Web-auth redirect not working

bgp.ripe901
Level 1

 

When I connect to my SSID, there is no automatic redirect to https://1.1.1.1/

But when I enter the URL https://1.1.1.1 by hand, everything works OK!

 

WLC-5508 - software: 8.0.152.0
 

My config:

 

WLAN Identifier.................................. 16
Profile Name..................................... Guest-WEB
Network Name (SSID).............................. Guest-WEB
Status........................................... Enabled

Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ web-acl
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled

 

##

 

(Cisco Controller) show>custom-web wlan 16


WLAN ID: 16
WLAN Status................................... Enabled
Web Security Policy........................... Web Based Authentication
Global Status................................. Enabled
WebAuth Type.................................. Internal

 

###

WLC -> Management -> HTTP-HTTPS

 

HTTP-HTTPS Configuration:

HTTP Access - Disable
HTTPS Access - Enabled
WebAuth SecureWeb - Enabled
HTTPS Redirection - Enabled
Web Session Timeout - 30 Minutes

 

##

 

My Preauthentication ACL  :

 

(Cisco Controller) show>acl detailed web-acl

Index  Dir  Source IP Address/Netmask    Destination IP Address/Netmask  Prot  Source Port Range  Dest Port Range  DSCP  Action  Counter
-----  ---  ---------------------------  ------------------------------  ----  -----------------  ---------------  ----  ------  -------
1      Any  0.0.0.0/0.0.0.0              10.0.253.20/255.255.255.255     17    0-65535            53-53            Any   Permit  468
2      Any  10.0.253.20/255.255.255.255  0.0.0.0/0.0.0.0                 17    53-53              0-65535          Any   Permit  466
3      Any  0.0.0.0/0.0.0.0              10.1.254.20/255.255.255.255     17    0-65535            53-53            Any   Permit  2
4      Any  10.1.254.20/255.255.255.255  0.0.0.0/0.0.0.0                 17    53-53              0-65535          Any   Permit  2
5      Any  0.0.0.0/0.0.0.0              1.1.1.1/255.255.255.255         Any   0-65535            0-65535          Any   Permit  0
6      Any  1.1.1.1/255.255.255.255      0.0.0.0/0.0.0.0                 Any   0-65535            0-65535          Any   Permit  9159

DenyCounter : 12069

 

 

 

Full config in attachment.


bgp.ripe901
Level 1
ip: 10.0.253.20/10.1.254.20 - my private DNS

patoberli
VIP Alumni

Do NOT use 1.1.1.1, that IP belongs to the company Cloudflare.

Use 192.168.x.x and it should start working. 

I changed the virtual IP to 192.0.2.1 and rebooted the WLC. But the web redirect is not working!

What happens on the client?

Can you use a Windows based client with a real browser for testing? 

Do you get a warning message?

 

Also add a DNS name pointing to the IP and I suggest to also get a public signed certificate for that name (or mobile phones will have issues/not connect) to the IP/name. 

 

One more thing to check, does the client get a correct IP address?

The output of the logfile seems wrong to me, but I might be wrong.

Safari is empty in the browser!
When I open the URL https://192.0.2.1, the WLC portal loads OK!
There is no warning either!
I created a new A record in DNS: web-portal.
By name, it also loads normally! But you need to enter it by hand.

Have you enabled the following command:
config network web-auth captive-bypass enable

Also have you updated the ACL with the new IP address?
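
The question above about updating the ACL after the virtual IP change can be checked offline. This is an added example, not code from any poster in the thread or from Cisco: it parses the `show acl detailed web-acl` rows posted earlier and evaluates flows first-match with an implicit deny at the end (assumed here as the ACL's behaviour); the client address 10.0.100.50 is constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# Rule rows copied from the "show acl detailed web-acl" output in the thread.
THREAD_ACL = """\
1 Any 0.0.0.0/0.0.0.0 10.0.253.20/255.255.255.255 17 0-65535 53-53 Any Permit 468
2 Any 10.0.253.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 466
3 Any 0.0.0.0/0.0.0.0 10.1.254.20/255.255.255.255 17 0-65535 53-53 Any Permit 2
4 Any 10.1.254.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 2
5 Any 0.0.0.0/0.0.0.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
6 Any 1.1.1.1/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 9159
"""
CLIENT = "10.0.100.50"  # constructed guest-client address, not from the thread
UDP, TCP = 17, 6        # IP protocol numbers as shown in the Prot column

class Rule(NamedTuple):
    index: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]  # None means "Any"
    sport: range
    dport: range
    action: str

def _ports(text):
    lo, hi = (int(p) for p in text.split("-"))
    return range(lo, hi + 1)

def parse_acl(text):
    """Parse rows: index dir src dst prot sport dport dscp action [counter]."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit():  # skips headers and separators
            rules.append(Rule(int(f[0]), ipaddress.ip_network(f[2]),
                              ipaddress.ip_network(f[3]),
                              None if f[4] == "Any" else int(f[4]),
                              _ports(f[5]), _ports(f[6]), f[8]))
    return rules

def verdict(rules, src, dst, proto, dport, sport=50000):
    """Return (action, rule index) of the first match, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:  # direction "Any": the rule applies both ways
        if (s in r.src and d in r.dst and r.proto in (None, proto)
                and sport in r.sport and dport in r.dport):
            return r.action, r.index
    return "Deny", None

RULES = parse_acl(THREAD_ACL)
```

Calling `verdict(RULES, CLIENT, "192.0.2.1", TCP, 443)` against the original rows shows the new virtual IP falling through to the implicit deny until rules 5 and 6 are rewritten for it.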

My config :

 

Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Enable
Web Auth Captive-Bypass .................. Enable
Web Auth Secure Web ....................... Enable
Web Auth Secure Redirection ............... Enable

 

and my acl:

 

permit ALL DNS                                                                                         Number of hits
permit 0.0.0.0/0.0.0.0 192.0.2.1/255.255.255.255 Any Any Any Any Any 0
permit 192.0.2.1/255.255.255.255 0.0.0.0/0.0.0.0 Any Any Any Any Any 1115

 

But the redirect is not working!

Testing on a Windows client, in the attachment!

Sorry I'm not sure if I can help you any further.

I know that some clients require a valid certificate and the redirect must go to the URL (not IP address), but I think Windows 7 didn't require that.

What surprises me is the really weak wi-fi signal, but I don't think that is the reason for the guest-portal not working correctly.

 

Can you compare your settings (mostly the SSID ones) with those here: 

https://rscciew.wordpress.com/2014/06/19/wlc-webauth-configuration/ (don't use the suggested IP written there, keep 192.0.2.1)

Maybe try it without an ACL for testing?

 

Alternative to the above link:

1. Under WLAN settings, configure the following
Security -> Layer 2 -> {Security Type WPA+WPA2} {WPA+WPA2 Parameters: WPA enabled, WPA2 Enabled}{Authentication Key Management: PSK}{PSK: Your Password}
Security -> Layer 3 -> {Layer 3 Security: Web Policy}{Webauth type: Passthrough}

When I disable the pre-ACL, the redirect and internet do not work! And https://192.0.2.1 does not work!

Help me!

I'm having the same issue on 8.0.152.0. Did you find a fix for this?

   

If your controller does not have a valid SSL certificate, you need to change the Web Auth redirect URL to be non-HTTPS so web users don't get an SSL warning.

(Cisco Controller) config> network web-auth secureweb disable

or you usually may change SSL setting via WLC web interface:

 

----> Go to MANAGEMENT on the top menu and then click on HTTP-HTTPS on the left-hand side menu.
----> Under WebAuth SecureWeb use the drop down box to select:

 

Disabled: If your controller does not have a valid SSL certificate
Enabled: If your controller has a valid SSL certificate

Hi

 

I'm having similar issues; however, I'm setting my redirect to my ISE box.

The issue I'm experiencing is that my Windows 10 device is connected to the guest SSID but it is not auto-loading a web page with the redirect URL.

 

The WLC is on code 8.3.113 and ISE on 2.3(patch 4)

Can you log into the CLI, do a client debug and post it here?
The command is:
debug client <MAC address of the client goes here>
Once the debug command is run, please have the client try to join the SSID and paste the debug results here.

