topic Re: WLC 9800-80 fail to redurect to guest portal in Wireless

WLC 9800-80 fail to redurect to guest portal

DexterRoot — Fri, 16 Sep 2022 12:03:38 GMT

Hi,

We have WLC 9800-80 and use a third-party server to authenticate guest clients using guest portal.

When a client try to authenticate, they get IP address but the guest portal behave differently every time we try to login. These behaviors happen with exact same configuration.

We face these three scenarios:

1- Client get the IP-address> the splash pages opens> client write the authentication information and the get connected. No problem at all!

2- Client get the IP-address, the splash page does not comes up but the browser page get into a loop and every few seconds, same url adds to the current url. For ex. if the guest urls is test.com, the loop types, test.com in the url and write again test.com after test.com every time the webpage loops. It continues without stopping and client does not get connect.

3- Client get the IP-address> the splash pages opens> client write the authentication information> Splash page redirect the client to another page with this url: https://1.1.1.1/login.html and it warns for certificate error. (Even we have a valid certificate on our authenticator server).

The authentication server works well with our WLC 8540 but the new WLC 9800 get in trouble.

Any Idea how we can fix the guest authentication?

Thank you in advance.

Re: WLC 9800-80 fail to redurect to guest portal

Mark Elsen — Fri, 16 Sep 2022 13:58:08 GMT

- For starters and or a good place to start review the current 9800-80 configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

Re: WLC 9800-80 fail to redurect to guest portal

Rich R — Sat, 17 Sep 2022 13:06:15 GMT

You should not be using 1.1.1.1 for your captive portal - you need a FQDN DNS domain name which matches your certificate otherwise it simply won't be reliable.
Make sure your pre-auth URLs and ACLs allow access to all the resources needed to load the captive portal and content. Watch out for 3rd party content included in any of those pages - like fonts, jscript, images, social media links, tracking tags etc which will all trigger redirects if not permitted.

Re: WLC 9800-80 fail to redurect to guest portal

Arshad Safrulla — Sat, 17 Sep 2022 13:50:21 GMT

Make sure that you have a proper working DNS setup and all the pre-auth ACL's are configured to allow DNS, DHCP and HTTP access to your captive portal solution. Also share how is your paramter map is configured in you 9800 WLC, importantly make sure that ip http server is enabled in your WLC, this will enable http access to WLC management GUI as well. Below is my parameter map when HTTP server is disabled in my WLC, however I still recommend that you enable it and check.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
webauth-http-enable

As @Rich R mentioned 1.1.1.1 is now a public IP, so not recommended by Cisco to use it anymore to be used within an organization. Consider changing that as well.

Certificate error can be mostly due to DNS issues, make sure that clients can resolve DNS before authenticated to captive portal.

Re: WLC 9800-80 fail to redurect to guest portal

Rasika Nayanajith — Sat, 17 Sep 2022 22:33:53 GMT

I had the similar issues

You have to get CA signed certificate (that issued for your 9800 virtual IP address) installed on your 9800. Most likely you have to use OpenSSL (use v 1.1.1) to generate CSR & follow the instruction given below document to install the cert for WebAuth

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#anc15

For external WebAuth, those ACL will created automatically, so you do not want to define them manually.

HTH
Rasika
*** Pls rate all useful responses ***

Re: WLC 9800-80 fail to redurect to guest portal

Rich R — Sun, 18 Sep 2022 09:35:07 GMT

The automatically created ACL only includes the single external portal IP. If there's more than one IP you need to use the parameter map to add extra lines (max 9 lines). Also must use the URL ACL for any external content used in the portal content. Many now offer social media login etc which all require domains to be included in URL list as well as for any tracking tags, fonts, scripts used in the page.

Re: WLC 9800-80 fail to redurect to guest portal

Rasika Nayanajith — Sun, 18 Sep 2022 09:39:03 GMT

Good points @Rich R

Re: WLC 9800-80 fail to redurect to guest portal

eeebbunee — Tue, 19 Sep 2023 18:34:13 GMT

Hello @Mark Elsen

Thank you for your comment.

Is there any way that I can grab the 'sh tech wireless' as a file so that I can upload to Wireless Analyzer?

The result is too long to get, so I would get your opinion.

Thank you so much.

Re: WLC 9800-80 fail to redurect to guest portal

Rich R — Tue, 19 Sep 2023 23:07:31 GMT

@eeebbunee either enable logging on your terminal emulator and log the output to file or if you're using ssh on a linux box then you can ssh <hostname> | tee <filename> and the output will be logged to <filename>.