Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
29773
Views
11
Helpful
34
Replies

Web-auth redirect not working

bgp.ripe901
Level 1
Level 1

‎08-07-2019 06:31 AM - edited ‎07-05-2021 10:49 AM

 

When i connecting in my SSID, no automatic redirect to https://1.1.1.1/

But when i enter url https://1.1.1.1 with my hands everything is ok working !

 

1) ipconfig - correct
2) DNS resolving - correct
3) WLC-> controller -> interface -> Virtual -> ip address - 1.1.1.1 and DNS Host Name -> Empty 
4) When i delete pre-acl in WLAN -> Internet working fine.
5) When i upgrade software 8.0.140.0 to 8.0.152.0 - web-auth redirect not working.
6) When i reboot WLC - web-auth redirect not working.
 
 
WLC-5508 - software: 8.0.152.0
 

My config:

 

WLAN Identifier.................................. 16
Profile Name..................................... Guest-WEB
Network Name (SSID).............................. Guest-WEB
Status........................................... Enabled

Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 300
IPv4 ACL........................................ web-acl
IPv6 ACL........................................ Unconfigured
Web-Auth Flex ACL............................... Unconfigured
Web Authentication server precedence:
1............................................... ldap
2............................................... local
3............................................... radius
Web-Passthrough............................... Disabled
Mac-auth-server............................... 0.0.0.0
Web-portal-server............................. 0.0.0.0
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled

 

##

 

(Cisco Controller) show>custom-web wlan 16


WLAN ID: 16
WLAN Status................................... Enabled
Web Security Policy........................... Web Based Authentication
Global Status................................. Enabled
WebAuth Type.................................. Internal

 

###

WLC -> Management -> HTTP-HTTPS

 

HTTP-HTTPS Configuration:

HTTP Access - Disable
HTTPS Access - Enabled
WebAuth SecureWeb - Enabled
HTTPS Redirection - Enabled
Web Session Timeout - 30 Minutes

 

##

 

My Preauthentication ACL  :

 

(Cisco Controller) show>acl detailed web-acl

Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1 Any 0.0.0.0/0.0.0.0 10.0.253.20/255.255.255.255 17 0-65535 53-53 Any Permit 468
2 Any 10.0.253.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 466
3 Any 0.0.0.0/0.0.0.0 10.1.254.20/255.255.255.255 17 0-65535 53-53 Any Permit 2
4 Any 10.1.254.20/255.255.255.255 0.0.0.0/0.0.0.0 17 53-53 0-65535 Any Permit 2
5 Any 0.0.0.0/0.0.0.0 1.1.1.1/255.255.255.255 Any 0-65535 0-65535 Any Permit 0
6 Any 1.1.1.1/255.255.255.255 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Permit 9159

DenyCounter : 12069

 

 

 

Full config in attachment.

1 person had this problem
Labels:
wlan_config.txt
Preview file
9 KB
Preauthentication-ACL.txt
Preview file
2 KB
1.jpg
Preview file
68 KB
2.jpg
Preview file
69 KB
3.jpg
Preview file
72 KB
4.jpg
Preview file
124 KB
0 Helpful
34 Replies 34

Marc0
Level 1
Level 1
In response to patoberli

‎04-24-2020 05:17 AM

Hi



Yes, it was the flexconnect acl that needed to be created which im glad now.



I do have a external signed cert and ive added it to the trusted cert section in ise but im not sure how I would get ise or the portal to know that when the redirect takes place to use that external signed cert.


0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Marc0

‎04-24-2020 06:08 AM - edited ‎04-24-2020 06:09 AM

Check on the client if you already get the correct certificate offered.
Otherwise have a look at this bug, which might also affect ISE 2.3: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut26025/?rfs=iqvred

Or this one:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp75207/?rfs=iqvred

 

In any case, for both bugs it's recommended to install the latest ISE patch.

0 Helpful

Marc0
Level 1
Level 1
In response to patoberli

‎04-24-2020 07:58 AM

Update



So it seems the certificate we have is not correctly set to host the portal page, got to order a new external signed certificate so for the moment I will have to suffice with either ip address or a self-gen cert.

While wait on that, I noticed once log into the portal its not taking me to the website and re-drecting back to the portal (like its stuck in a loop)




0 Helpful

Sri Harsha Dasari
Spotlight

‎04-07-2023 06:46 AM

If you are here with same issue and using 9800 WLC's with codes before 17.7, please go to CLI and enable webauth-http-redirect.

conf t
parameter-map type webauth global
webauth-http-enable

After 17.7 this option is available on GUI under Configuring -- Security -- Webauth -- global

Thanks, Sri.

lisa302
Level 1
Level 1

‎07-26-2023 10:02 AM

Ah look you can use some dynamic location ips to go through it or you may use some extension to break it down

0 Helpful
Review Cisco Networking for a $25 gift card
Top