This document went official on cisco.com :
I'd just like to say thank you! I just spent many many hours trying to figure out why my WLCs were telling me INVALID_TAR_FILE when I was trying to download an updated webauth bundle. After much hair-pulling and banging on my desk, I found this guide and quickly discovered that a new image file I added had a name longer than 30 characters. Once I shortened that, it worked! Cisco should really incorporate this into their official documentation, as it's far more comprehensive than anything else I've been able to find.
If you have more than one WLC with all WLCs using the same virtual interface, can you use one certiface or do you need a certificate for each WLC?
I have the same certificate installed on about 20 different WLCs. Just use the same virtual interface IP on all of them (e.g. 22.214.171.124).
What sort of certificate should I request from a CA authority?
Instructions are here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Thanks so much.
Thanks a lot for your excellent guide.
Question, you mention that an exemple of bundle is provided with this chunk, but I didn't find it, could you please just tell me where it is ?
Thanks in advance
The best is to use the one that is up-to-date on cisco.com
Go in the download section, click on any WLC model and it will suggest you :
-Webauth bundle example
Just pick the bundle there, it's far better than any examples that was running around before
It was under:
Wireless LAN Controller
Cisco 5500 Series Wireless Controllers
Cisco 5508 Wireless Controller
Wireless Lan Controller Web Authentication Bundle-1.0.2
Did anybody tried new version 7.2?
Can I set HTTP web-auth, and HTTPS management?
If so, how? I just installed on one of my 5508s, and was not able to figure out how to perform such configuration.
About Web Auth over HTTP.
I asked to the Cisco support. It is indeed fixed, and I can confirm it to be working.
- update to version 126.96.36.199
- on CLI (no web interface, issue the following command)
config network web-auth secureweb disable
If using a EoIP tunnel to DMZ-dedicated WLCs, you need to upgrade just the DMZ WLCs.
No need to update the core ones.
WCS 188.8.131.52 seems to be able to manage 7.2 controller, but it lacks the newest features (such as RF groups).
Wait for WCS update, or plan for NCS migration.
Thanks for the info Ivan.
I will actually update this document to 7.2 and all the new features.
By the way, there will not be any further WCS versions coming out, so NCS is the way to go for 7.2 WLC management.
Very helpful guide, thanks a lot !!!!!
One more question:
Is it possible to use a non-standard tcp port in your webauth url, that points to the external webauth server ??
If I understand your question correctly : no.
What you can do is:
-the user types the URL with a special port (http://mylocalserver:8010)
-The WLC is configured to listen on 8010 and intercepts it and throws the web authentication.
-After typing his credentials, user is redirected to mylocalserver:8010
What you cannot do is have the web login page itsel using another port (https://184.108.40.206:8080/login.html will not happen)
I think the question is saying can the "external webauth server" be using a non-standard port and have the WLC redirect.
ie. user goes to www.somepage.com, and WLC redirects to external page at http://server:8080/login.html.
The answer is yes.
For instance, you have decided that your server will be bound using port 8010. When you specify the "server URL", you will include this in your external webauth server redirect address.
Bobby Jo connectes to your L3 (external) WLAN, then tries to go to http://www.google.com
The WLC will hijack, and then redirect the request to your external server http://220.127.116.11:8010/login.html.
Remember, you will need to be sure your pre-auth ACLs are in place. Rather than allowing "HTTP" traffic, choose "other" as the port type and configure your customer port#.
I didn't understand the question correctly so then yes I agree with David :-)
That is exactly what I meant ... :-)
I have configured a pre-auth acl on this wlan allowing 10.10.10.10 as destination with tcp port any to any, and I
didn't forget to allow the 10.10.10.10 tcp answer packets, too.
But still not working, the site shows up fine when browsed to directly (on a lan, not with redirection .....)
What am I missing, any ideas ???
Can you share the ACL you created? Did you apply it as a "preauthentication ACL" on the L3 policy for the WLAN in question?
This is the ACL:
And yes, I applied it as preauth-acl:
I think I found my logical mistake, please correct me if I am wrong somewhere:
It is the Client, that needs to have connectivity to the external webauth server, not the WLC .... right ???
If so, I need to move the server, because the IP Address that the client gets via DHCP is taken from a different
VRF than the VRF the IP Address of the server is in..... No routing between both VRFs is allowed.
Moving the server to the clients VRF would allow the client to talk to the server and load the redirected login page .....
I will do some testing on that and report the results here....
Hi Nicholas,, great summary of all the web auth features using different devices. Quick question on Splash Page Redirect.If you are using the ACS for uinput of redirection ., is the slash page hosted on the ACS Server or is it on the WLC? . Need to be able to customize the page for users and need to know where that page is created. They (corporate users) will be on a BYOD net using EAP-PEAP/WPA2 with AD Group Policy. The redirect is after they login they need to see that page that is created.
if we want to modify the success page for showing the remain time of use login. How we do ?
You cannot modify the success page.
I encounter one issue web auth with external AD for user credential. With local account is ok. But if we use AD account to login, it is not successful even though we configure properly. Can help to suggest what cound be the issue?
WLC & AD are working properly with different SSIDs. Now we just want to create new SSID with L3 security web auth.
Thank you so much,
I have an urgent issue going on. the guest users are not getting the webauth page to type their username and password. I have checked almost everything, they are getting correct ip and dns from the pool, even i tried using new guest account with PSK even then they are not able to connect to internet though wireless showing connected.
Also i am not able to traceroute of resolve google.com neither with its ip nor with the name.
Could it be a DNS issue or webauth issue. Its very urgent
Urgent problem means you should open a TAC case. Otherwise ask your question on the forum but don't put it as a comment to a document please.
The URL to the feature request doesn't work for people without TAC access (or is it even Cisco internal?). Here the URL to the bugtoolkit: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy32145
May i know if its possible to disable the port 80 service on WLC used for user web authentication page.
So currently the user is using http://18.104.22.168 and is redirected to https://22.214.171.124/login, so we want to disable http service on the wlc so that the user gets no service on it, but only in case he directly types https:// the authentication page should open.
I am facing the same probles as u. Guest WLAN is broadcasting, clients are able to recv ip adress but shows limited internet access...Did u solve the issue..Please share ur expereince.
Thanks in advance,
I nee your help i have wireless controller 5508 i want to configer dedicate SSID with deferent vlan i want broadcast only one SSID in each erea
previosly i had solved the "web-auth certificate warning issue"
input on CLI the command
*config network web-auth secureweb disable
recently i have update my WLC on version 126.96.36.199
the warning come back out again , and the * command is not more present!!!
please any suggestion?
we have WLC 2504 conroller and 7 APs configured and its working fine. if you an guide me to do the below things:
1. the guest SSID configured web authentication- passthrogh option with entering email address. how to retreive all the email address list which guest users entered on web authentication portal.
2. how to make band width limitation for guest SSID (we have 100mbps connection we need to limit for guest SSID to 30mbps).
if you can help me to sort out this would be great!.