01-23-2012 04:10 AM - edited 03-04-2019 02:59 PM
Hi,
I have a WLC 3750 and use the web authentication method with the internal login-page. Now I would like to add a link to a PDF document which is supposed to be available before logging in. In other words: Clients connect to the W-LAN and get access to the login-page. They can download the PDF document (which has by the way a size of ca 10MB) from the login-page and after that they login to get access to the internet.
As far as I understood the manuals I won't be able to use the internal login-page because the size of a file is not allowed to be bigger than 1MB.
So I thought about using the external authentication by using the webserver of my website. Unfortunately the IP address of my website doesn't work. Behind this IP address there's more than one website hosted. So I can't use my webserver either ...
Is there any other possibility to add this PDF (size 10MB) on the login-page? Maybe I can add my website to a kind of a "pass through list" which is accessible even without authentication?
Thanks in advance!
01-23-2012 05:04 AM
I think even the pass-through will have the same issue. All your files need to be hosted on the WLC itself. Restriction of 1MB would still be applicable, I assume. I think you can re-explore the external authentication again. You can host multiple websites on the same server using same IP address. Probably, using host header names?
Because I remember uploading a file of 1.5MB on WLC & it failed for me as well. So, had to make things work via External web auth.
Thanks
Vivek
01-23-2012 05:12 AM
Hey Vivek,
thanks for your quick reply. I was more thinking of a "white-list" which provides access for one specific website. So in other words: Clients connect to my W-LAN, open their browser and get redirected to the loginpage (which is hosted internal on the WLC). But on this login-page there's a link to my website (and on this website my PDF file is hosted). They can access that particular website even without authentication.
So I want a specific website to be accessible even without authentication. No matter if the authentication is internal or external.
Is there any solution for this problem?
And yes I guess the webserver's using host head names. So I don't see any chance to get the external web authentication to work on that webserver.
Thanks!
01-23-2012 05:19 AM
Oh yes, your idea seems to be perfect. I think that should work. There is a sample available on the Cisco site in the WLC auth bundle. You need a CCO account to download the bundle. In that you will find the sample pass-through configs.
Good Luck & let me know if it works. Eager to know
Thanks
Vivek
01-23-2012 05:47 AM
Hey,
thanks again for your quick response. I got the web authentication bundle and I found the pass-through configs. Still, I'm not sure if that is what I want. Just to be sure:
I still want the authentication by a login-page. So clients have to type in their username and their password to get access to the entire internet. But before logging in clients are able to get access to one specific website. On this website my PDF-file will be hosted. A link to this specific website shall be on the login-page. Clients shall not be able to get access to the entire internet before logging in.
As far as I understood the pass through config from the web authentication bundle is just a website usually with a policy clients have to accept. But that's not what I want.
Do you think your idea is still working? Or did I understand something wrong?
Thanks for your help!
01-23-2012 06:33 AM
Got it. Your requirement is to have authentication as well. Then pass-through will not help, as it's an insecure mechanism. To get things working, you need to select the Customized (Downloadable) option. What you may do:
1) Create a customized login.html site, in which you can have a link to the website with the PDF file hosted. NOTE: you may need to create a pre-auth ACL to allow access to that website (IP address of the website).
2) Is that PDF a kind of Security policy / Usage Guidelines etc.? If yes, then probably you can have a NOTE on your login page that users may need to navigate to the link in order to read the security policy etc. Once they have downloaded it, they can then authenticate with their login credentials.
Is this what you are looking for? If yes, then your option is Customized (Downloadable).
01-23-2012 06:41 AM
Hi,
YES that's exactly what I want!
Still two questions
First: Do I need to take the customized(Downloadable) option or can I just add the link to the internal login.html? I can edit the internal login.html under Security - Web Auth - Web Login Page
Second: As you said I need to create the ACL. I thought about something like this: Is this correct?
I typed in the IP address of the website I want to upload my PDF to. What shall I type in for the netmask?
Thanks again for your help! I highly appreciate it!
btw I don't have any other ACL.
01-23-2012 06:50 AM
I feel it's better to select the Customized (Downloadable) option. Editing internal login.html may goof up something (I personally don't prefer it). Though you can give it a try by editing the HTML page (internal).
Secondly, your ACL. Netmask would be 255.255.255.255. You need two ACLs. One inbound, another outbound. So, it should look something like this:
Seq 1
Src : Any
Dst : PDF webserver IP
Netmask : 255.255.255.255
Direction : Outbound
Action : Permit
Seq 2
Src : PDF web server IP
Dst : Any
Netmask : 255.255.255.255
Direction : Inbound
Action : Permit.
01-23-2012 07:01 AM
Hey,
alright regardless of the login-page I tried to use your settings but it didn't work. Anything else I have to take care of?
I created a new ACL with two rules with the exact same data you have given to me. I typed in the IP address of my webserver. Then I let my client connect to the W-LAN but without authentication. Then I tried to type in the URL of my website, but it still redirected me to the Login-Page of the Cisco Controller.
Anything I did wrong? Or did I misunderstand something?
01-23-2012 07:32 AM
Ok, if the URL you are typing is a name (e.g. http://mywebserver.com/pdf.html) then the DNS server should also be allowed via the pre-auth ACL. If it's an IP address only, then I assume the ACLs should work fine.
01-23-2012 08:41 AM
Vivek thank you sooo much! I got it to work
I created two new rules for the DNS-Server. Then I had to select the ACL under the W-LAN Security/Layer 3 Tab. And last but not least I had to switch the outbound/inbound server. So it didn't work with "Src:Any", "Dest: PDF Webserver IP" and "Direction Outbound". But it worked the opposite way so "Src:Any", "Dest: PDF Webserver IP" and "Direction Inbound". The same with the other rules. I just tried it this way after reading this manual:
Btw for everyone who tries to do the same: If you insert a link on the login.html don't forget to type in "http://". Otherwise it will stay on the Controller and the link will look something like "http://1.1.1.1/login.html,redirect=LINK".
So now everything's working fine and again thank you Vivek for your incredible help!
01-23-2012 06:19 PM
Great to hear that & thanks for letting me know. Have a great time.
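Added example (not part of the original thread and not Cisco code): a simplified Python model of the pre-auth ACL worked out above, showing why the rules as first posted still redirected, why swapping the directions allowed access by IP, and why the DNS rules were needed for access by name. It assumes "inbound" means traffic arriving from the wireless client and that the ACL ends in an implicit deny; all IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address

WEB = "192.0.2.10"     # constructed: PDF web server
DNS = "192.0.2.53"     # constructed: DNS server
CLIENT = "10.0.0.25"   # constructed: unauthenticated wireless client

@dataclass
class Rule:
    src: str            # "any" or a host IP (netmask 255.255.255.255)
    dst: str
    direction: str      # "in" = from wireless client, "out" = to wireless client
    action: str = "permit"

def _match(spec, ip):
    return spec == "any" or ip_address(spec) == ip_address(ip)

def permitted(acl, src, dst, direction):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in acl:
        if r.direction == direction and _match(r.src, src) and _match(r.dst, dst):
            return r.action == "permit"
    return False

def can_fetch(acl, server, by_name):
    """Can a client that has not logged in yet complete request + reply to server?"""
    def round_trip(host):
        return (permitted(acl, CLIENT, host, "in")
                and permitted(acl, host, CLIENT, "out"))
    if by_name and not round_trip(DNS):   # the name must resolve first
        return False
    return round_trip(server)

# Rules as first suggested in the thread: directions do not match the traffic.
AS_POSTED = [Rule("any", WEB, "out"), Rule(WEB, "any", "in")]
# Directions swapped, as in the working configuration.
SWAPPED = [Rule("any", WEB, "in"), Rule(WEB, "any", "out")]
# Plus the two DNS rules, so the link can use a host name.
WITH_DNS = SWAPPED + [Rule("any", DNS, "in"), Rule(DNS, "any", "out")]

if __name__ == "__main__":
    for name, acl in [("as posted", AS_POSTED), ("swapped", SWAPPED),
                      ("swapped + DNS", WITH_DNS)]:
        print(f"{name:14} by IP: {can_fetch(acl, WEB, False)!s:5} "
              f"by name: {can_fetch(acl, WEB, True)}")
    # Everything else stays blocked until the user logs in.
    print("other host    :", can_fetch(WITH_DNS, "198.51.100.7", True))
```

The last check is the one to keep an eye on when extending the ACL: each permitted host is reachable without authentication, so the list should stay limited to the PDF server and the DNS server.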