Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1319
Views
0
Helpful
5
Replies

WLC 2504 https web auth login page re-direction for guest wifi

qjamil001
Level 1
Level 1

‎03-15-2022 09:37 AM

Hi,

 

I have a WLC 2504 running ver 8.5.171.0

The issue I'm having is with laptop clients connecting to our guest wifi. They do not get the web login page to enter their credentials for guest wifi access. It attempts to redirect to https but gets stuck. Even trying to manually enter the virtual interface ip with http or https doesn't work. 


However it works fine on all mobile devices. I noticed that if I disable webauth secure web(under management > http-https) then laptops can at least get the web login page redirection to http but not https. But then mobile devices can no longer connect to the web login page at all. 

 

My question is, would this be fixed by installing a third party ssl certificate or would upgrading the firmware(if newer one available) fix this? I know this WLC is quite old. I have found a method posted on this site on how to install a third party ssl cert but it appears to only fix the certificate warning message?

 

Any input would be greatly appreciated.

Labels:
0 Helpful
5 Replies 5

Flavio Miranda
VIP
VIP

‎03-15-2022 12:12 PM

Things you need to check.

When laptops connect to the SSID, they get an IP address? If they get an IP address, they can resolve anything (nslookup)

If they can resolve, they receive the correct redirect ACL?  Does this ACL is properly created on the WLC? Are you using external web page or default on the wlc?

 

Does those laptops use Proxy?

 

0 Helpful

qjamil001
Level 1
Level 1
In response to Flavio Miranda

‎03-16-2022 05:30 AM - edited ‎03-16-2022 05:31 AM

Yes they get an IP address from DHCP. If Webauth SecureWeb is disabled they are successfully able to browse the internet with no problems. 

Yes they receive the correct redirect(no acl for this) and it does redirect to the virtual interface ip address. But the web login page doesn't load(unless Webauth SecureWeb is disabled and I manually type in http:// and virtual ip)

 

Laptops don't use proxy.  

 

I'm using the default internal web login page. The problem seems to be with Webauth SecureWeb and ssl/https.

0 Helpful

Rich R
VIP
VIP

‎03-17-2022 10:40 AM - edited ‎03-17-2022 10:42 AM

What OS/version and browser(s)/versions on the laptops?

- AireOS older versions (including 8.5.x) have very SEVERE limitation on their ability to redirect https.  This doesn't stop it working but it severely limits the number of clients the WLC can handle at once, remaining connections dropped.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

"Be aware that this is resource consuming for the WLC in case many HTTPS requests are sent. It is advised not to use this feature before WLC version 8.7 where the scalability of this feature was enhanced."

That enhancement only applies to 5520 and 8540 anyway so not an option for you.

Note the performance table - can get to less than 1 per second!

 

That said it doesn't sound like that is your main problem.  Get a packet capture (Wireshark) and browser network trace F12 dev tools - network to see exactly what happens when your laptop tries to connect.  Make sure to start with an http url like http://www.neverssl.com to avoid certificate redirect blocking (you'll still get a certificate error if you're not using a registered domain with matching genuine public certificate).  You said you're not using proxy but what about antivirus/antimalware/firewall or even browser hijack addon software?  We had a client trying to use cloud based antivirus so the AV was trying to connect to cloud before allowing browser to connect - connection blocked.  I could clearly see this behaviour on packet capture.  We've seen similar with VPN configured to block local access.  This really sounds like a PC problem not a wifi problem.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

qjamil001
Level 1
Level 1
In response to Rich R

‎03-21-2022 08:10 AM

Thank you for your reply. 

 

The laptops I've tested it out with so far are running Win 10 Enterprise ver 21H2 and older, browsers I've tried are edge and chrome. 
The laptops are running zscaler and mcafee antivirus/host intrusion. No add-ons are enabled for the browsers. 
When clients visit and they request guest-wifi access, they have the same issue but I haven't kept track/paid attention to their OS or browser versions. 

 

Also I have a WLC 3504 running 8.5.182.0 with similar behavior. 

 

I also setup a laptop off the domain running windows 10 with no anti-virus or browser add-ons and the https re-direct still doesn't work and the web login page doesn't load even if i manually type in the virtual ip. However if I disable Webauth SecureWeb it still tries to re-direct to https:// the web login page doesn't load but then i can just remove the s at the end of the http and the web login page works fine then. 

 

I can try what you suggested and also try a internet explorer as suggested below and get back to you. 

-packet capture (Wireshark) and browser network trace F12 dev tools - network to see exactly what happens when your laptop tries to connect.  Make sure to start with an http url like http://www.neverssl.com

-IE if you can

 

0 Helpful

ammahend
VIP
VIP

‎03-17-2022 09:07 PM

if you can do a capture on the client machine during redirection, it will give a much clearer picture, feel free to share the capture. can be a cert issue, some browsers are more sensitive so try different browsers (even try old IE if you can)

-hope this helps-
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card