cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6667
Views
0
Helpful
13
Replies
Highlighted

Web authentication don't redirect when enter URL

Web authentication don't redirect when enter URL but i can enter IP address.It's OK.

I use WLC4404 and WLC 5508 and i enable Web authentication function when i access with SSID its enable Web authen.I enter www.google.com in URL it's not redirect to Cisco Web authen from WLC but if I enter any IP address (ie. 8.8.8.8) it can redirect to Cisco Web Authen. It's Work. Please tell solution for fix it.

now i connect directly with AP and WLC / DHCP i get from WLC

Router

||

||

||

WLC 5508 / WLC 4404 ========> Switch =======> AP =======> clients

IP of WLC can access to internet via router it's same subnet.

form clients i can use nslookup www.google.co.th it's show ip of google

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

AFAIK ... DNS server does not resolves IPs to iPs.. it resolves names to IPs..

.If bluecot is used as you mentioned, then it should be used as the gateway and not as a proxy.

Therefore if its used as a gateway it can filter or act as a firewall for that subnet..

As I mentioned, I would strongly recommend testing it at first without proxy IE settings and without bluecot jsut to make sure that its working with a simple deployment...

View solution in original post

13 REPLIES 13
Highlighted
Enthusiast

99.9999% chance your DNS is hosed (or non-existent)

But I could be wrong.

If you can type in any IP address and get redirected, but typing in a name doesn't get you anywhere, then my money is on "DNS is not resolving www.google.com to an IP address, therefor the client is never making an HTTP request, which is why we aren't redirecting it...."

Want to prove it?   Run Wireshark against the wireless NIC of a client.

I bet you see it query www.google.com all day long with no response.

If the client doesn't make an HTTP Request (which requires an IP address and ARP of gateway), then the WLC has nothing to hijack and redirect.

-Wesley Terry

Highlighted

Of course I totally missed that you said you're using NSLOOKUP to return an address....  so that would typicaly invalidate my DNS theory..

I vote on the client side packet capture, and you post it here.

Highlighted
Enthusiast

the DNS that you are using is a public DNS? or your own private DNS?

Please make sure that the name that you configured on the virtual IP address is matching the virtual IP configured as a host in your DNS.

The problem is with names, and therefore as has already being mentioned... is 99.9%is a DNS issue...

Try this:

disable firewalls, and ACLs.

Disable web authetnication.

Test the nslookup with the name of the virtual interface and your DNS should provide the virtual interface IP address.

enable web authentication.

run ipconfig /flushdns

use nslookup again and look for the virutal interface name and see what the DNS is replying back, then try google.com and you should still be getting the IP address of the virtual interface since the WLC should be hijacking it..


If still not working please save cofniguration and reload the WLC test it again.

If none of above recommentaions are working for you ,please give us more details and pack captures while issue is happeneing and the url that is showing up in the internet explorer or Firefox....

Oh, by the way, every time you restart the wireless connection, please CLOSE the web browers and open those again..

Highlighted

thank you for best support, i attached network diagram

all client must use proxy in internet explorer for access internet

now i create ssid for web authen use authentication mothod

virtual interface ip : 1.1.1.1  hostname ip : 137.40.78.5

use private DNS

when i nslookup form clients it's show name only ip and name of bluecoat

why cisco don't be config to easy

Highlighted

ok there you go... well, jsut a question is why would you use web authentication when you are using a proxy server?? isnt it possible to use the proxy as web authentication or web redirect?

The WLC will try to redirerct to the virtual interface, therefore how can it be redirected to another IP while he is being proxy?

For me it doesnt make sense having an additional proxy.  why dont you just try using it without the proxy feature and as it is recommended?

Remeber that the web authentication is a method that intereracts with DNS intercepting it and therefore it redirects the traffic to the virtual IP at first so the client can see the page to be authenticated. SO what youare making on using both methods is adding a force redirect of all the traffic to another IP... so thats when the problems start showing up. so even if the WLC is telling the client to go to 1.1.1.1 the client is going to PROXY... and WLC WILL not allow another other traffic to be sended to any other IP than 1.1.1.1 or its interface domain name...

Highlighted

dmantill,    two things to remember:

siriphan says that everything works if they browse via IP Address. If that is a true statement, then proxy generally doesn't behave differently based on IP or Hostname look ups.

Often when people use a "proxy" like bluecoat, they are using it for web filtering and logging (not neccessarily for authentication). If its a wccp implementation, then its all handled in the background...

sirphan,

I think the best explanation you're going to get is by looking at the wireshark capture of a client who has a problem.  We can all speculate all day long, but right now there is no real explanation for why nslookup works and clients only redirect if they type IP address instead of name.....

Highlighted

By the way, when you do get a capture, make sure you capture a non-working scenario as well as a working scenario.   With the working scenario, use the IP address of the webserver for example, 74.125.224.50 is a www.google.com address.

-Wesley Terry

Highlighted

AFAIK ... DNS server does not resolves IPs to iPs.. it resolves names to IPs..

.If bluecot is used as you mentioned, then it should be used as the gateway and not as a proxy.

Therefore if its used as a gateway it can filter or act as a firewall for that subnet..

As I mentioned, I would strongly recommend testing it at first without proxy IE settings and without bluecot jsut to make sure that its working with a simple deployment...

View solution in original post

Highlighted

Now i remove proxy on clients , the clients can redirect Web authen, but when i remove internet connectivity from WLC user can't redirect.

How configuration WLC for web authen without internet connection

diagram

No internet

WLC ==== Switch ==== AP ))) Clients

Client can connect and get DHCP from WLC but not resolve by dns because not have internet connection

Please helph

Highlighted

You cannot be redirected by the WLC if you do not make an HTTP Request.

You cannot make an HTTP Request if you do not know the IP Address of the http://website.com

You cannot get the IP address if you do not provide DNS services.

So... Bottom line is that you need to provide some form of DNS, otherwise for users to "web authenticate" they would have to type in an IP address for the web server instead of a name, since a computer doesn't make HTTP Requests to a name.....

Highlighted

Siriphan

Thanks for the update.

Well basically, as Weterry mentioned, you need an accessible DNS server.

Thats the only way to make the redirection work with names.. WLC hijack the DNS and place the virtual interface name as the address to the one the wireless client so they resolve it in order to access the webauthentnication page.  So, DNS  is a MUST... that is why when using webnauthentication, it only allow traffic to go from wireless client to DNS and to virtual IP address/name.

Why dont you try setting up a private DNS for your cliennts?

Highlighted

Can anyone tell me how to make Guests redirect to another web page without authentication

when Guests connect to network they must be redirected to (google.com) without additional page or authentication and get access to internet 

Highlighted

Redirect happens with an initial page the user hits first then comes a redirect. I don’t think you can just do a straight redirect with a controller. You might have to do some custom html that auto “accepts” but the user probably would see a page pop up and then gets redirected.
-Scott
*** Please rate helpful posts ***
Content for Community-Ad