11-12-2010 11:50 PM - edited 11-18-2020 02:51 AM
This document went official on cisco.com:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080bf7d89.shtml
I'd just like to say thank you! I just spent many many hours trying to figure out why my WLCs were telling me INVALID_TAR_FILE when I was trying to download an updated webauth bundle. After much hair-pulling and banging on my desk, I found this guide and quickly discovered that a new image file I added had a name longer than 30 characters. Once I shortened that, it worked! Cisco should really incorporate this into their official documentation, as it's far more comprehensive than anything else I've been able to find.
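A pre-upload check for the failure described in the comment above, as an added example that is not part of the original post or of Cisco's tooling: it lists the files in a webauth bundle tar whose names exceed 30 characters. Applying the limit to the base file name rather than the full path is an assumption, and the sample bundle is constructed in memory.

```python
import io
import posixpath
import tarfile

MAX_NAME_LEN = 30  # limit reported in the comment above


def overlong_members(tar_bytes, limit=MAX_NAME_LEN):
    """Return sorted (member path, basename length) pairs for files over the limit.

    Assumption: the limit applies to the base file name, not the full path.
    Raises ValueError if the input is not a readable tar archive.
    """
    hits = []
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue  # directories and links carry no page content
                base = posixpath.basename(member.name)
                if len(base) > limit:
                    hits.append((member.name, len(base)))
    except tarfile.ReadError as exc:
        raise ValueError("not a tar archive: %s" % exc) from exc
    return sorted(hits)


def build_sample_bundle(names):
    """Build a constructed in-memory tar holding placeholder files (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the last file name is 37 characters long.
SAMPLE_NAMES = [
    "login.html",
    "images/logo.png",
    "images/company_banner_high_resolution_v2.png",
]

if __name__ == "__main__":
    for path, length in overlong_members(build_sample_bundle(SAMPLE_NAMES)):
        print("%s: name is %d characters (limit %d)" % (path, length, MAX_NAME_LEN))
```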
If you have more than one WLC with all WLCs using the same virtual interface, can you use one certificate or do you need a certificate for each WLC?
I have the same certificate installed on about 20 different WLCs. Just use the same virtual interface IP on all of them (e.g. 1.1.1.1).
What sort of certificate should I request from a CA authority?
Thanks so much.
Dear Nicolas
Thanks a lot for your excellent guide.
Question: you mention that an example of a bundle is provided with this chunk, but I didn't find it. Could you please just tell me where it is?
Thanks in advance
Alain
The best is to use the one that is up-to-date on cisco.com
Go to the download section, click on any WLC model and it will suggest:
- WLC software
- MIB
- Mesh software
- Webauth bundle example
Just pick the bundle there, it's far better than any examples that were running around before
Found it:
webauth_bundle-1.0.2.zip
Release Date: 10/JUN/2011
Bundle of sample pages for web portal authentication
Size: 6343.63 KB (6495869 bytes)
It was under:
Cisco 5500 Series Wireless Controllers
Cisco 5508 Wireless Controller
Wireless Lan Controller Web Authentication Bundle-1.0.2
Did anybody try the new version 7.2?
Can I set HTTP web-auth, and HTTPS management?
If so, how? I just installed on one of my 5508s, and was not able to figure out how to perform such configuration.
TIA
Ivan Brunello
About Web Auth over HTTP.
I asked Cisco support. It is indeed fixed, and I can confirm it to be working.
- update to version 7.2.103.0
- on the CLI (no web interface), issue the following command:
config network web-auth secureweb disable
If using an EoIP tunnel to DMZ-dedicated WLCs, you need to upgrade just the DMZ WLCs.
No need to update the core ones.
WCS 7.0.230.0 seems to be able to manage 7.2 controller, but it lacks the newest features (such as RF groups).
Wait for WCS update, or plan for NCS migration.
Ivan Brunello
Thanks for the info Ivan.
I will actually update this document to 7.2 and all the new features.
By the way, there will not be any further WCS versions coming out, so NCS is the way to go for 7.2 WLC management.
Very helpful guide, thanks a lot !!!!!
One more question:
Is it possible to use a non-standard tcp port in your webauth url, that points to the external webauth server ??
Like:
If I understand your question correctly: no.
What you can do is:
- The user types the URL with a special port (http://mylocalserver:8010)
- The WLC is configured to listen on 8010 and intercepts it and throws the web authentication.
- After typing his credentials, the user is redirected to mylocalserver:8010
What you cannot do is have the web login page itself using another port (https://1.1.1.1:8080/login.html will not happen)
I think the question is saying can the "external webauth server" be using a non-standard port and have the WLC redirect.
i.e. user goes to www.somepage.com, and WLC redirects to external page at http://server:8080/login.html.
The answer is yes.
For instance, you have decided that your server will be bound using port 8010. When you specify the "server URL", you will include this in your external webauth server redirect address.
Bobby Jo connects to your L3 (external) WLAN, then tries to go to http://www.google.com
The WLC will hijack, and then redirect the request to your external server http://11.22.33.44:8010/login.html.
Remember, you will need to be sure your pre-auth ACLs are in place. Rather than allowing "HTTP" traffic, choose "other" as the port type and configure your customer port#.