User was using WLC 5500 controller and once the end clients get the DHCP address but the page is not redirecting them to the guest portal.
What is the best way to check as to why the redirection is failing?
That usually points to dns. Is the home page an https, if so, the user will not get redirected. The WLC intercepts the home page when the users opens up a browser and then verifies that dns can resolve the home page. If so, the WLC pushes the WebAuth page to the user. If not, the WLC dies nothing. If your using a 3rd part certificate to get rid of the certificate error, you need to make sure the fqdn can be resolved by the dns the clients are going to use.
Dns should resolve the initial url request then wlc hacks that packet and replace it with 188.8.131.52 instead of the resolved address to show the splash page to user, either u can use the public dns or insider dns that resolves the initial url request.
once client connected to webauth wlan and got an ip, manually type https://184.108.40.206/login.html, does it shows the cert warning and splash page after that, if not try with diff device, could be a browser issue. if it brings the page then like scott mentioned check the dns works thru nslookup.
The main thing if the webauth page does not appear is due to the clients homepage being https not http or dns issues. If you remove the webauth and associate to the ssid, can you access the internet? This will prove that dns is working okay from the guest users.
User followed the below mentioned steps and resolved the issue:
Under Interfaces, virtual interface for 220.127.116.11
Navigate to the Controller > Interfaces menu from the WLC GUI in order to assign a DNS hostname to the virtual interface. Removed the entry for DNS Host Name and set it to blank.
Tested and the redirect seems to work fine.
Web Authentication Redirection Process
Clients Redirected to External Web Authentication Server Receive a Certificate Warning
Problem: When clients are redirected to Cisco's external web authentication server, they receive a certificate warning. There is a valid certificate on the server, and if you connect to the external web authentication server directly the certificate warning is not received. Is this because the virtual IP address (18.104.22.168) of the WLC is presented to the client instead of the actual IP address of the external web authentication server that is associated with the certificate?
Yes. Whether or not you perform local or external web authentication, you still hit the internal web server on the controller. When you redirect to an external web server, you still receive the certificate warning from the controller unless you have a valid certificate on the controller itself. If the redirect is sent to https, you receive the certificate warning from the controller and from the external web server, unless both have a valid certificate.
In order to get rid of the certificate warnings all together, you need to have a root level certificate issued and downloaded onto your controller. The certificate is issued for a host name and you put that host name in the DNS host name box under the virtual interface on the controller. You also need to add the host name to your local DNS server and point it to the virtual IP address (22.214.171.124) of the WLC.
Error: "page cannot be displayed"
Problem: After the controller is upgraded to 126.96.36.199, the "page cannot be displayed " error message appears when you use a downloaded web page for web authentication. This worked well prior to the upgrade. The default internal web page loads without any problem .
From the WLC version 4.2 and later a new feature is introduced wherein you can have multiple customized login pages for Web authentication.
In order to have the web page load properly, it is not sufficient to set the web-authentication type as customized globally in the Security > Web Auth > Web login page. It must also be configured on a particular WLAN . In order to do this, complete these steps:
Log into the GUI of the WLC.
Click on the WLANs tab, and access the profile of the WLAN configured for Web-authentication.
On the WLAN > Edit page, click the Security tab. Then, choose Layer 3.
On this page, choose None as the Layer 3 Security.
Check the Web Policy box, and choose the Authentication option.
Check the Over-ride Global Config Enable box, choose Customized (Downloaded) as the Web Auth Type, and select the desired login page from the Login Pagepull down menu. Click Apply.
I'm having trouble getting an L2 ACL to work on the Cat9800 on XE 16.11.1cI have a WLAN policy profile called nm-test-policy with a specific layer2/datalink acl defined in the running config: wireless profile policy nm-test-policyaaa-overrideautoqos ...
Hi All I have been working on existing WLC 2500 with a single individual interface with a handful wlan Ids.The interface is the management 192.168.120.0/25 192.168.121.10 the management interfaceI wanted to create an additional ID that would be dishi...
Hello All. i have 3 AP's cisco aironet 1815i (A, B, C) A is the controller.A and B working perfectly i can get an ip from dhcp and i can access my Network and the internet either,but the problem is with C i can access it with SSH connection and...
Hi all, I managed to block specific machines from connecting to my ssid by blocking their mac addresses on my 3504 WLC via "security->AAA->Disabld CLients->Manual Disable" I also manage to verify the logs via CLI using "client debug mac...