
Cisco WLC and Unsecured WLAN with redirect

Frank Dukes
Level 1

Hi Folks,

Can someone point me in the right direction here?

I have a WLS box - I want to create a WLAN which will

          1.)     allow anyone to connect to without authentication.

          2.)     once connected they need to be redirected to a web server for further instructions.

Any suggestions greatly appreciated.

Cheers

14 Replies

Amjad Abdullah
VIP Alumni

Hi Rob,

You need to create web-auth security with passthrough.

Here is a guide:

http://tiny.cc/517yiw

You choose "passthrough" rather than "Authentication" under L3 security configuration of the WLAN.

Configuring the redirect page is under Security -> webauth -> webauth login page (described in the example above).

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

Thanks for that. I followed the directions and my clients can connect and are redirected to the desired page.

The only problem is that before they are, they are redirected to an https Accept page which states "Cisco is pleased to provide the wireless LAN infrastructure for your network. Please login and put your unified wireless solution to work"

Once I click "Accept", it redirects me to the page I want.

Any idea how to get around this?

Cheers

You can configure the splash page to say the customer's name instead of Cisco.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

George Stefanick
VIP Alumni

To add to this conversation for clarity.

You can either use the supported default welcome page also called the acceptable use policy.

Or, you can add your own custom screen. If you go to Cisco's wireless controller code download section you will see a webauth bundle.

Contained in that bundle are about 1 dozen web page examples, which you can modify to your liking and upload to the controller.

I hope this helps ..

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

This sounds like what i need.

I will investigate and report back.

Cheers

Excellent .. Stop back if you have any problems. So you know, TAC DOESN'T SUPPORT HTML pages. So if you run into HTML problems TAC's response is "you are on your own".

But I think you will find the examples easy to modify.

Please support the rating systems if any of these responses by the members were helpful !

Thanks !

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

I have downloaded those files and will have a look now.

I have a couple of other questions in relation to this.

When users connect to this SSID and fire up their browser, they are redirected to a https page - https://1.1.1.1/login.html?redirect

Obviously the end users will receive a warning as they will not trust the certificate. The SAN on the certificate URL=https://1.1.1.1, IP Address=1.1.1.1

This 1.1.1.1 address maps to a virtual interface on both controllers that we have.

Why does it go to this page?

Also how do I go about getting a public cert so end users don't get a cert warning? There are obviously DNS issues.

Cheers

Robert,

The virtual interface IP address is the IP address used by the WLC for the redirection. It will always appear in the browser address bar, OR its corresponding name will when a DNS host name is configured for the virtual interface IP address.

You need to have a certificate from a trusted CA. That CA could be your company CA or third-party CA.

Check those links for the certificate issue:

https://supportforums.cisco.com/docs/DOC-11765

https://supportforums.cisco.com/docs/DOC-13954

HTH

Amjad

P.S.: Please rate useful answers.

Rating useful replies is more useful than saying "Thank you"

If you do not need clients redirected to HTTPS (for example, it's just passthrough and no real credentials are sent), you could just disable HTTPS for webauth instead of dealing with a cert.

Prior to 7.2 WLC code, this was accomplished by disabling secureweb on the WLC entirely (which means admin login would also not use HTTPS; this might be a security concern):

config network secureweb disable

config network webmode enable

(save and reboot)

However, in 7.2 now you could simply disable https for web-auth only:

config network web-auth secureweb disable

(save and reboot).

Hi Guys,

Thanks for the suggestions,

@Amjad - those links were perfect.

@wesleyterry - unfortunately our code level is earlier than 7.2 - this is exactly what I wanted, but it looks like I will have to go the long way on this one.

I have a final question regarding the virtual interfaces - as we have two boxes each with 1.1.1.1 as their IP - can I give them the same internal DNS information (i.e. wlcbox.domain.com) and then also install the same certificate on both? They are both in the same mobility group.

Cheers

Actually, the virtual interface IP address MUST be the same on all WLCs in the same mobility group.

'''snip'''

All controllers in a mobility group should have the same IP address for a virtual interface, for example 1.1.1.1. This is important for roaming. If all the controllers within a mobility group do not use the same virtual interface, inter-controller roaming can appear to work, but the hand-off does not complete, and the client loses connectivity for a period of time.

'''snip'''

Reference: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml#mobility

So, the answer is : Yes, one entry in the DNS is enough.

HTH

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

I would only add 1 snippet .. IANA issued IP address 1.1.1.1. Should a user ever want to or need to visit that address <1.1.1.1> they will hit your wireless LAN controllers. In all likelihood not going to happen. But just wanted to mention it.

Cisco recommends 1.1.1.1 be a non-routed IP address, which for years was that way until 2 years ago or so.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

No probs - if I change this IP on both boxes to, say, a 10.x address and I'll stick in the DNS entry, will it have any knock-on effect with connected APs?

I just want to rule out any issues with APs associating themselves with the controller when it reboots.

Cheers

Folks,

After much deliberation - I think this is the route I will go as 7.2 is not an option for us at this time.

I have created the certificate and will let you know how I get on.

Thanks for all your help.

Cheers
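
Added example, not part of the original thread and not Cisco code: a small Python audit that reads the CLI commands applied to each controller and flags the three points raised above (admin login falling back to HTTP when secureweb is disabled, web-auth served over HTTP, and a virtual interface address that is publicly routed or differs between mobility group members). The controller names, the 10.x address, the finding codes and the one-command-per-line input format are assumptions; `config interface address virtual` is the WLC command for setting the virtual interface address and does not appear in the thread.

```python
import ipaddress

# Constructed sample: one CLI command per line per controller. The controller
# names and the 10.x address are made up; settings not present are assumed to
# be "HTTPS enabled, HTTP disabled" (an assumption of this example).
SAMPLE = {
    "wlc-a": "config interface address virtual 1.1.1.1\n"
             "config network secureweb disable\n"
             "config network webmode enable\n",
    "wlc-b": "config interface address virtual 10.255.255.1\n"
             "config network web-auth secureweb disable\n",
}

# Command prefix -> setting name; the word after the prefix is the value.
PREFIXES = {
    ("config", "interface", "address", "virtual"): "virtual_ip",
    ("config", "network", "web-auth", "secureweb"): "webauth_https",
    ("config", "network", "secureweb"): "admin_https",
    ("config", "network", "webmode"): "admin_http",
}

def parse(text):
    """Pull the settings discussed in the thread out of CLI command lines."""
    s = {"virtual_ip": None, "webauth_https": "enable",
         "admin_https": "enable", "admin_http": "disable"}
    for line in text.splitlines():
        words = tuple(line.split())
        for prefix, key in PREFIXES.items():
            if words[:len(prefix)] == prefix and len(words) > len(prefix):
                s[key] = words[len(prefix)]
    return s

def audit(configs):
    """Return (scope, code) findings for a set of controller configs."""
    parsed = {name: parse(text) for name, text in sorted(configs.items())}
    out = []
    for name, s in parsed.items():
        if s["admin_https"] == "disable" and s["admin_http"] == "enable":
            out.append((name, "ADMIN_LOGIN_OVER_HTTP"))
        if s["webauth_https"] == "disable":
            out.append((name, "WEBAUTH_OVER_HTTP"))  # fine only for passthrough
        ip = s["virtual_ip"]
        if ip is None:
            out.append((name, "VIRTUAL_IP_MISSING"))
        elif ipaddress.ip_address(ip).is_global:
            out.append((name, "VIRTUAL_IP_PUBLICLY_ROUTED"))
    if len({s["virtual_ip"] for s in parsed.values()}) > 1:
        out.append(("mobility-group", "VIRTUAL_IP_MISMATCH"))
    return out
```

Calling `audit(SAMPLE)` returns four findings for the constructed pair; two controllers that share a private virtual address and leave HTTPS enabled return an empty list.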
