
Local Captive portal in ewc controller without ISE AD

Hi,

I have a 9115 EWC controller and, like other OEMs such as Ruckus and Aruba, I want to configure a local guest captive portal SSID, but internal webauth is not working.

I checked the Cisco documents too, but all of them are with either ISE or LDAP or an external web page.

I just want internal web page for SSID redirect and internal Guest user for access 


 

MHM

In the policy section I don't find any mobility tab like in the blog.

 


 

This is needed only for HA, this step is OP

MHM

After connecting to the SSID it got directly connected and is not popping up the login page, but when I do https://<virtual-ip> it opened the login page.

 


 

MHM

@Sharanjeet_Kumar 

As per your description below, you might be missing the ACL configuration. If you are able to reach the Guest portal by using the WLC virtual IP, but you are not getting there when testing from the wifi network, that means the redirect is not taking place.

You need to deny the traffic on port 80. Take a close look at "4. Configuring Pre-Auth Web Authentication ACL (GUI)"

Hi @Flavio Miranda 

I have added the ACL and applied it to the guest SSID, but it is still not redirecting.

Perhaps I am missing a little thing.
Still, after the SSID got connected, when I search https://192.0.2.1 the Cisco page opened.

PHH!!!

Also, when I apply the pre-auth ACL in the advanced security section, neither the redirect happened nor did https://192.0.2.1 open.
After removing the ACL the redirect still did not happen, but I am able to open https://192.0.2.1 and the Cisco default webauth login page was opening.

 

 

 

@Sharanjeet_Kumar 

 You need the ACL. 

What about DNS? When you connect to the guest SSID, are you receiving DHCP and DNS? Can you test?

Yes, I already applied the ACL in the pre-auth field,
and I have DHCP configured on my Cisco switch, and after connecting I am receiving an IP with DNS and DHCP IPs.

Got it. Your DHCP comes from the switch, and what about your DNS server? Is it local?

There are two things that usually cause problems with the URL redirect in guest networks: access list and DNS.

https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/

The ACL is maybe more important.

FlavioMiranda_0-1735209223433.png

You can see that the ACL allows you to communicate with DNS server, DHCP server and deny everything else.

The deny is responsible for the redirect. You can change that and deny the HTTP/HTTPS traffic instead.

Pay attention to the browser. Sometimes the redirect occurs only with HTTP traffic, but browsers nowadays will always use HTTPS first.

Make sure that, when connected to the guest SSID, you can reach your DNS server. You can run the nslookup command to test the DNS.

We don't have any DNS server in the infra; we are using 8.8.8.8 as the DNS server.
We have a simple topology:
ISP-->Router-->Switch(DHCP SERVER)-->WLC/AP-->Lan/WiFi Users
I have denied HTTP and HTTPS traffic in the ACL but still no luck.

Now it is redirecting but opening just some Edge page.


The ACL is now good also.

Client status

@Sharanjeet_Kumar 

Is it redirecting? Did you authenticate before you got this MSN page?