11-11-2022 08:55 AM
1) ipconfig - correct
2) DNS resolving - correct
3) WLC-> controller -> interface -> Virtual -> ip address - 1.1.1.1 and DNS Host Name -> Empty
11-11-2022 10:09 AM
- FYI -> https://community.cisco.com/t5/wireless/1-1-1-1-is-no-more-recommended-as-a-virtual-ip/td-p/3831937
M.
11-11-2022 08:21 PM
Changed the virtual ip address to 192.168.X.X but still it is not working.
Note: My WLC and web authentication page are not opening in HTTPS, whereas they are opening in HTTP.
11-12-2022 02:00 AM
- Have a checkup of the controller configuration with : https://cway.cisco.com/wireless-config-analyzer
M.
11-12-2022 03:39 AM
11-12-2022 03:55 AM - edited 11-12-2022 04:00 AM
- It works but you need to take care: for AireOS controllers it needs the 'raw' output of show run without any prompting (output) in between. Have a look at: https://community.cisco.com/t5/networking-knowledge-base/show-the-complete-configuration-without-breaks-pauses-on-cisco/ta-p/3115114/page/2#toc-hId-1039672820 Probably in AireOS the best method would be to transfer the running config, put it on a TFTP server and use that for WirelessAnalyzer. For 9800-based controllers Wireless Analyzer needs the output of show tech wireless (not just show tech).
M.
11-12-2022 04:09 AM
Do you have specific set of clients impacted? (only impacting apple devices etc.)
If you are using 9800, for HTTPS redirection you can enable Web Auth intercept HTTPS under the web auth parameter map, but there will be a hit on CPU usage of the WLC. If you need more support, please post the web auth parameter map configuration, redirection ACL and http/s server status along with the controller model, code and CWA or LWA.
11-15-2022 01:37 AM
I am using a 5508 WLC. Secure web is enabled. HTTPS is enabled. But I am not getting the GUI of the WLC in HTTPS, and the web auth page is not coming up automatically. The virtual IP is 2.2.2.2. If I enter http://2.2.2.2 in the Chrome browser then the page is coming up.
11-15-2022 03:38 AM
@vikas01234das opening the page directly with http is *not* the same as a redirect to https!
If you enter any https domain which then gets redirected to your https page then the browser/device expects to see a certificate matching the domain entered initially. If it doesn't then the page is blocked. Some browsers will still provide a warning and option to proceed. Most captive portal assistants will simply block the page. Similarly even when the redirect is from a http page (that's what all captive portal assistants use now) the https cert *must* match the domain of the page and be issued by a trusted root CA. This is the reality you must work with or you WILL have problems. Security enforcement is getting stricter all the time on devices and browsers so something that worked 10 years ago will not work today.
10-08-2024 05:53 PM
Is there any more in depth info about this? I'm trying to find more information which explains the interaction of said devices but can't find anything concrete
10-09-2024 03:16 PM
Info about what specifically @istoleyowifi ?
10-09-2024 03:59 PM
How https web redirect works with aironet wireless controllers
10-11-2024 02:00 AM
I think you mean AireOS controllers.
The WLC simply intercepts the TCP connection and responds masquerading as the destination IP address.
Because most browsers and clients now strictly enforce security with certificate verification https will normally be blocked and is NOT recommended. All device and browser captive portal detection now use http (not https) because that can be safely redirected.
The other reason you should not redirect https is because on modern devices you have dozens of apps trying to connect on https. The connections will all fail (because the redirect to captive portal fails certificate verification) so all you do is overload the WLC. 8540 running 8.10 code can cope with a moderate number of these - older WLC and code cannot. 9800 running IOS-XE is very weak at handling https redirects and will simply cause high CPU and dropped customer connections.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html
https://learn.microsoft.com/en-us/windows-hardware/drivers/mobilebroadband/captive-portals
https://en.wikipedia.org/wiki/Captive_portal
If you search you can find plenty of other articles explaining how captive portals work.
10-12-2024 12:18 AM
So essentially I should use http instead of https on my redirect URL?
10-12-2024 04:51 AM
The captive portal URL you redirect to should be https (with a valid trusted public certificate which matches the fully qualified domain name of the portal) but you should only intercept and redirect http traffic from the client, e.g. http://www.neverssl.com or any of the OS and browser URLs as per https://en.wikipedia.org/wiki/Captive_portal, which as you can see are always http because they're intended to be redirected.
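
Added example, not part of the thread and not Cisco code: a small Python model of the client-side checks the replies above describe, useful for sanity-checking a planned portal setup before deploying it. The function names, `portal.example.net` and the SAN list are constructed for illustration, and the model assumes the controller presents the portal certificate when it answers an intercepted https connection.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample values (not from a real deployment)
PORTAL = "https://portal.example.net/login"
PORTAL_SANS = ["portal.example.net"]

def san_matches(host, sans):
    """True if host is covered by one of the certificate's SAN entries."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host in sans          # an IP literal needs an exact IP SAN
    except ValueError:
        pass
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        # A wildcard covers exactly one left-most label: *.example.net
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def check_redirect(requested_url, portal_url, portal_sans, trusted_ca):
    """Return the reasons a client would block this captive-portal redirect."""
    problems = []
    req, portal = urlsplit(requested_url), urlsplit(portal_url)
    # Intercepted https: the client validates against the name it asked for.
    if req.scheme == "https" and not san_matches(req.hostname, portal_sans):
        problems.append("intercepted https: client expects a certificate for "
                        + req.hostname)
    if portal.scheme != "https":
        problems.append("portal URL is not https")
    else:
        if not san_matches(portal.hostname, portal_sans):
            problems.append("portal certificate does not cover " + portal.hostname)
        if not trusted_ca:
            problems.append("portal certificate is not from a trusted root CA")
    return problems

if __name__ == "__main__":
    for url in ("http://www.neverssl.com/", "https://www.example.com/"):
        print(url, "->", check_redirect(url, PORTAL, PORTAL_SANS, True) or "ok")
```

An empty list means the redirect passes all three checks; redirecting to the virtual IP itself (for example `https://2.2.2.2/...`) fails the name check unless the certificate carries that IP as a SAN.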