Dhiresh Yadav is a wireless expert and working for the Cisco's High Touch Technical Support (HTTS) team, a team that provides reactive technical support to majority of Cisco’s premium customers. In this document Dhiresh provides the configuration and explain about the web-auth redirection over the HTTPS. This is a feature introduced in the CUWN 8.0.
Basic Knowledge of WLC Web-auth
How to configure Wireless LAN Controller (WLC) for Web-authentication.
The information in this document is based on these software and Hardware versions:
Cisco 5500 series WLC that runs firmware 22.214.171.124 CUWN version.
Note: The Configuration and web-auth explanation provided below is applicable to all WLC models and any CUWN image equal to or above 126.96.36.199.
Before CUWN 8.0 release i.e up to 7.6 , if you try HTTPS://page , the page was not getting redirected using web-authentication. In CUWN 8.0 and onwards ,this is supported. So if any client tries https://page , it will be redirected to the web-auth login page which was not possible earlier.Basically, if you go to port 443 , there was no redirection for web authentication. As more and more websites have started using HTTPS, so this feature will support that HTTPS redirect, which means if you go to HTTPS:// during web-auth , you would be redirected to the controller. Also this feature is very useful for the devices that send https requests with an application ( but not using browser ) to see if it can join anywhere based on response.
You might get the message “certificate is not issued by a trusted certificate authority.” on your browser after configuring https-redirect feature even if you have a valid root or chained certificate on the Controller as shown in the Figure-1 and Figure-2.The certificate you installed on the controller is issued to your virtual IP address. So during HTTP-Redirect, if you have this certificate on the WLC , you will not get Security certificate warning error .However in the case of HTTPS-redirect, you would still get the error . Some browser's because of the use of HTTPS://page , expect a certificate issued to the IP address of the site resolved by the DNS but what they are returned is a redirect page from the WLC and having certificate issued to the Internal web server (virtual ip address). Hence they might still throw this error. This is purely because of the way HTTPS works and will always happen if you try to intercept the HTTPS session for web-auth redirection to work.
In the Chrome , You might see like below:
Configure the WLC
(WLC)>config wlan security web-auth enable 10
(WLC)> config network web-auth https-redirect enable
WARNING! - You have chosen to enable https-redirect. This might impact performance significantly
So as you see , this might impact throughput while doing https redirection than http redirection For more understanding and information on the web authentication , Please refer to the below link:
(WLC)>show network summary
Web Auth Secure Web ....................... Enable
Web Auth Secure Redirection ............... Enable
(WLC) >show debug
MAC Addr 1.................................. 24:77:03:52:56:80
Debug Flags Enabled:
webauth redirect enabled.
*webauthRedirect: Jan 16 03:35:35.678: 24:77:3:52:56:80- received connection. client socket = 9
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- trying to read on socket 95
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- calling parser with bytes = 204
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- bytes parsed = 204
*webauthRedirect: Jan 16 03:35:35.679: captive-bypass detection enabled, checking for wispr in HTTP GET, client mac=24:77:3:52:56:80
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Preparing redirect URL according to configured Web-Auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- got the hostName for virtual IP(wirelessguest.test.com)
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Checking custom-web config for WLAN ID:10
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Global status is enabled, checking on web-auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Web-auth type Customized, using URL:https://wirelessguest.test.com/fs/customwebauth/login.html
Secure web (config network secureweb enable/disable) and web-auth secure (config network web-auth secureweb enable/disable), either of them should be enabled to make HTTPS redirect work.
There might be slight reduction in the throughput when using redirection over https.
There is currently no specific troubleshooting information available for this configuration.
Access point should negotiate required power with PoE switch via CDP / LLDP and switch should be able to provide requested power per its design (we exclude the case of old standard PoE switch and new standard access point).On a WEB interface of WLC its po...
Hi Team, I have 2 setups that need a code upgrade.Two 3504 in HA systemTwo 5508 in HA system. I have some questions on code upgrade in HA mode:1. As far as I understand you have to perform upgrade only on the primary and the second one will be a...
Hi thereI need help with my APs joining 2504 controller. only one joins and another in close proximity would not join. It only joins when it further from the first one that already joined. what is the solution t this, if there's any?
Regarding the WLAN-Poller script that's recommended to be run prior to an AireOS upgrade:
I have around 2500 APs and I have run the Poller twice as recommenced. Pass #1 and Pass #2 were run with mode