CT5760 - virtual-host in parameter-map not used in webauth redirect
11-05-2014 05:58 AM - edited 07-05-2021 01:53 AM
Hi all.
I'll try posting my issue here before I post a TAC on this:
Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://1.2.3.4/login.html". The IP address 1.2.3.4 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
The reason why this is a problem is that the client's web browser will not accept the certificate installed on "http://1.2.3.4" because it is not issued for that IP address, only for the hostname webauth.example.com. I know that it is possible to get certificates issued for an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even for "real IPs". Therefore it is important that the redirect URL gets corrected.
Does anyone disagree with me that this is a bug?
Labels: Wireless Security
11-05-2014 09:33 AM
No, this is not a bug. You have to use the external web server as the redirect portal IP/URL under a custom webauth parameter-map, as shown below.
parameter-map type webauth ABC
type webauth
redirect for-login https://xyc.abc.com/guest/xxxx.php
redirect portal ipv4 x.x.x.x
Does your virtual IP resolve to name in your DNS ?
HTH
Rasika
11-06-2014 02:37 AM
Hi and thank you for your response.
I feel that I need to clarify a few things. Here is my parameter-map config (a bit edited):
parameter-map type webauth global
 virtual-ip ipv4 1.1.1.1
 virtual-host webauth.example.com
 intercept-https-enable
!
!
parameter-map type webauth webauth_external
 type webauth
 redirect for-login https://webauth-external.example.com/v2/login.html
 redirect portal ipv4 x.x.x.x
So the problem here is that a web browser of the client gets the following redirect URL:
https://webauth-external.example.com/v2/login.html?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com
Then after a successful login on the external portal, the user gets redirected back to https://1.1.1.1/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
When the redirect goes to https://1.1.1.1/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
https://webauth-external.example.com/v2/login.html?switch_url=https://webauth.example.com/login.html&redirect=http://www.cnn.com
Then the redirect after authentication goes to https://webauth.example.com/login.html and the client accepts the certificate and everything is peachy.
Do you see my problem? And yes, the virtual IP resolves to the name in DNS.
08-17-2015 05:12 PM
I do think this is a bug as well.
Did you manage to solve this issue? I'm having the exact same problem, Cisco WLC 5760 with IOS XE 3.7.0.
The parameter "switch_url" contains the controller virtual ip address, even when the virtual hostname is configured. Funny thing: even if I configure the hostname it doesn't appear in the web interface, but it does in the CLI configuration.
We have a 5508, OS version 7.6.130.0, and it does send the hostname instead of the virtual IP address to the external server.
Is there anything else that we need to configure? Thanks!
08-17-2015 11:45 PM
Here are details on this bug: CSCuq63532
It appears to be fixed, but I fear that this is only for 3.3 releases.
We have tried to upgrade to 3.7.2E, but we encountered another bug that results in all radios in shutdown. So we rolled back to 3.7.0.
But there is a workaround that Cisco TAC presented to me. What you need to do is this:
Edit login.html page (on the external web portal) and replace
document.forms[0].redirect_url.value = redirectUrl;
document.forms[0].submit();
with this code:
document.forms[0].redirect_url.value = redirectUrl;
document.forms[0].action = document.forms[0].action.replace("1.1.1.1", "w-5760-2.cisco.com");
document.forms[0].submit();
Replace with your switch FQDN.
Hope this works and helps you with your issue.
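As an added example (this is not code from the thread, from Cisco TAC or from the 5760 itself), here is a stricter version of the login.html workaround above. The posted snippet does a blind string replace of "1.1.1.1" inside the form action. The version below instead parses the switch_url the controller put in the redirect, checks that the scheme is https and that the host really is the controller's virtual IP, and only then substitutes the FQDN the certificate was issued for; any other host is rejected so the login form cannot be pointed at a host the portal does not know. The values VIRTUAL_IP = "1.1.1.1" and VIRTUAL_HOST = "webauth.example.com" are taken from the configuration posted earlier in the thread and are assumptions for your own deployment.

```javascript
// Added example, not from the original thread or from Cisco.
// Stricter replacement for the TAC workaround in login.html on the external
// web portal: rewrite the virtual IP in switch_url to the controller's
// virtual-host FQDN, but only after validating what we were handed.
//
// Assumed values (from the parameter-map posted in the thread; change to yours):
//   VIRTUAL_IP   - "virtual-ip ipv4" of the controller
//   VIRTUAL_HOST - "virtual-host" of the controller, i.e. the name in the cert
'use strict';

const VIRTUAL_IP = '1.1.1.1';
const VIRTUAL_HOST = 'webauth.example.com';

// Given the switch_url from the controller's redirect, return the URL the
// login form should post to, with the IP swapped for the FQDN.
// Returns null when the URL does not parse, is not https, or points at a host
// that is neither the virtual IP nor the virtual host, so a forged switch_url
// cannot steer the submitted credentials somewhere else.
function fixSwitchUrl(switchUrl, virtualIp = VIRTUAL_IP, virtualHost = VIRTUAL_HOST) {
  let u;
  try {
    u = new URL(switchUrl);
  } catch (e) {
    return null;                       // not a URL at all
  }
  if (u.protocol !== 'https:') return null;
  if (u.hostname === virtualIp) {
    u.hostname = virtualHost;          // the certificate is for the FQDN, not the IP
  } else if (u.hostname !== virtualHost) {
    return null;                       // unknown host: refuse rather than guess
  }
  return u.href;
}

// Pull switch_url and redirect out of the portal URL the client arrived on, e.g.
// https://webauth-external.example.com/v2/login.html?switch_url=...&redirect=...
function parsePortalQuery(portalLocation) {
  const params = new URL(portalLocation).searchParams;
  return {
    switchUrl: params.get('switch_url'),
    redirectUrl: params.get('redirect'),
  };
}

// Browser-side glue equivalent to the document.forms[0] lines in the thread.
// Returns false (and leaves the form untouched) if switch_url was rejected, so
// the page can show an error instead of submitting to an unvalidated host.
function wireLoginForm(doc, loc) {
  const { switchUrl, redirectUrl } = parsePortalQuery(loc.href);
  const action = fixSwitchUrl(switchUrl);
  if (!action) return false;
  const form = doc.forms[0];
  form.action = action;
  form.redirect_url.value = redirectUrl || '';
  return true;
}

// Only touch the DOM when there is one; the functions above are also usable
// from Node for testing.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  wireLoginForm(document, window.location);
}

if (typeof module !== 'undefined') {
  module.exports = { fixSwitchUrl, parsePortalQuery, wireLoginForm };
}
```

Two things this buys over `action.replace("1.1.1.1", "w-5760-2.cisco.com")`: the substitution is done on the parsed hostname, so it cannot match inside some other part of the URL, and the portal never posts the user's credentials to a host it did not expect. If the controller ever starts filling switch_url with the FQDN itself (as the 5508 in the thread does), the function simply passes it through unchanged.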
