topic Re: WLC Slow web login authenticate in Wireless

WLC Slow web login authenticate

haikalmesiniaga — Sun, 04 Jul 2021 07:12:12 GMT

Hi Guys,my visitor login page very slow to appears .Sometimes it takes 10 - 30minutes to appears even after I enter http://1.1.1.1.

How can i troubleshoot ?Thanks

Re: WLC Slow web login authenticate

Amjad Abdullah — Sun, 09 Jun 2013 07:02:32 GMT

Hi,

This might be handy.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080a38c11.shtml

but, are you using default page? or custom page?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: WLC Slow web login authenticate

Scott Fella — Sun, 09 Jun 2013 13:59:03 GMT

Really seems like there is a network issue like DNS or maybe a duplicate IP. I would connect a PC to the guest vlan and test if that PC gets an IP address and can access the Internet with no issues.

Sent from Cisco Technical Support iPhone App

WLC Slow web login authenticate

haikalmesiniaga — Mon, 10 Jun 2013 02:15:54 GMT

im using custom page...test nslookup,everyting ok.

my laptop also can get ip without no issue.

the only thing its hard to estbalish login page..

Re: WLC Slow web login authenticate

Scott Fella — Mon, 10 Jun 2013 12:02:28 GMT

When you are performing the test, it has to be from the guest network. The nslookup has to be done from the guest subnet. If you can connect a laptop to the guest subnet and get an IP address and also have Internet access, then we can rule out the guest wired side of things.

The thing is, are you anchoring? What is the setup like? Can you post your show run-config.

Sent from Cisco Technical Support iPhone App

WLC Slow web login authenticate

haikalmesiniaga — Wed, 03 Jul 2013 07:47:00 GMT

Hi All,

Problem solved.Since it using local authenticate,i have remove AAA authenticate server IP under WLAN Settings.

I also adjust order used for authentication and remove radius and ldap.Its work like a champ

Order Used For Authentication

WLC Slow web login authenticate

Amjad Abdullah — Wed, 03 Jul 2013 13:16:26 GMT

Hi Haikal,

Thank you for sharing the valuable info.

This is actually strange behavior with cisco WLC when using Web-Auth.

When normal EAP authentication is going on (Local EAP for example), if one method has a reply (local DB or LDAP) either reject or accept, it does not fall to the next method (if local is on top, it will never fall back to the LDAP as the local DB will always reply with accept - if user credentials are found and correct - or reject - if user not found or bad credentials).

With the Web-Auth this is not correct. If one method (local DB, LDAP and/or RADIUS) is replying with a access-reject radius message, the WLC continues to check the next method until it either finds a success or fails after trying all methods with no success.

In your situation it seems was trying to check the radius servers first. But that would have affected the time of the response after you previde the credentials. From your description I understood you have a problem with showing the login page!

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Re: WLC Slow web login authenticate

Shaoqin Li — Wed, 03 Jul 2013 16:35:03 GMT

can you try other ip else than 1.1.1.1? Afaik 1.1.1.1 is on internet...

Sent from Cisco Technical Support iPhone App

Re: WLC Slow web login authenticate

mmangat — Mon, 08 Jul 2013 05:10:50 GMT

hello,

Troubleshooting Web Authentication

After you configure web authentication, if the feature does not work as expected, complete these troubleshooting steps:

Check if the client gets an IP address. If not, users can uncheck DHCP Required on the WLAN and give the wireless client a static IP address. This assumes association with the access point. Refer to the IP addressing issues section of Troubleshooting Client Issues in the Cisco Unified Wireless Network for troubleshooting DHCP related issues.
On WLC versions earlier than 3.2.150.10, you must manually enter https://1.1.1.1/login.html in order to navigate to the web authentication window.
The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page.
Therefore, ensure that the client is able to perform DNS resolution             for the redirection to work. On Windows, choose Start >             Run, enter CMD in order to open a command window, and             do a “nslookup www.cisco.com" and see if the IP address comes back.
On Macs/Linux: open a terminal window and do a “nslookup             www.cisco.com" and see if the IP address comes back.
If you believe the client is not getting DNS resolution, you can             either:
- Enter either the IP address of the URL (for example, http://www.cisco.com is http://198.133.219.25)
- Try to directly reach the controller's webauth page with https:///login.html. Typically this is http://1.1.1.1/login.html.
Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also be a certificate problem. The controller, by default, uses a self-signed certificate and most web browsers warn against using them.
For web authentication using customized web page, ensure that the             HTML code for the customized web page is appropriate.
You can download a sample Web Authentication script from             Cisco Software             Downloads. For example, for the 4400 controllers, choose             Products > Wireless > Wireless LAN Controller > Standalone             Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404             Wireless LAN Controller > Software on Chassis > Wireless Lan Controller             Web Authentication Bundle-1.0.1 and download the             webauth_bundle.zip file.
These parameters are added to the URL when the user's Internet             browser is redirected to the customized login page:
- ap_mac—The MAC address of the access point to which the wireless user is associated.
- switch_url—The URL of the controller to which the user credentials should be posted.
- redirect—The URL to which the user is redirected after authentication is successful.
- statusCode—The status code returned from the controller's web authentication server.
- wlan—The WLAN SSID to which the wireless user is associated.
These are the available status codes:
- Status Code 1: "You are already logged in. No further action is required on your part."
- Status Code 2: "You are not configured to authenticate against web portal. No further action is required on your part."
- Status Code 3: "The username specified cannot be used at this time. Perhaps the username is already logged into the system?"
- Status Code 4: "You have been excluded."
- Status Code 5: "The User Name and Password combination you have entered is invalid. Please try again."
All the files and pictures that need to appear on the Customized             web page should be bundled into a .tar file before uploading to the WLC. Ensure             that one of the files included in the tar bundle is login.html. You receive             this error message if you do not include the login.html             file:

Refer to the             Guidelines             for Customized Web Authentication section of             Wireless             LAN Controller Web Authentication Configuration Example for more             information on how to create a customized web authentication window.
Note: Files that are large and files that have long names will result                 in an extraction error. It is recommended that pictures are in .jpg                 format.
Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication. Other browsers may or may not work.
Ensure that the Scripting option is not blocked on             the client browser as the customized web page on the WLC is basically an HTML             script. On IE 6.0, this is disabled by default for security purposes.
Note: The Pop Up blocker needs to be disabled on the browser if you                 have configured any Pop Up messages for the user.
Note: If you browse to an https site, redirection does                 not work. Refer to Cisco bug ID                 CSCar04580 (registered customers only)          for more information.
If you have a host name configured for the virtual interface of the WLC, make sure that the DNS resolution is available for the host name of the virtual interface.
Note: Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface.
Sometimes the firewall installed on the client computer blocks the web authentication login page. Disable the firewall before you try to access the login page. The firewall can be enabled again once the web authentication is completed.

Topology/solution firewall can be placed between the client and web-auth server, which depends on the network. As for each network design/solution implemented, the end user should make sure these ports are allowed on the network firewall.

Protocol	Port
HTTP/HTTPS Traffic	TCP port 80/443
CAPWAP Data/Control Traffic	UDP port 5247/5246
LWAPP Data/Control Traffic (before rel 5.0)	UDP port 12222/12223
EOIP packets	IP protocol 97
Mobility	UDP port 16666 (non secured) UDP port 16667 (secured IPSEC tunnel)

For web authentication to occur, the client should first associate to the appropriate WLAN on the WLC. Navigate to the Monitor > Clients menu on the WLC GUI in order to see if the client is associated to the WLC. Check if the client has a valid IP address.
Disable the Proxy Settings on the client browser until web authentication is completed.
The default web authentication method is PAP. Ensure that PAP authentication is allowed on the RADIUS server for this to work. In order to check the status of client authentication, check the debugs and log messages from the RADIUS server. You can use the debug aaa all command on the WLC to view the debugs from the RADIUS server.
Update the hardware driver on the computer to the latest code from manufacturer's website.
Verify settings in the supplicant (program on laptop).
When you use the Windows Zero Config supplicant built into Windows:
- Verify user has latest patches installed.
- Run debugs on supplicant.
On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start > Run > CMD:
```
netsh ras set tracing eapol enable
      netsh ras set tracing rastls enable
```
In order to disable the logs, run the same command but replace enable with disable. For XP, all logs will be located in C:\Windows\tracing.

If you still have no login web page, collect and analyze this output from a single client:

debug client 
debug dhcp message enable
debug aaa all enable
debug dot1x aaa enable
debug mobility handoff enable

If the issue is not resolved after you complete these steps, collect these debugs and use the TAC Service Request Tool (registered customers only) in order to open a Service Request.
```
debug pm ssh-appgw enable
debug pm ssh-tcp enable
debug pm rules enable
debug emweb server enable
debug pm ssh-engine enable packet 
```