
Web authentication doesn't redirect when entering a URL

Web authentication doesn't redirect when I enter a URL, but I can enter an IP address. It's OK.

I use WLC4404 and WLC 5508 and I enabled the web authentication function; when I access the SSID, web authentication is enabled. I enter www.google.com in the URL bar and it's not redirected to the Cisco web authentication page from the WLC, but if I enter any IP address (i.e. 8.8.8.8) it can redirect to Cisco web authentication. It works. Please tell me the solution to fix it.

Now I connect directly with the AP and WLC / DHCP I get from the WLC

Router
||
||
||
WLC 5508 / WLC 4404 ========> Switch =======> AP =======> clients

The IP of the WLC can access the internet via the router; it's the same subnet.

From clients I can use nslookup www.google.co.th; it shows the IP of Google.


weterry
Level 4

99.9999% chance your DNS is hosed (or non-existent)

But I could be wrong.

If you can type in any IP address and get redirected, but typing in a name doesn't get you anywhere, then my money is on "DNS is not resolving www.google.com to an IP address, therefore the client is never making an HTTP request, which is why we aren't redirecting it...."

Want to prove it?   Run Wireshark against the wireless NIC of a client.

I bet you see it query www.google.com all day long with no response.

If the client doesn't make an HTTP Request (which requires an IP address and ARP of gateway), then the WLC has nothing to hijack and redirect.

-Wesley Terry

Of course I totally missed that you said you're using NSLOOKUP to return an address.... so that would typically invalidate my DNS theory..

I vote on the client side packet capture, and you post it here.

dmantill
Level 4

Is the DNS that you are using a public DNS or your own private DNS?

Please make sure that the name that you configured on the virtual IP address matches the virtual IP configured as a host in your DNS.

The problem is with names, and therefore, as has already been mentioned... it is 99.9% a DNS issue...

Try this:

Disable firewalls and ACLs.

Disable web authentication.

Test the nslookup with the name of the virtual interface; your DNS should provide the virtual interface IP address.

Enable web authentication.

Run ipconfig /flushdns

Use nslookup again and look for the virtual interface name and see what the DNS is replying back, then try google.com and you should still be getting the IP address of the virtual interface since the WLC should be hijacking it..

If it is still not working, please save the configuration, reload the WLC and test it again.

If none of the above recommendations work for you, please give us more details and packet captures while the issue is happening, and the URL that is showing up in Internet Explorer or Firefox....

Oh, by the way, every time you restart the wireless connection, please CLOSE the web browsers and open them again..

Thank you for the best support, I attached a network diagram.

All clients must use a proxy in Internet Explorer to access the internet.

Now I create an SSID for web authentication, use authentication method

virtual interface ip : 1.1.1.1  hostname ip : 137.40.78.5

Use private DNS.

When I run nslookup from clients, it shows only the IP and name of Bluecoat.

Why isn't Cisco easy to configure?

OK, there you go... well, just a question: why would you use web authentication when you are using a proxy server?? Isn't it possible to use the proxy as web authentication or web redirect?

The WLC will try to redirect to the virtual interface, therefore how can it be redirected to another IP while it is being proxied?

For me it doesn't make sense having an additional proxy. Why don't you just try using it without the proxy feature, as it is recommended?

Remember that web authentication is a method that interacts with DNS, intercepting it, and therefore it redirects the traffic to the virtual IP at first so the client can see the page to be authenticated. So what you are doing by using both methods is adding a forced redirect of all the traffic to another IP... so that's when the problems start showing up. So even if the WLC is telling the client to go to 1.1.1.1, the client is going to the PROXY... and the WLC WILL not allow any other traffic to be sent to any other IP than 1.1.1.1 or its interface domain name...

dmantill, two things to remember:

siriphan says that everything works if they browse via IP address. If that is a true statement, then a proxy generally doesn't behave differently based on IP or hostname lookups.

Often when people use a "proxy" like Bluecoat, they are using it for web filtering and logging (not necessarily for authentication). If it's a WCCP implementation, then it's all handled in the background...

siriphan,

I think the best explanation you're going to get is by looking at the wireshark capture of a client who has a problem.  We can all speculate all day long, but right now there is no real explanation for why nslookup works and clients only redirect if they type IP address instead of name.....

By the way, when you do get a capture, make sure you capture a non-working scenario as well as a working scenario.   With the working scenario, use the IP address of the webserver for example, 74.125.224.50 is a www.google.com address.

-Wesley Terry

AFAIK ... a DNS server does not resolve IPs to IPs.. it resolves names to IPs..

If Bluecoat is used as you mentioned, then it should be used as the gateway and not as a proxy.

Therefore if it's used as a gateway it can filter or act as a firewall for that subnet..

As I mentioned, I would strongly recommend testing it at first without proxy IE settings and without Bluecoat, just to make sure that it's working with a simple deployment...

Now I have removed the proxy on clients; the clients can redirect to web authentication, but when I remove internet connectivity from the WLC, users can't redirect.

How do I configure the WLC for web authentication without an internet connection?

diagram

No internet

WLC ==== Switch ==== AP ))) Clients

Clients can connect and get DHCP from the WLC but cannot resolve by DNS because there is no internet connection.

Please help

You cannot be redirected by the WLC if you do not make an HTTP Request.

You cannot make an HTTP Request if you do not know the IP Address of the http://website.com

You cannot get the IP address if you do not provide DNS services.

So... Bottom line is that you need to provide some form of DNS, otherwise for users to "web authenticate" they would have to type in an IP address for the web server instead of a name, since a computer doesn't make HTTP Requests to a name.....
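The chain in the post above (DNS answer, then an HTTP request, then the controller's redirect) can be checked one step at a time from a client. This is an added example, not code from the thread or from Cisco: `diagnose`, its injectable `resolve` and `http_get` helpers and the sample responses are hypothetical, and it assumes the login redirect mentions the virtual interface address (1.1.1.1 in this thread).

```python
import http.client
import socket

def _resolve(host):
    # IPv4 lookup through whatever DNS server the client was handed by DHCP
    return socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]

def _http_get(ip, host, timeout):
    # Plain HTTP to port 80, no proxy, redirects not followed
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return resp.status, resp.getheader("Location") or "", body
    finally:
        conn.close()

def diagnose(host, portal_ip, resolve=_resolve, http_get=_http_get, timeout=5):
    """Return (stage, detail) for the first step of the chain that fails."""
    try:
        ip = resolve(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return ("dns_failed", f"{host}: {exc}")
    try:
        status, location, body = http_get(ip, host, timeout)
    except (OSError, http.client.HTTPException) as exc:
        return ("http_failed", f"{ip}: {exc}")
    # Assumption: the login redirect names the virtual interface address,
    # either in a Location header or in the returned page body.
    if portal_ip in location or portal_ip in body:
        return ("redirected", f"HTTP {status} via {ip}")
    return ("no_redirect", f"HTTP {status} from {ip}")

if __name__ == "__main__":
    # Constructed stand-ins so the demo runs offline; omit them to test live.
    def no_dns(host):
        raise socket.gaierror("no DNS server reachable")

    def portal(ip, host, timeout):
        page = '<meta http-equiv="refresh" content="1; URL=https://1.1.1.1/login.html">'
        return 200, "", page

    print(diagnose("www.google.com", "1.1.1.1", resolve=no_dns))
    print(diagnose("www.google.com", "1.1.1.1",
                   resolve=lambda h: "74.125.224.50", http_get=portal))
```

A `dns_failed` result on the guest SSID matches the no-internet setup described earlier in the thread: the client never reaches the HTTP step, so there is nothing for the controller to redirect.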

Siriphan

Thanks for the update.

Well basically, as Weterry mentioned, you need an accessible DNS server.

That's the only way to make the redirection work with names.. The WLC hijacks the DNS and places the virtual interface name as the address to the wireless client so they resolve it in order to access the web authentication page. So, DNS is a MUST... that is why, when using web authentication, it only allows traffic to go from the wireless client to DNS and to the virtual IP address/name.

Why don't you try setting up a private DNS for your clients?

Can anyone tell me how to make guests redirect to another web page without authentication?

When guests connect to the network they must be redirected to (google.com) without an additional page or authentication and get access to the internet.

Redirect happens with an initial page the user hits first then comes a redirect. I don’t think you can just do a straight redirect with a controller. You might have to do some custom html that auto “accepts” but the user probably would see a page pop up and then gets redirected.
-Scott
*** Please rate helpful posts ***