topic Re: Proxy Config in Wireless

Proxy Config

wynneit — Sat, 03 Jul 2021 23:52:06 GMT

Has anyone deployed guest access with proxy servers? I am looking to have a guest SSID cross proxy servers so cannot deploy proxy settings with group policy and need it to be automatic.

I have seen PAC, WPAD, DNS and DHCP may provide a solution but have not tested as yet. Any sugestions.

Re: Proxy Config

Scott Fella — Tue, 09 Dec 2008 04:03:57 GMT

Unless they have added a new feature on the 5.2 code, WebbAuth will not work. I have tried this in the past and what is required is that the client have proxy disabled on their browser and then after a successfull webauth login, he or she enables proxy to be able to browse. This is due to how webauth works and verifies the users homepage or url he or she is trying to get. Here is a link that might help:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml#tshoot1

Re: Proxy Config

Rajesh Kongath — Mon, 19 Jan 2009 08:15:53 GMT

Hi Fella,

Whats new in 5.2 code? we are stuck in our wireless guest configuration via proxy. did anyboyd found any workaround on this issue?

regards

raj=

Re: Proxy Config

wesleyterry — Mon, 19 Jan 2009 16:31:14 GMT

So I guess you have your proxy's manually configured and are not using WCCP?

With WCCP, you wouldn't need your clients manually configured with a proxy server. You could have the client web-auth to the WLC as expected, but then when they try to reach the internet, the WCCP policy takes into effect and requires the proxy authentication...

Just a theory, and I'm not sure what all proxy devices support WCCP (we use Blue Coat), but I'm pretty sure this "could" work...

Just a quick run-down on WCCP:

Configure WCCP on your link to the internet from the router and all HTTP traffic will automatically go to the proxy device you have configured for WCCP. So when a client opens the Internet, and attempts to access a page, the request is automatically hi-jacked by the Proxy server without any client side configuration.

Re: Proxy Config

Matthew Fowler — Tue, 20 Jan 2009 00:38:57 GMT

You can use WebAuth with a proxy, but you will need to:

1) Exclude the virtual address from the proxy

2) Configure the WLC to listen on the correct port (i.e. 8080 if you are using this). config network web-auth-port 8080

If using WPAD, you will need a pre-authentication ACL to allow the client to download the PAC file before passing web authentication. The PAC file should look similar to this:

function FindProxyForURL(url, host)

{

// variable strings to return

var proxy_yes = "PROXY :";

var proxy_no = "DIRECT";

if (shExpMatch(url, "http://*")) { return proxy_no; }

if (shExpMatch(url, "https://*")) { return proxy_no; }

// Proxy anything else

return proxy_yes;

}

Hope this helps.

-Matt

Re: Proxy Config

Rajesh Kongath — Wed, 21 Jan 2009 16:00:10 GMT

Thank wesleyterry for the comments but unfortunatly we are having MS ISA proxy which is not supported by WCCP

hello matt i will test your solution and let you know the feedback. by the way, wht exactly i have allow in pre auth ACl? my proxy port (8080) or all http traffic?

Re: Proxy Config

Matthew Fowler — Fri, 23 Jan 2009 01:26:47 GMT

The port that WPAD uses...80 I think?

Re: Proxy Config

Rajesh Kongath — Thu, 29 Jan 2009 08:29:55 GMT

Thanks Matt

It worked, after applying the bidirectional ACLs in the contoller.

by the way, the redirection is not working properly, suppose if typed www.cisco.com after authentication it redirects to www.cisco.comwww.cisco.com do you have any clue on this ?

Apart from this, is there anyway to have AD or ACS created Lobby Admins?

Thanks for your effors

Re: Proxy Config

jain.nitin — Thu, 14 May 2009 18:42:44 GMT

Hi, Could you please let me know what you have allowed in Pre Authentication ACL. what is WPAD ? I am trying to deploy same thing on a customer place...any kind of help will be appreciated..

Re: Proxy Config

brodierad — Tue, 05 Oct 2010 06:08:11 GMT

Hello there

I'm having the same issue and I have seen this solution posted in quite a few places but being pretty new to this I still find it confusing.

I don't understand what it means to "exclude the virtual address from the proxy."

Can someone tell me in a bit more detail please how I might do this? The virtual address being used is the default 1.1.1.1

Thanks

Edit: nevermind, I got this now.