Showing results for 
Search instead for 
Did you mean: 

How to configure external web authentication in WLC



Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic, except DHCP-related packets, from a particular client until that you have correctly supplied a valid username and password. When you use web authentication to authenticate clients, you must define a username and password for each client. Then when you attempt to join the wireless LAN, you must enter the username and password when prompted by a login window.

When web authentication is enabled under WLAN Security Policies, it is possible that you receive a web-browser security alert the first time that you attempt to access a URL. After you click Yes to proceed, or if the browser does not display a security alert, the web authentication system redirects you to a login window.

This is a brief description of how the External Web Authentication Works:

  1. When you open a web browser with a URL, for example, it is verified for authentication. If it is not authenticated, the controller forwards the request to the controller web server in order to collect authentication details.

  2. The controller web server then redirects the user to the external web server URL. The external web server leads you to a login page. At this point, you are also allowed to access the Walled Garden Sites. The Walled Garden sites are a group of websites that you can browse before the sites are authenticated on to your wireless network.

    Note: For a Cisco 2000 Series Wireless LAN Controller, you must configure a pre-authentication ACL on the WLAN for the external web server. This ACL needs to then be set as WLAN pre-authentication ACL under Web Policy. But, you do not need to configure any pre-authentication ACL for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers.

  3. The login request is sent to the action URL of the controller web server. The controller web server submits the username and password for authentication.

  4. The controller application initiates the RADIUS server request and authenticates the user.

  5. If successful, the controller web connects the client and the controller web server forwards you to the configured redirect URL or to the initially requested URL, for example,

  6. If the user authentication fails, the controller web server redirects you to the URL of the login page.

Refer to these documents for more information on web authentication:

Problem Type

Configure / Configuration issues


Wireless LAN Controllers


LWAPP network

Product OS


Device Access Method

GUI Interface


Terminal Server / Console

SW Features

Web Authentication

Content for Community-Ad