Showing results for 
Search instead for 
Did you mean: 

Web Authentication on WLC (wireless and wired) : complete guide

Nicolas Darchis
Cisco Employee

I didn't understand the question correctly so then yes I agree with David :-)

Hi, guys.

That is exactly what I meant ... :-)

I have configured a pre-auth acl on this wlan allowing as destination with tcp port any to any, and I

didn't forget to allow the tcp answer packets, too.

But still not working, the site shows up fine when browsed to directly (on a lan, not with redirection .....)

What am I missing, any ideas ???


Can you share the ACL you created?  Did you apply it as a "preauthentication ACL" on the L3 policy for the WLAN in question?

This is the ACL:

And yes, I applied it as preauth-acl:

Hi, all.

I think I found my logical mistake, please correct me if I am wrong somewhere:

It is the Client, that needs to have connectivity to the external webauth server, not the WLC .... right ???

If so, I need to move the server, because the IP Address that the client gets via DHCP is taken from a different

VRF than the VRF the IP Address of the server is in..... No routing between both VRFs is allowed.

Moving the server to the clients VRF would allow the client to talk to the server and load the redirected login page .....

I will do some testing on that and report the results here....

Reginald Pugh

Hi Nicholas,, great summary of all the web auth features using different devices. Quick question on Splash Page Redirect.If you are using the ACS for uinput of redirection ., is the slash page hosted on the ACS Server or is it on the WLC? . Need to be able to customize the page for users and need to know where that page is created. They (corporate users) will be on a BYOD net using EAP-PEAP/WPA2 with AD Group Policy. The redirect is after they login they need to see that page that is created.



Hi  Nicolas,

if we want to modify the success page for showing the remain time of use login. How we do ?

Many Thank.

Nicolas Darchis
Cisco Employee

You cannot modify the success page.


Hi Nicolas,

I encounter one issue web auth with external AD for user credential. With local account is ok. But if we use AD account to login, it is not successful even though we configure properly. Can help to suggest what cound be the issue?

WLC & AD are working properly with different SSIDs. Now we just want to create new SSID with L3 security web auth.

Thank you so much,

Community Member

Hi Nicholas,

I have an urgent issue going on. the guest users are not getting the webauth page to type their username and password. I have checked almost everything, they are getting correct ip and dns from the pool, even i tried using new guest account with PSK even then they are not able to connect to internet though wireless showing connected.

Also i am not able to traceroute of resolve neither with its ip nor with the name.

Could it be a DNS issue or webauth issue. Its very urgent

Nicolas Darchis
Cisco Employee

Urgent problem means you should open a TAC case. Otherwise ask your question on the forum but don't put it as a comment to a document please.

VIP Advisor

The URL to the feature request doesn't work for people without TAC access (or is it even Cisco internal?). Here the URL to the bugtoolkit:

Akhtar Samo

Hi Nicholas,

May i know if its possible to disable the port 80 service on WLC used for user web authentication page.

So currently the user is using and is redirected to, so we want to disable http service on the wlc so that the user gets no service on it, but only in case he directly types https:// the authentication page should open.


taufeeq taufeeq

Hi Anuj,

I am facing the same probles as u. Guest WLAN is broadcasting, clients are able to recv ip adress but shows limited internet access...Did u solve the issue..Please share ur expereince.

Thanks in advance,




Dear Nicolas


I nee your help i have wireless controller 5508 i want to configer dedicate SSID with deferent vlan i want broadcast only one SSID in each erea

Content for Community-Ad