Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1839
Views
0
Helpful
4
Replies

C9800 WLC Web authentication DHCP DNS settings

117222400
Level 1
Level 1

‎06-05-2023 08:56 PM

Hi Experts,

About the Web Authentication on C9800 WLC, we are using 17.3.7 IOS XE . And created a DHCP pool on it for Guest user ( push 8.8.8.8 and 8.8.4.4 as DNS server). We also configured the Web Authentication (Captive Portal - Consent), https, and url guestwifi.xxx.com.

I went through carefully about the Web Auth instruction, and it seems there is nothing mentioned about DNS resolution for the url guestwifi.xxx.com to 192.0.2.1, just curious about how did the client resolve the url to the ip address.

I think it can't be solved from 8.8.8.8, and at the same time the client didn't pass the authentication, it couldn't contact with other DNS servers).

That's the scenario we meet at the production practise. We add the DHCP server's IP address as the third DNS server in the DHCP, and by capturing packets on the client, we can see the DHCP sever (WLC) did replied the DNS request (resolving guestwifi.xxx.com to 192.0.2.1)

Any suggestion about this? is it a right setting? 

Thanks very much.

 

Labels:
0 Helpful
4 Replies 4

Rich R
VIP
VIP

‎06-06-2023 03:44 PM

- Your pre-auth ACL should allow access to DHCP and DNS

- If you rely purely on internet (Google) DNS then you should use a publicly registered domain name, with a public IP which internet DNS will resolve for that domain name. All the Cisco guides say you shouldn't use public IPs but it's fine if it's an actual registered IP which you own and not routable to/from internet.  Your portal certificate must also match that registered domain name,  Otherwise you need to set up an internal DNS which you can use with 192.0.2.1.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

117222400
Level 1
Level 1
In response to Rich R

‎06-06-2023 05:43 PM

Hi Rich,

Thank you very much for your reply.

1. I found it seems there is no pre-auth ACL assigned to the Guest WLAN's policy:

117222400_0-1686097798121.png

There is a preauth_v4 ACL as below, but it seems the default one, and didn't be used.

117222400_1-1686098085146.png

 

Does the setting mean that if the guest user didn't finish web-auth, all traffic will be blocked, including DNS request ? ( But DHCP ACK packet can be receive as the DHCP server is the SVI in the same VLAN , The client did receive the IP address).

2. I checked the guestwifi.xxx.com, it can be solved to 192.0.2.1, so I think using purely Google service should be good in our environment.

Thanks again and much appreciated.

George

 

 

0 Helpful

Rich R
VIP
VIP

‎06-06-2023 10:21 PM

The WLAN ACL is a security/traffic filter ACL - applies to all traffic on the WLAN irrespective of auth state.

The pre-auth ACL is applied on the WLAN:  Configuration -> Tags & Profiles -> WLANs
Edit WLAN -> Security -> Layer3 -> Show Advanced Settings >>> Preauthentication ACL

Personally I don't use the GUI, only CLI, so it took a little while to work out where to find that!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

117222400
Level 1
Level 1
In response to Rich R

‎06-08-2023 09:10 PM - edited ‎06-08-2023 09:44 PM

Hi Rich

Thanks again for your reply, and I checked the Preauthentication ACL settings you mentioned in the WLAN, it is blank, which means no any pre-auth ACL applied.

Then, will all the traffic be blocked if the user didn't finish the Web Auth? If yes, maybe the user can't finish the authentication at all, because the captive portal: https://guestwifi.xxx.com can't be resolved to 192.0.2.1. ( needs to send to 8.8.8.8 for resolution.)

But the weird is, I did see the UDP 53 traffic from the client to 8.8.8.8 was allowed on the firewall's log, which means the traffic was not blocked.(Maybe that is the gateway's fault, the gateway is a Checkpoint firewall, not the SVI )

( A work around solution is to add the SVI as the DNS server in DHCP to resolve the captive portal for the client, or for mobile users, they can keep 4G connected to resolve it from 8.8.8.8)

Much appreciated for your reply.

George

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card