09-01-2019 08:09 PM - edited 07-05-2021 10:56 AM
On a Cisco C891FW with an integrated AP802AGN-A-K9 running Version 15.3(3)JF10.
4 SSIDs: 3 "2.4 GHz" & 1 "5 GHz"
2 of the 2.4 GHz & the 5 GHz are running WPA2 pre-shared key. Everything is OK with this setup.
1 of the 2.4 GHz is set for Web authentication, but the end users never get the login screen.
Users are indeed getting IPs of the correct VLAN.
nslookup is getting responses on the client.
I ran a capture on the router module, and the only thing I see is the DNS query/response, no HTTP GET or similar. I ran a capture on the AP module, but nothing shows up.
I tried with local RADIUS & external, but neither makes a difference... Users just associate, but no Internet.
Config of the SSID and some other stuff:
!
aaa authentication login WEB-LIST group radius
!
ip auth-proxy proxy http login redirect http://192.0.2.253/index.html
ip admission proxy http login redirect http://192.0.2.253/index.html
ip admission name WEB-AUTH proxy http list WEB-AUTH-ACL
ip admission name WEB-AUTH method-list authentication WEB-LIST
!
dot11 ssid Invitados
 vlan 300
 web-auth
 max-associations 5
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 13 mode ciphers aes-ccm
 !
 encryption vlan 88 mode ciphers aes-ccm
 !
 ssid Invitados
 !
 ssid Sc
 !
 ssid Ts
 !
 antenna gain 0
 mbssid
 speed basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role root
 no dot11 extension aironet
 l2-filter bridge-group-acl
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 ip admission WEB-AUTH
!
interface Dot11Radio0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 spanning-disabled
 no bridge-group 255 source-learning
!
interface BVI1
 mac-address 0035.1a69.2d16
 ip address 172.16.255.254 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 192.0.2.252 255.255.255.252 172.16.255.1
!
ip access-list extended WEB-AUTH-ACL
 permit ip any any
!
!
radius server DebSer
 address ipv4 192.0.2.253 auth-port 1812 acct-port 1813
 key R4diu5_k3Y
debug ip admission detailed
IP Admission Detailed Debug debugging is on
Sep 1 22:57:31.831: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:32.023: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:34.799: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:42.827: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:44.147: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
Sep 1 22:57:53.159: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300
802.11 Client Stations on Dot11Radio0:
SSID [Invitados] :
MAC Address     IP address   IPV6 address  Device   Name  Parent  State
88ad.d2f7.919b  172.16.0.3   ::            unknown  -     self    Assoc
09-02-2019 04:50 AM
I have never configured this, but based on the error you lack the command
ip admission WEB-AUTH
under the interface Dot11Radio0.300
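An added example, not part of any post in this thread: a small Python check that cross-references the debug message with the posted configuration and reports subinterfaces on a web-auth SSID's VLAN that carry no `ip admission` command. The function names `parse_blocks` and `audit` are hypothetical, and the check only shows where the rule is attached; it does not establish why the login page fails to appear.

```python
import re

# Excerpt of the config posted in this thread (indentation restored).
CONFIG = """\
dot11 ssid Invitados
 vlan 300
 web-auth
!
interface Dot11Radio0
 ip admission WEB-AUTH
!
interface Dot11Radio0.300
 encapsulation dot1Q 300
 bridge-group 255
"""
# One debug line copied from the original post.
DEBUG = "Sep 1 22:57:31.831: ip_admission_det:No IP admission/Auth-Proxy config on Dot11Radio0.300"

def parse_blocks(config):
    """Map each top-level IOS command to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        if not text or text == "!":
            continue  # separators carry no configuration
        if line[0].isspace() and current is not None:
            current.append(text)
        else:
            current = blocks.setdefault(text, [])
    return blocks

def audit(config, debug_log):
    """List (interface, ssid, seen_in_debug) for web-auth VLAN subinterfaces without 'ip admission'."""
    blocks = parse_blocks(config)
    vlans = {}  # VLAN id -> SSID name, for SSIDs with web-auth enabled
    for head, cmds in blocks.items():
        if head.startswith("dot11 ssid ") and "web-auth" in cmds:
            vlans.update({c.split()[1]: head.split()[2] for c in cmds if re.fullmatch(r"vlan \d+", c)})
    flagged = set(re.findall(r"No IP admission/Auth-Proxy config on (\S+)", debug_log))
    findings = []
    for head, cmds in blocks.items():
        vlan = next((c.split()[-1] for c in cmds if c.startswith("encapsulation dot1Q ")), None)
        has_rule = any(c.startswith("ip admission ") for c in cmds)
        if head.startswith("interface ") and vlan in vlans and not has_rule:
            name = head.split()[1]
            findings.append((name, vlans[vlan], name in flagged))
    return findings
```

Calling `audit(CONFIG, DEBUG)` on the excerpt returns the subinterface named in the debug output, since the rule sits on the parent radio interface only.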
09-02-2019 07:37 AM
Nope. Same behaviour.
interface Dot11Radio0.300
 encapsulation dot1Q 300
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 spanning-disabled
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 ip admission WEB-AUTH
Wondering if I need to configure a virtual IP like in a Controller or something like that:
(config)#ip admission virtual-ip ?
A.B.C.D Virtual Ip Address
09-02-2019 08:17 AM