Standalone AP802AGN Web Authentication

hakenkreuz
Level 1

On a Cisco C891FW with an integrated AP802AGN-A-K9 running Version 15.3(3)JF10.

4 SSIDs: 3 "2.4 GHz" & 1 "5 GHz"

2 of the 2.4 GHz & the 5 GHz are running WPA2 pre-shared key. Everything OK with this setup.

1 of the 2.4 GHz is set for Web authentication, but the end users never get the screen to log in.

Users are indeed getting IPs of the correct vLAN.

nslookup is getting responses on client

I ran a capture on the router module, and the only thing I see is the DNS query/response, no HTTP GET or so. I ran a capture on the AP module, but nothing shows up.

I tried with local RADIUS & external, but neither makes a difference... Users just associate, but no Internet.

Config of the SSID and some other stuff:

!
aaa authentication login WEB-LIST group radius
!
ip auth-proxy proxy http login redirect http://192.0.2.253/index.html
ip admission proxy http login redirect http://192.0.2.253/index.html
ip admission name WEB-AUTH proxy http list WEB-AUTH-ACL
ip admission name WEB-AUTH method-list authentication WEB-LIST
!
dot11 ssid Invitados
 vlan 300
 web-auth
 max-associations 5
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 13 mode ciphers aes-ccm
 !
 encryption vlan 88 mode ciphers aes-ccm
 !
 ssid Invitados
 !
 ssid Sc
 !
 ssid Ts
 !
 antenna gain 0
 mbssid
 speed basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 no dot11 extension aironet
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 ip admission WEB-AUTH
!
interface Dot11Radio0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 spanning-disabled
 no bridge-group 255 source-learning
!
interface BVI1
 mac-address 0035.1a69.2d16
 ip address 172.16.255.254 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 192.0.2.252 255.255.255.252 172.16.255.1
!
ip access-list extended WEB-AUTH-ACL
 permit ip any any
!
!
radius server DebSer
 address ipv4 192.0.2.253 auth-port 1812 acct-port 1813
 key R4diu5_k3Y

debug ip admission detailed
IP Admission Detailed Debug debugging is on

Sep 1 22:57:31.831: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:32.023: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:34.799: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:42.827: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:44.147: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:53.159: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300

802.11 Client Stations on Dot11Radio0:

SSID [Invitados] :

MAC Address     IP address   IPV6 address  Device   Name  Parent  State
88ad.d2f7.919b  172.16.0.3   ::            unknown  -     self    Assoc


patoberli
VIP Alumni

I have never configured this, but based on the error you lack the command 

ip admission WEB-AUTH

under the interface Dot11Radio0.300

Nope. Same behaviour.

interface Dot11Radio0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 ip admission WEB-AUTH

Wondering if I need to configure a virtual IP like in a Controller or something like that:

(config)#ip admission virtual-ip ?
A.B.C.D Virtual Ip Address

Check this manual: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/116897-configure-technology-00.html

Or here is the manual: https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3/configuration/guide/cg15-3-3/cg15-3-3-chap11-authtypes.html#pgfId-1101213
It does look fairly simple, compare your configuration with the sample one. You could also try to configure it in the GUI, I think that is easier with this model.
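
A consistency check for the names in the posted configuration, as an added example that is not part of the thread and not Cisco tooling: it cross-references each "ip admission name" rule against its ACL and AAA method list, and reports Dot11Radio subinterfaces that carry a web-auth SSID's VLAN without an attached rule, the condition the debug line names. The sample config is constructed from the lines posted above, and treating the VLAN subinterface as the attachment point is an assumption taken from the first reply.

```python
import re
# Constructed sample: relevant lines of the thread's config, indented under their parent.
CONFIG = """\
aaa authentication login WEB-LIST group radius
ip admission name WEB-AUTH proxy http list WEB-AUTH-ACL
ip admission name WEB-AUTH method-list authentication WEB-LIST
dot11 ssid Invitados
 vlan 300
 web-auth
interface Dot11Radio0
 ip admission WEB-AUTH
interface Dot11Radio0.300
 encapsulation dot1Q 300
ip access-list extended WEB-AUTH-ACL
"""

def sections(text):
    """Map each top-level line to the indented sub-commands that follow it."""
    out, head = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and head is not None:
            out[head].append(line.strip())
        else:
            head = line.strip()
            out.setdefault(head, [])
    return out

def audit_web_auth(text):
    """Return findings: dangling ACL/method-list names, then unattached rules."""
    sec, findings = sections(text), []
    rules = {h.split()[3] for h in sec if h.startswith("ip admission name ")}
    for h in sec:
        m = re.match(r"ip admission name (\S+) proxy http list (\S+)", h)
        if m and f"ip access-list extended {m.group(2)}" not in sec:
            findings.append(f"rule {m.group(1)}: ACL {m.group(2)} not defined")
        m = re.match(r"ip admission name (\S+) method-list authentication (\S+)", h)
        if m and not any(s.startswith(f"aaa authentication login {m.group(2)} ") for s in sec):
            findings.append(f"rule {m.group(1)}: method list {m.group(2)} not defined")
    for h, body in sec.items():
        if h.startswith("dot11 ssid ") and "web-auth" in body:
            vlan = next((b.split()[1] for b in body if b.startswith("vlan ")), None)
            for ifname, ibody in sec.items():
                on_vlan = ifname.startswith("interface Dot11Radio") and f"encapsulation dot1Q {vlan}" in ibody
                attached = {b.split()[2] for b in ibody if b.startswith("ip admission ")}
                if on_vlan and not attached & rules:
                    findings.append(f"{ifname.split()[1]}: no ip admission rule for SSID {h.split()[2]} (vlan {vlan})")
    return findings
```

An empty result only means the names line up; as the follow-up reply shows, attaching the rule to Dot11Radio0.300 did not change the behaviour in this case.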