Verify your configuration as follows.

How to Make an Internal (Local) WebAuth Work with an Internal Page

If you need to configure a WLAN with an operational dynamic interface, the clients should also receive a DNS server IP address through DHCP. Before you set any webauth, you should test that your WLAN works properly, that you can resolve DNS requests (nslookup), and that you can browse web pages. Then, you can set the web authentication as Layer 3 security features. You can create your users in the local database or on an external RADIUS server, for example. Refer to the Wireless LAN Controller Web Authentication Configuration Example document.

How to Configure a Custom Local WebAuth with Custom Page

Custom webauth can be configured with redirectUrl from the Security tab. This forces a redirect to a specific web page you enter. When the user is authenticated, it overrides the original URL the client requested and displays the page for which the redirect was assigned.

The custom feature allows you to use a custom HTML page instead of the default login page. Upload your html and image files bundle to the controller. In the upload page, look for webauth bundle in a tar format. Usually, PicoZip creates tars that work compatibly with the WLC. For an example of a WebAuth bundle, refer to the Download Software page for Wireless Controller WebAuth Bundles. Be sure to select the appropriate release for your WLC. A good recommendation is to customize a bundle that exists; do not create a bundle from scratch.

There are some limitations with custom webauth that vary with versions and bugs. Things to watch for include:

• the .tar file size (no more than 1Mb)
   
• the number of files in the .tar
   
• the filename length of the files (should be no more than 30 characters)
   

If your customer package does not work, try with a simple custom package. Then add files and complexity one at a time to reach the package the customer tried to use. This should help you identify the problem. For an example on how to configure a custom page, refer to Creating a Customized Web Authentication Login Page, a section within the Cisco Wireless LAN Controller Configuration Guide, Release 7.0.

Override Global Configuration Technique

For each WLAN, you configure with the override global config command and set a WebAuth type for each WLAN. This means you can have an internal/default WebAuth with a custom internal/default WebAuth for another WLAN. This also allows you to configure different custom pages for each WLAN. You must combine all your pages in the same bundle and upload them to the WLC. Then, you can set your custom page with the override global config command on each WLAN and select which file is the login page from all of the files within the bundle. You can choose a different login page inside the bundle for each WLAN.

Redirection Issue

There is a variable within the HTML bundle that allows the redirection. Do not put your forced redirection URL there. For any redirection issues in custom WebAuth, Cisco recommends to check the bundle. If you enter a redirect URL with += in the WLC GUI, this could overwrite or add to the URL defined inside the bundle. For example, in the WLC GUI, the redirectURL field is set to www.cisco.com; however, in the bundle it shows: redirectURL+= 'www.google.com'. The += redirects users to www.cisco.comwww.google.com, which is an invalid URL.

How to Make an External (Local) Web Authentication Work with an External Page

As already briefly explained, the utilization of an external WebAuth server is just an external repository for the login page. The user credentials are still authenticated by the WLC. The external web server only allows you to use a special or different login page. Here are the steps performed for an external WebAuth:

1. The client (end user) opens a web browser and enters a URL.
    
2. If the client is not authenticated and external web authentication is used, the WLC redirects the user to the external web server URL. In other words, the WLC sends an HTTP redirect to the client with the website's spoofed IP address and points to the external server IP address. The external web authentication login URL is appended with parameters such as the AP_Mac_Address, the client_url (www.website.com), and the action_URL that the customer needs to contact the switch web server.
    
3. The external web server URL sends the user to a login page. Then the user can use a pre-authentication access control list (ACL) in order to access the server. The ACL is needed for all WLC models except 4400 series and Wism1.
    
4. The login page takes the user credentials input and sends the request back to the action_URL, such as http://1.1.1.1/login.html, of the WLC web server. This is provided as an input parameter to the customer redirect URL, where 1.1.1.1 is the virtual interface address on the switch.
    
5. The WLC web server submits the username and password for authentication.
    
6. The WLC initiates the RADIUS server request or uses the local database on the WLC, and then authenticates the user.
    
7. If authentication is successful, the WLC web server either forwards the user to the configured redirect URL or to the URL the client entered.
    
8. If authentication fails, then the WLC web server redirects the user back to the customer login URL.

Before you configure and customize WebAuth, ensure that your PC:

• Has an IP address on an open Service Set Identifier (SSID)
• Can ping the default gateway
• Can identify and locate the Domain Name Server (DNS) (ipconfig/all)
• Can resolve names (with nslookup)
• Can access the Internet
• http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117728-configure-wlc-00.html