Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Web Authentication on WLC (wireless and wired) : complete guide

New Member

I'd just like to say thank you!  I just spent many many hours trying to figure out why my WLCs were telling me INVALID_TAR_FILE when I was trying to download an updated webauth bundle.  After much hair-pulling and banging on my desk, I found this guide and quickly discovered that a new image file I added had a name longer than 30 characters.  Once I shortened that, it worked!  Cisco should really incorporate this into their official documentation, as it's far more comprehensive than anything else I've been able to find.

New Member

If you have more than one WLC with all WLCs using the same virtual interface, can you use one certiface or do you need a certificate for each WLC?

New Member

I have the same certificate installed on about 20 different WLCs.  Just use the same virtual interface IP on all of them (e.g.

New Member

What sort of certificate should I request from a CA authority?

New Member
New Member

Thanks so much.

New Member

Dear Nicolas

Thanks a lot for your excellent guide.

Question, you mention that an exemple of bundle is provided with this chunk, but I didn't find it, could you please just tell me where it is ?

Thanks in advance


The best is to use the one that is up-to-date on

Go in the download section, click on any WLC model and it will suggest you :

-WLC software


-Mesh software

-Webauth bundle example

Just pick the bundle there, it's far better than any examples that was running around before


Found it:
Release Date: 10/JUN/2011
Bundle of sample pages for web portal authentication
Size: 6343.63 KB (6495869 bytes)

It was under:



Wireless LAN Controller

Standalone Controllers

Cisco 5500 Series Wireless Controllers

Cisco 5508 Wireless Controller

Wireless Lan Controller Web Authentication Bundle-1.0.2

New Member

Did anybody tried new version 7.2?

Can I set HTTP web-auth, and HTTPS management?

If so, how? I just installed on one of my 5508s, and was not able to figure out how to perform such configuration.


Ivan Brunello

New Member

About Web Auth over HTTP.

I asked to the Cisco support. It is indeed fixed, and I can confirm it to be working.

- update to version

- on CLI (no web interface, issue the following command)

config network web-auth secureweb disable

If using a EoIP tunnel to DMZ-dedicated WLCs, you need to upgrade just the DMZ WLCs.

No need to update the core ones.

WCS seems to be able to manage 7.2 controller, but it lacks the newest features (such as RF groups).

Wait for WCS update, or plan for NCS migration.

Ivan Brunello

Thanks for the info Ivan.

I will actually update this document to 7.2 and all the new features.

By the way, there will not be any further WCS versions coming out, so NCS is the way to go for 7.2 WLC management.

Very helpful guide, thanks a lot !!!!!

One more question:

Is it possible to use a non-standard tcp port in your webauth url, that points to the external webauth server ??


If I understand your question correctly : no.

What you can do is:

-the user types the URL with a special port (http://mylocalserver:8010)

-The WLC is configured to listen on 8010 and intercepts it and throws the web authentication.

-After typing his credentials, user is redirected to mylocalserver:8010

What you cannot do is have the web login page itsel using another port ( will not happen)


I think the question is saying can the "external webauth server" be using a non-standard port and have the WLC redirect.

ie. user goes to, and WLC redirects to external page at http://server:8080/login.html.

The answer is yes.

For instance, you have decided that your server will be bound using port 8010.  When you specify the "server URL", you will include this in your external webauth server redirect address.

Bobby Jo connectes to your L3 (external) WLAN, then tries to go to

The WLC will hijack, and then redirect the request to your external server

Remember, you will need to be sure your pre-auth ACLs are in place.  Rather than allowing "HTTP" traffic, choose "other" as the port type and configure your customer port#.


I didn't understand the question correctly so then yes I agree with David :-)

Hi, guys.

That is exactly what I meant ... :-)

I have configured a pre-auth acl on this wlan allowing as destination with tcp port any to any, and I

didn't forget to allow the tcp answer packets, too.

But still not working, the site shows up fine when browsed to directly (on a lan, not with redirection .....)

What am I missing, any ideas ???


Can you share the ACL you created?  Did you apply it as a "preauthentication ACL" on the L3 policy for the WLAN in question?

This is the ACL:

And yes, I applied it as preauth-acl:

Hi, all.

I think I found my logical mistake, please correct me if I am wrong somewhere:

It is the Client, that needs to have connectivity to the external webauth server, not the WLC .... right ???

If so, I need to move the server, because the IP Address that the client gets via DHCP is taken from a different

VRF than the VRF the IP Address of the server is in..... No routing between both VRFs is allowed.

Moving the server to the clients VRF would allow the client to talk to the server and load the redirected login page .....

I will do some testing on that and report the results here....

New Member

Hi Nicholas,, great summary of all the web auth features using different devices. Quick question on Splash Page Redirect.If you are using the ACS for uinput of redirection ., is the slash page hosted on the ACS Server or is it on the WLC? . Need to be able to customize the page for users and need to know where that page is created. They (corporate users) will be on a BYOD net using EAP-PEAP/WPA2 with AD Group Policy. The redirect is after they login they need to see that page that is created.



New Member

Hi  Nicolas,

if we want to modify the success page for showing the remain time of use login. How we do ?

Many Thank.

You cannot modify the success page.

New Member

Hi Nicolas,

I encounter one issue web auth with external AD for user credential. With local account is ok. But if we use AD account to login, it is not successful even though we configure properly. Can help to suggest what cound be the issue?

WLC & AD are working properly with different SSIDs. Now we just want to create new SSID with L3 security web auth.

Thank you so much,

New Member

Hi Nicholas,

I have an urgent issue going on. the guest users are not getting the webauth page to type their username and password. I have checked almost everything, they are getting correct ip and dns from the pool, even i tried using new guest account with PSK even then they are not able to connect to internet though wireless showing connected.

Also i am not able to traceroute of resolve neither with its ip nor with the name.

Could it be a DNS issue or webauth issue. Its very urgent

Urgent problem means you should open a TAC case. Otherwise ask your question on the forum but don't put it as a comment to a document please.


The URL to the feature request doesn't work for people without TAC access (or is it even Cisco internal?). Here the URL to the bugtoolkit:

New Member

Hi Nicholas,

May i know if its possible to disable the port 80 service on WLC used for user web authentication page.

So currently the user is using and is redirected to, so we want to disable http service on the wlc so that the user gets no service on it, but only in case he directly types https:// the authentication page should open.


New Member

Hi Anuj,

I am facing the same probles as u. Guest WLAN is broadcasting, clients are able to recv ip adress but shows limited internet access...Did u solve the issue..Please share ur expereince.

Thanks in advance,



New Member

Dear Nicolas


I nee your help i have wireless controller 5508 i want to configer dedicate SSID with deferent vlan i want broadcast only one SSID in each erea

New Member

Hi Nicolas

previosly i had solved the "web-auth certificate warning issue"

input on CLI the command

*config network web-auth secureweb disable

recently i have update my WLC on  version

the warning come back out again , and the  * command is not more present!!!

please any suggestion?

New Member

hi daviwatk,

we have WLC 2504 conroller and 7 APs configured and its working fine. if you an guide me to do the below things:

1. the guest SSID configured web authentication- passthrogh option with entering email address. how to retreive all the email address list which guest users entered on web authentication portal.

2. how to make band width limitation for guest SSID (we have 100mbps connection we need to limit for guest SSID to 30mbps).

if you can help me to sort out this would be great!.