WLC 9800: detectportal.firefox and gstatic.com without HTTPS

Bolivar
Level 1

Hello,
I'm using the Cisco Catalyst 9800-CL Wireless Controller, with Web Auth and a captive portal. The captive portal is hosted on an external server within my network, with https.

On some devices, when I try to access the internet, I am redirected to the captive portal using https, as it should be.
However, in some cases I am redirected to portals like detectportal.firefox and gstatic.com (depending on the browser), which use http (no security).
Is there any way to force the use of the correct portal, i.e. the portal with https?

Thank you in advance for your help.


6 Replies

Mark Elsen
Hall of Fame
(Accepted Solution)

- For starters, have a review of the 9800-CL configuration with the CLI command `show tech wireless`, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical `show tech-support` (short version); use the command denoted in green for Wireless Analyzer.

M.

-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

Thanks for the tip. I found and fixed some bugs, as well as adjusting some best-practice tips.
However, nothing related to the problem I'm facing.

- Make sure the destination portal offers (secure) https access as default, and/or disable simple http access (if configured).

M.


The external captive portal page is configured to operate with https. It is an Apache server. That part is working without problems.

I noticed that the problem occurs in two cases:

1st: when the "default" captive portal (detectportal.firefox or gstatic.com) is opened in the browser, with http;

2nd: when the user tries to access a website with https before authentication. In this case, the request is forwarded to Cisco's default captive portal on the WLC, without https.

When trying to access any website that uses http, I am correctly redirected to the secure captive portal (external, with https).

Here at the institution we have a WLC 5500 series, which works correctly for all cases. Besides the version, another difference is that the older Cisco wireless controller is physical while the new one (WLC 9800) is virtualized (KVM).

Rich R
VIP

@Bolivar please clarify?
You say it does NOT work for http captive portal requests to detectportal.firefox or gstatic.com, but then you say "When trying to access any website that uses http, I am correctly redirected to the secure captive portal (external with https)", which contradicts that!
Is your Apache server using a valid public certificate with a matching fully qualified domain name?
Does your WLC also have a valid DNS name and cert installed?

Note that http URLs for captive portal detection and redirection are the ONLY way to reliably trigger a captive portal redirection without security/cert warnings or outright failure, as some OSes/browsers will now block invalid https redirects altogether without any warning. That is the industry standard now, used by all major browsers and OSes on all devices. Trying to block that will break the service, or at least make it a horrible experience for most users.

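As an added illustration (not code from any post in this thread), the probe-and-redirect behaviour Rich R describes, reduced to a small Python checker: it classifies what a plain-http connectivity-probe reply means to the client and flags a captive-portal redirect whose Location is http rather than https. The two probe URLs are the real Firefox and Android ones; the sample replies, the portal hostname and the 192.0.2.1 address are constructed.

```python
"""Classify captive-portal probe replies the way a browser/OS does.
Sample replies below are constructed; nothing here touches the network."""
from urllib.parse import urlsplit

# Well-known plain-http probe URLs and the reply that means "internet is open".
PROBES = {
    "http://detectportal.firefox.com/success.txt": (200, b"success\n"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, b""),
}

def parse_response(raw: bytes):
    """Tiny HTTP/1.x response parser -> (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(probe_url: str, raw: bytes) -> tuple:
    """Return (state, redirect_target); state is open | captive-https | captive-http | captive-inline | unexpected."""
    expected_status, expected_body = PROBES[probe_url]
    status, headers, body = parse_response(raw)
    if status == expected_status and body == expected_body:
        return "open", ""
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        target = headers["location"]
        # The client follows this redirect: an https target keeps the login
        # form encrypted; an http target exposes credentials on the wireless segment.
        secure = urlsplit(target).scheme.lower() == "https"
        return ("captive-https" if secure else "captive-http"), target
    if status == 200:
        return "captive-inline", ""   # portal HTML served instead of the probe body
    return "unexpected", ""

def audit(samples: dict) -> dict:
    """Map {name: (probe_url, raw_reply)} to {name: state}."""
    return {name: classify(url, raw)[0] for name, (url, raw) in samples.items()}

# Constructed replies: what a controller might send back to each probe.
SAMPLES = {
    "external_https_portal": ("http://detectportal.firefox.com/success.txt",
        b"HTTP/1.1 302 Found\r\nLocation: https://portal.example.edu/login\r\n\r\n"),
    "controller_http_portal": ("http://connectivitycheck.gstatic.com/generate_204",
        b"HTTP/1.1 302 Found\r\nLocation: http://192.0.2.1/login.html\r\n\r\n"),
    "after_login": ("http://connectivitycheck.gstatic.com/generate_204",
        b"HTTP/1.1 204 No Content\r\n\r\n"),
}
```

Run `audit(SAMPLES)` to see the three states side by side; a "captive-http" verdict is the case the original poster is trying to eliminate.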

Thanks for your reply.

"Is your apache server using a valid public certificate with matching fully qualified domain name?"
Yes, the certificate was signed by the same CA as the other services we already use at the institution.

"Does your WLC also have a valid DNS name and cert installed?"
Yup. Registered in the institutional DNS server.

When I try to access an http page, I am correctly redirected to the secure captive portal page. On the other hand, in some cases, where the access attempt (before authentication) is made through a website with https (example: https://www.google.com), I am redirected to detectportal.firefox or gstatic.com.

To work around this problem, I added a static page whose sole purpose is to force a redirection to another page with http. Once redirected to a non-secure page (with http), the WLC manages to redirect me to the correct captive portal (with https).

Here in Brazil we call this type of procedure a "gambiarra". I believe in English it's "jerry-rig".
