topic 9800 External Webauth in Wireless

9800 External Webauth

dm2020 — Sat, 02 Jul 2022 13:04:14 GMT

Hi All,

I'm currently setting up External Webauth on a Cisco 9800 and I'm trying to work out what commands need to be configured under the global parameter map. So far I have the following

parameter-map type webauth global
virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com

trustpoint <trustpoint for wifi.domain.com>

However I'm unsure if I need any of the following commands

intercept-https-enable
webauth-http-enable
secure-webauth-disable

This is going to be used for a public hotspot. I know that some devices will complain if they are redirected to a non-secure site so I'm assuming that 'secure-webauth-disable' is probably not recommended, however I'm unsure about the other commands. What have other configured that works well for public guest wireless?

Re: 9800 External Webauth

Mark Elsen — Sat, 02 Jul 2022 16:51:18 GMT

- You may find these documents informational :

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-external-web-authentication-configuration.html

Re: 9800 External Webauth

dm2020 — Sat, 02 Jul 2022 19:13:44 GMT

Thanks,

I've had a read and it appears that the behaviours have changed in IOS-XE 17.3 with regards to http/https for Webauth.

As we only want HTTPs access to the WLC for admin, and both HTTP and HTTPs access to the WLC for Webauth then we need to configure the following

parameter-map type webauth global
virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com

trustpoint <trustpoint for wifi.domain.com>

webauth-http-enable

no ip http server

ip http secure-server

Question - We also have the following configured on the WLC for hardening the web interface. Will this have an impact on Webauth or are these commands only applicable for the WLC admin web interface? I couldn't find this documented anywhere

ip http access-class ipv4 <access list>
ip http authentication aaa

ip http tls-version TLSv1.2

Re: 9800 External Webauth

Mark Elsen — Sun, 03 Jul 2022 06:49:05 GMT

>...Will this have an impact on Webauth or are these commands only applicable for the WLC admin web interface? I couldn't find this documented anywhere

>...ip http tls-version TLSv1.2

- I tend to believe this does not impact webauth , as a consistency check however for the current 9800 configuration you may review the it with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer

Re: 9800 External Webauth

Rich R — Sun, 03 Jul 2022 22:51:47 GMT

Ours is:
parameter-map type webauth global
type webauth
virtual-ip ipv4 <ip> virtual-host <FQDN>
intercept-https-enable
trustpoint <trustpoint>.p12

Don't know about the access-class or TLS and aaa definitely only applies to admin GUI. But I do seem to recall breaking something when turning off ip http server (we have it enabled now) - possibly the device captive portal assistant redirect (which are always http to avoid cert errors). Test with and without to confirm and let us know for the record.

Re: 9800 External Webauth

dm2020 — Sun, 03 Jul 2022 23:43:27 GMT

Thanks for the reply. That is very helpful.

Regarding https intercept, do you have any issues with this and is there any noticeable performance issues/high CPU increase on the WLC?

Re: 9800 External Webauth

Rich R — Mon, 04 Jul 2022 07:50:19 GMT

> Regarding https intercept, do you have any issues with this and is there any noticeable performance issues/high CPU increase on the WLC?

We haven't seen any problems with it. Obviously a user getting https redirected will get cert and/or security warnings but that's unavoidable.