12-08-2008 02:35 PM - edited 07-03-2021 04:52 PM
Has anyone deployed guest access with proxy servers? I am looking to have a guest SSID cross proxy servers so cannot deploy proxy settings with group policy and need it to be automatic.
I have seen PAC, WPAD, DNS and DHCP may provide a solution but have not tested as yet. Any sugestions.
12-08-2008 08:03 PM
Unless they have added a new feature on the 5.2 code, WebbAuth will not work. I have tried this in the past and what is required is that the client have proxy disabled on their browser and then after a successfull webauth login, he or she enables proxy to be able to browse. This is due to how webauth works and verifies the users homepage or url he or she is trying to get. Here is a link that might help:
01-19-2009 12:15 AM
Hi Fella,
Whats new in 5.2 code? we are stuck in our wireless guest configuration via proxy. did anyboyd found any workaround on this issue?
regards
raj=
01-19-2009 08:31 AM
So I guess you have your proxy's manually configured and are not using WCCP?
With WCCP, you wouldn't need your clients manually configured with a proxy server. You could have the client web-auth to the WLC as expected, but then when they try to reach the internet, the WCCP policy takes into effect and requires the proxy authentication...
Just a theory, and I'm not sure what all proxy devices support WCCP (we use Blue Coat), but I'm pretty sure this "could" work...
Just a quick run-down on WCCP:
Configure WCCP on your link to the internet from the router and all HTTP traffic will automatically go to the proxy device you have configured for WCCP. So when a client opens the Internet, and attempts to access a page, the request is automatically hi-jacked by the Proxy server without any client side configuration.
01-19-2009 04:38 PM
You can use WebAuth with a proxy, but you will need to:
1) Exclude the virtual address from the proxy
2) Configure the WLC to listen on the correct port (i.e. 8080 if you are using this). config network web-auth-port 8080
If using WPAD, you will need a pre-authentication ACL to allow the client to download the PAC file before passing web authentication. The PAC file should look similar to this:
function FindProxyForURL(url, host)
{
// variable strings to return
var proxy_yes = "PROXY
var proxy_no = "DIRECT";
if (shExpMatch(url, "http://
if (shExpMatch(url, "https://
// Proxy anything else
return proxy_yes;
}
Hope this helps.
-Matt
01-21-2009 08:00 AM
Thank wesleyterry for the comments but unfortunatly we are having MS ISA proxy which is not supported by WCCP
hello matt i will test your solution and let you know the feedback. by the way, wht exactly i have allow in pre auth ACl? my proxy port (8080) or all http traffic?
01-22-2009 05:26 PM
The port that WPAD uses...80 I think?
01-29-2009 12:29 AM
Thanks Matt
It worked, after applying the bidirectional ACLs in the contoller.
by the way, the redirection is not working properly, suppose if typed www.cisco.com after authentication it redirects to www.cisco.comwww.cisco.com do you have any clue on this ?
Apart from this, is there anyway to have AD or ACS created Lobby Admins?
Thanks for your effors
05-14-2009 11:42 AM
Hi, Could you please let me know what you have allowed in Pre Authentication ACL. what is WPAD ? I am trying to deploy same thing on a customer place...any kind of help will be appreciated..
10-04-2010 11:08 PM
Hello there
I'm having the same issue and I have seen this solution posted in quite a few places but being pretty new to this I still find it confusing.
I don't understand what it means to "exclude the virtual address from the proxy."
Can someone tell me in a bit more detail please how I might do this? The virtual address being used is the default 1.1.1.1
Thanks
Edit: nevermind, I got this now.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide