06-28-2022 02:47 PM
Hello, I am trying to figure out how to create a guest wifi SSID with limited privileges. I also need it to have a splash page, kind of like when you go into a Starbucks to connect to their wifi and you need to accept their terms and conditions before getting internet access. Wireless controller is 9800 WLC L-F. Currently have one WLAN running on the "user" vlan, and clients are able to connect to it, pull an IP address from DHCP on the switch, and connect to the internet after entering the PSK password.
Any help or push in the right direction would be much appreciated. I am new to configuring wireless controllers (and anything network related overall), and have been stuck on this for the last week and a half. Thank you.
06-28-2022 02:57 PM - edited 06-28-2022 02:58 PM
Check this guide, it can help you:
https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/
If you have ISE and Radius :
09-26-2022 09:58 PM
Is there a way to force the client device to open a browser and navigate straight to the splash page virtual IP address 192.0.2.1? If I am on a laptop connecting to the guest wifi, I almost always have to input a random website address such as cisco.com in order to be redirected to the splash page. Some websites, like cisco, are able to redirect to the splash page and some, like youtube or google, aren't. This is a problem because if it doesn't redirect right away, the user might not try another website in order to redirect, and they definitely won't know the splash IP address 192.0.2.1.
I configured it using Local web authentication.
Configuration>Security>webauth > web Auth Parameter-map name global.
Type: webauth
Virtual IPv4 address: 192.0.2.1 by default
Configuration>security>AAA>AAA Method List> Authentication
Type: login group type: local
Configuration>security>AAA>AAA Method List> Authorization
Type: network group type: local
under Configuration> tags and Profiles > WLANs> guestnetwork
Layer 2- layer 2 security mode: none.
09-28-2022 01:23 PM
Do you have both http and http secure-server enabled in your WLC? If not, enable it and check.
Taking security into consideration, my recommendation is as below:
parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 2001:DB8::1
 ! enable the captive portal on port 80
 webauth-http-enable
!
ip http secure-server
! disable HTTP management access to the WLC
no ip http server
!
You can enable intercept-https-enable under parameter map if you have a public certificate assigned to the WLC.
That being said, most of the clients running the latest operating systems have built-in captive portal detection mechanisms. This will check for captive portals without any user intervention and prompt the user to log in via a notification, or some clients can open a web page by default. That being said, Apple clients and Windows 11 clients are well known to cause issues similar to yours, so if that's the case, try to install the latest patches and try again, or reach out to their support teams.
09-29-2022 08:40 AM
I had the settings you have below minus the virtual ipv6. I don't have a public certificate assigned to WLC or a trustpoint set up in webauth global. Just need for users to access the wifi on site with Chrome and login to splash page with guest user account without too much troubleshooting on their end. I tried on multiple laptops running Windows 10 and latest version of Chrome.
When using Firefox, it actually has a captive portal detector and I can get to it with ease after adding an exception for the invalid security certificate (self-signed) error.
parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
banner text ^Ctesting testing^C
logout-window-disabled
success-window-disable
webauth-http-enable
no ip http server
ip http authentication local
ip http secure-server
https://192.0.2.1/login.html?redirect=http://cisco.com/
This is what the link looks like when it redirects successfully right away.
Using Chrome, if I type in a .com website it will usually redirect right away for many sites. However, if I try some other sites like google/youtube/google search in the address bar, it will time out.
This site can’t be reached reddit.com
took too long to respond.
Your connection was interrupted
A network change was detected.
ERR_NETWORK_CHANGED
https://192.0.2.1/login.html?redirect=http://www.gstatic.com/generate_204
I mostly time out for sites like google, or it might finally redirect me after 3-5 minutes and multiple tries.
It might be because it is automatically trying to go for HTTPS.
Thank you all for your help!
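
Added example (not written by any poster in this thread, and not Cisco code): a Python probe that sends the same kind of plain-HTTP `generate_204` request an OS captive-portal detector sends and classifies the answer without following the redirect. `FakeWlc`, `classify`, `probe` and `demo` are hypothetical names, and `FakeWlc` is a constructed local stand-in that only mimics the redirect URL shape quoted above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

PORTAL = "https://192.0.2.1/login.html"  # virtual-IP login page seen in the thread


class FakeWlc(BaseHTTPRequestHandler):
    """Constructed stand-in for the controller: 302s every plain-HTTP GET."""
    def do_GET(self):
        # Rebuild the URL the client asked for, as the thread's redirect does.
        original = f"http://{self.headers['Host']}{self.path}"
        self.send_response(302)
        self.send_header("Location", f"{PORTAL}?redirect={original}")
        self.end_headers()


def classify(status, location):
    """204 = open internet; a redirect = a portal intercepted the probe."""
    if status == 204:
        return {"state": "open"}
    if status in (301, 302, 303, 307) and location:
        url = urlsplit(location)
        original = parse_qs(url.query).get("redirect", [None])[0]
        portal = f"{url.scheme}://{url.netloc}{url.path}"
        return {"state": "captive", "portal": portal, "original": original}
    return {"state": "unexpected"}


def probe(addr, port, host="www.gstatic.com", path="/generate_204"):
    """Send one plain-HTTP probe and do not follow the redirect."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def demo():
    """Probe the constructed local redirector (no real WLC or network needed)."""
    server = HTTPServer(("127.0.0.1", 0), FakeWlc)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Run from a client on the guest SSID, `probe` with a real destination address and port 80 shows whether plain-HTTP requests are being answered with the login redirect; it does not exercise HTTPS requests.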