
proxy settings in c9800

Hi All,

Customer has a C9800 controller integrated with Cisco ISE. The SAML portal configuration is done in Cisco ISE; users are redirected to the Gmail page when they connect to the SSID only when the proxy is turned off. When the proxy is on, they are not redirected to the Gmail page. Is there any option to enable on the C9800 to redirect WLAN clients to the Gmail page when the proxy is turned on? I appreciate your response in advance.

Cheers,

Santhosh

 

1 Accepted Solution


Rich R
VIP

All the above documentation relates to AireOS - I can't find any documentation for a similar feature on 9800.
So unless anybody knows otherwise, it looks to me like the webauth proxy redirect feature is not supported on 9800.
So best to just tell the clients to ensure their proxy is correctly configured or use policy to push configuration if the client devices are managed.


balaji.bandi
Hall of Fame

What proxy do you have in your environment, and what logs do you see on the proxy?

BB


Rich R
VIP

That's entirely dependent on the client proxy configuration and/or the proxy server configuration - there's nothing you can do on the 9800 to change that.

HTTP Proxy Server and How it Works

You can use an HTTP proxy server. If you need the client to add an exception in its browser that 192.0.2.1 is not to go through the proxy server, you can make the WLC listen for HTTP traffic on the port of the proxy server (usually 8080).

In order to understand this scenario, you need to know what an HTTP proxy does. It is something you configure on the client side (IP address and port) in the browser.

The usual scenario when a user visits a website is to resolve the name to IP with DNS, and then it asks the web page to the web server. The process always sends the HTTP request for the page to the proxy.

The proxy processes the DNS, if required, and forwards to the web server (if the page is not already cached on the proxy). The discussion is client-to-proxy only. Whether or not the proxy obtains the real web page is irrelevant to the client.

Here is the web authentication process:

  • User types in a URL.
  • Client PC sends to the Proxy server.
  • WLC intercepts and imitates the Proxy server IP; it replies to the PC with a redirect to 192.0.2.1

At this stage, if the PC is not configured for it, it asks for the 192.0.2.1 WebAuth page to the proxy so it does not work. The PC must make an exception for 192.0.2.1; then it sends an HTTP request to 192.0.2.1 and proceeds with WebAuth.

When authenticated, all communications go through proxy again. An exception configuration is usually in the browser close to the configuration of the proxy server. You then see the message: "Do not use proxy for those IP addresses".

With WLC Release 7.0 and later, the feature webauth proxy redirect can be enabled in the global WLC configuration options.

When enabled, the WLC checks if the clients are configured to manually use a proxy. In that case, they redirect the client to a page that shows them how to modify their proxy settings to make everything work.

The WebAuth proxy redirect can be configured to work on a variety of ports and is compatible with Central Web Authentication.

For an example on WebAuth proxy redirection, refer to Web Authentication Proxy on a Wireless LAN Controller Configuration Example.

This is what I read, and I think the WLC must be configured to be aware of the proxy.

@Rich R check this info and your opinion is appropriate.

MHM
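
The quoted documentation above says the client must make a proxy exception for 192.0.2.1 before WebAuth can proceed. As an added example (not part of the post or of Cisco's documentation), here is proxy auto-config (PAC) logic that managed clients could be given to apply that exception; `proxy.example.com` and `ise-portal.example.com` are hypothetical names, and sending the ISE portal direct is an assumption about the deployment.

```javascript
// Added example: proxy auto-config (PAC) logic with a WebAuth exception.
// Hypothetical values, not from the thread: proxy.example.com, ise-portal.example.com.
var PROXY = "PROXY proxy.example.com:8080";    // 8080 is the usual port named in the quoted text
var DIRECT_CIDRS = ["192.0.2.1/32"];           // WLC virtual IP from the quoted text
var DIRECT_HOSTS = ["ise-portal.example.com"]; // assumed ISE portal FQDN

// Dotted IPv4 literal -> unsigned 32-bit integer, or null for anything else.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the integer address ip falls inside cidr ("a.b.c.d/len").
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var size = Math.pow(2, 32 - parseInt(parts[1], 10)); // addresses in the block
  var base = ipv4ToInt(parts[0]);
  return Math.floor(ip / size) === Math.floor(base / size);
}

// Standard PAC entry point: the browser calls it for every request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  var ip = ipv4ToInt(h);
  var i;
  if (ip !== null) {
    for (i = 0; i < DIRECT_CIDRS.length; i++) {
      if (inCidr(ip, DIRECT_CIDRS[i])) return "DIRECT";
    }
  }
  // Exact match only: a suffix or substring test would let look-alike names skip the proxy.
  for (i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) return "DIRECT";
  }
  return PROXY;
}
```

The script is written in ES3-style JavaScript because some PAC engines do not support newer syntax.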

Interesting @MHM Cisco World I wasn't aware of that feature!
I've never used so can't comment on how well it works.
Some more links on that feature:
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113151-web-auth-proxy-00.html
https://wirelessforccie.wordpress.com/2013/01/29/webauth-proxy-redirection-mode/
https://community.cisco.com/t5/wireless/web-auth-proxy-redirection/td-p/2655654


Hi @Rich R ,

I also did a search before posting; on the AireOS controller the redirect option is available, but not on the C9800. But I wanted to know whether I am on the right track before suggesting it to the customer. Thanks for your response.
