9800 WLC L-F. need splash page and guest wifi SSID

cisconn00b
Level 1

Hello, I am trying to figure out how to create a guest wifi SSID with limited privileges. I also need it to have a splash page, kind of like when you go into a Starbucks to connect to their wifi and you need to accept their terms and conditions before getting internet access. The wireless controller is a 9800 WLC L-F. I currently have one WLAN running on the "user" VLAN, and clients are able to connect to it, pull an IP address from DHCP on the switch, and connect to the internet after entering the PSK password.

 

Any help or push in the right direction would be much appreciated. I am new to configuring wireless controllers (and anything network-related overall) and have been stuck on this for the last week and a half. Thank you.

4 Replies

cisconn00b
Level 1

Is there a way to force the client device to open a browser to navigate straight to the splash page virtual IP address 192.0.2.1? If I am on a laptop connecting to the guest wifi, I almost always have to input a random website address such as cisco.com in order to be redirected to the splash page. Some websites like cisco are able to redirect to the splash page and some, like youtube or google, aren't. This is a problem because if it doesn't redirect right away, the user might not try another website in order to redirect, and they definitely won't know the splash IP address 192.0.2.1.

I configured it using Local web authentication.

Configuration > Security > Web Auth > Web Auth Parameter Map, name: global

      Type: webauth

      Virtual IPv4 address: 192.0.2.1 by default

Configuration > Security > AAA > AAA Method List > Authentication

      Type: login      Group type: local

Configuration > Security > AAA > AAA Method List > Authorization

      Type: network      Group type: local

Under Configuration > Tags and Profiles > WLANs > guestnetwork

      Layer 2: Layer 2 security mode: none


Arshad Safrulla
VIP Alumni

Do you have both http and http secure-server enabled in your WLC? If not, enable them and check.

Taking security into consideration, my recommendation will be as below:

parameter-map type webauth global
 type webauth
 virtual-ip ipv4 192.0.2.1
 virtual-ip ipv6 2001:DB8::1
 ! this is to enable captive portal on port 80
 webauth-http-enable
!
ip http secure-server
! disable management access for WLC for http
no ip http server
!
You can enable intercept-https-enable under parameter map if you have a public certificate assigned to the WLC.

That being said, most clients running the latest operating systems have built-in captive portal detection mechanisms. These check for captive portals without any user intervention and prompt the user to log in via a notification, or some clients can open a web page by default. That being said, Apple clients and Windows 11 clients are well known to cause issues similar to yours, so if that's the case, try to install the latest patches and try again, or reach out to their support teams.

I had the settings you have below minus the virtual IPv6. I don't have a public certificate assigned to the WLC or a trustpoint set up in webauth global. I just need users to access the wifi on site with Chrome and log in to the splash page with a guest user account without too much troubleshooting on their end. I tried on multiple laptops running Windows 10 and the latest version of Chrome.
When using Firefox, it actually has a captive portal detector and I can get to it with ease after adding an exception for the invalid security certificate (self-signed) error.


parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
banner text ^Ctesting testing^C
logout-window-disabled
success-window-disable
webauth-http-enable

no ip http server
ip http authentication local
ip http secure-server

 

https://192.0.2.1/login.html?redirect=http://cisco.com/
This is what the link looks like when it redirects successfully right away.

Using Chrome, if I type in a .com website it will usually redirect right away for many sites. However, if I try some other sites like google/youtube/google search in the address bar, it will time out.

This site can’t be reached reddit.com
took too long to respond.
Your connection was interrupted
A network change was detected.
ERR_NETWORK_CHANGED

https://192.0.2.1/login.html?redirect=http://www.gstatic.com/generate_204
I mostly time out for sites like google, or it might finally redirect me after 3-5 minutes and multiple tries.
Might be because it is automatically trying to go for HTTPS.

Thank you all for your help!
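
A small probe in the style of the operating-system captive portal checks discussed in this thread, added here as an example (it is not code from any poster or from Cisco): it sends one plain-HTTP request to the generate_204 URL seen above without following redirects, and reports whether the answer points at the virtual IP 192.0.2.1. The function names and state labels are assumptions made for the example, and the 200-with-meta-refresh branch is there because a portal may redirect that way instead of with a 3xx.

```python
import http.client
import re
from urllib.parse import urlsplit, parse_qs

PROBE_URL = "http://www.gstatic.com/generate_204"  # plain-HTTP probe URL seen in the thread
VIRTUAL_IP = "192.0.2.1"                           # virtual IP from the thread's parameter map
META_REFRESH = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'>\s]+)', re.I)


def classify(status, location=None, body="", virtual_ip=VIRTUAL_IP):
    """Return (state, login_url, original_url) for one probe response."""
    if status == 204:
        return ("open", None, None)  # probe reached the real server, nothing intercepted it
    target = location if 300 <= status < 400 else None
    if target is None and status == 200:
        match = META_REFRESH.search(body)  # some portals answer 200 with a meta refresh
        target = match.group(1) if match else None
    if target is None:
        return ("unexpected", None, None)
    parts = urlsplit(target)
    original = parse_qs(parts.query).get("redirect", [None])[0]
    state = "portal" if parts.hostname == virtual_ip else "redirect-other"
    return (state, target, original)


def probe(url=PROBE_URL, timeout=5.0):
    """Send one plain-HTTP GET without following redirects and classify the answer."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        # the thread's webauth-http-enable setting is described as covering port 80
        raise ValueError("probe URL must be plain http://")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return classify(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException):
        return ("no-response", None, None)  # nothing usable came back on port 80
    finally:
        conn.close()


if __name__ == "__main__":
    # Run from a laptop joined to the guest SSID, before logging in.
    print(probe())
```

A "portal" result before login and "open" after login is the expected pair; "no-response" on the plain-HTTP probe means the problem is not limited to HTTPS sites.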
