WLC Web Authentication fails with IAS Radius Server

Introduction

WLC web authentication fails with an IAS RADIUS server even though the server accepts the user.

Scenario

User has web authentication set up for a guest SSID. When a guest connects to the guest SSID, they are given the correct IP address. The guest then sends a request to e.g. google.com and is redirected to the internal web-auth login page hosted on the WLC. The user enters a username and password and gets the error:

"Login Error. The User Name and Password combination you have entered is invalid. Please try again"

However, if we check the logs on the RADIUS server, the user is authenticated and allowed.

Debug AAA on the WLC also shows an Access-Accept received from the RADIUS server for the guest ID.

Failed Logs

Fri Mar  5 15:41:17 2010: 00:1e:52:xx:e7:34 Sending Accounting request (2) for station 00:1e:52:xx:e7:34

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 232) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 233) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 234) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 235) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 236) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 237) to 10.222.xx.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3

Fri Mar  5 15:41:30 2010: 00:1e:52:xx:e7:34 Sending Accounting request (2) for station 00:1e:52:xx:e7:34

Fri Mar  5 15:42:04 2010: 00:1e:52:xx:e7:34 Successful transmission of Authentication Packet (id 211) to 10.222.yy.62:1813, proxy state 00:1e:52:xx:e7:34-52:70

Fri Mar  5 15:42:04 2010: 00:1e:52:xx:e7:34 Access-Accept received from RADIUS server 10.222.yy.62 for mobile 00:1e:52:xx:e7:34 receiveId = 0

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Username entry (madison_guest) created for mobile 00:1e:52:xx:e7:34

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Plumbing web-auth redirect rule due to user logout for 00:1e:52:xx:e7:34

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting mobile policy rule 155

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Adding Web RuleID 156 for mobile 00:1e:52:xx:e7:34

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Web Authentication failure for station 00:1e:52:xx:e7:34

Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Reached ERROR: from line 4237

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting policy rule

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [00:17:0f:d8:b9:30]

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 Updated location for station 00:1e:52:xx:e7:34 - old AP 00:00:00:00:00:00-0, new AP 00:17:xx:8c:12:c0-1

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 Association received from mobile 00:1e:52:xx:e7:34 on AP 00:17:xx:8c:12:c0

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 Applying site-specific override for station 00:1e:52:xx:e7:34 - vapId 8, site 'Floor_10_Access_Points', interface 'ssid_public_floor_10'

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1080)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 STA: 00:1e:52:xx:e7:34 - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Change state to START (0)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 START (0) Initializing policy

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 START (0) Change state to AUTHCHECK (2)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:17:xx:8c:12:c0

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding TMP rule

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding Fast Path rule

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Deleting mobile policy rule 156

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 Adding Web RuleID 157 for mobile 00:1e:52:xx:e7:34

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Adding TMP rule

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Replacing Fast Path rule

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8)

Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255)
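
The debug excerpt above is easier to read once it is grouped per client. The following Python script is an added example, not part of the original document and not a Cisco tool: it parses a handful of lines copied from the excerpt above, records the client's policy-state transitions and the RADIUS replies, and flags the combination this case hinges on, an Access-Accept from the RADIUS server followed by a web-authentication failure on the WLC. The line format it assumes is the one shown above (the xx/yy redactions in the MAC and server addresses are accepted by the pattern); other WLC releases may format debug output differently.

```python
import re
from collections import defaultdict

# Sample lines copied from the WLC debug excerpt in this document. MAC address and
# RADIUS server octets are redacted with xx/yy in the original, so the pattern accepts them.
SAMPLE_LOG = """\
Fri Mar  5 15:41:18 2010: 00:1e:52:xx:e7:34 Access-Challenge received from RADIUS server 10.222.xx.62 for mobile 00:1e:52:xx:e7:34 receiveId = 3
Fri Mar  5 15:42:04 2010: 00:1e:52:xx:e7:34 Access-Accept received from RADIUS server 10.222.yy.62 for mobile 00:1e:52:xx:e7:34 receiveId = 0
Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Username entry (madison_guest) created for mobile 00:1e:52:xx:e7:34
Fri Mar  5 15:09:30 2010: 00:1e:52:xx:e7:34 Web Authentication failure for station 00:1e:52:xx:e7:34
Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 WEBAUTH_REQD (8) Change state to START (0)
Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 START (0) Change state to AUTHCHECK (2)
Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4)
Fri Mar  5 15:09:36 2010: 00:1e:52:xx:e7:34 10.222.190.182 L2AUTHCOMPLETE (4) Change state to WEBAUTH_REQD (8)
"""

# "Fri Mar  5 15:41:18 2010: <client mac> <message>" as printed by the WLC above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"(?P<mac>(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}) (?P<msg>.*)$"
)
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\)")
RADIUS_RE = re.compile(r"(Access-(?:Accept|Reject|Challenge)) received from RADIUS server (\S+)")
USER_RE = re.compile(r"Username entry \((\S+)\) created")


def summarize(lines):
    """Group debug lines per client MAC: username, policy-state transitions,
    RADIUS replies (kind, server) and the number of web-auth failures."""
    clients = defaultdict(lambda: {"username": None, "states": [], "radius": [], "webauth_failures": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line
        entry = clients[m.group("mac")]
        msg = m.group("msg")
        s = STATE_RE.search(msg)
        if s:
            entry["states"].append(s.group(1))
        r = RADIUS_RE.search(msg)
        if r:
            entry["radius"].append((r.group(1), r.group(2)))
        u = USER_RE.search(msg)
        if u:
            entry["username"] = u.group(1)
        if "Web Authentication failure" in msg:
            entry["webauth_failures"] += 1
    return dict(clients)


def diagnose(summary):
    """Turn the per-client summary into findings a troubleshooter would act on."""
    findings = []
    for mac, c in summary.items():
        accepted_by = [srv for kind, srv in c["radius"] if kind == "Access-Accept"]
        if c["webauth_failures"] and accepted_by:
            # The situation in this document: credentials are fine, the reply attributes are not.
            findings.append(
                f"{mac} ({c['username']}): web-auth failure although {accepted_by[0]} sent Access-Accept; "
                f"inspect the Access-Accept attributes (Service-Type must be Login), not the credentials")
        elif c["webauth_failures"]:
            findings.append(
                f"{mac} ({c['username']}): web-auth failure with no Access-Accept seen; "
                f"check credentials and RADIUS reachability")
        if c["states"] and c["states"][-1] == "WEBAUTH_REQD":
            findings.append(f"{mac}: client is back in WEBAUTH_REQD, the redirect rule was re-plumbed and login must be retried")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG.splitlines())):
        print(finding)
```

Feed it the full output of the WLC debug session instead of SAMPLE_LOG; lines that do not match the expected prefix are skipped rather than raising, so unrelated debug output can be left in.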

Network Component

RADIUS server: Microsoft IAS (Internet Authentication Service)

Solution

In the IAS remote access policy, open Edit Dial-in Profile, select the Advanced tab and make sure the Service-Type attribute is set to Login.

In this case the Service-Type was set to Framed.

For web authentication, the Service-Type that the RADIUS server returns must be Login, not Framed. The WLC does not admit a web-auth client whose Access-Accept carries Service-Type Framed, which is why the RADIUS server logs a successful authentication while the client still sees the "Login Error" page.

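The following Python script is an added example, not part of the original document and not Cisco or Microsoft code. It decodes a RADIUS reply (RFC 2865 header and attribute list), verifies the Response Authenticator against the shared secret so that a reply not produced by the configured server is ignored before its attributes are trusted, and then reports what a WLC web-auth client would experience: Login (1) is admitted, Framed (2) produces exactly the "Login Error" described above although the packet is an Access-Accept. The request authenticator and shared secret are constructed sample values; the build_access_accept helper only exists to construct the two sample replies.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865. Service-Type is the attribute this document's fix is about:
# IAS returned Framed (2) where the WLC's web authentication expects Login (1).
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_NAMES = {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
                      5: "Outbound", 6: "Administrative", 7: "NAS-Prompt", 8: "Authenticate-Only"}


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]),
    rejecting packets whose length field or attribute lengths are inconsistent."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A reply that fails this check was not built with the shared secret and must be discarded."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_access_accept(ident: int, request_authenticator: bytes, secret: bytes, service_type: int) -> bytes:
    """Construct a sample Access-Accept carrying a single Service-Type attribute."""
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def check_webauth_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Explain what a WLC web-auth client would see for this RADIUS reply."""
    code, _ident, _auth, attrs = parse_radius(packet)
    if not verify_response_authenticator(packet, request_authenticator, secret):
        return "invalid: Response Authenticator mismatch (wrong shared secret or tampered reply)"
    if code != ACCESS_ACCEPT:
        return f"rejected: RADIUS code {code}"
    service_types = [struct.unpack("!I", v)[0] for t, v in attrs
                     if t == ATTR_SERVICE_TYPE and len(v) == 4]
    if not service_types:
        return "accept: no Service-Type attribute in the Access-Accept"
    st = service_types[0]
    if st == SERVICE_TYPE_LOGIN:
        return "accept: Service-Type Login (1)"
    name = SERVICE_TYPE_NAMES.get(st, "unknown")
    return (f"login error: Service-Type {name} ({st}) in Access-Accept; WLC web auth expects Login (1), "
            f"so the client sees 'Login Error' although the RADIUS server logged a successful authentication")


# Constructed sample values; a real request authenticator is 16 random bytes per request.
REQUEST_AUTHENTICATOR = bytes(range(16))
SHARED_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    for st in (SERVICE_TYPE_FRAMED, SERVICE_TYPE_LOGIN):
        reply = build_access_accept(211, REQUEST_AUTHENTICATOR, SHARED_SECRET, st)
        print(SERVICE_TYPE_NAMES[st], "->", check_webauth_accept(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

To apply this to a live capture, take the Access-Request's authenticator (bytes 4 to 19 of the request) and the WLC's configured shared secret; if the reply verifies and carries Service-Type Framed, the IAS profile is the place to fix it, not the user's password.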
Web Authentication on WLCs

Web authentication is a Layer 3 security feature that causes the controller to block IP traffic from a particular client, except DHCP-related and DNS-related packets and any traffic permitted by the pre-authentication ACL, until that client has supplied a valid username and password. Web authentication is the only security policy that allows the client to obtain an IP address before authentication. It is a simple authentication method that needs no supplicant or client utility. Web authentication can be done either locally on the WLC or against a RADIUS server, and it is typically used by customers who want to deploy a guest-access network.

Web authentication starts when the controller intercepts the client's first TCP HTTP (port 80) GET packet. For the client's web browser to get this far, the client must first obtain an IP address and resolve the URL to an IP address (DNS resolution), so that the browser knows which IP address to send the HTTP GET to.

When web authentication is configured on the WLAN, the controller blocks all traffic from the client, except DHCP and DNS traffic, until the authentication process is completed. When the client sends the first HTTP GET to TCP port 80, the controller redirects the client to https://1.1.1.1/login.html for processing. This process eventually brings up the login web page.

Note: When you use an external web server for web authentication, some WLC platforms need a pre-authentication ACL for the external web server: the Cisco 5500 Series Controller, the Cisco 2100 Series Controller, the Cisco 2000 Series Controller and the controller network module. On the other WLC platforms the pre-authentication ACL is not mandatory.

Note: It is nevertheless good practice to configure a pre-authentication ACL for the external web server whenever external web authentication is used.

This section explains the web authentication redirection process in detail.

[Figure: webauth-tshoot5.gif, web authentication redirection process; image not reproduced]

Reference

This document was generated from the following discussion: WLC Web Auth with Radius server fails

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Version history
Revision 2 of 2
Last update: 08-29-2017 07:38 AM