Dhiresh Yadav is a wireless expert and working for the Cisco's High Touch Technical Support (HTTS) team, a team that provides reactive technical support to majority of Cisco’s premium customers. In this document Dhiresh provides the configuration and explain about the web-auth redirection over the HTTPS. This is a feature introduced in the CUWN 8.0.
Basic Knowledge of WLC Web-auth
How to configure Wireless LAN Controller (WLC) for Web-authentication.
The information in this document is based on these software and Hardware versions:
Cisco 5500 series WLC that runs firmware 188.8.131.52 CUWN version.
Note: The Configuration and web-auth explanation provided below is applicable to all WLC models and any CUWN image equal to or above 184.108.40.206.
Before CUWN 8.0 release i.e up to 7.6 , if you try HTTPS://page , the page was not getting redirected using web-authentication. In CUWN 8.0 and onwards ,this is supported. So if any client tries https://page , it will be redirected to the web-auth login page which was not possible earlier.Basically, if you go to port 443 , there was no redirection for web authentication. As more and more websites have started using HTTPS, so this feature will support that HTTPS redirect, which means if you go to HTTPS:// during web-auth , you would be redirected to the controller. Also this feature is very useful for the devices that send https requests with an application ( but not using browser ) to see if it can join anywhere based on response.
You might get the message “certificate is not issued by a trusted certificate authority.” on your browser after configuring https-redirect feature even if you have a valid root or chained certificate on the Controller as shown in the Figure-1 and Figure-2.The certificate you installed on the controller is issued to your virtual IP address. So during HTTP-Redirect, if you have this certificate on the WLC , you will not get Security certificate warning error .However in the case of HTTPS-redirect, you would still get the error . Some browser's because of the use of HTTPS://page , expect a certificate issued to the IP address of the site resolved by the DNS but what they are returned is a redirect page from the WLC and having certificate issued to the Internal web server (virtual ip address). Hence they might still throw this error. This is purely because of the way HTTPS works and will always happen if you try to intercept the HTTPS session for web-auth redirection to work.
In the Chrome , You might see like below:
Configure the WLC
(WLC)>config wlan security web-auth enable 10
(WLC)> config network web-auth https-redirect enable
WARNING! - You have chosen to enable https-redirect. This might impact performance significantly
So as you see , this might impact throughput while doing https redirection than http redirection For more understanding and information on the web authentication , Please refer to the below link:
(WLC)>show network summary
Web Auth Secure Web ....................... Enable
Web Auth Secure Redirection ............... Enable
(WLC) >show debug
MAC Addr 1.................................. 24:77:03:52:56:80
Debug Flags Enabled:
webauth redirect enabled.
*webauthRedirect: Jan 16 03:35:35.678: 24:77:3:52:56:80- received connection. client socket = 9
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- trying to read on socket 95
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- calling parser with bytes = 204
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- bytes parsed = 204
*webauthRedirect: Jan 16 03:35:35.679: captive-bypass detection enabled, checking for wispr in HTTP GET, client mac=24:77:3:52:56:80
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Preparing redirect URL according to configured Web-Auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- got the hostName for virtual IP(wirelessguest.test.com)
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Checking custom-web config for WLAN ID:10
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Global status is enabled, checking on web-auth type
*webauthRedirect: Jan 16 03:35:35.679: 24:77:3:52:56:80- Web-auth type Customized, using URL:https://wirelessguest.test.com/fs/customwebauth/login.html
Secure web (config network secureweb enable/disable) and web-auth secure (config network web-auth secureweb enable/disable), either of them should be enabled to make HTTPS redirect work.
There might be slight reduction in the throughput when using redirection over https.
There is currently no specific troubleshooting information available for this configuration.