Web portal cisco C9800 does not appear

Aimad Ghoudane · ‎10-20-2022

Hi

I have an issue with my Guest portal in my Cisco C9800.

Weh i try to connect to my SSID Guest, I have

An Ip

I can lunch the web portal by https://192.0.2.1

but the Web Portal not appear mannually or maybe 1 time / 5.

Do you know how to resolve it ?

Regards

balaji.bandi · ‎10-20-2022

check below guide and check the config :

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aimad Ghoudane · ‎10-20-2022

but the Web Portal not appear AUTOMATICALLY (soory) or maybe 1 time / 5.

balaji.bandi · ‎10-20-2022

maybe 1 time / 5.

You mean 1 works out of 5 times ?

on same device ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aimad Ghoudane · ‎10-20-2022

Hi

You mean 1 works out of 5 times --> Yes exactly

on same device --> No, Multiple device (W10 / Iphone)

Regards

Arshad Safrulla · ‎10-20-2022

Are you using CWA or LWA? If CWA please post the ACL.

Can you post your web auth parameter map and also the http server configuration from the WLC. I would recommend having something similar.

parameter-map type webauth global
type webauth
virtual-ip ipv4 192.0.2.1
virtual-ip ipv6 2001:DB8::1
webauth-http-enable

!

no ip http server
ip http secure server

!

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Aimad Ghoudane · ‎10-20-2022

Hello

This is my config

parameter-map type webauth Web_Portal_MYNAME
type webauth
redirect on-success https://www.MYWEBSITE.ch/accueil
max-http-conns 120
cisco-logo-disable
!

I try

it's seem to be better when i add

ip http server ( iknow that normally is better when we desactivate http server).

Now I have a better situation ... I don't know how

The user has the web portal login but with an certificate error and he has to validate the connection before to connect to the web portal.

Arshad Safrulla · ‎10-20-2022

You can avoid enabling the http server in the WLC by adding "webauth-http-enable" under the web auth parameter map. Certificate is important, it is recommended to use publicly signed certificate. Please consider adding the parameter map config I shared before.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Aimad Ghoudane · ‎10-20-2022

Thanks for your help

"webauth-http-enable" does not seems to exist on my WLC.

conf t

cwlc(config)#parameter-map type webauth Web_portal_MYNAME
wlc(config-params-parameter-map)#webauth-http-enable
^
% Invalid input detected at '^' marker.

wlc(config-params-parameter-map)#

Arshad Safrulla · ‎10-20-2022

Hi Aimad,
Looks like you are running a older code in box. Please consider upgrading your boxes to the latest Cisco TAC recommended code ASAP. Refer the signature for the links.
For the moment I would suggest that you have the "ip http server" configured in your WLC, as this is somewhat compulsory in the older codes for Web Auth to work properly. Also write your pre-auth ACL's properly to allow required communication to DNS, DHCP etc.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Rich R · ‎10-20-2022

As @Arshad Safrulla said you're running an old version of IOS-XE - update to current release.
webauth-http-enable was a feature enhancement to allow webauth to use http while disabling http server for GUI access.

To avoid certificate errors your splash/landing page must have a valid public certificate matching the DNS name of the URL for the page.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Aimad Ghoudane · ‎10-23-2022

Hello
Thanks for your return.
Except error on my part, I use the last firmware available on cisco web site.

But now, my spalh page arrive quickly when I change my certificat.

But i would like to understand (for my understanding) the relationship between the certificate and the automatic launch of the splah page.

Rich R · ‎10-23-2022

Modern devices and browsers implement strict security protocols now.

That means any secure web page must have a valid certificate before it will load. If you don't provide a valid certificate the page is considered insecure (= DANGEROUS/MITM/HACKERS/MALWARE) and will not load for the safety of the user and device.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Aimad Ghoudane · ‎10-23-2022

Great ! many thanks for your return !