9800 External Webauth

dm2020 (Level 5)

Hi All,

I'm currently setting up External Webauth on a Cisco 9800 and I'm trying to work out which commands need to be configured under the global parameter map. So far I have the following:

parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com
 trustpoint <trustpoint for wifi.domain.com>
 

However, I'm unsure if I need any of the following commands:

intercept-https-enable
webauth-http-enable
secure-webauth-disable

This is going to be used for a public hotspot. I know that some devices will complain if they are redirected to a non-secure site, so I'm assuming that 'secure-webauth-disable' is probably not recommended; however, I'm unsure about the other commands. What have others configured that works well for public guest wireless?

 

6 Replies

Mark Elsen (Hall of Fame)

- You may find these documents informational:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217457-configure-and-troubleshoot-external-web.html

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/web-authentication/b-configuring-web-based-authentication-on-cisco-catalyst-9800-series-controllers/m-external-web-authentication-configuration.html

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Thanks,

I've had a read and it appears that the behaviours have changed in IOS-XE 17.3 with regard to HTTP/HTTPS for Webauth.

As we only want HTTPS access to the WLC for admin, and both HTTP and HTTPS access to the WLC for Webauth, we need to configure the following:

parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com
 trustpoint <trustpoint for wifi.domain.com>
 webauth-http-enable
!
no ip http server
ip http secure-server

 

Question - We also have the following configured on the WLC for hardening the web interface. Will this have an impact on Webauth, or are these commands only applicable to the WLC admin web interface? I couldn't find this documented anywhere.

ip http access-class ipv4 <access list>
ip http authentication aaa
ip http tls-version TLSv1.2

 

>...Will this have an impact on Webauth or are these commands only applicable for the WLC admin web interface? I couldn't find this documented anywhere

>...ip http tls-version TLSv1.2

- I tend to believe this does not impact webauth. As a consistency check, however, for the current 9800 configuration you may review it with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer.

M.

  




Rich R (VIP)

Ours is:
parameter-map type webauth global
type webauth
virtual-ip ipv4 <ip> virtual-host <FQDN>
intercept-https-enable
trustpoint <trustpoint>.p12

Don't know about the access-class or TLS, and aaa definitely only applies to the admin GUI. But I do seem to recall breaking something when turning off ip http server (we have it enabled now), possibly the device captive portal assistant redirect (which is always http to avoid cert errors). Test with and without to confirm and let us know for the record.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
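The thread so far has two configs on the table (the poster's 17.3-style one with 'webauth-http-enable' plus 'no ip http server', and Rich R's one with 'intercept-https-enable'), and an open question about whether the 'ip http' hardening lines touch webauth. The script below is an added example, not code from the thread or from Cisco: it parses the 'parameter-map type webauth global' block and the top-level 'ip http' lines out of a running-config and reports the knobs discussed above. The two sample configs, the trustpoint name WIFI-DOMAIN-COM and the ACL name MGMT-ACL are constructed for illustration; the findings are deliberately limited to what the thread states (a 'secure-webauth-disable' portal is plain HTTP and devices complain about non-secure redirects; 'ip http server' off without 'webauth-http-enable' means no HTTP webauth on 17.3+; 'tls-version' is reported as admin-GUI hardening with no observed webauth impact).

```python
"""Audit the webauth-relevant lines of a Catalyst 9800 running-config.

Added example, not from the thread or from Cisco. Sample configs and the
trustpoint/ACL names are constructed; findings stay within what the thread says.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sub-commands of the global webauth parameter map debated in the thread.
MAP_FLAGS = {"intercept-https-enable", "webauth-http-enable", "secure-webauth-disable"}

VIRTUAL_IP_RE = re.compile(r"^virtual-ip ipv4 (\S+)(?: virtual-host (\S+))?")
TRUSTPOINT_RE = re.compile(r"^trustpoint (\S+)")
TLS_RE = re.compile(r"^ip http tls-version (\S+)")


@dataclass
class WebauthAudit:
    virtual_ip: Optional[str] = None
    virtual_host: Optional[str] = None
    trustpoint: Optional[str] = None
    flags: Set[str] = field(default_factory=set)
    http_server: Optional[bool] = None      # None = not explicit in the config
    https_server: Optional[bool] = None
    tls_version: Optional[str] = None
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (severity, text)


def parse_webauth_config(config: str) -> WebauthAudit:
    """Collect webauth settings. Map sub-commands may be indented (CLI output) or
    flush-left (as pasted in the thread); '!', another 'parameter-map' or an
    'ip http' line ends the map."""
    audit = WebauthAudit()
    in_map = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!" or line.startswith("parameter-map "):
            in_map = line == "parameter-map type webauth global"
            continue
        if line.startswith(("ip http", "no ip http")):
            in_map = False
            if line == "ip http server":
                audit.http_server = True
            elif line == "no ip http server":
                audit.http_server = False
            elif line == "ip http secure-server":
                audit.https_server = True
            elif line == "no ip http secure-server":
                audit.https_server = False
            elif (m := TLS_RE.match(line)):
                audit.tls_version = m.group(1)
            continue                       # access-class / authentication: recorded nowhere, admin-GUI only per thread
        if not in_map:
            continue
        if (m := VIRTUAL_IP_RE.match(line)):
            audit.virtual_ip, audit.virtual_host = m.group(1), m.group(2)
        elif (m := TRUSTPOINT_RE.match(line)):
            audit.trustpoint = m.group(1)
        elif line in MAP_FLAGS:
            audit.flags.add(line)
    audit.findings = evaluate(audit)
    return audit


def evaluate(a: WebauthAudit) -> List[Tuple[str, str]]:
    """'warn' = change before using this on a public hotspot; 'info' = expected behaviour."""
    out: List[Tuple[str, str]] = []
    if "secure-webauth-disable" in a.flags:
        out.append(("warn", "secure-webauth-disable set: portal is plain HTTP; the OP notes "
                            "some devices complain about non-secure redirects"))
    if a.virtual_host and not a.trustpoint:
        out.append(("warn", "virtual-host set without a trustpoint: the HTTPS portal will not "
                            "present a certificate issued for that name"))
    if a.http_server is False and "webauth-http-enable" not in a.flags:
        out.append(("warn", "ip http server disabled without webauth-http-enable: per the "
                            "thread's reading of IOS-XE 17.3+, HTTP webauth is not served"))
    if a.https_server is False and "secure-webauth-disable" not in a.flags:
        out.append(("warn", "ip http secure-server disabled: HTTPS portal unavailable"))
    if "intercept-https-enable" in a.flags:
        out.append(("info", "intercept-https-enable: HTTPS clients are redirected and will see "
                            "certificate warnings (reported in the thread as unavoidable)"))
    if a.tls_version:
        out.append(("info", f"ip http tls-version {a.tls_version}: admin-GUI hardening; the "
                            "thread reports no observed impact on webauth"))
    return out


# Constructed samples (names made up): the OP's proposed config, and a weak variant.
OP_PROPOSED = """\
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com
 trustpoint WIFI-DOMAIN-COM
 webauth-http-enable
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ACL
ip http authentication aaa
ip http tls-version TLSv1.2
"""

WEAK = """\
parameter-map type webauth global
 virtual-ip ipv4 192.0.2.1 virtual-host wifi.domain.com
 secure-webauth-disable
!
no ip http server
"""

if __name__ == "__main__":
    for name, cfg in (("proposed", OP_PROPOSED), ("weak", WEAK)):
        for sev, text in parse_webauth_config(cfg).findings:
            print(f"[{sev}] {name}: {text}")
```

Feed it `show running-config` output (or the relevant sections) and the 'weak' sample shows the three things the thread would push back on for a public hotspot: plain-HTTP portal, no trustpoint for the virtual host, and HTTP webauth silently lost when 'ip http server' is turned off without 'webauth-http-enable'. Whether 'ip http access-class' affects the portal is left unreported because the thread does not settle it.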

Thanks for the reply. That is very helpful.

Regarding https intercept, do you have any issues with this, and are there any noticeable performance issues/high CPU increase on the WLC?

Rich R (VIP)

>...Regarding https intercept, do you have any issues with this and is there any noticeable performance issues/high CPU increase on the WLC?

We haven't seen any problems with it. Obviously a user getting https redirected will get cert and/or security warnings, but that's unavoidable.

 
