
Splash Page Redirect for Mobile Phones

jpl861
Level 4

Hi,

 

We are trying to implement splash page redirect for mobile phones and we can't get it working. On the WLC, we configured the security to use web policy/splash page web redirect. I didn't define an ACL for now. On the ACS 5.x server, I defined an authorization profile that uses cisco-av-pair and the corresponding URL. The user can authenticate successfully and browse the internet, but no redirection is happening. I also tried to define an ACL (which is just permit any any) but got the same result.

 

Can someone help me here?

 

Thanks,

John

23 Replies

Derrick Hurley
Level 1

In the WLAN advanced settings tab for that WLAN make sure AAA Override is checked.

 

-Derrick

Yes. That one is checked but still not working.

If you click on a client and look at the client details, do you see the redirect URL in there under Security Information?
If not, you may check your configurations on the ACS and make sure it's part of your access-accept policy. Can you post screenshots of your ACS config?

Hi,

 

Where can I see that? Sorry, I am working remotely, so I can only ask office employees to try it out for me. They are testing it using iPhone and Android phones. Based on the logs of the ACS server, it is sending the URL back to the client as a result of the matched condition in the Access Policy.

 

I only configured the following under the authorization profile: 1) URL for Redirect 2) URL Redirect ACL. There is no option not to configure #2, as it is a required field if #1 was filled out. The ACL is basically permit any, which I configured in the WLC under the ACL section in the Security tab. I used that same name for #2 as the pre-authentication ACL. I don't know what the ACL should look like, as I cannot find a good example anywhere else. I tried both permit any and deny any but got the same results. However, the ACL counter in the WLC increments significantly.

 

Thanks!

 

The user can browse the internet after entering his credentials. On the ACS, we mapped the entire domain users group to be allowed to access wireless. I tried using both FQDN and IP as redirect URL but nothing works.

Hi John,

 

Please share "show wlan <wlan-id>" & "show client detail <test-client-macaddr>" outputs from the WLC. 

Redirect ACL can be configured as the attached example and double confirm whether the ACL is mapped on the WLAN. 

 

Regards,

Divya

Hi,

 

Here's the output. I will try to copy your redirect ACL and test. Let me know if you see anything wrong with my configuration. Thank you so much! Really appreciate all the help.

 

(Cisco Controller) >show wlan 4


WLAN Identifier.................................. 4
Profile Name..................................... IS_TEST
Network Name (SSID).............................. IS_TEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Disabled
AAA Policy Override.............................. Enabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum Clients Allowed.......................... Unlimited
Maximum number of Clients per AP Radio........... 200


ATF Policy....................................... 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... none
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ sykes-open-access
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
WLAN URL ACL..................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured


PMIPv6 Mobility Type............................. none
    PMIPv6 MAG Profile........................... Unconfigured
    PMIPv6 Default Realm......................... Unconfigured
    PMIPv6 NAI Type.............................. Hexadecimal
    PMIPv6 MAG location.......................... WLC
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Disabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled


CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... 802.1P (Tag=0)
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ 10.199.64.254 1812 *
   Accounting.................................... 10.199.64.254 1813 *
      Interim Update............................. Enabled
      Interim Update Interval.................... 0
      Framed IPv6 Acct AVP ...................... Prefix
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Mu-Mimo.......................................... Enabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Adaptive


   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      OSEN IE.................................... Disabled
      Auth Key Management
         802.1x.................................. Enabled
         PSK..................................... Disabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
         OSEN-1X................................. Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   Wi-Fi Direct policy configured................ Disabled


   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Enabled
        IPv4 ACL........................................ acl-redirect
        IPv6 ACL........................................ Unconfigured
        Web-Auth Flex ACL............................... Unconfigured
        Web Authentication server precedence:
        1............................................... local
        2............................................... radius
        3............................................... ldap
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled


   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
    Split Tunnel................................. Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Enabled
802.11k Neighbor List Dual Band.................. Disabled


802.11v Directed Multicast Service............... Enabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled
Broadcast Tagging................................ Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status                             Priority
 -------     ---------------       ------                             --------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------


Priority  Policy Name
--------  ---------------

Lync State ...................................... Disabled
Audio QoS Policy................................. Silver
Video QoS Policy................................. Silver
App-Share QoS Policy............................. Silver
File Transfer QoS Policy......................... Silver
QoS Fastlane Status.............................. Disable

 

Thanks,

John

Hi,

 

Thanks for sharing the WLAN details. Please share the client detail o/p.

 

Regards,

Divya

Hi Divya,

What o/p?

Thanks,
John

If you mean output, we are getting different results. When I asked the user to connect using his Android phone, after successful authentication, a browser opened but went to google.com right away although I configured an internal IP address. Can't connect using iPhone.

Without doing any change, iPhone redirected to this URL, http://captive.apple.com/

Hi John,

 

Yes, o/p means output :)

Though the client behaviour is different, I would like to see the client state on the Controller. Share the "show client detail <macaddr>" for both Android & iPhone clients.

 

Regards,

Divya 

 

Here's the output of one connected Android device. The user said it can connect to internet and browse but no redirection.

(Cisco Controller) >show client detail 5c:70:a3:7d:82:cc
Client MAC Address............................... 5c:70:a3:7d:82:cc
Client Username ................................. apac\xxxxxxx
AP MAC Address................................... 2c:33:11:23:08:c0
AP Name.......................................... LWAP010
AP radio slot Id................................. 0
Client State..................................... Associated
Client User Group................................ apac\xxxxxxx
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. TEST_IS
Wireless LAN Profile Name........................ TEST_IS
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 2c:33:11:23:08:c2
Connected For ................................... 76 secs
Channel.......................................... 11
IP Address....................................... 10.166.55.218
Gateway Address.................................. 10.166.52.1
Netmask.......................................... 255.255.252.0
IPv6 Address..................................... fe80::5e70:a3ff:fe7d:82cc
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1

--More-- or (q)uit
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... No E2E support
Re-Authentication Timeout........................ 1734
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
Avg Uplink data Rate............................. 0
Burst Uplink data Rate........................... 0
Avg Uplink Real time data Rate................... 0
Burst Uplink Real Time data Rate................. 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
Qos Map Capability............................... Yes
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Current Rate..................................... m10
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local

--More-- or (q)uit
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
AAA Override ACL Name............................ acl-redirect
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. http://10.199.66.200
Audit Session ID................................. f50ac70a001a1d4377afd759
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
URL ACL Name..................................... none
URL ACL Applied Status........................... Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile

--More-- or (q)uit
No. of mDNS Services Advertised.................. 0
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... PEAP
FlexConnect Data Switching....................... Central
FlexConnect Dhcp Status.......................... Central
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central
FlexConnect Central Association.................. No
Interface........................................ open-access
VLAN............................................. 1980
Quarantine VLAN.................................. 0
Access VLAN...................................... 1980
Local Bridging VLAN.............................. 1980
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented

--More-- or (q)uit
Listen Interval............................ 1
Fast BSS Transition........................ Not implemented
11v BSS Transition......................... Implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 28893
Number of Bytes Sent....................... 44830
Total Number of Bytes Sent................. 44830
Total Number of Bytes Recv................. 28893
Number of Bytes Sent (last 90s)............ 44830
Number of Bytes Recv (last 90s)............ 28893
Number of Packets Received................. 216
Number of Packets Sent..................... 158
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0

--More-- or (q)uit
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 253
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 14
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -74 dBm
Signal to Noise Ratio...................... 22 dB
Client Rate Limiting Statistics:
Number of Data Packets Received............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Received.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Received........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Received.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0

--More-- or (q)uit
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
PHKPTLWAP011(slot 0)
antenna0: 29 secs ago.................... -87 dBm
antenna1: 29 secs ago.................... -82 dBm
PHKPTLWAP010(slot 0)
antenna0: 8 secs ago..................... -75 dBm
antenna1: 8 secs ago..................... -74 dBm
PHKPTLWAP002(slot 0)
antenna0: 19 secs ago.................... -95 dBm
antenna1: 19 secs ago.................... -92 dBm
PHKPTLWAP007(slot 0)
antenna0: 9 secs ago..................... -77 dBm
antenna1: 9 secs ago..................... -81 dBm
PHKPTLWAP003(slot 0)
antenna0: 8 secs ago..................... -94 dBm
antenna1: 8 secs ago..................... -92 dBm
PHKPTLWAP001(slot 0)

--More-- or (q)uit
antenna0: 8 secs ago..................... -63 dBm
antenna1: 8 secs ago..................... -63 dBm
PHKPTLWAP001(slot 1)
antenna0: 8 secs ago..................... -69 dBm
antenna1: 8 secs ago..................... -66 dBm
DNS Server details:
DNS server IP ............................. 208.67.222.222
DNS server IP ............................. 208.67.220.220
Assisted Roaming Prediction List details:


Client Dhcp Required: False
Allowed (URL)IP Addresses
-------------------------

AVC Profile Name: ............................... none
Fastlane Client: ................................ No

Hi,

 

Looks like the client is getting the redirect URL and moving to RUN state. Do you see this redirect URL in the client while testing?

 

Policy Manager State............................. RUN
AAA Override ACL Name............................ acl-redirect
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. http://10.199.66.200

 

Regards,

Divya

No. There was one instance where an iPhone automatically opened a browser after successful authentication. However, it opened captive.apple.com and not http://10.199.66.200 as stated in my url-redirect. Another test was done from an Android phone and this time, it opened www.google.com.
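
The checks requested in the replies above (AAA override on the WLAN, the redirect URL and ACL in the client details, the ACL mapped on the WLAN, the client's policy state) can be read out of the pasted CLI text mechanically. The following Python is an added example, not part of the thread and not Cisco tooling; the function names are hypothetical, and the sample text is a short excerpt of the outputs posted above.

```python
import re

# "Key........ value" rows as printed by the controller CLI in this thread.
ROW = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(.*?)\s*$")


def parse_wlc_output(text):
    """Return {key: value} for dotted rows; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("--More--"):  # pager prompt pasted with the output
            continue
        m = ROW.match(line)
        if not m:
            continue
        key = m.group(1).strip(" .:")
        if key:  # skip continuation rows that consist only of dots
            fields.setdefault(key, m.group(2))
    return fields


def redirect_checklist(wlan, client):
    """Collect the items the replies asked about (hypothetical helper)."""
    wlan_acl = wlan.get("IPv4 ACL")  # the row nested under Splash-Page Web Redirect
    client_acl = client.get("AAA Override ACL Name")
    return {
        "wlan_aaa_override": wlan.get("AAA Policy Override") == "Enabled",
        "wlan_splash_redirect": wlan.get("Splash-Page Web Redirect") == "Enabled",
        "client_redirect_url": client.get("AAA URL redirect"),
        "client_acl_applied": client.get("AAA Override ACL Applied Status") == "Yes",
        "acl_names_match": wlan_acl is not None and wlan_acl == client_acl,
        "policy_manager_state": client.get("Policy Manager State"),
    }


# Excerpts of the "show wlan 4" and "show client detail" outputs posted above.
WLAN_SAMPLE = """\
AAA Policy Override.............................. Enabled
WLAN IPv4 ACL.................................... unconfigured
   Splash-Page Web Redirect...................... Enabled
        IPv4 ACL........................................ acl-redirect
        IPv6 ACL........................................ Unconfigured
"""

CLIENT_SAMPLE = """\
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local

--More-- or (q)uit
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
AAA Override ACL Name............................ acl-redirect
AAA Override ACL Applied Status.................. Yes
AAA URL redirect................................. http://10.199.66.200
IPv4 ACL Name.................................... none
"""

if __name__ == "__main__":
    report = redirect_checklist(parse_wlc_output(WLAN_SAMPLE),
                                parse_wlc_output(CLIENT_SAMPLE))
    for item, value in report.items():
        print(f"{item:24} {value}")
```

The report only restates what the controller shows for the WLAN and the client; it does not observe what the phone's browser actually requested.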