Web-auth not automatically redirecting

vikas01234das
Level 1

1) ipconfig - correct

2) DNS resolving - correct

3) WLC -> Controller -> Interface -> Virtual -> IP address: 1.1.1.1 and DNS Host Name: empty

4) When I reboot the WLC, web-auth redirect is not working.
15 Replies

marce1000
Hall of Fame

 - FYI ->  https://community.cisco.com/t5/wireless/1-1-1-1-is-no-more-recommended-as-a-virtual-ip/td-p/3831937

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Changed the virtual ip address to 192.168.X.X but still it is not working.

Note: My WLC GUI and web authentication page are not opening in HTTPS, whereas they are opening in HTTP.

 - Have a checkup of the controller configuration with : https://cway.cisco.com/wireless-config-analyzer

 M.


Uploaded the file to the given link but it is not giving any output. It seems that the tool is not working.

 - It works but you need to take care: for AireOS controllers it needs the 'raw' output of show run without any prompting (output) in between; have a look at: https://community.cisco.com/t5/networking-knowledge-base/show-the-complete-configuration-without-breaks-pauses-on-cisco/ta-p/3115114/page/2#toc-hId-1039672820 Probably in AireOS the best method would be to transfer the running config to a TFTP server and use that for Wireless Analyzer. For 9800-based controllers Wireless Analyzer needs the output of show tech wireless (not just show tech).

 M.


Arshad Safrulla
VIP Alumni

Do you have specific set of clients impacted? (only impacting apple devices etc.)

If you are using 9800, for HTTPS redirection you can enable Web Auth intercept HTTPS under the web auth parameter map, but there will be a hit on CPU usage of the WLC. If you need more support, please post the web auth parameter map configuration, redirection ACL and HTTP/S server status along with the controller model, code and whether it is CWA or LWA.

I am using a 5508 WLC. Secure web is enabled, HTTPS is enabled, but I am not getting the GUI of the WLC in HTTPS; also the web auth page is not coming automatically. The virtual IP is 2.2.2.2. If I enter http://2.2.2.2 in the Chrome browser then the page is coming.

@vikas01234das opening the page directly with http is *not* the same as a redirect to https!
If you enter any https domain which then gets redirected to your https page then the browser/device expects to see a certificate matching the domain entered initially.  If it doesn't then the page is blocked.  Some browsers will still provide a warning and option to proceed.  Most captive portal assistants will simply block the page.  Similarly even when the redirect is from a http page (that's what all captive portal assistants use now) the https cert *must* match the domain of the page and be issued by a trusted root CA.  This is the reality you must work with or you WILL have problems.  Security enforcement is getting stricter all the time on devices and browsers so something that worked 10 years ago will not work today.

Is there any more in depth info about this? I'm trying to find more information which explains the interaction of said devices but can't find anything concrete

Info about what specifically @istoleyowifi ?

How https web redirect works with aironet wireless controllers

I think you mean AireOS controllers.

The WLC simply intercepts the TCP connection and responds masquerading as the destination IP address.
Because most browsers and clients now strictly enforce security with certificate verification https will normally be blocked and is NOT recommended.  All device and browser captive portal detection now use http (not https) because that can be safely redirected.  

The other reason you should not redirect https is because on modern devices you have dozens of apps trying to connect on https.  The connections will all fail (because the redirect to captive portal fails certificate verification) so all you do is overload the WLC.  8540 running 8.10 code can cope with a moderate number of these - older WLC and code cannot.  9800 running IOS-XE is very weak at handling https redirects and will simply cause high CPU and dropped customer connections.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html
https://learn.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals
https://en.wikipedia.org/wiki/Captive_portal
If you search you can find plenty of other articles explaining how captive portals work.

So essentially I should use http instead of https on my redirect URL?

The captive portal URL you redirect to should be https (with valid trusted public certificate which matches the fully qualified domain name of the portal) but you should only intercept and redirect http traffic from the client eg http://www.neverssl.com or any of the OS and browser URLs as per https://en.wikipedia.org/wiki/Captive_portal which as you can see are always http because they're intended to be redirected.
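The interception described in the last few replies (the controller answers the client's TCP connection while masquerading as the destination, HTTP can be sent a 302 to the portal, HTTPS can only be answered with the portal's certificate and so fails the client's hostname check, and OS/browser probes are plain http for that reason) can be modelled in a few lines. The following Python is an added example, not code from this thread or from Cisco; the portal FQDN, its certificate SubjectAltName, and the probe URL list are constructed/assumed for illustration.

```python
"""Model of pre-auth captive-portal interception: why redirecting HTTP works and
intercepting HTTPS fails certificate verification. Added example, not Cisco code.
Portal name, certificate names and probe list are constructed for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, quote

PORTAL_URL = "https://portal.example.net/login"   # assumed portal FQDN
PORTAL_CERT_SANS = ("portal.example.net",)        # assumed cert SubjectAltNames

# Constructed subset of OS/browser connectivity probes and the reply each
# expects when the internet is reachable. Note that all of them are http.
PROBES = {
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    blocked_reason: str = ""   # set when the client refuses the connection


def cert_matches_host(sans, host):
    """Browser-style hostname check: exact SAN match, or one left-most wildcard
    label (*.example.net matches a.example.net but not a.b.example.net)."""
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def wlc_intercept(url, portal_url=PORTAL_URL, portal_sans=PORTAL_CERT_SANS):
    """Controller behaviour for an unauthenticated client connecting to `url`.

    The controller completes the TCP connection itself, pretending to be the
    destination. For plain HTTP it can simply answer with a 302 to the portal.
    For HTTPS it must first finish a TLS handshake, and the only certificate it
    holds is the portal's, so the client compares that certificate against the
    host it originally asked for and refuses the connection on a mismatch."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "http":
        return Response(302, {"Location": f"{portal_url}?orig={quote(url, safe='')}"})
    if parts.scheme == "https":
        if cert_matches_host(portal_sans, host):
            # The client actually asked for the portal itself: serve the login page.
            return Response(200, {"Content-Type": "text/html"}, "<form>login</form>")
        return Response(0, blocked_reason=(
            f"certificate name mismatch: cert is for {portal_sans}, client asked for {host}"))
    raise ValueError(f"unsupported scheme in {url!r}")


def captive_portal_detected(probe_url, response):
    """What a connectivity-check client concludes from a probe response: a
    redirect, or any status/body other than the expected one, means a portal
    sits between the client and the internet."""
    expected_status, expected_body = PROBES[probe_url]
    if response.status == 302 and "Location" in response.headers:
        return True
    return not (response.status == expected_status and response.body == expected_body)


def run_probes():
    """Send every constructed probe through the interceptor; all should detect the portal."""
    return {url: captive_portal_detected(url, wlc_intercept(url)) for url in PROBES}


if __name__ == "__main__":
    print(wlc_intercept("http://www.neverssl.com/"))
    print(wlc_intercept("https://www.neverssl.com/"))
    print(run_probes())
```

The model makes the thread's point concrete: the http probe and http://www.neverssl.com get a usable 302, an https request to any third-party site is blocked on hostname mismatch before a redirect can even be sent, and only an https request for the portal's own FQDN (where the certificate matches) is served.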
