Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1815
Views
0
Helpful
9
Replies

Web Auth 9800 Redirection Issue

Tinei
Level 1
Level 1

‎07-31-2023 08:14 PM

We have recently migrated to Cisco Catalyst 9800 and we having an issue with a captive portal/web authentication. in the old 5508 we point to the same portal with no issues. However, the portal doesn't work on the new WLC. We have a publicly signed certificate for the virtual IP address that is resolvable on the internet.

When a user connects to Wi-Fi they are redirected to the external web server where they enter details. However, when it redirects it resolves to the Virtual IP DNS entry and we get error as attached "Page isn't working right now" with an err_empty_response, when you refresh that page you get redirected to the cisco consent page also attached, then you will get redirected to the success URL. We want the return from the external web server to auto redirect as with the old portal.

I have run a test with a RADIUS captive portal that also redirects to an external web portal and I have no issues. However, this portal doesn't authenticate but just captures information. 

The ACL where created automatically by the controller, I have captures of traces, packet captures and cannot seem to see why the return response from the external web portal fails to redirect.

 

Preview file
42 KB
Preview file
42 KB
0 Helpful
9 Replies 9

Flavio Miranda
VIP
VIP

‎07-31-2023 08:35 PM

Hi @Tinei 

 Did you install the certificate to the WLC?

What did you mean by "The ACL where created automatically by the controller, "

 You must create the ACL on the wlc.

"However, when it redirects it resolves to the Virtual IP DNS entry and we get error as attached "Page isn't working right now" with an err_empty_response"

How does it worked before? Dont you have a DNS entry pointing to an external DNS?

 

0 Helpful

Tinei
Level 1
Level 1

‎07-31-2023 09:12 PM

Yes the certificate is installed on the WLC

When we create a new web auth parameter map and add the portal IP and redirect URL the controller automatically creates the WA-SEC ACL attached in the text file

On the old controller we see the redirect from the external portal back to Virtual IP DNS Name and it redirects to the success page, but on the 9800 it stops and doesn't automate that process.

 

Preview file
2 KB
0 Helpful

marce1000
VIP
VIP

‎07-31-2023 11:43 PM

 

  - Have a checkup of your controller configuration with the CLI command : show tech wireless , feed tha output into : https://cway.cisco.com/wireless-config-analyzer/
   Captive port web redirection issues can be analyzed with : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Tinei
Level 1
Level 1

‎07-31-2023 11:58 PM

I have ingested the wireless config analyser with no help, but will look at the second one

We have narrowed it down to the POST from the web server "buttonclick: =4" which seems not be getting posted correctly, instead of auto redirect it stops on page.

0 Helpful

marce1000
VIP
VIP
In response to Tinei

‎08-01-2023 07:36 AM

 

   - Check logs on the webserver too  , also for the 9800 controller , use a recent software version if applicable , preferably 17.9.3 or above ,

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Tinei
Level 1
Level 1

‎08-03-2023 08:02 PM

 

I posted the output from a successful portal and the one that is failing. As you can note that the process is almost similar but the failed one gets stuck on HTTP GET and it never proceeds from there.

Success Portal

 

Applying of intercept ACL

023/07/31 06:08:46.900070 {wncd_x_R0-0}{1}: [webauth-acl] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][        0.0.0.0]Applying IPv4 intercept ACL via SVM, name: WA-v4-int-107.178.250.42-33, priority

2023/07/31 06:08:46.900462 {wncd_x_R0-0}{1}: [epm-redirect] [17797]: (info): [0000.0000.0000:unknown] URL-Redirect-ACL = WA-v4-int-107.178.250.42

 

Layer 3 Authentication Initiation

2023/07/31 06:08:46.996802 {wncd_x_R0-0}{1}: [client-auth] [17797]: (note): MAC: 98af.65a7.d2e9  L3 Authentication initiated. LWA

2023/07/31 06:08:46.996914 {wncd_x_R0-0}{1}: [client-auth] [17797]: (info): MAC: 98af.65a7.d2e9  Client auth-interface state transition: S_AUTHIF_L2_WEBAUTH_DONE -> S_AUTHIF_WEBAUTH_PENDING

2023/07/31 06:08:47.118937 {wncd_x_R0-0}{1}: [client-iplearn] [17797]: (info): MAC: 98af.65a7.d2e9  Client IP learn method update successful. Method: DHCP IP: 10.180.210.84

2023/07/31 06:08:47.119278 {wncd_x_R0-0}{1}: [client-iplearn] [17797]: (info): MAC: 98af.65a7.d2e9  IP-learn state transition: S_IPLEARN_COMPLETE -> S_IPLEARN_COMPLETE

 

HTTP Request

2023/07/31 06:09:18.281669 {wncd_x_R0-0}{1}: [webauth-httpd] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]HTTP GET request

2023/07/31 06:09:18.281690 {wncd_x_R0-0}{1}: [webauth-httpd] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]Parse GET, src [10.180.210.84] dst [121.79.127.49] url [http://www.msftconnecttest.com/connecttest.txt]

2023/07/31 06:08:57.978207 {wncd_x_R0-0}{1}: [webauth-httpd] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]GET rcvd when in LOGIN state

 

Radius Phase

2023/07/31 06:09:46.083207 {wncd_x_R0-0}{1}: [radius] [17797]: (info): RADIUS: Send Access-Request to 35.189.58.100:24403 id 0/6, len 449

2023/07/31 06:09:46.249538 {wncd_x_R0-0}{1}: [radius] [17797]: (info): RADIUS: Received from id 24403/6 35.189.58.100:0, Access-Accept, len 57

2023/07/31 06:09:46.249628 {wncd_x_R0-0}{1}: [radius] [17797]: (info): Valid Response Packet, Free the identifier

 

Acknowledgement of success – removal of intercept ACL

2023/07/31 06:09:46.249855 {wncd_x_R0-0}{1}: [webauth-acl] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]Unapply IPv4 intecept ACL via SVM, name "WA-v4-int-107.178.250.42-33",                

2023/07/31 06:09:46.250871 {wncd_x_R0-0}{1}: [webauth-acl] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]Unapply IPv6 intecept ACL via SVM, name "IP-Adm-V6-Int-ACL-global",

 

2023/07/31 06:09:46.251496 {wncd_x_R0-0}{1}: [auth-mgr] [17797]: (info): [98af.65a7.d2e9:capwap_9000000c] Authc success from WebAuth, Auth event success

2023/07/31 06:09:46.251549 {wncd_x_R0-0}{1}: [ewlc-infra-evq] [17797]: (note): Authentication Success. Resolved Policy bitmap:4 for client 98af.65a7.d2e9

 

Redirecting to the original URL

2023/07/31 06:09:46.253438 {wncd_x_R0-0}{1}: [webauth-page] [17797]: (info): capwap_9000000c[98af.65a7.d2e9][  10.180.210.84]Redirect to Initial URL [https://www.xxxxyyyy.com.au/]

2023/07/31 06:09:46.253746 {wncd_x_R0-0}{1}: [client-auth] [17797]: (note): MAC: 98af.65a7.d2e9  L3 Authentication Successful. ACL:[]

 

>>>>>>>>>>>>>>>>>>>>>>>>>>>> 

 

Failed Portal

 

Applying of intercept ACL

2023/08/02 04:54:49.290925 {wncd_x_R0-1}{1}: [webauth-acl] [18028]: (info): capwap_9040000f[98af.65a7.d2e9][        0.0.0.0]Applying IPv4 intercept ACL via SVM, name: WA-v4-int-172.64.149.27-25, priority:

2023/08/02 04:54:49.291212 {wncd_x_R0-1}{1}: [epm-redirect] [18028]: (info): [0000.0000.0000:unknown] URL-Redirect-ACL = WA-v4-int-172.64.149.27

 

Layer 3 Authentication Initiation

2023/08/02 04:54:49.375374 {wncd_x_R0-1}{1}: [client-auth] [18028]: (note): MAC: 98af.65a7.d2e9  L3 Authentication initiated. LWA

2023/08/02 04:54:49.375466 {wncd_x_R0-1}{1}: [client-auth] [18028]: (info): MAC: 98af.65a7.d2e9  Client auth-interface state transition: S_AUTHIF_L2_WEBAUTH_DONE -> S_AUTHIF_WEBAUTH_PENDING

2023/08/02 04:54:49.422632 {wncd_x_R0-1}{1}: [client-iplearn] [18028]: (info): MAC: 98af.65a7.d2e9  Client IP learn method update successful. Method: DHCP IP: 10.180.210.84

2023/08/02 04:54:49.422932 {wncd_x_R0-1}{1}: [client-iplearn] [18028]: (info): MAC: 98af.65a7.d2e9  IP-learn state transition: S_IPLEARN_COMPLETE -> S_IPLEARN_COMPLETE

 

HTTP Request

2023/08/02 04:54:50.087918 {wncd_x_R0-1}{1}: [webauth-httpd] [18028]: (info): capwap_9040000f[98af.65a7.d2e9][  10.180.210.84]HTTP GET request

2023/08/02 04:54:50.087939 {wncd_x_R0-1}{1}: [webauth-httpd] [18028]: (info): capwap_9040000f[98af.65a7.d2e9][  10.180.210.84]Parse GET, src [10.180.210.84] dst [121.79.127.34] url [http://www.msftconnecttest.com/connecttest.txt]

2023/08/02 04:54:50.642191 {wncd_x_R0-1}{1}: [webauth-httpd] [18028]: (info): capwap_9040000f[98af.65a7.d2e9][  10.180.210.84]GET rcvd when in LOGIN state

023/08/02 04:55:19.132139 {wncd_x_R0-1}{1}: [webauth-httpd] [18028]: (info): capwap_9040000f[98af.65a7.d2e9][  10.180.210.84]Parse GET, src [10.180.210.84] dst [172.217.24.35] url

0 Helpful

Captain82
Level 1
Level 1
In response to Tinei

‎05-09-2024 02:20 PM

Tinei - What was the fix? Having the same issue over here..

0 Helpful

jspilde
Level 1
Level 1

‎02-01-2024 11:16 AM

Was this issue resolved? I have a similar issue with web auth redirection. Thanks.

0 Helpful

MHM Cisco World
VIP
VIP
In response to jspilde

‎02-01-2024 11:28 AM

Make new post for this case it better 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card