04-05-2008 09:36 PM - edited 07-03-2021 03:39 PM
Does anyone know what the "Config Guest-lan Webauth exclude" command does in 5.0 controller code? Doesn't seem to be documented anywhere.
04-06-2008 12:35 AM
I don't get your question; please clarify.
If you are asking how to configure webauth from the controller, it's very easy; you can also use the internal DHCP from the controller.
Thanks
04-06-2008 08:56 AM
No, I'm asking about the CLI command in a 4402 WLC running 5.148 code. The command is "Config Guest-lan Webauth-exclude". Why don't you type it in and see what you get?
07-03-2008 04:25 AM
I want to know too.
My guess would be that if this is enabled then successive web-auth failures will lead to blocking of DHCP requests from that client's MAC address. But there aren't any parameters like how long the exclusion is applied for. Maybe it ties into the normal client exclusion policies and uses the SSID's exclusion timeout parameter.
It would be nice if Cisco could comment. I'm going to turn it on and see what it breaks...
07-03-2008 05:32 AM
Allows you to turn off the webauth policy exclusion.
config wlan webauth-exclude
By default (somewhere around 4.0.179), a web-auth protected SSID will de-associate an unauthenticated client every 5 minutes to reclaim connections and resources. If you are implementing a pre-auth ACL to allow user access to, say, your external web server or DMZ without auth, then they will lose their connection every 5 minutes and re-associate again after 60 seconds. If you want them to stay connected to the resources specified in the pre-auth ACL, but then be prompted to auth when accessing the Internet, then use this command. Keep in mind that if you are broadcasting, then your guest wireless may begin to fill up with idle connections.
07-03-2008 06:33 AM
Thanks for that info. May I humbly ask if you got that from a Cisco doc or is it just from real-world observation?
Your explanation makes sense, but are you sure it's related to this command? Looking at the command description "webauth dhcp-server exclusion" and the ACL hits I have on my pre-auth ACL, it looks like the command basically enables/disables bypass for DHCP, i.e. if you have a pre-auth ACL then you don't need dhcp-client or dhcp-server permit rules if you have webauth-exclude enabled.
Any idea what the default state of this feature is, since it's not present in the GUI and the setting doesn't show up when you do a "show wlan"?
07-03-2008 07:14 AM
I had opened a TAC case because my unauthenticated clients in the guest WLAN, using my pre-auth ACL, were dropping every 5 minutes. The information pretty much came verbatim from Cisco TAC. They suggested using the hidden command as a workaround to my issue, only a 5.x thing.