Solved: Cisco 2504 Controller webauth login.html failed on windows

trakimanhminh · ‎07-08-2020

Hi everyone,

I meet an issue about Cisco 2504 web authentication with firmware: 8.5.140. Here is the configuration:

DNS Server IP............................... 8.8.8.8
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode SSL Protocol................ Disable
Web CSRF check.............................. Enable

IPv4 AP Multicast/Broadcast Mode............ Multicast Address : 239.0.0.0
IPv6 AP Multicast/Broadcast Mode............ Multicast Address : ::
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds

Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
Mesh Backhaul RRM........................... Disable
AP Fallback ................................ Enable
AP EasyAdmin ............................... Disable
AP Virtual IP .............................. 0.0.0.0
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect ................... Disable
Web Auth Captive-Bypass .................. Disable
Web Auth Secure Web ....................... Enable
Web Auth Secure Web Cipher Option ......... Disable
Web Auth Secure Web Sslv3 ................. Disable
Web Auth Secure Redirection ............... Disable
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable
oeap-600 dual-rlan-ports ................... Disable
oeap local-network ......................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
WebPortal NTF_LOGOUT Client ................ 0
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Default
Capwap Prefer Mode.......................... IPv4
Network Profile............................. Disabled
Client ip conflict detection (DHCP) ........ Disabled
Mesh BH RRM ................................ Disable
Mesh Aggressive DCA......................... Disable
Mesh Auto RF................................ Disable
HTTP Profiling Port......................... 80
HTTP-Proxy Ip Address....................... 0.0.0.0
HTTP-Proxy Port............................. 80
WGB Client Forced L2 Roam................... Disabled

The IP Virtual is: 192.0.2.1, DNS Hostname is blank.

Layer2 Security: None

Layer 3 Security: Web Policy, Passthrough

The problem is web authentication work perfectly on Apple device, but not succeed on Windows.

Can anyone suggest me how to solve this trouble?

Thanks a lot!

trakimanhminh · ‎07-08-2020

At last, my problem is solved. It is caused by Chrome Browser. I change to Microsoft Edge, and the login page appear.
Further more, can anyone tell me how to solve this problem on Google Chrome?

View solution in original post

Rich R · ‎07-08-2020

> can anyone tell me how to solve this problem on Google Chrome?
Well you need to answer the questions people have already asked you and/or provide the screenshots requested.
As Pat suggested this could be a certificate problem.
Have you installed a proper certificate on the WLC which can be verified/trusted by Chrome?
Also www.gstatic.com/generate_204 is the Google/Chrome captive portal detection URL and if you actually get redirected to that after login it might seem like nothing happened but all that URL does is deliver a 204 response with a blank page.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Rich R · ‎07-08-2020

"but not succeed on Windows" - what do you mean?
What doesn't succeed?
What debugging have you done?
Have you got a packet capture?

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

trakimanhminh · ‎07-08-2020

When I connect to the SSID, it appears the link:

https://192.0.2.1/fs/customwebauth/login.html?switch_url=https://192.0.2.1/login.html&ap_mac=70:b3:17:96:50:60&client_mac=d4:3b:04:78:4a:8d&wlan=Test&redirect=www.gstatic.com/generate_204

Picture is attached. I have tried to turn the firewall off, but it's no use. Otherwise, it works perfectly on Iphone and Android.

"What debugging have you done?" What command should I use to get the information? I check the message logs, but it seems to show nothing.

Thanks in advance!

Best regards

M.

patoberli · ‎07-08-2020

And what happens if you click on Connect in the image you've attached?
Please also include the URL bar in the next image, I'm curious if the browser trusts the certificate (I guess it doesn't).

patoberli · ‎07-08-2020

And most important, do you get an error message on the client?
What happens if you browse directly to the guest portal IP in the browser?

trakimanhminh · ‎07-08-2020

When I press connect, there's nothing happen! Also, I don't receive any error message from client.

I have try http (or) https:// 192.0.2.1/login.html, but look like can't connect. Always the picture like above appears.

trakimanhminh · ‎07-08-2020

At last, my problem is solved. It is caused by Chrome Browser. I change to Microsoft Edge, and the login page appear.
Further more, can anyone tell me how to solve this problem on Google Chrome?

marce1000 · ‎07-08-2020

- For starters clear your cache and all cookies.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎07-08-2020

> can anyone tell me how to solve this problem on Google Chrome?
Well you need to answer the questions people have already asked you and/or provide the screenshots requested.
As Pat suggested this could be a certificate problem.
Have you installed a proper certificate on the WLC which can be verified/trusted by Chrome?
Also www.gstatic.com/generate_204 is the Google/Chrome captive portal detection URL and if you actually get redirected to that after login it might seem like nothing happened but all that URL does is deliver a 204 response with a blank page.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

trakimanhminh · ‎07-11-2020

Yes, I haven't installed the trusted certificate which is verified by Chrome. And that's my problem.

Besides, I am choosing to disable https because it maybe convenience to me. The web authentication works with all browser without any trouble now!

Here is the command:
(WLC)> config network web-auth https-redirect disable
After that, reboot the controller to get this command to work.

Thanks all for helping me to solve this trouble!

Cisco 2504 Controller webauth login.html failed on windows

Cisco ISE and Microsoft Windows Autopilot

Cisco CML: "Failed to Choose a Suitable Compute Host"

Doc - L4-L7 Services con Cisco Nexus Dashboard Fabric Controller

Umbrella: Cisco Secure Client の DART について (Windows 版)

Cisco Wireless 1.1.1.1/login.html redirect issues