
Cisco Wireless AP 2602 - Web Authentication/Pass NOT working?

loolianwee
Level 1
Product/Model Number: AIR-CAP2602E-A-K9
Top Assembly Serial Number:
System Software Filename: ap3g2-k9w7-xx.152-4.JB3a
System Software Version: 15.2(4)JB3a
Bootloader Version:

BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)

 

When the "Web Authentication/Pass" option is checked, it is totally inaccessible to the internal or external network. Any clue/advice?

 

Thanks in advance.

14 Replies

Scott Fella
Hall of Fame

Can you be more specific? You still have console access, correct?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

The new software update added a new authentication method using either web auth or web pass. I have set that and created a user/password under management for web auth, but it's not working...

Have you looked at this guide?

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/116897-configure-technology-00.html

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks, it seems I missed the RADIUS part; after I did that there's still no luck. Here is some tech support info; are you able to help?

------------------ show version ------------------

Cisco IOS Software, C2600 Software (AP3G2-K9W7-M), Version 15.2(4)JB3a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 23-Dec-13 08:11 by prod_rel_team

ROM: Bootstrap program is C2600 boot loader
BOOTLDR: C2600 Boot Loader (AP3G2-BOOT-M) LoaderVersion 12.4(25e)JA1, RELEASE SOFTWARE (fc1)

WuGa-CiscoAP uptime is 3 days, 19 minutes
System returned to ROM by power-on
System restarted at 23:18:39 +0800 Mon Feb 10 2014
System image file is "flash:/ap3g2-k9w7-mx.152-4.JB3a/ap3g2-k9w7-xx.152-4.JB3a"
Last reload reason:

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-SAP2602E-A-K9 (PowerPC) processor (revision A0) with 204790K/57344K bytes of memory.
Processor board ID FGL1650Z5X3
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: E0:2F:6D:A3:4D:0B
Part Number                          : 73-14511-02
PCA Assembly Number                  : 800-37898-01
PCA Revision Number                  : A0
PCB Serial Number                    : FOC164889AN
Top Assembly Part Number             : 800-38357-01
Top Assembly Serial Number           : FGL1650Z5X3
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP2602E-A-K9

Configuration register is 0xF

------------------ show running-config ------------------

Building configuration...

Current configuration : 5276 bytes
!
! Last configuration change at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
! NVRAM config last updated at 23:36:14 +0800 Thu Feb 13 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname WuGa-CiscoAP
!
!
logging rate-limit console 9
enable secret 5
!
aaa new-model
!
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login webauth group radius
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login web_list group radius
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone +0800 8 0
no ip cef
ip admission name webpass consent
ip admission name webauth proxy http
ip admission name webauth method-list authentication web_list
ip admission name web_auth proxy http
ip admission name web_auth method-list authentication web_list
ip admission name web-auth proxy http
ip admission name web-auth method-list authentication web_list
ip name-server 8.8.8.8
!
!
!
!
dot11 syslog
dot11 vlan-name GuestVLAN vlan 2
dot11 vlan-name InternalVLAN vlan 1
!
dot11 ssid Guest
   vlan 2
   web-auth
   authentication open
   mbssid guest-mode
!
dot11 ssid WuGa-6
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 0211115C0A555C721F1D5A4A5644
!
dot11 ssid WuGa-60
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 03084C070900721F1D5A4A56444158
!
!
dot11 guest
  username wuga lifetime 360 password 7 030D5704100A36594908
!
!
!
username Cisco privilege 15 password 7
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid Guest
 !
 ssid WuGa-6
 !
 antenna gain 2
 stbc
 mbssid
 speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 channel 2452
 station-role root
 dot11 dot11r pre-authentication over-air
 dot11 dot11r reassociation-time value 500
 ip admission web-auth
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 ip admission webauth
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid WuGa-60
 !
 antenna gain 4
 peakdetect
 no dfs band block
 stbc
 speed  basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 power local 5
 channel width 40-above
 channel dfs
 station-role root
 dot11 dot11r pre-authentication over-air
 dot11 dot11r reassociation-time value 500
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed 1000
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
!
interface BVI1
 ip address 192.168.133.213 255.255.255.0
!
ip default-gateway 192.168.133.200
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.133.200
ip radius source-interface BVI1
!
ip access-list extended ALL
 permit ip any host 0.0.0.0
 permit ip any any
 permit ip 0.0.0.0 255.255.255.0 any
ip access-list extended All
 permit tcp any any established
 permit tcp any any eq www
 permit ip any any
!
!
radius-server local
  nas 192.168.133.213 key 7 070C285F4D06
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
radius server 192.168.10.2
 address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
!
radius server local
 address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
 key 7
!
bridge 1 route ip
!
!
!
line con 0
 terminal-type teletype
line vty 0 4
 terminal-type teletype
 transport input all
!
sntp server 128.138.141.172
sntp broadcast client
end

If you just use an open authentication for guest just to test, can they associate to the guest SSID, obtain an IP address and access the internet? Let's make sure that's working first.

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***

Oh yes, open authentication with/without cipher works without any issues; as long as web-auth/web-pass is checked, it's not working.

Can someone please help???

I have tried many times using web gui and CLI, no luck....

rmarosko
Level 1

I can likewise confirm this, on an AP3602i running 15.2(4)JA1. It is also pertinent that I am running dot11 mbssid with subinterfaces. Unfortunately the guide which is linked herein does not cover the use of radio subinterfaces on the access point. I have tried with the "ip admission web_auth" command on both the physical radio interface as well as the radio subinterface applicable to the guest access SSID, and am not seeing the HTTP redirection to the authentication page in either situation.  I'm about to upgrade to 15.2(4)JB4 to see if that has any effect.

Additional info... 15.2(4)JB4 did not resolve the issue.

I factory-defaulted the AP and configured from scratch NOT using any mbssid configuration, and WAS SUCCESSFUL in getting the internal web authentication to work. As soon as I re-enabled my multiple-VLAN mbssid configuration, internal web authentication WAS NO LONGER successful.  Thus, it appears that there is a caveat, internal web authentication DOES NOT WORK when a multiple-vlan/mbssid configuration is in place.

I'm going to poke this data back up through the chain through our channel systems engineer and maybe we can get the configuration guide updated.

Is there any solution for this issue?

Hi,

Any updates on this post? I am having the same problem with my AP3502i running 15.3(3)JE.

Abha Jha
Cisco Employee

Please find the link which can be a help in config -

 

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107474-web-pass-config.html

 

Also, in your RADIUS server port config I can see that you have configured 1646 as the acct-port; should it not be 1813?

 

radius server 192.168.10.2
 address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
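
Added example, not part of the thread and not Cisco tooling: a Python check over an IOS running-config that verifies each `ip admission` rule bound to an interface is defined and has a method-list line, and flags `radius server` blocks whose accounting port is not 1813 or that have no `key` line. `SAMPLE` is a constructed excerpt of the config posted above, and `audit` is a hypothetical helper name.

```python
import re

# Constructed excerpt of the running-config posted in this thread (secrets omitted).
SAMPLE = """\
ip admission name webauth proxy http
ip admission name webauth method-list authentication web_list
ip admission name web-auth proxy http
ip admission name web-auth method-list authentication web_list
interface Dot11Radio0
 ip admission web-auth
interface Dot11Radio0.2
 ip admission webauth
radius server 192.168.10.2
 address ipv4 192.168.10.2 auth-port 1812 acct-port 1646
radius server local
 address ipv4 192.168.133.213 auth-port 1812 acct-port 1813
 key 7
"""

def audit(config):
    """Return sorted findings about ip admission bindings and RADIUS servers."""
    rules, bindings, servers, section = {}, [], {}, ""
    for line in config.splitlines():
        text = line.strip()
        if line and not line[0].isspace():
            section = text                      # start of a new top-level block
        if m := re.match(r"ip admission name (\S+)(?: method-list authentication (\S+))?", text):
            rules[m[1]] = rules.get(m[1], False) or bool(m[2])
        elif (m := re.match(r"ip admission (\S+)$", text)) and section.startswith("interface "):
            bindings.append((section.split()[1], m[1]))
        elif section.startswith("radius server "):
            srv = servers.setdefault(section.split()[2], {"acct": None, "key": False})
            if m := re.search(r"acct-port (\d+)", text):
                srv["acct"] = int(m[1])
            srv["key"] |= text.startswith("key ")
    out = []
    for iface, rule in bindings:
        if rule not in rules:
            out.append(f"{iface}: ip admission rule '{rule}' is not defined")
        elif not rules[rule]:
            out.append(f"{iface}: rule '{rule}' has no method-list line")
    for name, srv in servers.items():
        if srv["acct"] not in (None, 1813):
            out.append(f"radius server {name}: acct-port {srv['acct']}, not 1813")
        if not srv["key"]:
            out.append(f"radius server {name}: no key line")
    return sorted(out)

print("\n".join(audit(SAMPLE)))
```

In the posted config the `webpass` consent rule has no method-list line, so binding it to an interface would produce the second kind of finding.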