Re: Internal Web Auth

nseja · ‎05-15-2019

Good day

i have a problem which is rather weird. i configured web auth (internal) using lobby account to create passwords for guests. however when i test only phones pass the auth stage and have access to internet. difference now is i have tested 2 laptops thus far redirection takes 10mins to pop up. after i submit credentials there is no internet connection. changed browsers aswell

am using both layer 2 and 3 security

thanks in advance

Flavio Miranda · ‎05-15-2019

Hi,

Check DNS e proxy on laptos. Keep in mind that this is probably devices problem and not network problem. The main reason problem for web redirect is DNS problem.

Also, try different browsers. Try to open a site with http website instead https.

-If I helped you somehow, please, rate it as useful.-

nseja · ‎05-15-2019

please see below outputs for network summary and debug output

network summary

---------------

(Cisco Controller) >show network summary

RF-Network Name............................. Lea-Wireless

DNS Server IP............................... 0.0.0.0

Web Mode.................................... Enable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode SSL Protocol................ Disable

Web CSRF check.............................. Enable

OCSP........................................ Disabled

OCSP responder URL..........................

Secure Shell (ssh).......................... Enable

Secure Shell (ssh) Cipher-Option High....... Disable

Telnet...................................... Disable

Ethernet Multicast Forwarding............... Disable

Ethernet Broadcast Forwarding............... Disable

IPv4 AP Multicast/Broadcast Mode............ Unicast

IPv6 AP Multicast/Broadcast Mode............ Unicast

IGMP snooping............................... Disabled

IGMP timeout................................ 60 seconds

IGMP Query Interval......................... 20 seconds

MLD snooping................................ Disabled

MLD timeout................................. 60 seconds

--More-- or (q)uit

MLD query interval.......................... 20 seconds

User Idle Timeout........................... 300 seconds

ARP Idle Timeout............................ 300 seconds

Cisco AP Default Master..................... Enabled

AP Join Priority............................ Disable

Mgmt Via Wireless Interface................. Enable

Mgmt Via Dynamic Interface.................. Disable

Bridge MAC filter Config.................... Enable

Bridge Security Mode........................ EAP

Mesh Full Sector DFS........................ Enable

Mesh Backhaul RRM........................... Disable

AP Fallback ................................ Enable

AP EasyAdmin ............................... Disable

AP Virtual IP .............................. 0.0.0.0

Web Auth CMCC Support ...................... Disabled

Web Auth Redirect Ports .................... 80

Web Auth Proxy Redirect ................... Disable

Web Auth Captive-Bypass .................. Disable

Web Auth Secure Web ....................... Enable

Web Auth Secure Web Cipher Option ......... Disable

Web Auth Secure Web Sslv3 ................. Disable

Web Auth Secure Redirection ............... Enable

debug web-auth

---------------

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- bytes parsed = 306

*webauthRedirect: May 15 17:14:59.285: captive-bypass detection disabled, Not checking for wispr in HTTP GET, client mac=94:39:e5:18:f0:73

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Preparing redirect URL according to configured Web-Auth type

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- unable to get the hostName for virtual IP, using virtual IP =192.0.2.1

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Checking custom-web config for WLAN ID:2

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Global status is enabled, checking on web-auth type

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Web-auth type Internal, no further redirection needed. Presenting defualt login page to user

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- http_response_msg_body1 is <HTML><HEAD><TITLE> Web Authentication Redirect</TITLE><META http-equiv="Cache-control" content="no-cache"><META http-equiv="Pragma" content="

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- http_response_msg_body2 is "></HEAD></HTML>

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- parser host is 192.0.2.1

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- parser path is /

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- added redirect=, URL is now https://192.0.2.1/login.html?

d*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- str1 is now https://192.0.2.1/login.html?redirect=192.0.2.1/

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- clen string is Content-Length: 301

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Message to be sent is

HTTP/1.1 200 OK

Location: https://192.0.2.1/login.html?redirect=192.0.2.1/

Content-Type: text/html

Content-Length: 301

<HTML><HEAD><TITLE> W

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- 200 send_data =HTTP/1.1 200 OK

Location: https://192.0.2.1/login.html?redirect=192.0.2.1/

Content-Type: text/html

Content-Length: 301

<HTML><HEAD><TITLE> Web Authe

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- send data length=426

*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Web-auth type External, but unable to get URL

u*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- cleaning up after send

*webauthRedirect: May 15 17:14:59.285: 2335 - 94:39:e5:18:f0:73- closing socket= 99

*emWeb: May 15 17:15:02.245: SSL Connection created for MAC:94:39:e5:18:f0:73

*emWeb: May 15 17:15:02.267:

ewaURLHook: Entering:url=/login.html, virtIp = 192.0.2.1, ssl_connection=1, secureweb=1

*emWeb: May 15 17:15:02.267: WLC received client 94:39:e5:18:f0:73 request for Web-Auth page /login.html

*emWeb: May 15 17:15:02.268: WLC received client 94:39:e5:18:f0:73 request for Web-Auth page /login.html

*emWeb: May 15 17:15:02.268: No redirect URL configured

*emWeb: May 15 17:15:02.268: WLC received client 94:39:e5:18:f0:73 request for Web-Auth page /login.html

d*emWeb: May 15 17:15:02.268: WLC received client 94:39:e5:18:f0:73 request for Web-Auth page

Flavio Miranda · ‎05-15-2019

I see something weird. :

"*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Web-auth type Internal,"

"*webauthRedirect: May 15 17:14:59.285: 94:39:e5:18:f0:73- Web-auth type External"

What do you have on SECURITY > Web Auth > Web Login Page ?

-If I helped you somehow, please, rate it as useful.-

nseja · ‎05-15-2019

web authentication type : internal (default)

redirect URL after login: https://www.google.com

see attached: UE can get ips etc,

patoberli · ‎05-17-2019

Can you reboot the WLC and try again?