03-28-2012 02:09 AM - edited 07-03-2021 09:53 PM
Hello, I have a strange problem: on my new WLC 5508 with the 7.0.116.0 software version, under SECURITY - Web Auth - Web Login Page I want to set the web authentication type to "External" but I cannot add an external web server. This field does not appear.
Strange, on the WLC 4400 with the same software version I don't have this problem. Does somebody have a solution for that?
03-30-2012 05:23 AM
Can you try to see the global web-auth config under the Security tab? Is it the same on both controllers or different?
Sent from Cisco Technical Support iPad App
03-30-2012 06:20 AM
Can you try to choose custom and then hit apply then try to choose external? Can you post a screen shot?
03-30-2012 07:31 AM
Thank you for your answers.
Finally I found the answer. It seems that the configuration for the 5500 series is different from the 4400, even though both have the same software version. On the 5500 series it is mandatory to use the preauthentication access control list instead of the external Web authentication server.
The screenshots, which may help others:
So on the WLC 5500
For this model, the next step is to configure the preauthentication access control list to permit the TCP connection for the IP address x.y.z.w
like here: http://www.cisco.com/image/gif/paws/71881/ext-web-auth-wlc.pdf
On the old (already) wlc 4400
"When using an external web server for web authentication, some of the WLC platforms need a pre-authentication ACL for the external web server (the Cisco 5500 Series Controller, a Cisco 2100 Series Controller, Cisco 2000 series and the controller network module). For the other WLC platforms the pre-authentication ACL is not mandatory."
from
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wp1049273
03-30-2012 08:31 AM
Although 4400 controllers don't need a pre-auth ACL, they need another command to be used instead. This command is not available on 5500 controllers.
I forgot the exact command but it starts with "config custom-web".
There was something like the word "webauth" after that.
The document was not accurate and we asked the doc team to modify it, but even after modification it is still not clear.
'''snip'''
When using an external web server for web authentication, some of the WLC platforms need a pre-authentication ACL for the external web server (the Cisco 5500 Series Controller, a Cisco 2100 Series Controller, Cisco 2000 series and the controller network module). For the other WLC platforms the pre-authentication ACL is not mandatory.
However, it is a good practice to configure a preauthentication ACL for the external web server when using external web authentication.
'''snip'''
The above is not accurate. It is either the pre-auth ACL or the command. Without the ACL or the command the external page will not work (tried it in practice, and this is why we asked them to amend the 3 documents they had for web auth configuration).
The point is that 4400 controllers have that command but the 5500, 2100 and WLC module do not.
I have no access to wlcs at the moment or I would have checked the exact command for you.
HTH.
Amjad
Sent from Cisco Technical Support iPad App
03-30-2012 08:45 AM
Indeed, I already tried to use this command:
(Cisco Controller) >config custom-web ext-webserver add
I can use it on the 4400 but it is no longer available on the 5500.
03-30-2012 10:18 AM
Exactly. This is the one.
It has the same effect as creating a pre-auth ACL.
Either the ACL or this command should be used. Without either of them external web-auth will not work.
Amjad