of these WAP561's and they are useless to me if I can't get this done.
I will probably open a TAC case as well. I've wasted enough time trying to figure this out on my own.
that bit will work, but only without enabling the captive portal and having the correct topologly in place. Cisco are saying the portal only works on the management vlan, but I dont see the sense in that at all, it seem draft!!
I am trying to chase, but feedback is very slow coming.
Got the guest access working by just changing it to VLAN 1 which isn't acceptable. You're right though. These are supposed to give "highly secure guest access". Not sure how secure it is being on VLAN 1. I need the guest access on a entirely different VLAN that can ONLY go to the internet. I would imagine the AP would need to be able to do DHCP on its own, but these cannot, correct?
Also had the problem with freezing with the latest firmware. Had to physically disconnect the cable and reconnect to reboot (you can see how fun that will be when they are mounted to the ceiling). Downgraded to the earlier firmware and we'll see if that happens again.
Very disappointed with these. Probably going to return them.
Not sure if you ever got this working, but I had the same problem when I originally stood this up on my network. I found that for the captive portal to work the guest vlan must be allowed to access the management portal ip address on port 443. Basically the captive portal redirects the user to the ip address of the management portals. What really bothers me about this is that once the user has authenticated they can still web browse on port 443 to the management portal and you can not change the default username or create a new username with read and write access. Bottom line make sure you have a stronge admin password and change frequently. Hope that helps and good luck.
I believe the "working" setup for these to dish out the Captive Portal to guests (and use some other authentication such as WPA-Enterprise for staff) is to:
1) put the WAP on your guest subnet (untagged traffic)
2) create multple SSIDs, putting the guest SSID untagged (or vlan 1) and your "private" SSID is tagged to land on the correct subnet at your switch
3) associate the captive portal with your guest SSID.
What Cisco needs to do to fix this is get the LAN settings to allow an IP on each of the various vlans you might create on the device. Then when the captive portal gets associated with an SSID that has a specifc VLAN, the Captive Portal page can then be served to the clients correctly using an IP address on that subnet. As it is now, under what would normal config of primary SSID private and secondary SSID as guest, the clients on guest can't reach the captive portal because it is on a different subnet.
The problem with my suggestion above, is that for the private wifi SSID to use an Enterprise Radius server, once again, the WAP needs to have a local IP address on that subnet. So the real problem here is that Cisco needs to allow these WAPs to have multiple IP addresses when using VLANing.