
Cisco 9800-L-C guest network configuring issue

Demandonio
Level 1

Hi all,

I'm having an issue configuring guest authentication with a new Cisco 9800-L-C WLC.

I followed this guide: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213923-configure-a-web-authentication-ssid-on-c.html

When I try to connect, I'm not getting any kind of redirect to the login page. For now this is a local network, but when it works I will also configure Flex APs for 2 other branches.

Can anybody help me?

Thank you

 

9 Replies

Scott Fella
Hall of Fame

Well it seems like you are not using ISE and doing internal web auth from the 9800 controller. If that is the case, review this blog as you most likely are missing a few steps. 
https://wifininjas.net/2019/10/24/wn-blog-017-cisco-c9800-local-web-auth-config/amp/

-Scott
*** Please rate helpful posts ***

Hi Scott,

thank you for your answer.

Correct, I'm not using ISE. I checked the blog you linked, and I could see that I did almost all of the necessary things, but these two:

I didn't configure any kind of external redirection because I'm expecting just a local redirection to the login page;

I couldn't enable mobility anchor, because when I do it, the SSID disappears and even after a lot of time, it doesn't become available again.

The other settings are the same.

What else can I check?

Thank you

 

Arshad Safrulla
VIP Alumni

Hi,

A mobility anchor is required only if you have an anchor controller. But in your case I guess the issue is that you don't have a working DNS server, so the client will be redirected to the captive portal once the client's captive portal detection mechanism kicks in. The client has to send an HTTP request so the WLC can intercept it; in case you don't have DNS working, the client will not be able to send an HTTP request to whatever URL it uses for captive portal detection. For testing you can open the page by entering http://192.0.2.1 or any other IP, without any dependency on DNS.

Yep I can confirm that I am configuring it in a lab environment.

In a few hours I can have a working dns server and an internet connection and I will test it.

Thank you for your advice, I'll give you updates soon.

 

Hi all,

sorry for the late update. 

I joined the WLC and some APs in the environment and now everything is working fine.

While logging in to the guest webauth network, I need to let users authenticate via HTTP instead of HTTPS, because of an SSL error.

How can I do it?

I followed the instructions here but the commands do not exist anymore I guess:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_sec_webauth_cg.html

webauth-http-enable

secure-webauth-disable

 

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc28

Web Authentication on HTTP Instead of HTTPS

You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.

For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.

For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller!

On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.

 

 

In both cases I can't find the commands.

Can you help me find the way to redirect to the virtual IP 192.0.2.1 with HTTP, for the authentication?

Thank you!

That command is present.

config t

parameter-map type webauth global
   webauth-http-enable
   secure-webauth-disable
-Scott
*** Please rate helpful posts ***

Keep in mind, you need to install a 3rd party trusted certificate if you want to use https.  Here is a link to help you with that if you go that route.

Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco

-Scott
*** Please rate helpful posts ***

Great to hear that you got it working. Since you want to use HTTP for web auth, I believe that you are aware of the security implications that come bundled with it. To control the HTTP and HTTPS requests sent to the web authentication module of the WLC you need to run 17.3.1 or higher. Another prerequisite is that you enable the HTTP servers based on your requirement.

If you want management access via https, but http access to captive portal

no ip http server
ip http secure-server

parameter-map type webauth global
   webauth-http-enable
   secure-webauth-disable

If you need http access only to both management and captive portal

ip http server
no ip http secure-server

If you need both http and https access to management and http access only to captive portal

ip http server
ip http secure-server

parameter-map type webauth global
   secure-webauth-disable

All the options are listed here for more information:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_sec_webauth_cg.html#:~:text=Table%202.%20CLI%20Combinations
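
As an added illustration (not part of the thread and not Cisco code), this Python sketch reads a running-config excerpt and maps it to the three combinations listed in the reply above, flagging where the guest login or the management GUI ends up on cleartext HTTP. The sample config and all function names are constructed for this example; a combination the thread does not list is reported as unlisted rather than guessed.

```python
# Keys: (ip http server, ip http secure-server,
#        webauth-http-enable, secure-webauth-disable)
# Values: (management access, captive portal access), as stated in the thread.
COMBOS = {
    (False, True, True, True): ("https", "http"),
    (True, False, False, False): ("http", "http"),
    (True, True, False, True): ("http+https", "http"),
}
TOP = ("ip http server", "ip http secure-server")
SUB = ("webauth-http-enable", "secure-webauth-disable")

def parse(config):
    """Return on/off state of the four commands in a config excerpt."""
    state = {cmd: False for cmd in TOP + SUB}
    in_global_map = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if not raw[0].isspace():  # top-level command opens a new context
            in_global_map = line == "parameter-map type webauth global"
            if cmd in TOP:
                state[cmd] = not negated
        elif in_global_map and cmd in SUB:
            # only count sub-commands under the global webauth parameter map
            state[cmd] = not negated
    return state

def audit(config):
    """Return (management, portal, findings) for a config excerpt."""
    s = parse(config)
    key = tuple(s[cmd] for cmd in TOP + SUB)
    mgmt, portal = COMBOS.get(key, ("unlisted", "unlisted"))
    findings = []
    if portal == "http":
        findings.append("guest portal login sent over cleartext HTTP")
    if "http" in mgmt.split("+"):
        findings.append("management GUI reachable over cleartext HTTP")
    if mgmt == "unlisted":
        findings.append("combination not listed in the thread; check Cisco's CLI table")
    return mgmt, portal, findings

# Constructed sample: HTTPS management, HTTP captive portal.
SAMPLE = """no ip http server
ip http secure-server
!
parameter-map type webauth global
 webauth-http-enable
 secure-webauth-disable
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
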

 

Demandonio
Level 1

You got it, there was the 16.12 version of IOS.

I updated the IOS and now I'm able to issue the secure-webauth-disable command to avoid clients getting an SSL error.

Thank you all for your support!

Antonio De Mattia
