Dhiresh Yadav is a wireless expert and working for the Cisco's High Touch Technical Support (HTTS) team, a team that provides reactive technical support to majority of Cisco’s premium customers. In this document Dhiresh provides the configuration and explain about the web-auth redirection over the HTTPS. This is a feature introduced in the CUWN 8.0.
Basic Knowledge of WLC Web-auth
How to configure Wireless LAN Controller (WLC) for Web-authentication.
The information in this document is based on these software and Hardware versions:
Cisco 5500 series WLC that runs firmware 126.96.36.199 CUWN version.
Note: The Configuration and web-auth explanation provided below is applicable to all WLC models and any CUWN image equal to or above 188.8.131.52.
Before CUWN 8.0 release i.e up to 7.6 , if you try HTTPS://page , the page was not getting redirected using web-authentication. In CUWN 8.0 and onwards ,this is supported. So if any client tries https://page , it will be redirected to the web-auth login page which was not possible earlier.Basically, if you go to port 443 , there was no redirection for web authentication. As more and more websites have started using HTTPS, so this feature will support that HTTPS redirect, which means if you go to HTTPS:// during web-auth , you would be redirected to the controller. Also this feature is very useful for the devices that send https requests with an application ( but not using browser ) to see if it can join anywhere based on response.
You might get the message “certificate is not issued by a trusted certificate authority.” on your browser after configuring https-redirect feature even if you have a valid root or chained certificate on the Controller as shown in the Figure-1 and Figure-2.The certificate you installed on the controller is issued to your virtual IP address. So during HTTP-Redirect, if you have this certificate on the WLC , you will not get Security certificate warning error .However in the case of HTTPS-redirect, you would still get the error . Some browser's because of the use of HTTPS://page , expect a certificate issued to the IP address of the site resolved by the DNS but what they are returned is a redirect page from the WLC and having certificate issued to the Internal web server (virtual ip address). Hence they might still throw this error. This is purely because of the way HTTPS works and will always happen if you try to intercept the HTTPS session for web-auth redirection to work.
In the Chrome , You might see like below:
Configure the WLC
(WLC)>config wlan security web-auth enable 10
(WLC)> config network web-auth https-redirect enable
WARNING! - You have chosen to enable https-redirect. This might impact performance significantly
So as you see , this might impact throughput while doing https redirection than http redirection For more understanding and information on the web authentication , Please refer to the below link:
(WLC)>show network summary
Web Auth Secure Web ....................... Enable
Web Auth Secure Redirection ............... Enable
(WLC) >show debug
MAC Addr 1.................................. 24:77:03:52:56:80
Debug Flags Enabled:
webauth redirect enabled.
*webauthRedirect: Jan 16 03:35:35.678: 24:77:3:52:56:80- received connection. client socket = 9
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- trying to read on socket 95
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- calling parser with bytes = 204
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- bytes parsed = 204
*webauthRedirect: Jan 16 03:35:35.679: captive-bypass detection enabled, checking for wispr in HTTP GET, client mac=24:77:3:52:56:80
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Preparing redirect URL according to configured Web-Auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- got the hostName for virtual IP(wirelessguest.test.com)
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Checking custom-web config for WLAN ID:10
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Global status is enabled, checking on web-auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Web-auth type Customized, using URL:https://wirelessguest.test.com/fs/customwebauth/login.html
Secure web (config network secureweb enable/disable) and web-auth secure (config network web-auth secureweb enable/disable), either of them should be enabled to make HTTPS redirect work.
There might be slight reduction in the throughput when using redirection over https.
There is currently no specific troubleshooting information available for this configuration.
My organization inherited a 9 slot 6500 chassis from another department. Included with this chassis was a WISM2, The 720 supervisory engine, and 48 port switch blades. We are currently using just those 3 blades to provide our organization with Wireless co...
hoping someone can point me to a resource... We have a Cisco c1111-4plteea with GPS enabled, but it is flooding the server with coordinates, reporting over 200 times per minute.. Is there a way to throttle or control how often the coordina...
We aquired a 840 and 860 Webex Wifi Phone recently to test. We have an internal WiFi that is secured via certificates from ISE.From the very start we had big issues with the two phones - our Windows PCs run just fine on the WiFi, but the phones lose conne...
tenho uma controladora 5508 no que consegue com facilidade controlar meus roteadores 1852 e 2802 no entanto no consigo fazer a junção dos 1522 <!--LOG do AP% CDP não é compatível com esta interface ou para este encapsulamento * 3 de agosto 10: 13:...