Beginner

Web Auth with HREAP

Hello!

I am trying to find out if web auth (with HREAP APs) follows the same documented principles as with local APs (i.e. passing all traffic through the WLC).

The initial phases of the Web Auth process below are what I am querying, i.e. do they pass through to the WLC over the WAN, or are they bridged locally by the AP?

DNS resolution of initial url

TCP session creation phase

HTTP GET phase for original url

Note: client DHCP is supplied locally by L3 switch and is ok

Many thanks

Accepted Solution

So to clarify. DHCP will be done locally.

DNS will be done locally too (but only after the client is in run state). Until the client has not authenticated successfully, all the traffic comes back across the WAN.

Till the client is in WEBAUTH_REQD state all the traffic will come back. You can check that using

>show client detail (mac-addr)


8 REPLIES
Cisco Employee

Hi,

The AP will automatically direct initial traffic to the controller for authentication, and once authenticated, traffic will be bridged locally. I assume we are using the internal WEB AUTH page, not external.

lemme know if this answered your question!!

Regards

Surendra

===

Please don't forget to rate the useful posts which answered your question or were helpful

Regards
Surendra BG

Hi Surendra

Thanks for your prompt reply.

Web auth page is internal.

So to clarify the first part of the auth process: the client opens a browser session, the DNS request (resolving URL to IP) gets forwarded to the WLC across the WAN - is this correct?

Thanks


Yes, that's correct.

lemme know if this answered your question!!

Regards

Surendra

===

Please don't forget to rate the useful posts which answered your question or were helpful

Regards
Surendra BG

Hi Surendra

Thanks very much - that helps a lot. Does that mean that the TCP sessions created are proxied by the WLC across the WAN and upon successful authentication this TCP session is handed off locally to the original WLAN client?

Thanks


Hi Fabian,

Think of it this way. The Wireless Controller manages all the traffic for a client connecting through an HREAP until it goes in Run state.

If you run the following command,

>debug client (tes-mac-addr)

>show client detail (tes-mac-addr) --> Check the state of the client.

You will see all the client traffic relayed across the WAN to the controller. Once the client completes webauth, the client goes into run state and all the traffic is locally switched. With webauth the controller blocks all the traffic except DNS. Once authenticated, based on the WLAN setup for local switching, all the traffic will be done by the HREAP AP. The controller still however maintains an (Association ID) for the client.


My 2 cents....


Thanks for the 2 cents

This goes back to my original query regarding DNS. My understanding is that DNS (and DHCP) requests will be bridged locally; however, Surendra states not.

Thanks for the debugs - I'll give them a go.

Regards


Thanks to everyone who has helped, I've got it now.