48868 Views, 55 Helpful, 14 Replies

Cisco WLC : config network web-auth captive-bypass enable

jagan.chowdam
Level 4

Hi All,

What does the following command do?

config network web-auth captive-bypass enable : 

Will this command allow Apple devices to open a web browser automatically to input Web Auth credentials when they connect to the SSID? 

I've a controller - WiSM2 acting as Foreign and 5508 in the DMZ acting as Anchor for Guest traffic. All internal traffic is terminated on the WiSM2.

2 SSIDs: internal with Web-auth against LDAP; Guest with Web-auth passthrough.

On both Controllers, I've enabled "config network web-auth captive-bypass". Both controllers are running AireOS code 8.0.100.0.

Apple devices are not opening web-browser automatically when they connect to the SSID. 

If you open the browser and enter google.com or anything; then it'll be redirected to the Web-Auth login page.

 

Do I need to enable config network web-auth captive-bypass or disable it?

Thanks,

Jagan


Saurav Lodh
Level 7

Information About Captive Bypassing

WISPr is a draft protocol that enables users to roam between different wireless service providers. Some devices (For example, Apple iOS devices) have a mechanism using which they can determine if the device is connected to Internet, based on an HTTP WISPr request made to a designated URL. This mechanism is used for the device to automatically open a web browser when a direct connection to the internet is not possible. This enables the user to provide his credentials to access the internet. The actual authentication is done in the background every time the device connects to a new SSID.

This HTTP request triggers a web authentication interception in the controller as any other page requests are performed by a wireless client. This interception leads to a web authentication process, which will be completed normally. If the web authentication is being used with any of the controller splash page features (URL provided by a configured RADIUS server), the splash page may never be displayed because the WISPr requests are made at very short intervals, and as soon as one of the queries is able to reach the designated server, any web redirection or splash page display process that is performed in the background is aborted, and the device processes the page request, thus breaking the splash page functionality.

For example, Apple introduced an iOS feature to facilitate network access when captive portals are present. This feature detects the presence of a captive portal by sending a web request on connecting to a wireless network. This request is directed to http://www.apple.com/library/test/success.html for Apple iOS version 6 and older, and to several possible target URLs for Apple iOS version 7 and later. If a response is received, then the Internet access is assumed to be available and no further interaction is required. If no response is received, then the Internet access is assumed to be blocked by the captive portal and Apple's Captive Network Assistant (CNA) auto-launches the pseudo-browser to request portal login in a controlled window. The CNA may break when redirecting to an ISE captive portal. The controller prevents this pseudo-browser from popping up.

You can now configure the controller to bypass WISPr detection process, so the web authentication interception is only done when a user requests a web page leading to splash page load in user context, without the WISPr detection being performed in the background.

Source: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010101.html

Hi,

A quick question: if the client wants the web browser window to auto-launch when he tries to connect to the SSID, do I need to enter "config network web-auth captive-bypass enable" or "config network web-auth captive-bypass disable"?

Thanks,

Jaganmohan Chowdam

Accepted Solution:

When 'enabled' you have to manually open a webpage to get the screen. When 'disabled' it will auto launch.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks George.

Jagan

Hi Jagan,

Has the problem been solved?

I wonder if something got changed in this behavior. We run version 8.0.121 on WLC 5508. Here is an excerpt from our "show network summary":

Web Auth Captive-Bypass   .................. Disable

We have Apple iPhone devices running iOS 10.2.1 and none of them display the pseudo-browser window. Every time we have to manually open a browser and navigate somewhere in order to be redirected. Very annoying.

mohanak
Cisco Employee

iDevices have a mechanism to detect if there is a WebAuth required on the current wireless connection (Internet access detection). This is done using a WISPr request over HTTP to an apple.com address.

By default on WebAuth, this connection is intercepted by the WLC, and a login page is presented to the user as soon as the phone starts this captive portal detection. This allows the user to get a quick credential prompt, authenticate directly, and get access to the network.

The captive portal request process has a different handling on the device side than a normal web client triggered by a user on the device. This leads to implications for features like splash page support, login redirection, or untrusted certificate handling. Starting with Release 7.2, the redirection can be disabled with the config network web-auth captive-bypass enable command. This allows the WLC to "spoof" the answer expected by the device, and it marks the wireless connection as having Internet access without any credential prompt.

 

There are a couple of workarounds that I know about, but only one that is really feasible.

1) You can disable auto-login under WLAN settings on the Apple device.  This of course requires a user to know how to do that – or a call to the help desk for assistance.

2) On the Cisco WLC (Wireless LAN Controller), there is a CLI only command that will bypass this “controlled windows” behavior on the Apple device.

(Controller)> config network web-auth captive-bypass enable

With solution #2, you can now see the WebAuth redirect page in the Apple device’s browser.
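To make the two states of the command concrete, here is an added Python model of the exchange that the quoted Cisco documentation above and the reply just above both describe (the iOS probe, the controller's interception, and the "spoofed" success answer). It is an illustration written for this thread, not Cisco or Apple code. The exact success-page body, the second probe URL, the iOS User-Agent string and the login URL 192.0.2.1 are assumptions, marked as such in the comments; the offline part of the block constructs every request and response itself.

```python
"""
Model of the iOS captive-portal probe against a Cisco WLC web-auth WLAN,
in both captive-bypass states.  Added example for this thread, not Cisco
code; the probe URLs, success-page body, login URL and User-Agent are
assumptions stated in the comments.
"""
from dataclasses import dataclass, field
import http.client
from urllib.parse import urlsplit

# Probe targets: the iOS <= 6 URL quoted in the thread plus one of the
# later targets (assumed; iOS 7+ rotates through several).
PROBE_URLS = [
    "http://www.apple.com/library/test/success.html",
    "http://captive.apple.com/hotspot-detect.html",
]
# What Apple's success page returns and what the "spoofed" answer must
# look like for the CNA to stay quiet (assumed body).
SUCCESS_BODY = ("<HTML><HEAD><TITLE>Success</TITLE></HEAD>"
                "<BODY>Success</BODY></HTML>")
# Constructed virtual-interface login URL; real deployments use their own.
LOGIN_URL = "https://192.0.2.1/login.html"


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def wlc_handle(request_url: str, captive_bypass: bool) -> HttpResponse:
    """Web-auth interception of an unauthenticated client's port-80 request."""
    host = urlsplit(request_url).hostname or ""
    if captive_bypass and (host == "apple.com" or host.endswith(".apple.com")):
        # captive-bypass enable: answer the detection probe as if the
        # Internet were reachable; the device marks the WLAN as "online".
        return HttpResponse(200, {"Content-Type": "text/html"}, SUCCESS_BODY)
    # captive-bypass disable (the default): every HTTP request, probe
    # included, is redirected to the portal, which is what the CNA needs.
    return HttpResponse(302, {"Location": f"{LOGIN_URL}?redirect={request_url}"})


def classify(resp: HttpResponse) -> str:
    """'open' when the answer matches the success page, else 'captive'."""
    if resp.status == 200 and "Success" in resp.body and "Location" not in resp.headers:
        return "open"
    return "captive"


def cna_launches(captive_bypass: bool) -> bool:
    """True when the pseudo-browser would auto-open on joining the SSID.

    Per the quoted doc, one successful probe is enough to abort the prompt,
    so the CNA launches only if no probe gets the success page."""
    return not any(classify(wlc_handle(url, captive_bypass)) == "open"
                   for url in PROBE_URLS)


def probe_live(url: str, timeout: float = 3.0) -> str:
    """Send the probe for real from a client on the WLAN (not run offline)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        # User-Agent resembling the iOS probe (assumed string).
        conn.request("GET", parts.path or "/",
                     headers={"Host": parts.hostname,
                              "User-Agent": "CaptiveNetworkSupport/1.0 wispr"})
        r = conn.getresponse()
        body = r.read().decode("utf-8", "replace")
        return classify(HttpResponse(r.status, dict(r.getheaders()), body))
    except OSError:
        return "captive"  # unreachable counts as blocked, like the CNA
    finally:
        conn.close()


if __name__ == "__main__":
    for state in (False, True):
        word = "enable" if state else "disable"
        print(f"captive-bypass {word}: CNA auto-launch = {cna_launches(state)}")
    # A user-typed page is still intercepted in both states.
    print("google.com while enabled ->", wlc_handle("http://www.google.com/", True).status)
```

Running the offline part shows the thread's answer in one line each: with captive-bypass disabled the probe is redirected and the CNA launches; with it enabled the probe gets the success page, the CNA stays closed, and only a page the user types (google.com) is redirected to the portal. `probe_live()` can be pointed at either probe URL from a phone or laptop associated to the SSID to check what the controller actually returns.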

Hi All,

Thanks for the reply. I've enabled captive-bypass on both Controllers (Anchor & Foreign). I can verify it from the "show network summary" output.

For Anchor Controller:

(Cisco Controller) >show network summary

RF-Network Name............................. xxxxxx
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Unicast
IPv6 AP Multicast/Broadcast Mode............ Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 7200 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Enable
Web Auth Secure Web  ....................... Enable
Web Auth Secure Redirection  ............... Disable
Fast SSID Change ........................... Enabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
WebPortal NTF_LOGOUT Client ................ 0
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Red
Capwap Prefer Mode.......................... IPv4

 

For Foreign Controller:

(WiSM-slot5-1) >show network summary

RF-Network Name............................. xxxxxx
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Enable
IPv4 AP Multicast/Broadcast Mode............ Unicast
IPv6 AP Multicast/Broadcast Mode............ Unicast
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 7200 seconds

ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Enabled
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Enable
Web Auth Secure Web  ....................... Enable
Web Auth Secure Redirection  ............... Disable
Fast SSID Change ........................... Enabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable

WebPortal Online Client .................... 0
WebPortal NTF_LOGOUT Client ................ 0
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Default
Capwap Prefer Mode.......................... IPv4

 

I'm still getting complaints that the Apple devices' redirect page does not pop up automatically. Users have to manually open a browser and type google.com to be redirected to the Web-auth login page.

Anything I'm missing in the configuration?

Thanks,

CJ

Hi CJ, did you ever get this working? I'm looking into this issue as I've had a few guests with similar issues, and I wanted to verify that you had rebooted your system for this to take effect.

Hi CJ,

You have to configure config network web-auth captive-bypass disable if you want the iOS device to automatically open the pseudo-browser with the login screen.
 

TM13
Level 1

So which one is right to make the auto-login page show up, enable or disable? This is so annoying.

Disable for auto-login page

After disabling it, it's working.

gautham.com
Level 1

There is no need to reset the system for newer codes on WLC. We can disable captive-bypass on WLAN settings>Layer 3>Security or we can also disable it globally on CLI. In my case I had to disable it globally & also on WLAN settings.
