Resolution
Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic, except DHCP-related packets, from a particular client until you have correctly supplied a valid username and password. When you use web authentication to authenticate clients, you must define a username and password for each client. Then, when you attempt to join the wireless LAN, you must enter the username and password when prompted by a login window.
When web authentication is enabled under WLAN Security Policies, it is possible that you receive a web-browser security alert the first time that you attempt to access a URL. After you click Yes to proceed, or if the browser does not display a security alert, the web authentication system redirects you to a login window.
This is a brief description of how external web authentication works:
- When you open a web browser with a URL, for example www.cisco.com, the controller checks whether you are authenticated. If you are not authenticated, the controller forwards the request to the controller web server in order to collect authentication details.
- The controller web server then redirects the user to the external web server URL. The external web server leads you to a login page. At this point, you are also allowed to access the Walled Garden sites. The Walled Garden sites are a group of websites that you can browse before you are authenticated on to the wireless network.
Note: For a Cisco 2000 Series Wireless LAN Controller, you must configure a pre-authentication ACL on the WLAN for the external web server. This ACL must then be set as the WLAN pre-authentication ACL under Web Policy. However, you do not need to configure a pre-authentication ACL for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers.
- The login request is sent to the action URL of the controller web server. The controller web server submits the username and password for authentication.
- The controller application initiates the RADIUS server request and authenticates the user.
- If authentication succeeds, the controller connects the client, and the controller web server forwards you to the configured redirect URL or to the initially requested URL, for example, www.cisco.com.
- If the user authentication fails, the controller web server redirects you to the URL of the login page.
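The flow above as a small Python model, added here as an illustration and not Cisco's controller code. The host names, URLs, the `Controller` class and the in-memory credential table that stands in for the RADIUS server are all assumptions.

```python
# Simplified model of the controller-side decisions described above.
# Not Cisco code: names, hosts and credentials are constructed for illustration.
from dataclasses import dataclass, field

LOGIN_URL = "https://login.example.test/login"           # assumed external web server
WALLED_GARDEN = {"login.example.test", "help.example.test"}  # assumed pre-auth hosts
RADIUS_USERS = {"alice": "correct-horse"}                 # stand-in for the RADIUS server


@dataclass
class Controller:
    redirect_url: str = ""                            # configured post-login redirect, if any
    authed: set = field(default_factory=set)          # authenticated client MACs
    wanted: dict = field(default_factory=dict)        # MAC -> initially requested URL

    def packet(self, mac, proto, host="", url=""):
        """Decide what happens to one packet from a client."""
        if mac in self.authed:
            return ("forward", url or host)
        if proto == "dhcp":                           # only DHCP passes before login
            return ("forward", "dhcp")
        if proto == "http" and host in WALLED_GARDEN:
            return ("forward", url)                   # pre-authentication allowance
        if proto == "http":
            self.wanted.setdefault(mac, url)          # remember the original request
            return ("redirect", LOGIN_URL)
        return ("drop", None)                         # all other IP traffic is blocked

    def login(self, mac, username, password):
        """Handle the login form posted to the controller's action URL."""
        if RADIUS_USERS.get(username) != password:    # RADIUS reject
            return ("redirect", LOGIN_URL)            # back to the login page
        self.authed.add(mac)
        original = self.wanted.pop(mac, "")
        return ("redirect", self.redirect_url or original)
```

The login host is part of the pre-authentication set in this model, which mirrors the pre-authentication ACL requirement in the note for the external web server.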
Problem Type: Configure / Configuration issues
Products: Wireless LAN Controllers
Topology: LWAPP network
Product OS: IOS
Device Access Method: GUI Interface, Telnet, Terminal Server / Console
SW Features: Web Authentication