
Xiaomi problem with external captive portal.

felipemoretti
Level 1

I have a problem between Xiaomi and an external captive portal (+ external RADIUS): the WLC isn't processing the request back.

My virtual interface address is 1.2.3.4 (to avoid trouble with Cloudflare, for example), and at the callback moment, when the application (external captive portal) sends the packet back to the WLC, nothing happens, only a connection refused error as shown below:

Captura de tela de 2019-09-16 17-33-45.png

What should happen is that the controller (WLC) processes the request back and sends an authentication packet to the RADIUS, the RADIUS responds with OK, and the controller generates an accounting packet and allows internet to the device.

With other vendors like Motorola, Samsung (and others) this error doesn't happen (the whole process works perfectly). Does anyone know how I can solve this problem?

12 Replies

jonathga
Cisco Employee

Hello Felipe, could you check if you are not able to get the web auth login page from different web browsers? Just open the browser and go to http://1.2.3.4/login.html

Hey Jonathga, thanks for your reply, I'll try what you suggest...

Jonathga, sorry for the delay in responding. Trying to open the address http://1.2.3.4/login.html in the Chrome browser, I got the same error.
Any idea?

Hello Felipe, could you please paste the output of show certificate summary and show network summary from the WLC.

Sure! Can you tell me the path for this information?

What's your WLC model? 

_epH29xYEBMBvqGpnvM7lQszlxXk5mBvcw.png

Hello Felipe, SSH to the WLC then enter the commands that I mentioned before.

(Cisco Controller) >show certificate summary
Web Administration Certificate................... 3rd Party
Web Authentication Certificate................... 3rd Party
Certificate compatibility mode:.................. off
Lifetime Check Ignore for MIC ................... Disable
Lifetime Check Ignore for SSC ................... Disable



(Cisco Controller) >show network summary

RF-Network Name............................. LOJAO
DNS Server IP...............................
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
Web CSRF check.............................. Enable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Disable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Multicast   Address : 225.225.224.224
IPv6 AP Multicast/Broadcast Mode............ Multicast   Address : ::
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds

Two things, try to enable this:
- Secure Web Mode Cipher-Option High.......... Disable (on the GUI under Management - HTTP HTTPS). You need to reboot the WLC after this change.
- Update to the latest 8.3 release (although I don't think this will solve this specific issue, but it helps in general)

Hello Patoberli, thanks for your reply.
The cipher-option high was already disabled and the update cannot be done now.
Another suggestion?

I wrote "enable cipher-option high" :)
Also it's suggested to change the IP to a real private one, like from the range: 192.0.2.0/24
