User was using WLC 5500 controller and once the end clients get the DHCP address but the page is not redirecting them to the guest portal.
What is the best way to check as to why the redirection is failing?
That usually points to dns. Is the home page an https, if so, the user will not get redirected. The WLC intercepts the home page when the users opens up a browser and then verifies that dns can resolve the home page. If so, the WLC pushes the WebAuth page to the user. If not, the WLC dies nothing. If your using a 3rd part certificate to get rid of the certificate error, you need to make sure the fqdn can be resolved by the dns the clients are going to use.
Dns should resolve the initial url request then wlc hacks that packet and replace it with 184.108.40.206 instead of the resolved address to show the splash page to user, either u can use the public dns or insider dns that resolves the initial url request.
once client connected to webauth wlan and got an ip, manually type https://220.127.116.11/login.html, does it shows the cert warning and splash page after that, if not try with diff device, could be a browser issue. if it brings the page then like scott mentioned check the dns works thru nslookup.
The main thing if the webauth page does not appear is due to the clients homepage being https not http or dns issues. If you remove the webauth and associate to the ssid, can you access the internet? This will prove that dns is working okay from the guest users.
User followed the below mentioned steps and resolved the issue:
Under Interfaces, virtual interface for 18.104.22.168
Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface. Removed the entry for DNS Host Name and set it to blank.
Tested and the redirect seems to work fine.
Web Authentication Redirection Process
Clients Redirected to External Web Authentication Server Receive a Certificate Warning
Problem: When clients are redirected to Cisco's external web authentication server, they receive a certificate warning. There is a valid certificate on the server, and if you connect to the external web authentication server directly the certificate warning is not received. Is this because the virtual IP address (22.214.171.124) of the WLC is presented to the client instead of the actual IP address of the external web authentication server that is associated with the certificate?
Yes. Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
In order to get rid of the certificate warnings all together, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (126.96.36.199) of the WLC.
Error: "page cannot be displayed"
Problem: After the controller is upgraded to 188.8.131.52, the "page cannot be displayed " error message appears when you use a downloaded web page for web authentication. This worked well prior to the upgrade. The default internal web page loads without any problem .
From the WLC version 4.2 and later a new feature is introduced wherein you can have multiple customized login pages for Web authentication.
In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN . In order to do this, complete these steps:
Log into the GUI of the WLC.
Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
On this page, choose None as the Layer 3 Security.
Check the Web Policy box, and choose the Authentication option.
Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from the Login Pagepull down menu. Click Apply.
I have upgraded CMX 10.5 to 10.6 and I am having some problems with the upgrade. One of my problems is I am now getting the certificate error again. I need to log in with the root user to correct the certificate issue, but I'm not able to get access with ...
Hello, I have a foreign controller anchored back to a DMZ WLC. Multiple Guest SSIDs use this EOIP/Anchor. QOS on the WAN routers between the Foreign/Anchor WLC is matching on the EOIP tunnel endpoints, using this as the matching criteria for any...
hi all, I have setup a new SSID for BYOD this SSID is configured to the use the same DHCP Servers as Guest SSID to test with ISE I configured the WLAN exactly the same setup as Guest SSID to start with, same DHCP Server in Advanced options etc with s...
Hı,We use 1830 series Mobility Express when AP s reboot apple phones and Ipads try to connect SSID it took wrong password mistake. I opened debug for one of this client and took this logs. When I change anything on SSID all device connected...