cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1403
Views
0
Helpful
5
Replies

WLC 2504 https web auth login page re-direction for guest wifi

qjamil001
Level 1
Level 1

Hi,

 

I have a WLC 2504 running ver 8.5.171.0

The issue I'm having is with laptop clients connecting to our guest wifi. They do not get the web login page to enter their credentials for guest wifi access. It attempts to redirect to https but gets stuck. Even trying to manually enter the virtual interface ip with http or https doesn't work. 


However it works fine on all mobile devices. I noticed that if I disable webauth secure web(under management > http-https) then laptops can at least get the web login page redirection to http but not https. But then mobile devices can no longer connect to the web login page at all. 

 

My question is, would this be fixed by installing a third party ssl certificate or would upgrading the firmware(if newer one available) fix this? I know this WLC is quite old. I have found a method posted on this site on how to install a third party ssl cert but it appears to only fix the certificate warning message?

 

Any input would be greatly appreciated.

5 Replies 5

Things you need to check.

When laptops connect to the SSID, they get an IP address? If they get an IP address, they can resolve anything (nslookup)

If they can resolve, they receive the correct redirect ACL?  Does this ACL is properly created on the WLC? Are you using external web page or default on the wlc?

 

Does those laptops use Proxy?

 

Yes they get an IP address from DHCP. If Webauth SecureWeb is disabled they are successfully able to browse the internet with no problems. 

Yes they receive the correct redirect(no acl for this) and it does redirect to the virtual interface ip address. But the web login page doesn't load(unless Webauth SecureWeb is disabled and I manually type in http:// and virtual ip)

 

Laptops don't use proxy.  

 

I'm using the default internal web login page. The problem seems to be with Webauth SecureWeb and ssl/https.

Rich R
VIP
VIP

What OS/version and browser(s)/versions on the laptops?

- AireOS older versions (including 8.5.x) have very SEVERE limitation on their ability to redirect https.  This doesn't stop it working but it severely limits the number of clients the WLC can handle at once, remaining connections dropped.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

"Be aware that this is resource consuming for the WLC in case many HTTPS requests are sent. It is advised not to use this feature before WLC version 8.7 where the scalability of this feature was enhanced."

That enhancement only applies to 5520 and 8540 anyway so not an option for you.

Note the performance table - can get to less than 1 per second!

 

That said it doesn't sound like that is your main problem.  Get a packet capture (Wireshark) and browser network trace F12 dev tools - network to see exactly what happens when your laptop tries to connect.  Make sure to start with an http url like http://www.neverssl.com to avoid certificate redirect blocking (you'll still get a certificate error if you're not using a registered domain with matching genuine public certificate).  You said you're not using proxy but what about antivirus/antimalware/firewall or even browser hijack addon software?  We had a client trying to use cloud based antivirus so the AV was trying to connect to cloud before allowing browser to connect - connection blocked.  I could clearly see this behaviour on packet capture.  We've seen similar with VPN configured to block local access.  This really sounds like a PC problem not a wifi problem.

Thank you for your reply. 

 

The laptops I've tested it out with so far are running Win 10 Enterprise ver 21H2 and older, browsers I've tried are edge and chrome. 
The laptops are running zscaler and mcafee antivirus/host intrusion. No add-ons are enabled for the browsers. 
When clients visit and they request guest-wifi access, they have the same issue but I haven't kept track/paid attention to their OS or browser versions. 

 

Also I have a WLC 3504 running 8.5.182.0 with similar behavior. 

 

I also setup a laptop off the domain running windows 10 with no anti-virus or browser add-ons and the https re-direct still doesn't work and the web login page doesn't load even if i manually type in the virtual ip. However if I disable Webauth SecureWeb it still tries to re-direct to https:// the web login page doesn't load but then i can just remove the s at the end of the http and the web login page works fine then. 

 

I can try what you suggested and also try a internet explorer as suggested below and get back to you. 

-packet capture (Wireshark) and browser network trace F12 dev tools - network to see exactly what happens when your laptop tries to connect.  Make sure to start with an http url like http://www.neverssl.com

-IE if you can

 

ammahend
VIP
VIP

if you can do a capture on the client machine during redirection, it will give a much clearer picture, feel free to share the capture. can be a cert issue, some browsers are more sensitive so try different browsers (even try old IE if you can)

-hope this helps-
Review Cisco Networking for a $25 gift card